如何检查是否允许 Azure 网络安全组出站 IP? [英] How to check Azure Network Security Group outbound IP Allowed or not?

问题描述

我对 Azure 网络安全组有一些问题.目前我正在使用 Azure App Services 发布我的网站，并在 Azure、App Services、由 NSG 控制的网络端，例如入站和出站安全等.

我正在使用 sagepay 支付网关.他们要求我执行以下步骤以成功集成 sagepay.

<块引用>

请确保允许以下所有IP地址在您的服务器或防火墙内:对于到我们网关的出站流量:195.170.169.9 - live.sagepay.com195.170.169.8 - test.sagepay.com对于入站流量，您只需要将 IP 列入白名单，如果您是我们回调的IP是:195.170.169.14195.170.169.18195.170.169.15Sage Pay 使用的子网掩码是 255.255.255.000请确保您的防火墙允许出站端口 443(HTTPS仅限！)和入站端口 443(以及可选的 80 HTTP)访问为了与我们的服务器通信(在模拟器/测试/现场).

在我的网络组中，

我刚刚将入站规则添加到端口 80,443 并将 IP 列入白名单 - 195.170.169.0/24并对我的出站规则做了同样的事情.

但是我应该如何检查这些东西是否正常工作?因为我的网站仍然无法从 sagepay 方面得到响应(根据 sagepay 支持团队，通知 URL 也是正确的)

解决方案

更新(2020 年 7 月):

现在有一种更优雅的方法，使用应用服务中的内置功能 -

我下面的答案现在已被弃用.

---

这是评论中您后续问题的答案.

<system.webServer><安全><!-- 这行拒绝所有人，除了下面列出的人--><ipSecurity allowUnlisted=假"><!-- 删除所有上游限制--><清除/><!-- 允许此网络--><添加 ipAddress="195.170.169.0";子网掩码=255.255.255.0"；允许=真"/></ipSecurity></安全>...</system.webServer>

预期结果(来自允许网络之外的公共 IP 地址时):

$ curl -i http://{sitename}.azurewebsites.net/HTTP/1.1 403 禁止内容长度:58内容类型:文本/html服务器:Microsoft-IIS/8.0X-Powered-By: ASP.NET日期:2016 年 8 月 6 日星期六 19:46:04 GMT您无权查看此目录或页面.

I have few problems regarding Azure Network Security Group. Currently I'm using Azure App Services to publish my website and in Azure, App Services, Network Side Controlled By NSG such as inbound and outbound security and other things.

I'm working with sagepay payment gateway.they asked me to do following steps in order to success my sagepay integration.

Please ensure that all of the following IP addresses are allowed
within your Server or Firewall:

For outbound traffic to our gateway:

195.170.169.9 – live.sagepay.com
195.170.169.8 – test.sagepay.com

For inbound traffic you only need to whitelist IPs if you are
The IPs from which we call back are:

195.170.169.14
195.170.169.18
195.170.169.15

The Subnet mask used by Sage Pay is 255.255.255.000

Please ensure that your firewalls allow outbound Port 443 (HTTPS
only!) and inbound Ports 443 (and optionally 80 HTTP) access in
order to communicate with our servers (on Simulator/Test/Live).

In my Network Group,

I just added Inbound rule to port 80,443 and whitelist IPs - 195.170.169.0/24 and did same thing to my outbound rule also.

but how do i suppoed to check these things are working or not? because still my web site cannot get respond from sagepay side(notification URL is also correct according to sagepay support team)

解决方案

UPDATE (July 2020):

There's now a more elegant approach, use the built-in feature in App Service - https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-access-restriction-rules-in-the-portal

My answer below is now deprecated.

---

Here's the answer for your follow up question in the comments.

<system.webServer>
    <security>
       <!-- this line denies everybody, except those listed below -->            
       <ipSecurity allowUnlisted="false">
           <!-- remove all upstream restrictions -->    
           <clear/>
           <!-- allow this network -->          
           <add ipAddress="195.170.169.0" subnetMask="255.255.255.0" allowed="true" />
       </ipSecurity>
    </security>
...
</system.webServer>

Expected result (when coming from a public IP address outside the allowed network):

$ curl -i http://{sitename}.azurewebsites.net/

HTTP/1.1 403 Forbidden
Content-Length: 58
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sat, 06 Aug 2016 19:46:04 GMT

You do not have permission to view this directory or page.

这篇关于如何检查是否允许 Azure 网络安全组出站 IP?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！