[英]Azure IMDS: firewall rules to give access only to local system admin to get managed identity token
We have our application running on an Azure VM.我们的应用程序在 Azure VM 上运行。 this application has three windows services that queries a sql managed instance using a user-managed identity.
此应用程序具有三个 Windows 服务,它们使用用户管理的身份查询 sql 托管实例。 These services run as local system account.
这些服务作为本地系统帐户运行。
Now, we want to make sure that only these services which are part of our application can query the sql managed instance and other applications running on that VM should not have access to the sql managed instance.现在,我们要确保只有属于我们应用程序的这些服务才能查询 sql 托管实例,并且在该 VM 上运行的其他应用程序不应访问 sql 托管实例。 I found that we need to create fire wall rules for the Azure IMDS.
我发现我们需要为 Azure IMDS 创建防火墙规则。 I want to know how to create firewall rule that only provides access to local system account to query the IMDS?
我想知道如何创建仅提供访问本地系统帐户以查询 IMDS 的防火墙规则?
The exact details will vary depending on the firewall you are using, but in general yes you can use the in guest firewall to restrict access to IMDS.确切的细节会因您使用的防火墙而异,但通常是的,您可以使用来宾防火墙来限制对 IMDS 的访问。 In fact, there is another service using the IP 168.63.129.16 that by default in Azure images is only accessible by admin processes via a firewall restriction.
事实上,还有另一个使用 IP 168.63.129.16 的服务,在 Azure 映像中默认情况下只能由管理员进程通过防火墙限制访问。
I'm not familiar with authoring Windows firewall rules, but I would suggest looking them up broadly ("Restrict IP access to admin only" or something to that effect) or trying to copy whatever the rule looks like for that other Azure service.我不熟悉编写 Windows 防火墙规则,但我建议广泛查找它们(“仅限制对管理员的 IP 访问”或类似的内容)或尝试复制其他 Azure 服务的规则。
A couple things to note as you go through this process:在完成此过程时需要注意以下几点:
In summary, you can do this.总之,你可以做到这一点。 There are many things hosted on Azure that do, but there are many pitfalls both in terms of security and availability.
Azure 上托管了很多东西,但在安全性和可用性方面都存在许多缺陷。 Just make sure you're treating it with due diligence.
只要确保您以尽职调查的方式对待它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.