Azure NSG 私有 IP 配置(白名单)Vnet 到 Vnet 通信
[英]Azure NSG Private IP Congfiguration (WhiteList)Vnet to Vnet communication
问题描述
I have situation where I want to open my Vnet(lets say Vnet1) for other Vnets (which has private IP range defined ), I am thinking to use NSG rules and allow private IP ranges of other Vnets (lets say Vnet2, Vnet3) to this entry point Subnet(in Vnet1) which host my API gateway.
我有一种情况,我想为其他 Vnet(定义了私有 IP 范围)打开我的 Vnet(比如说 Vnet1),我正在考虑使用 NSG 规则并允许其他 Vnet 的私有 IP 范围(比如说 Vnet2、Vnet3)这个入口点子网(在 Vnet1 中)托管我的 API 网关。 I have two questions:我有两个问题:
I assume it should be feasible using private IP addresses and allowing them using NSG (of Vnet 1/Subnet 1)?
我认为使用私有 IP 地址并允许它们使用 NSG(Vnet 1/子网 1)应该是可行的? I am not looking for peering/s2s vpn of Vnet as both belongs to separate teams and Vnet2/Vnet3 just wanted to access APis of Vnet1 using Api gateway.我不是在寻找 Vnet 的对等/s2s vpn,因为它们都属于不同的团队,而 Vnet2/Vnet3 只是想使用 Api 网关访问 Vnet1 的 API。Is there any security issues which we foresee, I assume it safe to expose since these are private IPs and can not be accesses from internet.
是否有我们预见到的任何安全问题,我认为暴露是安全的,因为这些是私有 IP,不能从互联网访问。
Please let me know opinion on feasibility and security.请让我知道关于可行性和安全性的意见。
Thanks Xslguy谢谢 Xslguy
1 个解决方案
解决方案1
1 已采纳 2021-04-06 09:28:16
To help others who might find the same scenario, just extract the useful information in the comment and write my answer.为了帮助可能找到相同场景的其他人,只需在评论中提取有用信息并写下我的答案。
An Azure VNet is a logical isolation of Azure cloud dedication to your subscription. Azure VNet 是 Azure 云专用于您的订阅的逻辑隔离。 VNet peering allows traffic between two VNets is routed through Microsoft's private network only. VNet 对等互连允许两个 VNet 之间的流量仅通过 Microsoft 的专用网络进行路由。 If the VNETs haven't peered, vnet1 will not connect to resources in vnet2 by using private IP but using the public IP of the resources in vnet2.如果 VNET 没有对等互连,则 vnet1 将不会使用私有 IP 连接到 vnet2 中的资源,而是使用 vnet2 中资源的公共 IP 连接到资源。 In this case, we need to restrict the source public IP for the inbound rules in the NSG attached to the subnet.在这种情况下,我们需要为附加到子网的 NSG 中的入站规则限制源公共 IP。 With VNet peering, you also could restrict the access from one subnet to another subnet by using source private IP for the inbound rules in the NSG attached to the subnet.通过 VNet 对等互连,您还可以将源私有 IP 用于附加到子网的 NSG 中的入站规则,从而限制从一个子网到另一个子网的访问。
From Security rules :从安全规则:
If you specify an address for an Azure resource, specify the private IP address assigned to the resource.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.