Firewall rule to install Istio - azure

I implemented an AKS cluster with a firewall on Azure; I used this documentation:
But my application needs to install some services, like Istio. However, as the firewall is blocking the installation, I believe I need to create a rule to allow Istio.
How do I set this rule? What would the address be?

Related

Registering Environment Resources VMs behind a proxy

I want to know which subdomain URLs are the only ones needed by the Azure agent software when it is used to register a VM as an Azure DevOps environment resource.
The URLs found here are generic and do not meet a least-privilege practice:
Running agent behind a firewall or a proxy
If you want to install a self-hosted agent or set up a VM-type environment resource on a VM that is secured with a firewall or proxy server, you need to add the domain URL "https://vstsagentpackage.azureedge.net" to the allowlist at least.
However, since different resources on Azure DevOps could be hosted on different domain URLs or IP ranges, when you run pipeline jobs on the self-hosted agent to access these resources, you also need to add all the related domain URLs or IP ranges to the allowlist.
For more details, you can refer to the document "Allowed IP addresses and domain URLs".

Azure NSG not blocking traffic to subnetted ACI

I've got an azure sftp container instance properly set up finally but I ran into a wall while configuring security for it (much like the person here).
My basic flow is this:
PIP on Azure ->
-> Load balancer using PIP to be reached by the wider web ->
-> Load balancing rule to backend subnet ->
-> SFTP container group living on that subnet ->
-> SFTP container in that group
Nothing special, and I verified before associating the NSG that the network is operating as intended. Connection to the SFTP server is functioning properly. The problem is, after associating the NSG with the container group's subnet, I was still able to connect to it without any configured rules. Even after applying a rule at priority 100 to deny all traffic, to rule out something I may have missed from the default rules, I can still get in.
After reading that NSG flow logs don't include container instances, I'm torn between believing users have NSGs working with container groups but are missing logs, and the possibility that NSGs don't work with container groups at all. If anyone has any guidance on properly using NSGs here, please let me know. Otherwise, if there's another tool I should be using, please recommend it (Azure Firewall is included in the container group tutorial, but I believe it is completely overkill for what I need and also prohibitively expensive).
EDIT: Adding picture of NSG rules -
After my validation, currently the NSG associated with the ACI subnet does not work in this scenario for the SFTP container service behind an Azure load balancer. The NSG rule does not block the client's public IP address, and it works the same as without it.
As a workaround, you could restrict the SFTP access with an NGINX reverse proxy like this blog, or add a service like Azure Application Gateway as a reverse proxy to direct your public-facing traffic to your backend instance.

Azure NetworkSecurityGroup rule for WebApp

I want to enable traffic from my webapp (that sits inside the VNET and has its private IP) to Application Gateway (that is deployed to the same VNET and has NSG attached to its subnet).
How can I do it?
If I add the web app's outbound IP to the NSG as allowed, traffic works fine, but I do not want to hardcode this IP.
If I add the "Internet" service tag it works as well, but it is too broad for my taste.
I could not find any other relevant service tags (tried "AppServiceManager", "AppService" and "AppService.AustraliaEast").
Also checked this document (and had to update the filename to last Monday! :) ) but could not find the IP that worked for me (52.187.231.76).
Ideal solution would be to allow only VNET traffic, but this did not do the trick as well... All ServiceEndpoints are there.
Checked with Azure support. Unfortunately there are no service tags available to do this yet.
Workaround: manually add security rules for each application that is supposed to access the Application Gateway, allowing its Outbound IPs.
To do so, go to the Azure portal, to the application that needs to be able to access the App GW. Go to the Properties blade and copy the Outbound IP addresses. Then go to the NSG and create a new inbound security rule to allow access from all of those IPs (it can be a single rule).
According to Azure support those IPs should not change unless you recreate the whole webapp and the app can only cycle through those IPs.
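The workaround above, scripted as an added example (not the answer author's code): it reads the web app's outbound IPs from the Properties data and writes them into one inbound NSG rule. It assumes the Az PowerShell module, an authenticated session, and placeholder resource names; the destination port 443 is an assumed listener port.

```powershell
# Added example, not from the original answer. Assumes Connect-AzAccount has
# already been run and that these placeholder names exist in the subscription.
$rg      = 'rg-placeholder'
$webApp  = 'webapp-placeholder'
$nsgName = 'nsg-appgw-subnet-placeholder'

# OutboundIpAddresses is the same comma-separated list shown on the web app's
# Properties blade. PossibleOutboundIpAddresses is the larger set the app may
# use after scaling; pick that one if the rule must survive a scale-out.
$app       = Get-AzWebApp -ResourceGroupName $rg -Name $webApp
$sourceIps = $app.OutboundIpAddresses -split ','

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# One inbound rule carrying every outbound IP as a source prefix, scoped to the
# listener port instead of the broad "Internet" service tag.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-WebApp-To-AppGw' `
    -Description "Outbound IPs of $webApp" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix $sourceIps -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 443 |
  Set-AzNetworkSecurityGroup | Out-Null

# Read the rule back to confirm which prefixes were actually stored.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName |
  Get-AzNetworkSecurityRuleConfig -Name 'Allow-WebApp-To-AppGw').SourceAddressPrefix
```

Re-run the script after recreating the web app, since the answer notes the outbound IPs only change in that case.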

Do I need to enable the firewall on Virtual Network if I have enabled the firewall on the application gateway?

I have set up a Virtual Network with an Application Gateway (which has both DDoS Protection and Firewall enabled). The Application Gateway forwards the requests to a Web App. There are no other components in the Virtual Network.
I also see that there is a Firewall on the Virtual Network as well. When I enable it, it said that I need to create a subnet called AzureFirewallSubnet.
My question is, do I need to enable this firewall? Does it make any difference to my scenario?
Thanks.
My scenario is similar to .
No firewall in Azure can block traffic to a web app (unless you are using App Service Environment); you need to use web.config for that.
So no, you do not need Azure Firewall in this scenario.

Setup Azure Network security group rules for Octopus Tentacle?

I've been trying to set up my Azure Network security group to accept connections to my Octopus Tentacle, but with no success.
I know the Tentacle is working properly because I can connect using localhost; all that's left is to make it externally available.
Could anyone shine a light on the necessary rules in the Network security group? Find my own rules below.
Kind regards and thanks in advance!
Open Windows Firewall on your VM and add an allowed access for the "10933" TCP port (10933 is the default port between the Octopus Server and the Tentacle).
If your Octopus Server and Tentacle are not on the same Azure resources and you still couldn't telnet the Tentacle, you must add an "Inbound security rule" for the same 10933 TCP port to the network security group used by your VM.
Optional: you should give a static IP and domain name to your VM on Azure. Your network admin should configure IP-restricted access for it.
For testing the connectivity, you should use the "telnet client". Open cmd and write this. If there is no connection error/timeout, it's working.
telnet yourtentaclesexternalIPaddress 10933
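The three steps of that answer (VM firewall, NSG inbound rule, connectivity check) as an added PowerShell example, not the answer author's code. It assumes the Az module and an authenticated session; the resource names, the Octopus Server IP and the Tentacle DNS name are constructed placeholders, and the NSG rule is limited to the server's address rather than Any, as the "IP restricted access" remark suggests.

```powershell
# Added example, not from the original answer. Placeholder values throughout.
$rg       = 'rg-placeholder'
$nsgName  = 'nsg-tentacle-vm-placeholder'
$serverIp = '203.0.113.10'          # constructed: public IP of the Octopus Server
$tentacle = 'tentacle.example.com'  # constructed: static DNS name of the Tentacle VM

# Step 1 (run on the Tentacle VM): open 10933/TCP in Windows Firewall.
# This is the listening Tentacle's default port from the answer.
New-NetFirewallRule -DisplayName 'Octopus Tentacle 10933' -Direction Inbound `
    -Protocol TCP -LocalPort 10933 -Action Allow -Profile Any | Out-Null

# Step 2 (run from an Az session): inbound NSG rule for the same port, with
# the source narrowed to the Octopus Server instead of the whole Internet.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-OctopusServer-10933' `
    -Description 'Tentacle polling/listening port, Octopus Server only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix $serverIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 10933 |
  Set-AzNetworkSecurityGroup | Out-Null

# Step 3 (run on the Octopus Server): the same check as the telnet test,
# using Test-NetConnection so the result is a boolean rather than a blank screen.
$probe = Test-NetConnection -ComputerName $tentacle -Port 10933
if ($probe.TcpTestSucceeded) {
    "Tentacle reachable on 10933"
} else {
    "No connection: re-check the VM firewall rule and the NSG rule order"
}
```

Because the NSG rule allows only $serverIp, the telnet test from any other host is expected to time out; run the probe from the Octopus Server itself.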
You should add the endpoint and firewall settings in your virtual machine's firewall (not the Azure one you mentioned). This is the official tutorial on how to set up the Tentacle. Also check whether the OS you want to launch the Tentacle on is supported (same link).