
Azure IMDS: firewall rules to give access only to local system admin to get managed identity token

We have our application running on an Azure VM. This application has three Windows services that query a SQL Managed Instance using a user-assigned managed identity. These services run as the Local System account.

Now, we want to make sure that only these services, which are part of our application, can query the SQL Managed Instance, and that other applications running on that VM do not have access to it. I found that we need to create firewall rules for the Azure IMDS. I want to know how to create a firewall rule that only allows the Local System account to query the IMDS.

The exact details will vary depending on the firewall you are using, but in general yes, you can use the in-guest firewall to restrict access to IMDS. In fact, there is another service using the IP 168.63.129.16 that, by default in Azure images, is only accessible by admin processes via a firewall restriction.

I'm not familiar with authoring Windows firewall rules, but I would suggest looking them up broadly ("Restrict IP access to admin only" or something to that effect) or trying to copy whatever the rule looks like for that other Azure service.

A couple of things to note as you go through this process:

  1. Firewalls are an extremely fragile way to gate access to this resource. It can be done, but it's also very easy to mess up. Exploits have been found in workloads that don't do it properly. You have to consider all lifecycle chains, as the access defaults to open, and it's easy to unintentionally bypass the firewall in workloads such as nested virtualization. If this is all defense in depth, it's less of an issue. If you're aiming to run untrusted code in your VM, you need to be extremely careful and do threat modeling to have any degree of confidence in this solution.
  2. The IMDS IP routing is "magic", since it's an unroutable IP address. You are trying to change access to a rule that Azure will attempt to manage for you at provision time, so you can run into conflicts. If you mess up the rule, IMDS will become entirely inaccessible. Consider adding an additional, more restrictive rule rather than trying to edit the one Azure creates for you.

In summary, you can do this. There are many things hosted on Azure that do, but there are many pitfalls, both in terms of security and availability. Just make sure you're treating it with due diligence.
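One concrete way to apply the answer's advice (add a separate, more restrictive rule and leave the Azure-provisioned one alone), written as an added example rather than code from the question or the answer. It assumes Windows Defender Firewall on an Azure Windows VM, uses the documented IMDS address 169.254.169.254 and the documented token endpoint, and treats the rule name, the choice of Local System (SID S-1-5-18) as the only exception, and the `Test-ImdsToken` helper as illustration-only assumptions.

```powershell
# Added example (not from the question or answer): block outbound access to the
# Azure IMDS for every local principal except Local System (SID S-1-5-18).
# Assumptions: Windows Defender Firewall, run from an elevated PowerShell session.

$imdsIp   = '169.254.169.254'                 # documented Azure IMDS address
$ruleName = 'Block IMDS except LocalSystem'   # assumed rule name

# Authorized-users SDDL for the rule. A Deny ACE (D;;CC;;;SID) in this list is an
# exception: the rule does NOT apply to that principal. The Allow ACE for Everyone
# (WD) makes the block rule match every other local principal. Windows Firewall
# evaluates Block rules before Allow rules, so a single Block rule with an
# exception is used instead of "block all + allow SYSTEM", which would not work.
$sddl = 'O:LSD:(D;;CC;;;S-1-5-18)(A;;CC;;;WD)'

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol TCP -RemoteAddress $imdsIp -RemotePort 80 `
        -LocalUser $sddl -Profile Any | Out-Null
}

# Review every rule that already targets the IMDS address (including the one
# Azure provisions) without editing it, so conflicts are visible before reboot.
Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -contains $imdsIp } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled

# Verification helper (assumed name): returns $true if a managed identity token
# for the Azure SQL audience can be fetched from the calling process's context.
# Expected: $false from a normal user or admin shell, $true from a Local System
# process (for example one of the three services).
function Test-ImdsToken {
    param([string]$Resource = 'https://database.windows.net/')   # documented Azure SQL audience
    $uri = "http://$imdsIp/metadata/identity/oauth2/token?api-version=2018-02-01" +
           "&resource=$([uri]::EscapeDataString($Resource))"
    try {
        $r = Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -TimeoutSec 5
        return [bool]$r.access_token
    } catch {
        return $false
    }
}

Test-ImdsToken
```

Run `Test-ImdsToken` once from an ordinary session and once from a Local System context (for example via a scheduled task or one of the services) to confirm the rule blocks exactly what you intend; if the Local System call also fails, the exception SID in the SDDL is the first thing to check. The rule scopes on the process token, not on the executable, so every Local System process on the VM (not only the three services) keeps IMDS access; tightening further to specific binaries would mean adding `-Program` to the rule, at the cost of the fragility the answer warns about.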

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license. If you need to repost, please credit this site or the original source. For any questions, contact: yoyou2525@163.com.