Is it possible to restrict ingress and egress traffic between front end and back end Azure IaaS VMs strictly at the network level?
I would like to create an extra-paranoid hub-and-spoke DMZ setup on Azure using IaaS VMs.

I have a public internet-facing front end server (i.e. an IIS web server) that I'd like to severely lock down. However, the front end requires access to some back end servers (i.e. a database, a domain controller, etc.). I want to ensure:

This seems like a reasonable scenario, but I can't seem to achieve it on Azure. The closest I've been able to do is:

This works OK but it's not as locked down as I'd like. I really want to have defense-in-depth so that I don't have to rely on Windows/Linux firewall settings on each machine. For example, let's say that a back end server must run an application with administrator credentials (assume there are no alternatives to this). I want an extra layer of protection such that a bug (or a malicious query) on the back end server could not:

As far as I can tell, this isn't possible on Azure using the Virtual Networking because:

Am I missing something? It seems like I might be able to hack something together using multiple virtual networks and VPN them together as a bunch of /30 subnets, but that seems quite awful. If I can't figure this out on Azure it seems my only reasonable alternative is to try to set up something like this on AWS using Virtual Private Cloud (VPC).

Any help/guidance would be appreciated.
As of Nov 2015 it's now possible to deliver what you're asking for, albeit in IaaS v2.

Firewall-like rules, limited to address ranges, ports and protocols, can be delivered via Network Security Groups (NSGs). This is documented quite well on Microsoft's site: What is a Network Security Group (NSG)?

You can now also create VMs with multiple NICs (again, IaaS v2); however, be aware that you may be required to increase your VM size in order to add more than one. Again, there's a reasonable article explaining it in detail here: Create a VM with multiple NICs
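To make the NSG answer concrete, here is an added example (not part of the original answer and not Microsoft's code) that simulates how NSG rules are evaluated for the front end / back end split the question describes: rules are checked in ascending priority order, the first match wins, and every NSG carries default rules at priorities 65000 to 65500 that can only be overridden by a lower-numbered custom rule. The subnet addresses, VM addresses, rule names and the simplified service-tag resolution are assumptions constructed for the example. The point a practitioner wants to see is the last check: with no custom rules at all, the default AllowVnetInBound rule lets the back end initiate connections to the front end, so the isolation the question asks for requires an explicit deny below priority 65000, not just the allow rules.

```python
"""
Added example: a small simulator of Azure NSG rule evaluation, used to verify
that a front-end/back-end rule set isolates the tiers at the network level.
Addresses, rule names and tag resolution are constructed for this example.
NSGs are stateful, so only connection initiation is modelled here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = "10.0.0.0/16"             # constructed address plan
FRONTEND_SUBNET = "10.0.1.0/24"
BACKEND_SUBNET = "10.0.2.0/24"

# Toy resolution of Azure service tags; in Azure these are Microsoft-maintained.
TAGS = {
    "VirtualNetwork": [VNET],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "*": ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR or service tag
    dest: str        # CIDR or service tag
    dest_port: str   # single port, "lo-hi" range, or "*"

# Default rules present in every NSG (priorities as documented by Microsoft).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

def _addr_match(spec, addr):
    ip = ip_address(addr)
    if spec == "Internet":                      # Internet tag excludes the VNet space
        return ip not in ip_network(VNET)
    return any(ip in ip_network(n) for n in TAGS.get(spec, [spec]))

def _port_match(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port

def evaluate(custom_rules, direction, proto, src, dst, dport):
    """Return (rule name, access) of the first matching rule, lowest priority number first."""
    candidates = [r for r in custom_rules + DEFAULT_RULES if r.direction == direction]
    for r in sorted(candidates, key=lambda r: r.priority):
        if r.protocol not in ("*", proto):
            continue
        if _addr_match(r.source, src) and _addr_match(r.dest, dst) and _port_match(r.dest_port, dport):
            return r.name, r.access
    raise AssertionError("the default DenyAll rule should always match")

# NSG on the front end subnet: HTTPS in from the Internet, SQL out to the back end, nothing else in the VNet.
FRONTEND_NSG = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "Internet", FRONTEND_SUBNET, "443"),
    Rule("DenyVnetInBound", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "*", "*"),
    Rule("AllowSqlOutBound", 100, "Outbound", "Allow", "Tcp", FRONTEND_SUBNET, BACKEND_SUBNET, "1433"),
    Rule("DenyVnetOutBound", 4000, "Outbound", "Deny", "*", "*", "VirtualNetwork", "*"),
]

# NSG on the back end subnet: only SQL from the front end subnet; override AllowVnetInBound with a deny.
BACKEND_NSG = [
    Rule("AllowFrontEndSqlInBound", 100, "Inbound", "Allow", "Tcp", FRONTEND_SUBNET, BACKEND_SUBNET, "1433"),
    Rule("DenyVnetInBound", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "*", "*"),
]

def isolation_report():
    """Evaluate the flows the question cares about; constructed VM and client addresses."""
    fe_ip, be_ip, client_ip = "10.0.1.4", "10.0.2.4", "203.0.113.10"
    return {
        "internet_to_frontend_443": evaluate(FRONTEND_NSG, "Inbound", "Tcp", client_ip, fe_ip, 443),
        "frontend_to_backend_1433": evaluate(BACKEND_NSG, "Inbound", "Tcp", fe_ip, be_ip, 1433),
        "frontend_to_backend_3389": evaluate(BACKEND_NSG, "Inbound", "Tcp", fe_ip, be_ip, 3389),
        "frontend_out_to_backend_389": evaluate(FRONTEND_NSG, "Outbound", "Tcp", fe_ip, be_ip, 389),
        "backend_to_frontend_445": evaluate(FRONTEND_NSG, "Inbound", "Tcp", be_ip, fe_ip, 445),
        # Same flow with no custom rules: the default AllowVnetInBound lets it through.
        "backend_to_frontend_445_defaults_only": evaluate([], "Inbound", "Tcp", be_ip, fe_ip, 445),
    }

if __name__ == "__main__":
    for flow, (rule, access) in isolation_report().items():
        print(f"{flow:40s} {access:5s} ({rule})")
```

Two design choices worth noting: the deny rules sit at priority 4000 rather than 65000 because the default rules cannot be edited, only outranked; and the front end gets both an inbound and an outbound deny, so a compromised front end cannot reach the domain controller on the back end subnet either, which is the "defense-in-depth" layer the question asks for beyond host firewalls.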
I received a private answer from the Azure team that effectively said that this is not currently possible. It's a requested feature but there is no set timeline for its implementation.