Is there any way to allow-list inbound traffic from a domain name instead of an IP address on my Azure virtual machine?
I want to allow inbound traffic from the DDNS name of my dynamic public IP, to avoid changing the security rules every time my public IP changes. Is there any way to insert a domain name (not an IP address) into the networking rule?
Right now I am unable to find any solution for this.
Many thanks
If you mean whether this is possible for Network Security Groups - No, it is not. NSGs do not have such functionality.
But if you are looking for a solution, you could probably automate this by using an Azure Function/Automation Runbook.
Let the Function/Runbook do an NSLOOKUP and then have the function update the NSG with the IP it gets from that result. Note that I use the word UPDATE and not add. :)
EDIT: Going forward with Runbooks, as it is a slightly smaller step in terms of things to (want to) understand: https://azure.microsoft.com/nl-nl/blog/azure-automation-runbook-management/
When you create the Automation Account, create it with a system identity. After it is created, it will provide you with two default runbooks which already contain some code. The sample code shows you how to authenticate from the runbook against Azure. So you can leave the first bit in the Runbook.
Then add whatever code you need below, for example:
# Example from here: https://tom-henderson.github.io/2016/09/14/azure-runbooks
$uri = '<DNS_ADDRESS_HERE>'
$ipaddress = [System.Net.Dns]::GetHostByName($uri).AddressList.IPAddressToString
# Now you need to grab the NSG which is providing whitelisting for your Azure Virtual Machine: https://docs.microsoft.com/en-us/powershell/module/az.network/get-aznetworksecuritygroup?view=azps-6.6.0
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName '<RG_NAME_HERE>' -Name '<NSG_NAME_HERE>'
# Then update one of the rules: https://docs.microsoft.com/en-us/powershell/module/az.network/set-aznetworksecurityruleconfig?view=azps-6.6.0
# I think with those two example pages you should get what you are looking for.
After you have the runbook working like you need it to, you put a schedule on it to run whenever or however often you want.
Now you should also give the Identity your Runbook has permission to update the NSG, because otherwise it will just tell you it has insufficient permissions. Personally I prefer to make custom roles, so I can limit the permissions to what they need to be. In your case it might be easier to simply do:
Create the role assignment. And you're done.
If you are concerned about permissions, I suggest you read up on RBAC, Azure Resource Provider Operations (not to be confused with Azure AD roles), custom role definitions, and role assignments.
Right now I've prepared something like below:
$uri = '<DDNS_NAME>'
$resolvedIp = [System.Net.Dns]::GetHostByName($uri).AddressList.IPAddressToString
Write-Output ("The IP address is: " + $resolvedIp)
$nsg = Get-AzNetworkSecurityGroup -Name '<MY_NSG_NAME>' -ResourceGroupName '<MY_RESGRP_NAME>'
$nsg | Get-AzNetworkSecurityRuleConfig -Name '<RULE_NAME>'
Set-AzNetworkSecurityRuleConfig -Name '<RULE_NAME>' -NetworkSecurityGroup $nsg -SourceAddressPrefix $resolvedIp
The script executes without errors, but the source address in the NSG stays unchanged. @Marco, do you maybe have any idea where I am wrong?
PS: I've already added all the needed privileges for using the group's resources to the Automation Account.
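A complete version of the runbook the answer sketches, added here as an example (it is not code from the question or the answer): it resolves the DDNS name, rewrites the rule only when the address has actually changed, and commits the modified NSG object back to Azure with Set-AzNetworkSecurityGroup, which is the step the script above leaves out, since Set-AzNetworkSecurityRuleConfig alone only edits the in-memory copy. The placeholder names in angle brackets and the role held by the managed identity are assumptions.

```powershell
# Added example (not from the thread). Angle-bracket placeholders are assumptions.
# Runs in an Azure Automation runbook whose system-assigned managed identity holds a
# role allowing Microsoft.Network/networkSecurityGroups/write on the target NSG.
param(
    [string]$DdnsName      = '<DDNS_NAME>',
    [string]$ResourceGroup = '<MY_RESGRP_NAME>',
    [string]$NsgName       = '<MY_NSG_NAME>',
    [string]$RuleName      = '<RULE_NAME>'
)

$ErrorActionPreference = 'Stop'

# Authenticate as the Automation Account's managed identity (no stored credentials).
Connect-AzAccount -Identity | Out-Null

# Resolve the DDNS name and keep only IPv4 addresses. A dynamic-DNS host should publish
# exactly one A record; anything else is treated as an error rather than guessed at.
$ipv4 = @([System.Net.Dns]::GetHostAddresses($DdnsName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString })
if ($ipv4.Count -ne 1) {
    throw "Expected exactly one IPv4 address for $DdnsName, got: $($ipv4 -join ', ')"
}
$resolvedIp = $ipv4[0]

$nsg  = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
$rule = $nsg | Get-AzNetworkSecurityRuleConfig -Name $RuleName
if (-not $rule) { throw "Rule '$RuleName' not found in NSG '$NsgName'" }

# Idempotent: skip the write (and the activity-log noise it causes) when nothing changed.
$current = @($rule.SourceAddressPrefix) -join ','
if ($current -eq $resolvedIp) {
    Write-Output "Rule '$RuleName' already allows $resolvedIp; nothing to do."
    return
}

# Set-AzNetworkSecurityRuleConfig only edits the $nsg object held in memory, and it takes
# the rule's properties from the parameters you pass, so pass the existing values through.
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $RuleName `
    -Access $rule.Access -Protocol $rule.Protocol -Direction $rule.Direction `
    -Priority $rule.Priority -SourcePortRange $rule.SourcePortRange `
    -DestinationPortRange $rule.DestinationPortRange `
    -DestinationAddressPrefix $rule.DestinationAddressPrefix `
    -SourceAddressPrefix $resolvedIp | Out-Null

# This is the missing step: push the modified NSG back to Azure.
$nsg | Set-AzNetworkSecurityGroup | Out-Null
Write-Output "Rule '$RuleName' source changed from '$current' to '$resolvedIp'"
```

Because the rule is overwritten from the parameters, any property not passed through (for example a description) is cleared; check the rule once after the first scheduled run.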