Restrict inbound traffic to only come through Azure Load Balancer
Please can someone advise how to restrict access on port 80/443 to some Azure VMs, so that they can only be accessed via the public IP address that is associated with an Azure Load Balancer.

Our current setup has load balancing rules passing traffic through from the public IP on 80=>80 and 443=>443 to a back end pool of 2 VMs. We have a health probe set up on port 80. Session persistence is set to client IP and floating IP is disabled.
I thought the answer was to deny access (via Network Security Group) to the Internet service tag on 80/443, then add a rule to allow the AzureLoadBalancer service tag on the same ports. But that didn't seem to have an effect.

Having read up a little more on this, it seems the AzureLoadBalancer tag is only there to allow the health probe access and not specifically inbound traffic from that load balancer.
I have also tried adding rules to allow the public IP address of the load balancer, but again no effect.
I was wondering if I need to start looking into Azure Firewall, and somehow restrict access to inbound traffic that comes through that?

The only way I can get the VMs to respond on those ports is to add rules allowing 80/443 from any to any...
After reading your question, my understanding is that you have a public load balancer and the backend VMs also have instance-level public IPs associated with them, hence direct inbound access to the VMs is possible. But you would like to make sure that inbound access to the VMs is possible only via the load balancer.

The simple solution for you to achieve this is to disassociate the instance-level public IP of the VMs; this will make the LB public IP the only point of contact for your VMs. Keep in mind that the LB is not a proxy; it is just a layer 4 resource that forwards traffic, so your backend VM will still see the source IP of the clients and not the LB IP. Hence, you will still need to allow the traffic at the NSG level using "Any" as the source.
However, if your requirement is to enable outbound connectivity from the Azure VMs while avoiding SNAT exhaustion, I would advise you to create a NAT Gateway, where you can assign multiple public IP addresses for SNAT, and remove the public IP from the VM. This setup will make sure that inbound access is provided by the public load balancer only and outbound access is provided by the NAT gateway, as shown below:

Refer: https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource#nat-and-vm-with-standard-public-load-balancer
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/tutorial-nat-gateway-load-balancer-public-portal
You could also configure port forwarding in Azure Load Balancer for the RDP/SSH connections to individual instances.

Refer: https://docs.microsoft.com/en-us/azure/load-balancer/manage#-add-an-inbound-nat-rule
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal
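The answer above as an Azure CLI script (added example, not part of the original answer or of any Microsoft sample): detach the instance-level public IP from each backend NIC, allow 80/443 from the Internet tag at the NSG (the LB preserves the client source IP, so an AzureLoadBalancer-only rule cannot work), add a NAT Gateway for egress, and replace per-VM admin access with LB inbound NAT rules. All resource names (rg-web, nic-web-1, nsg-web, lb-web, natgw-web, and so on) are placeholders, and it assumes a Standard SKU load balancer, which the linked NAT Gateway article requires.

```shell
#!/bin/sh
# Added example, not from the original post. Names are placeholders; AZ=echo dry-runs.
set -eu
AZ=${AZ:-az}; RG=${RG:-rg-web}; VNET=${VNET:-vnet-web}; SUBNET=${SUBNET:-snet-web}
NSG=${NSG:-nsg-web}; LB=${LB:-lb-web}; FRONTEND=${FRONTEND:-LoadBalancerFrontEnd}
NICS=${NICS:-"nic-web-1 nic-web-2"}; IPCFG=${IPCFG:-ipconfig1}

# 1. Drop the instance-level public IP so the LB frontend is the only inbound path.
detach_instance_pip() {
  $AZ network nic ip-config update --resource-group "$RG" --nic-name "$1" \
    --name "$IPCFG" --remove PublicIpAddress
}

# 2. The LB is layer 4 and preserves the client source IP, so the NSG must admit
#    80/443 from Internet. The default AllowAzureLoadBalancerInBound rule already
#    covers the health probe and DenyAllInBound drops everything else.
allow_web_inbound() {
  $AZ network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name AllowWebInbound --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes Internet --destination-port-ranges 80 443
}

# 3. Outbound egress via NAT Gateway, so no VM needs its own public IP for SNAT.
attach_nat_gateway() {
  $AZ network public-ip create --resource-group "$RG" --name pip-natgw --sku Standard \
    --allocation-method Static
  $AZ network nat gateway create --resource-group "$RG" --name natgw-web \
    --public-ip-addresses pip-natgw --idle-timeout 10
  $AZ network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --nat-gateway natgw-web
}

# 4. Admin access (SSH/RDP) via an LB inbound NAT rule: $1=NIC $2=frontend port $3=backend port
add_inbound_nat_rule() {
  $AZ network lb inbound-nat-rule create --resource-group "$RG" --lb-name "$LB" \
    --name "nat-$1-$3" --protocol Tcp --frontend-port "$2" --backend-port "$3" \
    --frontend-ip-name "$FRONTEND"
  $AZ network nic ip-config inbound-nat-rule add --resource-group "$RG" --nic-name "$1" \
    --ip-config-name "$IPCFG" --lb-name "$LB" --inbound-nat-rule "nat-$1-$3"
}

restrict_to_lb() {            # apply all four steps to every backend NIC
  port=50001
  for nic in $NICS; do
    detach_instance_pip "$nic"; add_inbound_nat_rule "$nic" "$port" 22; port=$((port + 1))
  done
  allow_web_inbound; attach_nat_gateway
}
if [ "${APPLY:-0}" = 1 ]; then restrict_to_lb; fi
```

Run with `AZ=echo APPLY=1 sh restrict.sh` first to review the exact commands, then with `APPLY=1` after `az login`; use backend port 3389 instead of 22 for Windows VMs.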