
Azure Firewall Architecture

I have a project where I need to deploy an Azure Firewall, so there are some questions of better practice that I need to resolve before.

  • Is it correct that App Gateway or API Management Service be inside an NSG? Would this cause any issue?
  • App Gateway and API Management are exposed services. Do those services need to be out of AZ FW scope? (asymmetric routing problem)


I hope you could help me. Regards.

Is it correct that App Gateway or API Management Service be inside an NSG? Would this cause any issue?

Using Application Gateway or API Management service inside network security groups (NSGs) is supported. For the Application Gateway v1 SKU, you should allow incoming Internet traffic on TCP ports 65503-65534, and for the v2 SKU, you can allow incoming Internet traffic on TCP ports 65200-65535, with the source subnet set to Gateway Manager and the destination subnet set to Any.

Azure certificates are used to secure these ports. These endpoints are not able to communicate with external parties, including the gateways' users.

The NSG's default outbound policies permit Internet connectivity. I would suggest:

  • Keep the outbound default rules in place; don't remove them.
  • Do not add any further outbound rules that prohibit any outbound connectivity.

Behind the NSG could be API Management services. When a user wants to restrict or allow some ports, the NSG can raise an action after pulling that specific resource's address from the public Internet. If you're using a large scale of hardware, a network virtual services firewall can be used.

Alternatively, in your scenario you can remove the NSG and deploy the application gateway behind the firewall, then distribute the traffic through API Management services accordingly.

App Gateway and API Management are exposed services. Do those services need to be out of AZ FW scope? (asymmetric routing problem)

Yes, App Gateway and API Management are exposed services. But these services are also protected accordingly; please check Protect APIs with Azure Application Gateway and Azure API Management, and also see Azure Firewall.
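One way to check an NSG against the v2 port requirement and the outbound advice in the answer above, as an added example that is not part of the answer: it reads rules in the ARM `securityRules` JSON shape (an assumption about the input format), and the sample rule sets at the bottom are constructed for illustration.

```python
# Added check (not from the answer): does an NSG rule set meet the Application
# Gateway v2 subnet requirements above? Inbound TCP 65200-65535 must be allowed
# from the GatewayManager service tag, and no custom outbound Deny rule may
# override the default outbound rules. Rules use the ARM `securityRules` shape.
V2_MGMT_PORTS = (65200, 65535)  # the v1 SKU would use (65503, 65534)

def _port_ranges(props):
    """Yield (low, high) tuples for a rule's destination port(s)."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            yield (0, 65535)
        elif "-" in r:
            lo, hi = r.split("-", 1)
            yield (int(lo), int(hi))
        else:
            yield (int(r), int(r))
def _covers(props, lo, hi):
    return any(a <= lo and hi <= b for a, b in _port_ranges(props))

def check_appgw_v2_nsg(rules):
    """Return a list of findings; an empty list means the NSG passes.
    Simplified: only rules covering the whole management port block count,
    evaluated by ascending priority with first match winning (as NSGs do)."""
    findings, decision = [], None
    ordered = sorted(rules, key=lambda r: r["properties"]["priority"])
    for r in ordered:
        p = r["properties"]
        if p["direction"] != "Inbound" or p.get("protocol", "*") not in ("Tcp", "*"):
            continue
        if p.get("sourceAddressPrefix") in ("GatewayManager", "*") and _covers(p, *V2_MGMT_PORTS):
            decision = (r["name"], p["access"])
            break
    if decision is None:
        findings.append("no inbound rule for GatewayManager TCP 65200-65535; default DenyAllInBound applies")
    elif decision[1] != "Allow":
        findings.append(f"rule {decision[0]!r} denies GatewayManager TCP 65200-65535")
    for r in ordered:  # any custom outbound Deny breaks the gateway's outbound reachability
        p = r["properties"]
        if p["direction"] == "Outbound" and p["access"] == "Deny":
            findings.append(f"custom outbound Deny rule {r['name']!r} overrides the default outbound rules")
    return findings
# Constructed sample rules (not from the page): one compliant set and one that is not.
SAMPLE_OK = [{"name": "AllowGatewayManager", "properties": {
    "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
    "sourceAddressPrefix": "GatewayManager", "destinationPortRange": "65200-65535"}}]
SAMPLE_BAD = [{"name": "DenyAllOutbound", "properties": {
    "priority": 4000, "direction": "Outbound", "access": "Deny", "protocol": "*",
    "sourceAddressPrefix": "*", "destinationPortRange": "*"}}]
```

Feed it the `securityRules` array from `az network nsg show` output to check a real NSG; `SAMPLE_OK` yields no findings and `SAMPLE_BAD` yields two.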
