[英]Application Gateway restrict by IP
We have a cluster of VM in azure exposing some internal API's.我们有一个 azure 的 VM 集群,暴露了一些内部 API。 To do more secure we are using Application Gateway to have ssl offload.
为了更安全,我们使用应用程序网关来卸载 ssl。 But also we would like to restrict the external IP's that can access to this API's.
但我们也想限制可以访问此 API 的外部 IP。 Is there a way to allow only a range of IP's to connect through and Application Gateway?
有没有办法只允许一定范围的 IP 通过应用程序网关连接?
Thanks.谢谢。
Q. Are Network Security Groups supported on the Application Gateway subnet?问:应用程序网关子网是否支持网络安全组?
Network Security Groups are supported on the Application Gateway subnet, but exceptions must be put in for ports 65503-65534 for backend health to work correctly.应用程序网关子网支持网络安全组,但必须为端口 65503-65534 设置例外,以便后端运行正常。 Outbound internet connectivity should not be blocked.
不应阻止出站互联网连接。
So just create a network security group on the subnet of the NSG and restrict IP's.因此,只需在 NSG 的子网上创建一个网络安全组并限制 IP。 Network security group is basically a firewall.
网络安全组基本上是一个防火墙。
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg
I will add, for those seeing this question in 2020, that the port range is different for the V1 sku compared to V2 application gateway sku.对于那些在 2020 年看到此问题的人,我要补充一点,与V2应用程序网关 sku 相比, V1 sku 的端口范围是不同的。
If you wish to add a Network Security Group to the subnet which your application gateway resides, you'll need to permit all inbound traffic for the following port ranges:如果您希望向应用程序网关所在的子网添加网络安全组,则需要允许以下端口范围的所有入站流量:
V1: 65503-65534
V1:
65503-65534
V2: 65200-65535
V2:
65200-65535
For reference, the Azure Portal will throw the following error if you attempt to assign a NSG to the application gateway subnet, without first permitting the required port ranges (my details have been removed).作为参考,如果您尝试将 NSG 分配给应用程序网关子网,而没有首先允许所需的端口范围(我的详细信息已被删除),Azure 门户将引发以下错误。
Failed to save subnet 'xxxxxxxxxx'.
未能保存子网“xxxxxxxxxx”。 Error: 'Network security group xxxxxxxxxx/providers/Microsoft.Network/networkSecurityGroups/'.
错误:“网络安全组 xxxxxxxxxx/providers/Microsoft.Network/networkSecurityGroups/”。 xxxxxxxxxx blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxx/subnets/xxxxxxxxxx, associated with Application Gateway /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/applicationGateways/xxxxxxxxxx.
xxxxxxxxxx 阻止端口 65200 - 65535 上的传入 Internet 流量到子网 /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxx/subnets/xxxxxxxxxx,与应用程序网关 /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/关联Microsoft.Network/applicationGateways/xxxxxxxxxx。 This is not permitted for Application Gateways that have V2 Sku.'
具有 V2 Sku 的应用程序网关不允许这样做。
General instructions:一般说明:
80
and 443
, which are standard HTTP and HTTPS traffic ports.80
和443
,它们是标准 HTTP 和 HTTPS 流量端口. This of course, should match whatever rule/listener configuration you have on your application gateway. I'll further call attention to a couple tips that might help.我将进一步提请注意一些可能有帮助的提示。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.