堆栈内存溢出
  简体   繁体   English

是否可以严格在网络级别限制前端和后端Azure IaaS VM之间的入口和出口流量?

[英]Is it possible to restrict ingress and egress traffic between front end and back end Azure IaaS VMs strictly at the network level?

 原文  2013-01-04 16:03:08       security/ networking/ azure/ dmz

问题描述

I would like to create an extra-paranoid hub-and-spoke DMZ setup on Azure using IaaS VMs . 我想使用IaaS VM在Azure上创建一个偏执的中心辐射型DMZ安装程序。

I have an public internet facing front end server (ie an IIS web server) that I'd like to severely lockdown. 我有一个面向公共互联网的前端服务器(即IIS Web服务器),我想对其进行严格锁定。 However, the front end requires access to some back end servers (ie a database, a domain controller, etc.). 但是,前端需要访问某些后端服务器(即数据库,域控制器等)。 I want to ensure: 我要确保:

  1. Only the front end server can talk to the back end servers, and only on agreed upon ports. 只有前端服务器才能与后端服务器通信,并且只能在商定的端口上进行通信。
  2. The back end servers cannot receive or send traffic from/to the public internet. 后端服务器无法从公共Internet接收向其发送流量。
  3. The back end servers cannot talk to each other. 后端服务器无法相互通信。
  4. These rules are enforced beyond the VM operating system layer to provide defense in depth. 这些规则在VM操作系统层之外执行,以提供深度防御。

This seems like a reasonable scenario, but I can't seem to achieve it on Azure. 这似乎是一个合理的方案,但是我似乎无法在Azure上实现它。 The closest I've been able to do is: 我最能做的是:

  • Create an IaaS VM front end and restrict its endpoints appropriately 创建IaaS VM前端并适当限制其端点
  • Create an Azure Virtual Network with a "FrontEnd" and "BackEnd" subnets placing each machine on the appropriate subnets. 创建具有“ FrontEnd”和“ BackEnd”子网的Azure虚拟网络 ,将每台计算机放置在适当的子网中。
  • Prevent RDP access to the back end VMs. 防止RDP访问后端VM。 If I want to RDP to the backend machines, I must do it through the front end VM. 如果要RDP到后端计算机,则必须通过前端VM进行。
  • Setup Windows Firewall rules on each of these machines to enforce these hub-and-spoke style of rules. 在这些计算机中的每台计算机上设置Windows防火墙规则,以强制实施这些轮辐式规则。

This works ok but it's not as locked down as I'd like. 这行得通,但没有像我所希望的那样被锁定。 I really want to have defense-in-depth so that I don't have to rely on Windows/Linux firewall settings on each machine. 我真的很想深入防御,这样我就不必依赖每台计算机上的Windows / Linux防火墙设置。 For example, let's say that a back end server must run an application with administrator credentials (assume there are no alternatives to this). 例如,假设后端服务器必须使用管理员凭据来运行应用程序(假定没有替代方法)。 I want an extra layer of protection such that a bug (or a malicious query) on the back end server could not: 我想要一个额外的保护层,以使后端服务器上的错误(或恶意查询)不能:

  • Reconfigure the back end's firewall to be less restrictive. 重新配置后端防火墙以减少限制。
  • Talk to anyone else but the front end machine (this includes the public internet). 与除前端机器(包括公共互联网)以外的任何人交谈。

As far as I can tell, this isn't possible on Azure using the Virtual Networking because: 据我所知,这在使用虚拟网络的Azure上是不可能的,因为:

  • Azure Virtual Networks don't seem to expose ACLs or any other advanced filtering support. Azure虚拟网络似乎没有公开ACL或任何其他高级筛选支持。
  • Azure IaaS VMs only support a single NIC and thus the front end can't be multihomed on both a front end and back end subnet. Azure IaaS VM仅支持单个NIC,因此前端不能同时在前端和后端子网上进行多宿主。

Am I missing something? 我想念什么吗? It seems like I might be able to hack something together using multiple virtual networks and VPN them together as a bunch of /30 subnets but that seems quite awful. 似乎我可以使用多个虚拟网络将某些东西一起黑客入侵,并将它们作为一堆/ 30子网一起VPN在一起,但这似乎很糟糕。 If I can't figure this out on Azure it seems my only reasonable alternative is to try to setup something like this on AWS using Virtual Private Cloud (VPC) . 如果我无法在Azure上弄清楚这一点,看来我唯一合理的选择是尝试使用虚拟私有云(VPC)AWS上进行类似设置。 Any help/guidance would be appreciated. 任何帮助/指导将不胜感激。

2 个解决方案

解决方案1
 1  2015-12-02 12:25:26

As of Nov 2015 it's now possible to deliver what you're asking for, albeit in IaaS v2. 自2015年11月起,尽管已提供IaaS v2,但现在仍可以提供您所要求的内容。

Firewall-like rules, limited to address ranges, ports and protocols can be delivered via Network Security Groups (NSGs). 可以通过网络安全组(NSG)传递类似于防火墙的规则,但仅限于地址范围,端口和协议。 This is documented quite well on Microsoft's site: What is a Network Security Group (NSG)? 这在Microsoft网站上有很好的记录: 什么是网络安全组(NSG)?

You can now also create VMs with multiple NICs (again, IaaS v2) however be aware that you may be required to increase your VM size in order to add more than one. 现在,您还可以创建具有多个NIC的VM(同样是IaaS v2),但是请注意,可能需要增加VM的大小才能添加多个。 Again, there's a reasonable article explaining it in detail here: Create a VM with multiple NICs 同样,这里有一篇合理的文章详细解释了它: 创建具有多个NIC的VM

解决方案2
 0 已采纳  2013-01-14 17:36:09

I received a private answer from the Azure team that effectively said that this is not currently possible. 我从Azure团队收到了一个私人答复,该答复有效地表明当前不可能做到这一点。 It's a requested feature but there is no set timeline for its implementation. 这是一项要求提供的功能,但没有设定实施时间表。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 MS Access用户和组权限-不传播更改-多个用户MDE前端-网络后端 - MS Access User And Group Permissions - Changes Not Propagating - Multiple Users MDE Front End - Network Back End 后台和前端分离 - Back office and front end separation 确保前端和后端之间通信的最佳方式 - Best way to secure the communication between front-end and back-end 正确连接前端和后端的正确方法? - Correct way to connect front end to back end securely? 限制前端开发者的 git/code 访问 - Restrict git / code access to front-end developer K8s.network 策略仅限制一个端点的出口 - K8s network policy restrict egress for one endpoint only 使用 MD5 从前端安全地向后端发送密码 - Sending password safely from the front-end to the back-end using MD5 保护javascript前端/ REST后端架构网站的最佳方法? - Best way to secure javascript front end/REST back end architecture web site? 为多个前端域设置安全的后端NodeJS服务器 - Setting up a secure back-end NodeJS server for multiple front-end domains 如果前端调用API时显示IPv4公网IP,请问这个后端是否存在安全问题? - If the IPv4 public IP is displayed when the API is called on the front end, are there any security issues with this back end?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM