How to allow HTTP(s) traffic to a VM only through a Load Balancer and deny it through the VM's public IP?


Problem description

I have a Load Balancer with a backend pool of 2 VMs. Each VM has its own Network Interface with a public and a private IP address. I have a Network Security Group set up as a basic firewall, denying anything that's not going to port HTTP(s) or DevOps ports.

The current NSG allows inbound traffic to these ports from any source IP. I would like to only allow traffic to the VMs that goes through the LB first. However, if I deny everything but the LB's source IP, I never get a request. From the documentation, I learnt this is intended because the source port and address range applied are from the originating computer, not the load balancer.

Is there a way in Azure to shield the VMs from public HTTP traffic, but allow it if it hits the LB first?




Recommended answer

Hi Derence, 

Azure Load balancer is not a deployment, it is a part of our Infrastructure. When you take a packet capture at the VM which is behind the Load balancer, you can still see the source IP address as your Client IP and the destination IP address as the private IP of your VM. 

In your scenario, you can remove the Public IP address of your VM and only use Load balancer's IP to access the site. And since LB is not a deployment you will not be able to add NSG to the LB. You can secure your VM by adding NSG to the NIC/subnet of the VM.

----------------------------------------

If you found this post helpful, please give it a "Helpful" vote.

If the answer helped, please remember to mark it as the answer.

Regards,

msrini
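
The behaviour described in the answer above, as an added example that is not part of the original thread: a small Python model of NSG rule evaluation showing why a source rule for the LB's IP never matches, and why removing the VM's public IP is what closes the direct path. The addresses, rule sets and the `exposure` helper are constructed for illustration, and the model is a simplifying assumption, not Azure code.

```python
import ipaddress
from collections import namedtuple

# Simplified NSG model (assumption): rules match on source prefix and destination port.
Rule = namedtuple("Rule", "priority source dest_ports access")
Packet = namedtuple("Packet", "src_ip dst_ip dst_port")

def matches(rule, pkt):
    if pkt.dst_port not in rule.dest_ports:
        return False
    if rule.source == "*":
        return True
    return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source)

def evaluate(rules, pkt):
    """Lowest priority number is checked first; unmatched inbound traffic is denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.access
    return "Deny"

# Constructed addresses from documentation ranges, not from the thread.
CLIENT, LB_FRONTEND, VM_PRIVATE = "203.0.113.10", "198.51.100.5", "10.0.0.4"

# As the answer states, a request that came through the LB still carries the
# client's source IP and the VM's private IP as destination.
VIA_LB = Packet(CLIENT, VM_PRIVATE, 443)
# Assumption of this model: a request sent to the VM's own public IP looks the
# same to the NSG, so source-based rules cannot tell the two paths apart.
DIRECT = Packet(CLIENT, VM_PRIVATE, 443)

ONLY_LB_SOURCE = [Rule(100, LB_FRONTEND + "/32", (80, 443), "Allow")]
ANY_SOURCE = [Rule(100, "*", (80, 443), "Allow")]

def exposure(rules, vm_has_public_ip):
    """Which paths reach the VM on 443 for a given rule set and NIC setup."""
    via_lb = evaluate(rules, VIA_LB) == "Allow"
    # With no public IP on the NIC there is no direct path to evaluate.
    direct = vm_has_public_ip and evaluate(rules, DIRECT) == "Allow"
    return {"via_lb": via_lb, "direct": direct}

if __name__ == "__main__":
    print(exposure(ONLY_LB_SOURCE, True))   # rule keyed on the LB's IP
    print(exposure(ANY_SOURCE, True))       # open rule, VM keeps its public IP
    print(exposure(ANY_SOURCE, False))      # open rule, public IP removed
```
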

