Azure App Gateway V2 cannot be configured with NSG

I have configured an App Gateway using the WAF V2 SKU. I then configured the backend pool to point at a WebApp and added an IP restriction so that only traffic from the WAF IP is allowed. I then tried to add an NSG to the configured subnet to further restrict traffic to the frontend IP address. I get an error (see below). According to the Application Gateway FAQ this should be possible, but I am running into trouble. Here are the details of the deployment error:

Network security group /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/networkSecurityGroups/BannerCIDRNsg blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/virtualNetworks/dbt-sc-platform-rg/subnets/default, associated with Application Gateway /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/applicationGateways/dbt-sc-appgw. This is not permitted for Application Gateways that have V2 Sku.

The error message shows that you need to allow incoming internet traffic on ports 65200 - 65535 to the subnet "default" in the network security group BannerCIDRNsg.

According to the Application Gateway FAQ, you can whitelist Application Gateway access to a few source IPs.

This scenario can be done using NSGs on the Application Gateway subnet. The following restrictions should be put on the subnet in the listed order of priority:

Allow incoming traffic from source IP/IP range.

Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway V1 SKU and ports 65200 - 65535 for the V2 SKU. This port-range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.

Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the NSG.

Block all other incoming traffic with a Deny all rule.

Allow outbound traffic to the internet for all destinations.

When trying to associate the subnet containing the Gateway V2 WAF with an existing NSG, I received the error message "Subnet associated to a gateway with v2 SKU".

Oddly, navigating to VNET -> Subnets, clicking on the given subnet and associating the NSG to it from there works without any problem.

To associate an NSG to a subnet containing an Application Gateway, allow traffic from:

  1. Source: 'GatewayManager', port: Any to destination: 'GatewayManager' service tag, destination port: 65503-65534
  2. Traffic from the AzureLoadBalancer tag with destination subnet Any must be allowed. Note: be careful not to add a Deny rule ahead of these inbound rules, so give them a low priority number to avoid an accidental misconfiguration

Also,

  1. Outbound Internet connectivity cannot be blocked

Reference: https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#network-security-groups

I would like to add to @Nancy's answer that actually, as per the documentation, it is not necessary to allow traffic of Any protocol. Allowing TCP traffic is sufficient.

It is also not necessary to allow traffic from Any source; allowing traffic from the GatewayManager service tag is sufficient.

You must allow incoming Internet traffic on TCP ports 65503-65534 for the Application Gateway v1 SKU, and TCP ports 65200-65535 for the v2 SKU with the destination subnet as Any and source as GatewayManager service tag. This port range is required for Azure infrastructure communication.

So I created a security rule as follows:

Also worth noting:

These ports are protected (locked down) by Azure certificates. External entities, including the customers of those gateways, can't communicate on these endpoints.
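The rule set described across the answers above (GatewayManager on TCP 65200-65535 for the v2 SKU, AzureLoadBalancer probes, a whitelisted client range, a Deny rule only after those, and outbound Internet left open) is easy to get wrong by priority ordering, which is exactly what the deployment error in the question reports. The following is an added example, not code from the question, the answers or Azure's SDK: it models how an NSG evaluates a flow (custom rules by ascending priority, first match decides, Azure's default rules last) and checks a candidate rule set offline before it is applied. Service tags are matched as plain labels rather than resolved to address prefixes, and the client range 203.0.113.0/24 is a constructed placeholder.

```python
"""Offline check of an NSG rule set for an Application Gateway v2 subnet.

Added example, not code from the question or the answers above and not an
Azure SDK call. Service tags are matched as labels here; Azure resolves them
to address prefixes.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower numbers are evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # service tag, CIDR label or "*"
    destination: str   # service tag, CIDR label or "*" (Any)
    dest_ports: str    # "443", "65200-65535" or "*"


# Azure's built-in default rules; they sit below every custom rule.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _port_matches(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: List[Rule], direction: str, protocol: str, source: str,
             destination: str, port: int) -> Tuple[str, str]:
    """Return (rule name, access) of the first rule that matches the flow."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == direction
                and r.protocol in ("*", protocol)
                and r.source in ("*", source)
                and r.destination in ("*", destination)
                and _port_matches(port, r.dest_ports)):
            return r.name, r.access
    raise AssertionError("the default Deny rules always match")


def check_appgw_v2_subnet(rules: List[Rule]) -> List[str]:
    """Findings that would make Azure reject this NSG on a v2 gateway subnet."""
    problems = []
    # v2 SKU: infrastructure ports 65200-65535 from GatewayManager must be allowed.
    for port in (65200, 65535):
        name, access = evaluate(rules, "Inbound", "Tcp", "GatewayManager", "VirtualNetwork", port)
        if access != "Allow":
            problems.append(f"TCP {port} from GatewayManager denied by '{name}'")
    # Azure Load Balancer health probes must reach the gateway instances.
    name, access = evaluate(rules, "Inbound", "Tcp", "AzureLoadBalancer", "VirtualNetwork", 443)
    if access != "Allow":
        problems.append(f"AzureLoadBalancer probes denied by '{name}'")
    # Outbound Internet connectivity cannot be blocked on a v2 gateway subnet.
    name, access = evaluate(rules, "Outbound", "Tcp", "VirtualNetwork", "Internet", 443)
    if access != "Allow":
        problems.append(f"outbound Internet denied by '{name}'")
    return problems


# Constructed rule sets. CLIENT_CIDR is a documentation prefix standing in for
# the real source range whitelisted on the frontend.
CLIENT_CIDR = "203.0.113.0/24"
GOOD_RULES = [
    Rule("AllowGatewayManagerInBound", 100, "Inbound", "Allow", "Tcp", "GatewayManager", "*", "65200-65535"),
    Rule("AllowAzureLBInBound", 110, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("AllowClientHttpsInBound", 120, "Inbound", "Allow", "Tcp", CLIENT_CIDR, "*", "443"),
    Rule("DenyAllOtherInBound", 4000, "Inbound", "Deny", "*", "*", "*", "*"),
]
# Same rules with the Deny placed ahead of the infrastructure allow: the
# mistake the answer above warns about, and what the deployment error reports.
BAD_RULES = [
    replace(GOOD_RULES[0], priority=200),
    GOOD_RULES[1],
    GOOD_RULES[2],
    replace(GOOD_RULES[3], priority=100),
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, check_appgw_v2_subnet(rules) or "OK")
```

Running it reports the good set as OK and lists the GatewayManager ports and the load balancer probes as denied by `DenyAllOtherInBound` in the bad set; the same check applied to the question's NSG would have flagged ports 65200-65535 before Azure did.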