
I have an Azure cloud service and an Azure Kubernetes Service (AKS). AKS is within an NSG. I would like to create rules in the network security group (NSG) to restrict inbound traffic to only the specific cloud service.

Since the cloud service IP could change, I would not be able to base the NSG rules on IP. Also, I do not see the cloud service in the Azure service tags list in the NSG.

How do I achieve this NSG rule configuration?

Tany

1 Answer


It seems that you want to restrict inbound traffic to AKS to only the specific cloud service. Conversely, you can add inbound rules to allow the traffic that you want to access AKS; then any traffic for which you have not added an allow rule will be denied, since there is a DenyAllInBound inbound rule in each NSG. Traffic is filtered according to the priority of the inbound rules (a smaller value means a higher priority).


Update

If you only allow one specific cloud service in the inbound traffic, you just set the source to the specific IP address in the inbound rule of your NSG. The assigned IP address for the cloud service doesn't change unless you stop and reprovision the service. If you want to be sure of having a fixed IP address in your subscription even if you deprovision and reprovision, you can use a Reserved IP address for Cloud Services. Ref: Static IP for Cloud Service on Azure

Reserved IP addresses (Classic)

Nancy
  • My question was specific to how I would add my cloud service to these NSG rules. Is the IP of the cloud service the only way? – Tany Aug 30 '18 at 10:49
  • The source in an inbound rule can be any, an IP address, a service tag or an application security group; refer to [this](https://learn.microsoft.com/en-us/azure/virtual-network/security-overview#security-rules). May I know which specific cloud service you want to restrict? If you just want to deny that cloud service, you can allow the other services; then the specific cloud service will be denied by the last rule. – Nancy Aug 30 '18 at 13:50
  • I want to allow only a cloud service and deny all other inbound traffic to the NSG. – Tany Aug 30 '18 at 19:36
  • I misunderstood you before; you can do that, please check my update. – Nancy Aug 31 '18 at 02:16
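The rule evaluation the answer describes (custom Allow rule at a low priority number, everything else falling through to the default DenyAllInBound at 65500) can be checked offline. The block below is an added example, not code from the question or the answer: it models an NSG's first-match inbound evaluation in Python, builds the single Allow rule the answer recommends for a reserved cloud service IP, and shows what happens in the failure mode the asker raised (the cloud service comes back on a different address after reprovisioning and its traffic is silently denied). The service-tag prefixes, the 203.0.113.10 / 198.51.100.7 addresses and the resource group and NSG names are constructed for the example; the `az network nsg rule create` flags in `to_az_cli` are the real Azure CLI ones.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules use 100-4096; a lower value is evaluated first
    access: str          # "Allow" or "Deny"
    source: str          # IP, CIDR, "*" or a service tag name
    dest_port: str       # single port, "low-high" range or "*"
    protocol: str = "*"  # "Tcp", "Udp" or "*"


# Address prefixes this simulation assumes for two service tags (constructed for the
# example; Azure resolves real tags to its own published prefix lists).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# The default inbound rules every NSG carries. They cannot be deleted, only overridden
# by custom rules with a lower priority number. Destination matching is omitted here
# (the real AllowVnetInBound also requires destination VirtualNetwork).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    prefixes = SERVICE_TAGS.get(rule_source, [rule_source])
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(x) for x in rule_port.split("-", 1))
        return low <= port <= high
    return int(rule_port) == port


def validate_rules(custom_rules) -> None:
    """Reject what the Azure API rejects: priorities outside 100-4096 and two
    rules sharing a priority in the same direction."""
    seen = set()
    for r in custom_rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority}")
        seen.add(r.priority)


def evaluate_inbound(custom_rules, src_ip: str, dest_port: int, protocol: str = "Tcp"):
    """First-match evaluation in ascending priority order, as an NSG does it.
    Returns (access, rule_name); whatever no custom Allow rule matched ends up
    at DenyAllInBound."""
    validate_rules(custom_rules)
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every packet")


def to_az_cli(rule: Rule, resource_group: str, nsg_name: str) -> str:
    """Render the rule as the equivalent `az network nsg rule create` command."""
    return (
        "az network nsg rule create"
        f" --resource-group {resource_group} --nsg-name {nsg_name} --name {rule.name}"
        f" --priority {rule.priority} --direction Inbound --access {rule.access}"
        f" --protocol {rule.protocol} --source-address-prefixes {rule.source}"
        f" --destination-port-ranges {rule.dest_port}"
    )


# Constructed scenario: the cloud service holds the reserved IP 203.0.113.10
# (documentation range) and AKS should accept only its HTTPS traffic.
CLOUD_SERVICE_IP = "203.0.113.10"
AKS_INBOUND = [
    Rule("AllowCloudServiceHttps", 100, "Allow", f"{CLOUD_SERVICE_IP}/32", "443", "Tcp"),
]

if __name__ == "__main__":
    # 198.51.100.7 stands for the address the cloud service might get after a
    # deprovision/reprovision without a reserved IP: it no longer matches rule 100.
    for src, port in [(CLOUD_SERVICE_IP, 443), (CLOUD_SERVICE_IP, 80),
                      ("198.51.100.7", 443), ("10.1.2.3", 22)]:
        print(src, port, evaluate_inbound(AKS_INBOUND, src, port))
    print(to_az_cli(AKS_INBOUND[0], "my-rg", "aks-nsg"))
```

Note that AllowVnetInBound still admits anything from inside the virtual network at priority 65000, so "only the cloud service" holds for traffic arriving from outside the VNet; to block other VNet sources as well, add an explicit Deny rule with a priority number above 100 and below 65000.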