Azure NSG rules for traffic from an Azure Cloud Service - azure

I have an Azure cloud service and an Azure Kubernetes Service (AKS). AKS is within an NSG. I would like to create rules in the network security group (NSG) to restrict inbound traffic to only the specific cloud service.
Since cloud service IP could change, I would not be able to base the NSG rules on IP. Also, I do not see cloud service in the azure service tags list in NSG.
How do I achieve this NSG rule configuration?

It seems that you want to restrict inbound traffic to AKS from only the specific cloud service. Conversely, you can add inbound rules to allow the traffic that you want to access AKS. Then the traffic for which you have not added an allow rule will be denied, since there is a DenyAllInBound inbound rule in each NSG. The traffic is filtered according to the priority (a high priority is a small value) of the inbound rules.
Update
If you only allow one specific cloud service in the inbound traffic, you just set the source to the specific IP address in the inbound rule of your NSG. The assigned IP address for the cloud service doesn't change unless you stop and re-provision the service. If you want to be sure of a fixed IP address in your subscription even if you deprovision and reprovision, you can use a Reserved IP address for Cloud Services. Ref: Static IP for Cloud Service on Azure
Reserved IP addresses (Classic)
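The rule set the answer describes, written out as an added Bicep example (not code from the question or the answer): one allow rule for the cloud service's reserved IP at a small priority number, and an explicit Internet deny at a larger number, so that the priority ordering the answer mentions is visible. The parameter values (the reserved IP 203.0.113.10 and the AKS subnet 10.1.0.0/24) are constructed placeholders.

```bicep
// Added example, not from the original answer: an NSG for the AKS subnet
// that admits inbound HTTPS only from the cloud service's Reserved IP.
// Assumed values: cloudServiceReservedIp is the Reserved IP assigned to
// the cloud service and aksSubnetPrefix is the AKS node subnet (both are
// constructed placeholders).
param location string = resourceGroup().location
param cloudServiceReservedIp string = '203.0.113.10'
param aksSubnetPrefix string = '10.1.0.0/24'

resource aksNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-aks-subnet'
  location: location
  properties: {
    securityRules: [
      {
        // Smallest number wins: this rule is evaluated before the deny below.
        name: 'AllowHttpsFromCloudService'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: cloudServiceReservedIp
          sourcePortRange: '*'
          destinationAddressPrefix: aksSubnetPrefix
          destinationPortRange: '443'
        }
      }
      {
        // Explicit Internet deny: a later allow rule with a higher number
        // cannot silently widen access, and the built-in DenyAllInBound
        // (65500) still catches everything else. The built-in
        // AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001)
        // are unaffected because the source here is the Internet tag, not '*'.
        name: 'DenyInternetInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Associate the NSG with the AKS node subnet (for example with `az network vnet subnet update --network-security-group`). AKS keeps its own managed NSG on the node NICs; custom restrictions like these belong on the subnet NSG, and any rule that denies the Internet tag at a small priority number must still leave the ports the cluster's load balancer needs open from the allowed source.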

Related

How to configure Azure ContainerApps with a Static Outbound IP?

In the documentation for Azure ContainerApps Ports and IP Addresses section it indicates that the
Outbound public IP
Used as the "from" IP for outbound connections that leave the virtual network. These connections aren't routed down a VPN. Using a NAT gateway or other proxy for outbound traffic from a Container App environment isn't supported. Outbound IPs aren't guaranteed and may change over time.
The inbound IP for a ContainerApps Environment is fixed. Azure Container Instances (not ContainerApps) on the other hand seem to have documented capability to configure a static outbound IP via NAT Gateway.
Is there a way to configure a static outbound IP for Azure ContainerApps as well?
If not, which alternate deployment models for a long-running background service are recommended? The requirement is that an external service can count on a fixed outbound IP (or very small range, not the entire DataCenter IP ranges) for whitelisting.
** EDIT - It seems that NAT on VNet is not yet supported on ACA - https://github.com/microsoft/azure-container-apps/issues/522
way to configure a static outbound IP for Azure ContainerApps as well?
No, we can't configure the outbound public IP via Container Apps; that information is in the official documentation itself.
Try this out: create an outbound application rule on the firewall using the below command
az network firewall application-rule create
It will create an outbound rule on the firewall. This rule allows access from the subnet to Azure Container Instances.
HTTP access to the site will be configured through the egress IP address from Azure Container Instances.
I have found one blog; refer to this

Azure Firewall: How to translate Internet URL to Internal/Intranet URL?

I have created the following Vnets
vnet-hub-poc-hubspoke is the Hub Vnet
and both the Vnets are peered as per the HUB-SPOKE model
vnet-hub-poc-hubspoke being a Hub Vnet, it has Azure firewall configured
both the Vnets are connected to Azure Private DNS
Azure Private DNS has a record pointing to the VM deployed on the vnet-prod-poc-hubspoke Vnet
and I could access the FQDN within the internal network
after adding the below rule in Azure Firewall, I could access the website using the firewall public IP
Now, instead of firewall public IP I want to use the domain name like
http://myfirstweb.private.landingzonedomain.com/ (for now, I have updated the hosts file in the client machine pointing to firewall public IP)
what should I do at the azure firewall level so that it would translate Internet URL to Internal/Intranet URL like
http://myfirstweb.private.landingzonedomain.local/
What you want is not possible, because you cannot assign a domain name to your Azure Firewall. What you could do is to create a DNS record at a domain name provider that translates a custom domain to your Azure firewall public IP.
Although I have seen people routing inbound traffic in their vnet, Azure firewall is mainly designed for controlling outbound traffic and traffic flowing between (peered) vnets. When you want to direct inbound traffic to a website or service inside your vnet, you can choose between:
Application Gateway
Frontdoor
Combination of both
All the options above allow you to add custom domains and certificates. On the other hand, when you want to access a virtual machine through rdp or ssh, your main options are:
Bastion host (i.e. jumpbox)
VPN
Cloud Shell

Azure Internal ASE with Firewall

I am running a Linux container as a web app in an internal ASE.
The ASE is deployed to a Vnet (secondary Vnet) which is peered to another Vnet (Primary Vnet) where an Azure firewall exists.
1. I have enabled service endpoints to SQL, Storage, and Event Hub on the ASE subnet.
2. From the Azure Firewall UI > Rules > Application rule collection, set the App Service Environment FQDN Tag and the Windows Update Tag.
3. From the Azure Firewall UI > Rules > Network rule collection, set the ports to 123. Create another rule the same way for port 12000 to help triage any system issues.
4. Create a route table with the management addresses from App Service Environment management addresses with a next hop of Internet, and set 0.0.0.0/0 directed to the network appliance (Firewall internal IP address).
5. Create Application rules to allow HTTP/HTTPS traffic (Note: the address is the IP of the ILB of the Internal ASE, since I can't find an IP for the web app itself).
I don't seem to be able to reach the web app. Any guidance will be appreciated. Is the problem that I created an Internal ASE?
I am trying to isolate the ASE and control external access to it via a firewall.
MS Docs I referenced: https://learn.microsoft.com/en-us/azure/app-service/environment/firewall-integration
Yes, I think it's the problem with internal ASE. Also, the referring document is intended to lock down all egress from the ASE VNet. Inbound management traffic for an ASE can not be sent through a firewall device.
There are a number of inbound dependencies that an ASE has. The inbound management traffic cannot be sent through a firewall device. The source addresses for this traffic are known and are published in the App Service Environment management addresses document. You can create Network Security Group rules with that information to secure inbound traffic.
In addition, since it's an internal ASE, it is deployed in your VNet with an ILB. You cannot directly access its backend web app over the Internet; you need at least a public-facing IP address (external VIP) or another public-facing service (public Azure Application Gateway) in front of it.
It will look like this:
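The two pieces the answer and the referenced firewall-integration document describe for the ASE subnet, as an added Bicep example (not code from the question, the answer or Microsoft's documentation): a route table that sends the published management addresses straight to the Internet while the default route goes to the firewall, and an NSG rule that admits the inbound management traffic from those same addresses. The management addresses below are constructed placeholders that must be replaced with the published list, the firewall private IP 10.0.1.4 is assumed, and TCP 454-455 is the port range the ASE networking documentation lists for v2 management traffic.

```bicep
// Added example, not from the question or answer. Assumptions: 'aseManagementAddresses'
// holds the published App Service Environment management addresses (placeholders
// here), 'firewallPrivateIp' is the Azure Firewall's internal IP, and inbound ASE v2
// management traffic uses TCP 454-455.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'
param aseManagementAddresses array = [
  '198.51.100.10/32' // placeholder
  '198.51.100.11/32' // placeholder
]

// One /32 route per management address with next hop Internet, so replies to
// the platform's inbound management traffic do not get pulled into the firewall.
var mgmtRoutes = [for (addr, i) in aseManagementAddresses: {
  name: 'ase-mgmt-${i}'
  properties: {
    addressPrefix: addr
    nextHopType: 'Internet'
  }
}]

resource aseRoutes 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-ase'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: concat(mgmtRoutes, [
      {
        // Everything else (app egress) is forced through the firewall.
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ])
  }
}

resource aseNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-ase'
  location: location
  properties: {
    securityRules: [
      {
        // Inbound management traffic must reach the ASE directly; it is
        // restricted to the published source addresses instead of being
        // sent through the firewall.
        name: 'AllowAseManagement'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefixes: aseManagementAddresses
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '454-455'
        }
      }
    ]
  }
}
```

Both resources are then associated with the ASE subnet. This still leaves the web app reachable only inside the VNet, as the answer says: the ILB has a private address, so Internet clients need an Application Gateway or another public front end in front of it.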

Azure ASE v2 - restrict network access for app services

I have an ILB ASE v2 with WAF (public IP). The ASE has its subnet where all web apps reside. For obvious security reasons I think I need to lock down access from Internet and leave only HTTPS open. But when I do that I can't see app services info in the portal. So what should my NSG look like for this subnet?
Also, WAF has its own subnet. It doesn't have NSG assigned either. Should it have one?
When you add an NSG to the App Service subnet with Deny All internet traffic, it blocks the portal from fetching information from the App Service. Try adding an NSG rule with greater priority with the source IP as the AzureCloud tag and allow it.
So you are blocking all Internet traffic and allowing Azure IPs for communication.
Let me know if it works.
Here's the resulting rule set for the ASE subnet NSG:
You might want to add HTTP to it if you need it.

Azure App Gateway V2 cannot be configured with NSG

I have provisioned an App Gateway with the WAF V2 SKU. Then, I configured the back-end pool to point to a WebApp and added IP restrictions to allow only traffic from the WAF IP. Then, I am attempting to add an NSG to the provisioned Subnet to further restrict traffic to the Frontend IP address. I am getting an error (see below). Per the Application Gateway FAQ this should be possible, but I am having trouble. Here are the details of the deployment error:
Network security group /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/networkSecurityGroups/BannerCIDRNsg blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/virtualNetworks/dbt-sc-platform-rg/subnets/default, associated with Application Gateway /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/applicationGateways/dbt-sc-appgw. This is not permitted for Application Gateways that have V2 Sku.
The error message displays that you need to add incoming internet traffic on ports 65200 - 65535 to subnet-default in your Network security group-BannerCIDRNsg.
Per Application Gateway FAQ, you can whitelist Application Gateway access to a few source IPs.
This scenario can be done using NSGs on Application Gateway subnet. The following restrictions should be put on the subnet in the listed order of priority:
Allow incoming traffic from source IP/IP range.
Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway V1 SKU and ports 65200 - 65535 for the V2 SKU. This port-range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.
Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the NSG.
Block all other incoming traffic with a Deny all rule.
Allow outbound traffic to the internet for all destinations.
I want to add on #Nancy's answer, that actually, as per the documentation, there is no need to allow traffic from Any protocol. Allowing TCP traffic is enough.
There is also no need to allow traffic from Any source, it is sufficient to allow traffic from GatewayManager service tag.
You must allow incoming Internet traffic on TCP ports 65503-65534 for the Application Gateway v1 SKU, and TCP ports 65200-65535 for the v2 SKU with the destination subnet as Any and source as GatewayManager service tag. This port range is required for Azure infrastructure communication.
So, I created the security rule as follows:
It should also be noted that:
These ports are protected (locked down) by Azure certificates. External entities, including the customers of those gateways, can't communicate on these endpoints.
I was getting the error message "Subnet associated to gateway with v2 sku" when trying to associate a subnet containing a Gateway V2 WAF to an existing NSG.
Strangely though it was no problem navigating to the VNET -> SubNet and after clicking the given SubNet then associating the NSG to that SubNet.
To associate NSG to the subnet containing an application gateway, allow traffic from
source: 'GatewayManager', port: Any to Destination: 'GatewayManager' service tag, Destination port: 65503-65534
Traffic from the AzureLoadBalancer tag with the destination subnet as Any must be allowed.
Note: just be cautious that you don't add a deny rule before these inbound rules, so give them a low priority number, to avoid accidental misconfiguration.
Also,
Outbound Internet connectivity can't be blocked
Reference : https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#network-security-groups
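The rule set the answers above describe for an Application Gateway v2 subnet, as an added Bicep example (not code from any of the answers or from Microsoft's documentation): the GatewayManager exception on TCP 65200-65535, the AzureLoadBalancer and VirtualNetwork allows, the client allow for one source range, and a final deny that catches everything else. No outbound deny is added, since the answers note that outbound Internet connectivity can't be blocked. The allowed client range 203.0.113.0/24 and the gateway subnet 10.0.3.0/24 are constructed values.

```bicep
// Added example, not from the answers: NSG for an Application Gateway v2 / WAF v2
// subnet that only admits client traffic from one allowed range. Assumptions:
// 'allowedClientPrefix' is the range to whitelist and 'appGwSubnetPrefix' is the
// gateway subnet (both constructed values).
param location string = resourceGroup().location
param allowedClientPrefix string = '203.0.113.0/24'
param appGwSubnetPrefix string = '10.0.3.0/24'

resource appGwNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-appgw-v2'
  location: location
  properties: {
    securityRules: [
      {
        // Required by the v2 SKU: infrastructure communication from the
        // GatewayManager tag on TCP 65200-65535. Without this rule the
        // subnet association is rejected with the error quoted in the question.
        name: 'AllowGatewayManager'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '65200-65535'
        }
      }
      {
        // Health probes. The built-in AllowAzureLoadBalancerInBound sits at
        // 65001, so it must be repeated above the explicit deny below.
        name: 'AllowAzureLoadBalancer'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Same reason for VirtualNetwork traffic (built-in rule is at 65000).
        name: 'AllowVirtualNetwork'
        properties: {
          priority: 120
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
      {
        // The only client traffic admitted: HTTPS from the whitelisted range.
        name: 'AllowClientsHttps'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: allowedClientPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: appGwSubnetPrefix
          destinationPortRange: '443'
        }
      }
      {
        // Catch-all deny after the allows; its number is larger than every
        // allow rule above, which is the ordering the answers warn about.
        name: 'DenyAllOtherInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Because the deny rule has source `*`, it would also drop load balancer probes and VNet traffic if the explicit allows above it were removed, so keep all three allows whenever a catch-all deny is present.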