Application Gateway restrict by IP

We have a cluster of VMs in Azure exposing some internal APIs. To be more secure we are using Application Gateway to have SSL offload. But we would also like to restrict the external IPs that can access these APIs. Is there a way to allow only a range of IPs to connect through an Application Gateway?

Thanks.

Q. Are Network Security Groups supported on the Application Gateway subnet?
Network Security Groups are supported on the Application Gateway subnet, but exceptions must be put in for ports 65503-65534 for backend health to work correctly. Outbound internet connectivity should not be blocked.

So just create a network security group on the subnet of the NSG and restrict IPs. A network security group is basically a firewall.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg

I will add, for those seeing this question in 2020, that the port range is different for the V1 sku compared to the V2 application gateway sku.

If you wish to add a Network Security Group to the subnet in which your application gateway resides, you'll need to permit all inbound traffic for the following port ranges:

V1: 65503-65534

V2: 65200-65535

For reference, the Azure Portal will throw the following error if you attempt to assign an NSG to the application gateway subnet without first permitting the required port ranges (my details have been removed).

Failed to save subnet 'xxxxxxxxxx'. Error: 'Network security group xxxxxxxxxx/providers/Microsoft.Network/networkSecurityGroups/'. xxxxxxxxxx blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxx/subnets/xxxxxxxxxx, associated with Application Gateway /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/applicationGateways/xxxxxxxxxx. This is not permitted for Application Gateways that have V2 Sku.'

General instructions:

  1. Create your Network Security Group. Ensure you create two incoming rules: (1) to allow all incoming traffic for the applicable port range as defined above, and (2) to allow your necessary application ports, such as 80 and 443, which are the standard HTTP and HTTPS traffic ports. This, of course, should match whatever rule/listener configuration you have on your application gateway.
  2. From the Virtual Networks blade, select your applicable virtual network, then choose Subnets from the sidebar. Then, select your applicable subnet and a configuration panel should appear, which will allow you to assign your NSG to your subnet.

I'll further call attention to a couple of tips that might help.

  1. For the purpose of managing public IP traffic, applying a Network Security Group to the virtual machines defined in your backend pool(s) will not work. Traffic routed to your VMs comes from your application gateway, so the source addresses will of course be the IPs of the instances associated with your application gateway, and not the public-facing client IPs you're likely trying to target.
  2. If you're testing a policy, perhaps with your own public IP, it's important to note that this will not be reflected if you are trying to access your application from an existing browser session. Calls will continue to work until you either completely close your browser or otherwise use incognito.
  3. Assigning a Network Security Group to your application gateway can be performed safely, as it will not cause downtime (unless you forget to create your inbound application rules).
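As an added example that is not part of any answer above: a small Python model of NSG inbound rule evaluation that builds the rule set the second answer describes (the SKU's infrastructure port range open to any source, application ports only from an allowed client range) and pre-checks, before assignment, the condition behind the portal error quoted above. Rule names, the sample CIDRs and the simplified evaluation model (priority order, first match wins, platform default deny) are assumptions; service tags and other platform default rules are not modelled.

```python
import ipaddress

# Inbound port ranges the Application Gateway subnet must leave open (from the answer above).
REQUIRED_PORTS = {"V1": (65503, 65534), "V2": (65200, 65535)}


def build_nsg_rules(allowed_clients, sku, app_ports=(80, 443)):
    """Inbound rule set: infrastructure range open to any source, application ports only
    from the allowed client CIDRs. Lower priority number is evaluated first."""
    lo, hi = REQUIRED_PORTS[sku]
    rules = [{"name": "AllowAppGwInfra", "priority": 100, "access": "Allow",
              "source": "*", "ports": [(lo, hi)]}]
    for i, cidr in enumerate(allowed_clients):
        rules.append({"name": f"AllowClient{i}", "priority": 200 + i, "access": "Allow",
                      "source": cidr, "ports": [(p, p) for p in app_ports]})
    return rules


def rule_matches(rule, src_ip, port):
    src_ok = rule["source"] == "*" or \
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["source"], strict=False)
    return src_ok and any(lo <= port <= hi for lo, hi in rule["ports"])


def evaluate(rules, src_ip, port):
    """First matching rule in ascending priority order decides; with no match, the
    platform's default DenyAllInbound rule applies (simplified model)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, src_ip, port):
            return rule["access"]
    return "Deny"


def infra_ports_open(rules, sku):
    """Pre-flight for the portal error quoted above: every port of the SKU's range must
    be allowed from an arbitrary (constructed) internet address."""
    lo, hi = REQUIRED_PORTS[sku]
    return all(evaluate(rules, "203.0.113.10", p) == "Allow" for p in range(lo, hi + 1))


if __name__ == "__main__":
    # Constructed sample: one allowed office range, V2 gateway.
    rules = build_nsg_rules(["198.51.100.0/24"], "V2")
    print(evaluate(rules, "198.51.100.7", 443))   # Allow: inside the permitted range
    print(evaluate(rules, "192.0.2.9", 443))      # Deny: any other public client
    print(infra_ports_open(rules, "V2"))          # True
```

Note that a rule set built for V1 fails the V2 pre-check, which is exactly the case the quoted portal error rejects.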
