Help on restricting traffic between subnets using NSG (ARM)


Question

Hello,

I would like to deploy an ARM template with 1 VNET and 3 subnets inside.

I would like to restrict network traffic between these subnets through NetworkSecurityGroup. In particular, from Mgmt subnet only TCP traffic on port 80 and 22 should be allowed. From Backend subnet, no traffic should be allowed.

These 3 subnets have the following address spaces:

- Mgmt: 10.0.1.0/24

- Backend:  10.0.0.0/24

- Apps: 10.0.10.0/24 

I've created a NSG with 3 rules

- Allow HTTP (80) from 10.0.1.0/24

- Allow SSH (22) from 10.0.1.0/24

- Deny all other traffic from Virtual Network

Because of the "Default Rules" built into an NSG, a deny rule has been created which should block all traffic that is not explicitly allowed.
The issue is that from the Backend subnet it's still possible to reach the Apps subnet.

Any ideas?

Here is the NSG applied to the Apps subnet.

    {
      "apiVersion": "2015-05-01-preview",
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "AppsSubnetNSG",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "inboundhttp",
            "properties": {
              "description": "inbound rule 01",
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "80",
              "sourceAddressPrefix": "10.0.1.0/24",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 200,
              "direction": "Inbound"
            }
          },
          {
            "name": "inboundssh",
            "properties": {
              "description": "inbound ssh 01",
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "22",
              "sourceAddressPrefix": "10.0.1.0/24",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 204,
              "direction": "Inbound"
            }
          },
          {
            "name": "notcp",
            "properties": {
              "description": "block TCP",
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "VirtualNetwork",
              "destinationAddressPrefix": "*",
              "access": "Deny",
              "priority": 304,
              "direction": "Inbound"
            }
          }
        ]
      }
    }


Answer

You need to create subnet-specific DENY rules for the subnets you want to block.

For example, to block the Backend subnet:

    {
      "name": "notcpfrombackend",
      "properties": {
        "description": "block TCP from backend subnet",
        "protocol": "Tcp",
        "sourcePortRange": "*",
        "destinationPortRange": "*",
        "sourceAddressPrefix": "10.0.0.0/24",
        "destinationAddressPrefix": "*",
        "access": "Deny",
        "priority": 304,
        "direction": "Inbound"
      }
    }
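To see which flows each rule set actually admits, the following added example (not part of the question or answer, and not Azure's own code) replays Azure's NSG evaluation order, lowest priority number first, including the built-in default inbound rules, over the question's three rules. It assumes the VirtualNetwork service tag resolves to 10.0.0.0/16 (covering all three subnets) and adds the answer's Backend deny rule with its protocol widened to "*" and priority 303, both assumptions, to show the gap that a TCP-only deny leaves for non-TCP traffic such as ICMP.

```python
import ipaddress

# Constructed assumption: the VirtualNetwork tag covers the whole VNet address space.
# 168.63.129.16 is Azure's load balancer / health-probe source address.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}

# Azure's built-in default inbound rules; every NSG carries these below any custom rule.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "protocol": "*", "source": "VirtualNetwork", "port": "*", "access": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "protocol": "*", "source": "AzureLoadBalancer", "port": "*", "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "protocol": "*", "source": "*", "port": "*", "access": "Deny"},
]

# The three rules of the question's AppsSubnetNSG, reduced to the fields evaluation needs.
QUESTION_RULES = [
    {"name": "inboundhttp", "priority": 200, "protocol": "Tcp", "source": "10.0.1.0/24", "port": "80", "access": "Allow"},
    {"name": "inboundssh", "priority": 204, "protocol": "Tcp", "source": "10.0.1.0/24", "port": "22", "access": "Allow"},
    {"name": "notcp", "priority": 304, "protocol": "Tcp", "source": "VirtualNetwork", "port": "*", "access": "Deny"},
]

# The answer's subnet-specific deny, widened to all protocols and given a unique priority (assumption).
BACKEND_DENY = {"name": "notcpfrombackend", "priority": 303, "protocol": "*", "source": "10.0.0.0/24", "port": "*", "access": "Deny"}


def _matches(rule, src_ip, proto, dport):
    """True if an inbound flow (src_ip, proto, dport) matches this rule's 5-tuple filter."""
    if rule["protocol"] != "*" and rule["protocol"].lower() != proto.lower():
        return False
    if rule["port"] != "*" and rule["port"] != str(dport):
        return False
    if rule["source"] == "*":
        return True
    prefixes = SERVICE_TAGS.get(rule["source"], [rule["source"]])
    return any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(p) for p in prefixes)


def evaluate(rules, src_ip, proto, dport=0):
    """Return (access, rule name) of the first matching rule; NSGs stop at the first match."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if _matches(rule, src_ip, proto, dport):
            return rule["access"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    for label, rules in (("question", QUESTION_RULES), ("with backend deny", QUESTION_RULES + [BACKEND_DENY])):
        for src, proto, port in (("10.0.1.5", "Tcp", 80), ("10.0.0.5", "Tcp", 80), ("10.0.0.5", "Icmp", 0)):
            print(label, src, proto, port, "->", evaluate(rules, src, proto, port))
```

With the question's rules alone, TCP from Backend is already caught by "notcp" because VirtualNetwork includes 10.0.0.0/24, but ICMP from Backend falls through to AllowVnetInBound; only a deny that covers all protocols closes that path.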

