
Please can someone advise how to restrict access on port 80/443 to some Azure VMs, so that they can only be accessed via the public IP address that is associated with an Azure Load Balancer.

Our current setup has load balancing rules passing traffic through from the public IP on 80=>80 and 443=>443 to a back end pool of 2 VMs. We have a health probe set up on port 80. Session persistence is set to client IP and floating IP is disabled.

I thought the answer was to deny access (via Network Security Group) to the Internet (service tag) on 80/443, then add a rule to allow the service tag (AzureLoadBalancer) on the same ports. But that didn't seem to have an effect. Having read up a little more on this, it seems the AzureLoadBalancer tag is only there to allow the health probe access and not specifically inbound traffic from that load balancer.

I have also tried adding rules to allow the public IP address of the load balancer, but again no effect.

I was wondering if I need to start looking into Azure Firewall, and somehow restrict inbound traffic to what comes through that?

The only way I can get the VMs to respond on those ports is to add rules allowing 80/443 from any to any....

Dean O'Brien
  • Check if this helps : https://social.msdn.microsoft.com/Forums/azure/en-US/e064ee13-10f0-4748-a729-8b2e918df9a9/azure-loadbalancer-not-working-with-vms-nsg-inbound-rule-with-azureloadbalancer-tag – RamaraoAdapa Nov 22 '21 at 07:04


After reading your question, my understanding is that you have a public load balancer and the backend VMs also have instance-level public IPs associated with them, hence direct inbound access to the VMs is possible. But you would like to make sure that inbound access to the VMs is possible only via the load balancer.

The simple solution for you to achieve this is to disassociate the instance-level public IP of the VMs; this will make the LB public IP the only point of contact for your VMs. Keep in mind that the LB is not a proxy, it is just a layer 4 resource that forwards traffic. Therefore, your backend VM will still see the source IP of the clients and not the LB IP, hence you will still need to allow the traffic at the NSG level using "Any" as the source.

However, if your requirement is to enable outbound connectivity from the Azure VMs while avoiding SNAT exhaustion, I would advise you to create a NAT Gateway, where you can assign multiple public IP addresses for SNAT, and remove the public IP from the VM. This setup will make sure that inbound access is provided by the public load balancer only and outbound access is provided by the NAT gateway.

Refer : https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource#nat-and-vm-with-standard-public-load-balancer

https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/tutorial-nat-gateway-load-balancer-public-portal

You could also configure port forwarding in Azure Load Balancer for the RDP/SSH connections to individual instances. Refer : https://learn.microsoft.com/en-us/azure/load-balancer/manage#-add-an-inbound-nat-rule

https://learn.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal

Gitarani Sharma
  • Hi gitaranisharma, many thanks for taking the time to provide an answer. Sounds like I was overthinking it and missed what seems like a simple solution! With regard to outbound connections, the VMs do need to connect to SQL and also other web services; however we haven't had any issues with SNAT exhaustion as of yet, so hopefully we should be good in that regard (unless your suggestion might affect this?). I will try out your suggestion when back in the office on Monday and confirm your answer as correct then. Many thanks, Dean – Dean O'Brien Dec 03 '21 at 14:55
  • Thank you for the update. Yes, the solution is simple. Just disassociate the instance-level public IPs from the VMs and use a NAT gateway for the VMs' outbound connections. With NAT, individual VMs do not need public IP addresses and can remain fully private. A NAT gateway can be assigned up to 16 public IP addresses, with each IP having 64,000 available ports, and it provides on-demand SNAT ports for new outbound traffic flows. So you do not need to worry about SNAT port exhaustion. Refer : https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource#on-demand – Gitarani Sharma Dec 08 '21 at 21:12
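The steps from the answer above (detach the instance-level public IPs, add a NAT gateway for outbound, allow 80/443 from Any in the NSG, then verify no VM still has a public IP), as an added Azure CLI script that is not part of the original thread. Resource group, VNet, subnet, NSG, VM and NIC names are assumed placeholders; it runs in dry-run mode by default and only prints the commands.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): Azure CLI steps for the
# accepted answer. Resource names are assumed placeholders (override via env).
# DRY_RUN=1 (default) only prints the az commands; DRY_RUN=0 executes them.
set -euo pipefail
RG="${RG:-web-rg}"               # assumed resource group
VNET="${VNET:-web-vnet}"         # assumed VNet/subnet of the backend pool
SUBNET="${SUBNET:-backend}"
NSG="${NSG:-backend-nsg}"        # assumed NSG on the backend subnet
NATGW="${NATGW:-web-natgw}"      # NAT gateway and its public IP (created here)
NAT_PIP="${NAT_PIP:-web-natgw-pip}"
VMS="${VMS:-web-vm-1 web-vm-2}"  # backend VMs; NIC assumed named "<vm>-nic"
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "az $*"; else az "$@"; fi; }

# 1. Drop the instance-level public IP from each VM's primary NIC so the
#    load balancer's public IP is the only inbound path.
detach_vm_public_ips() {
  local vm
  for vm in $VMS; do
    run network nic ip-config update -g "$RG" --nic-name "${vm}-nic" \
      -n ipconfig1 --remove PublicIpAddress
  done
}

# 2. NAT gateway on the subnet keeps outbound working (on-demand SNAT
#    from the gateway's IP) once the VMs have no public IP of their own.
create_nat_gateway() {
  run network public-ip create -g "$RG" -n "$NAT_PIP" --sku Standard --allocation-method Static
  run network nat gateway create -g "$RG" -n "$NATGW" --public-ip-addresses "$NAT_PIP" --idle-timeout 10
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --nat-gateway "$NATGW"
}

# 3. The LB is a layer-4 pass-through, so the NSG sees the client's real source
#    IP: allow 80/443 from Any. The default AllowAzureLoadBalancerInBound rule
#    still lets the port-80 health probe in.
allow_web_inbound() {
  run network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowWebInbound \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes '*' --destination-port-ranges 80 443
}

# 4. Check: every VM should now report an empty public IP list.
list_vm_public_ips() {
  local vm
  for vm in $VMS; do
    run vm list-ip-addresses -g "$RG" -n "$vm" \
      --query '[].virtualMachine.network.publicIpAddresses[].ipAddress' -o tsv
  done
}
if [ "${APPLY:-0}" = 1 ]; then detach_vm_public_ips; create_nat_gateway; allow_web_inbound; list_vm_public_ips; fi
```

Run with `APPLY=1 DRY_RUN=0` after `az login` to apply the changes for real; the final step should print nothing for each VM once the public IPs are gone.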