
Azure VNets: "Evaluation Order" of NSGs and UDRs

We're building a Hub & Spoke network in Azure with NSGs at the spoke networks' subnets. Now we'd like to allow a workload in one of the spokes to make outbound connections to a destination on the internet (TCP, 443). The traffic shall be sent through an NVA in the hub network.

The UDR of the spoke's subnet is configured like this:

Address Prefix: 0.0.0.0/0, Next Hop Type: Virtual Appliance, Next Hop: <IP of Firewall>

How do we need to configure the NSG's outbound rules in this particular scenario?

a) Allow, Source: Virtual Network, Destination: Virtual Network

b) Allow, Source: Virtual Network, Destination: IP Addresses, Destination IP: <IP of Firewall>

c) Allow, Source: Virtual Network, Destination: Any

IMO a) and b) would mean that the UDR is "evaluated" first, while option c) would mean that the NSG is applied before the routing takes place.

I very much appreciate your help and/or links to some documentation on this topic that I wasn't able to find so far.

• According to what you have asked with regards to the priority of consideration by the Azure Network Resource Management fabric and its design by default, the first priority will be given to the UDR (User Defined Rule) in which the source and destination IP addresses are correctly defined between the virtual networks, even if a network virtual appliance is used for forwarding the traffic in between them, because when a virtual network is created, Azure automatically creates routes for every subnet defined during its creation. Thus, when routes are created, the first and priority routes are created and implemented for address ranges that are defined address spaces within the same virtual network, hence implying that by design, the default evaluation priority is given to those UDRs whose source and destination reachable valid IP addresses are correctly defined, if their priority is not set by the user. Please refer to the below workflow diagram for a good understanding:

[UDR workflow diagram]

• Thus, as per your post, you have asked the evaluation priority for the below UDRs:

a) Allow, Source: Virtual Network, Destination: Virtual Network

b) Allow, Source: Virtual Network, Destination: IP Addresses, Destination IP: <IP of Firewall>

c) Allow, Source: Virtual Network, Destination: Any

Of the above, the second (b) formatted UDR will be evaluated as 'first' in priority, then the first UDR (a) in priority, and then the third (c) UDR, as it is defined for any IP address originating from the virtual network without any defined destination.

• Hence, accordingly, you should go with creating the UDRs in the second (b) format, as it will by default get prioritized and 'evaluated' correctly by Azure. For more information regarding this topic, kindly refer to the documentation links below:

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default

http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
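An added example, not part of the question or the answer above, that models the two lookups the thread is about as separate mechanisms, which is how the Azure route-table documentation linked above describes them: the route table picks the longest matching prefix for the packet's destination (a user-defined route wins over a system route of the same prefix), and the NSG walks its outbound rules in ascending priority order and matches each one against the packet's own source and destination addresses. All addresses (spoke 10.1.0.0/24, hub 10.0.0.0/24, firewall 10.0.0.4, internet host 203.0.113.10) and the extra `DenyOutboundByDefault` rule are constructed for the illustration; the three default outbound rules are Azure's standard ones, and the service-tag matching is a simplified model.

```python
"""Model of how an Azure NSG and a route table each see the same outbound packet."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (assumptions, not from the question): spoke 10.1.0.0/24,
# hub 10.0.0.0/24, NVA/firewall 10.0.0.4, internet destination 203.0.113.10.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.1.0.0/24")]
_RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL_IP = "10.0.0.4"


@dataclass
class Route:
    prefix: str
    next_hop_type: str
    next_hop: Optional[str] = None
    source: str = "User"  # "User" (UDR) or "Default" (system route)


@dataclass
class NsgRule:
    name: str
    priority: int
    access: str       # "Allow" or "Deny"
    source: str       # service tag, "*", single IP or CIDR
    destination: str  # service tag, "*", single IP or CIDR
    dest_port: str = "*"
    protocol: str = "*"


def select_route(routes, dst_ip):
    """Longest-prefix match; a user route beats a system route with the same prefix."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.source == "User"))


def _addr_matches(spec, ip_str):
    """Simplified service-tag model: VirtualNetwork = the VNet prefixes, Internet = public space."""
    ip = ipaddress.ip_address(ip_str)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return any(ip in p for p in VNET_PREFIXES)
    if spec == "Internet":
        return not any(ip in p for p in VNET_PREFIXES + _RFC1918)
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate_nsg(rules, src_ip, dst_ip, dst_port, protocol):
    """Rules are checked in ascending priority; the first match decides the packet."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol) or r.dest_port not in ("*", str(dst_port)):
            continue
        if _addr_matches(r.source, src_ip) and _addr_matches(r.destination, dst_ip):
            return r.access, r.name
    return "Deny", "implicit"


# Azure's standard default outbound rules (priorities 65000-65500).
DEFAULT_OUTBOUND = [
    NsgRule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork"),
    NsgRule("AllowInternetOutBound", 65001, "Allow", "*", "Internet"),
    NsgRule("DenyAllOutBound", 65500, "Deny", "*", "*"),
]
# Constructed: a locked-down spoke typically adds its own deny-all below the allow rules.
DENY_CUSTOM = NsgRule("DenyOutboundByDefault", 4000, "Deny", "*", "*")

# System routes plus the UDR from the question (0.0.0.0/0 -> Virtual Appliance).
ROUTES = [
    Route("10.1.0.0/24", "VnetLocal", source="Default"),
    Route("10.0.0.0/24", "VNetPeering", source="Default"),
    Route("0.0.0.0/0", "Internet", source="Default"),
    Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP),
]

# The three candidate NSG rules a), b), c) from the question, at priority 100.
OPTIONS = {
    "a": NsgRule("a", 100, "Allow", "VirtualNetwork", "VirtualNetwork", "443", "Tcp"),
    "b": NsgRule("b", 100, "Allow", "VirtualNetwork", FIREWALL_IP, "443", "Tcp"),
    "c": NsgRule("c", 100, "Allow", "VirtualNetwork", "*", "443", "Tcp"),
}


def outcome(option, src_ip="10.1.0.4", dst_ip="203.0.113.10", dst_port=443,
            protocol="Tcp", locked_down=True):
    """Return (nsg_access, matched_rule, route_next_hop_type, route_next_hop)."""
    rules = [OPTIONS[option]] + ([DENY_CUSTOM] if locked_down else []) + DEFAULT_OUTBOUND
    access, name = evaluate_nsg(rules, src_ip, dst_ip, dst_port, protocol)
    route = select_route(ROUTES, dst_ip)
    return access, name, route.next_hop_type, route.next_hop


if __name__ == "__main__":
    for opt in "abc":
        print(opt, outcome(opt))
```

Running `outcome("a")`, `outcome("b")` and `outcome("c")` shows that the route lookup is the same in all three cases (0.0.0.0/0 via the appliance at 10.0.0.4), while on the NSG side only rule c) matches the packet to the internet host: the firewall address appears only as the route's next hop, never as the packet's destination, so rule b) matches only when the firewall itself is the destination (`outcome("b", dst_ip="10.0.0.4")`). With nothing but the default rules (`locked_down=False`), `AllowInternetOutBound` at priority 65001 already permits the traffic, which is worth checking before concluding that a custom rule is needed at all.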
