Add NSG to Application Gateway Subnet

My requirement is simple. I need to associate an NSG with the subnet that contains my Application Gateway.

As soon as I associate the NSG with this subnet, I get connection timeout errors.

Following Microsoft's documentation, I added an exception for the port range 65503-65534.

From https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq

Network Security Groups (NSGs) are supported on the application gateway subnet with the following restrictions:

Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU and ports 65200 - 65535 for the v2 SKU. This port-range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.

Outbound internet connectivity can't be blocked.

Traffic from the AzureLoadBalancer tag must be allowed.

Am I missing something? Any help would be greatly appreciated.

Here is an example NSG Application Gateway exclusion rule that works for me:

    {
        "apiVersion": "2017-06-01",
        "name": "NameGoesHere",
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "location": "[resourceGroup().location]",
        "properties": {
            "description": "This rule is needed for application gateway probes to work",
            "protocol": "*",
            "destinationAddressPrefix": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "65503-65534",
            "sourceAddressPrefix": "*",
            "access": "Allow",
            "priority": 100,
            "direction": "Inbound"
        }
    }

Try adding an NSG with this rule to the Application Gateway subnet and it will work. Also, make sure you are not explicitly blocking access from the Application Gateway to the backend with an NSG.

To associate an NSG with the subnet containing the Application Gateway, allow traffic from:

  1. Source: 'GatewayManager', port: any, to destination: 'GatewayManager' service tag, destination port: 65503-65534
  2. Traffic from the AzureLoadBalancer tag with destination subnet Any must be allowed.

In addition,

  1. Outbound Internet connectivity cannot be blocked

Reference: https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#network-security-groups
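The two answers above and the FAQ quoted in the question boil down to three requirements: the GatewayManager infrastructure ports must be allowed inbound (65503-65534 for v1, 65200-65535 for v2), AzureLoadBalancer must be allowed inbound, and outbound Internet must not be blocked. The following is an added example, not code from the page and not an Azure SDK or CLI call: it models the NSG engine's first-match-by-priority evaluation against Azure's built-in default rules and checks a candidate rule set against those requirements before you associate it with the subnet. The `Rule` class, `check_appgw_subnet`, the rule names and the sample rule sets are constructed for illustration; address matching is simplified to service-tag names with no CIDR arithmetic.

```python
"""Offline check: does an NSG rule set meet the Application Gateway subnet
requirements?  Hypothetical helper written for this page, not an Azure API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number wins; user rules 100-4096, defaults 65000+
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "Tcp", "Udp" or "*"
    source: str = "*"      # service tag or "*" (CIDR matching omitted here)
    dest: str = "*"
    dest_ports: str = "*"  # "443", "65200-65535" or "*"


# Azure's built-in default rules, present on every NSG (priorities 65000+).
DEFAULT_RULES = (
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
)

# Infrastructure port ranges per SKU, from the FAQ quoted in the question.
INFRA_PORTS = {"v1": (65503, 65534), "v2": (65200, 65535)}


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _addr_match(spec, value):
    # Simplification: exact service-tag match or wildcard, no CIDR logic.
    return spec == "*" or spec == value


def evaluate(rules, direction, source, dest, protocol, port):
    """First matching rule in priority order decides, as the NSG engine does."""
    for r in sorted(list(rules) + list(DEFAULT_RULES), key=lambda r: r.priority):
        if (r.direction == direction
                and r.protocol in ("*", protocol)
                and _addr_match(r.source, source)
                and _addr_match(r.dest, dest)
                and _port_match(r.dest_ports, port)):
            return r.access
    return "Deny"  # not reached: the DenyAll defaults always match


def check_appgw_subnet(rules, sku="v2", listener_ports=(80, 443)):
    """Return the list of violated requirements; an empty list means safe to associate."""
    problems = []
    lo, hi = INFRA_PORTS[sku]
    # The gateway instances live inside the VNet, so inbound flows target "VirtualNetwork".
    for port in (lo, hi):  # both ends of the range must be allowed
        if evaluate(rules, "Inbound", "GatewayManager", "VirtualNetwork", "Tcp", port) != "Allow":
            problems.append(f"inbound GatewayManager -> TCP {port} must be allowed ({sku} uses {lo}-{hi})")
    for port in listener_ports:
        if evaluate(rules, "Inbound", "AzureLoadBalancer", "VirtualNetwork", "Tcp", port) != "Allow":
            problems.append(f"inbound AzureLoadBalancer -> TCP {port} must be allowed")
    if evaluate(rules, "Outbound", "VirtualNetwork", "Internet", "Tcp", 443) != "Allow":
        problems.append("outbound Internet must not be blocked")
    return problems


# Constructed sample rule sets for the scenarios discussed on this page.
V1_RULE = Rule("AllowGatewayManagerV1", 100, "Inbound", "Allow", "Tcp", "GatewayManager", "*", "65503-65534")
V2_RULE = Rule("AllowGatewayManagerV2", 100, "Inbound", "Allow", "Tcp", "GatewayManager", "*", "65200-65535")
LOCKDOWN = Rule("DenyAllInbound", 4000, "Inbound", "Deny")          # a typical hardening rule
DENY_OUT = Rule("DenyInternetOut", 100, "Outbound", "Deny", "*", "*", "Internet")

if __name__ == "__main__":
    print("defaults only, v2 :", check_appgw_subnet([], "v2"))
    print("v1 rule on v2 SKU :", check_appgw_subnet([V1_RULE], "v2"))
    print("v2 rule on v2 SKU :", check_appgw_subnet([V2_RULE], "v2"))
    print("v2 rule + lockdown:", check_appgw_subnet([V2_RULE, LOCKDOWN], "v2"))
    print("v2 rule + deny out:", check_appgw_subnet([V2_RULE, DENY_OUT], "v2"))
```

Two results are worth noting. An NSG with no custom rules at all already fails the check, because GatewayManager traffic comes from outside the VNet and is caught by the default DenyAllInBound at 65500; that is the symptom in the question. A custom deny-all rule at any priority below 65001 also shadows the default AllowAzureLoadBalancerInBound, so a hardened NSG needs an explicit AzureLoadBalancer allow rule ordered above it, not just the GatewayManager exception.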