NSGs for Azure APIM with VNET


I’m doing some work on deploying Azure API Management inside a VNET in order to access backend services and had to enumerate a list of Network Security Group (NSG) rules to allow inbound and outbound traffic for the subnet in which API Management is deployed. Posting the JSON here for easy reference. Note that the Allow_https_443 rule below admits inbound 443 from any source ("*"), so narrow it if your gateway is not meant to be publicly reachable. Still testing this out, so let me know if I missed any ports. Cheers!

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "nsgname": {
            "type": "String",
            "metadata": {
            "description": "NSG Name"
         }
        },
        "location": {
            "type": "string",
            "defaultValue":"[resourceGroup().location]",
            "metadata": {
                "description": "location value for all defined resources"
       }
    } 
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2019-11-01",
            "name": "[parameters('nsgname')]",
            "location": "[parameters('location')]",
            "properties": {
                "securityRules": [
                    {
                        "name": "allow_In_mgmtendpoint_for_Azure",
                        "properties": {
                            "description": "Management endpoint for Azure portal and Powershell",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "3443",
                            "sourceAddressPrefix": "ApiManagement",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 120,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_vnet_to_Azure_storage",
                        "properties": {
                            "description": "Dependency on Azure Storage",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "Storage",
                            "access": "Allow",
                            "priority": 120,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [
                                "80",
                                "443"
                            ],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_out_to_aad",
                        "properties": {
                            "description": "Azure Active Directory (where applicable)",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "AzureActiveDirectory",
                            "access": "Allow",
                            "priority": 130,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [
                                "80",
                                "443"
                            ],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_out_to_Azure_SQL_endpoints",
                        "properties": {
                            "description": "Access to Azure SQL endpoints",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "1433",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "Sql",
                            "access": "Allow",
                            "priority": 140,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_out_for_log_to_eventhub",
                        "properties": {
                            "description": "Dependency for Log to Event Hub policy and monitoring agent",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "EventHub",
                            "access": "Allow",
                            "priority": 150,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [
                                "5671",
                                "5672",
                                "443"
                            ],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_out_for_azurefileshare_forGit",
                        "properties": {
                            "description": "Dependency on Azure File Share for GIT",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "445",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "Storage",
                            "access": "Allow",
                            "priority": 160,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_out_to_publish_healthstatus_toresourcehealth",
                        "properties": {
                            "description": "Needed to publish Health status to Resource Health",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "1886",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "Internet",
                            "access": "Allow",
                            "priority": 170,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_out_to_publish_diaglogs_metrics",
                        "properties": {
                            "description": "Publish Diagnostics Logs and Metrics",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "443",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "AzureMonitor",
                            "access": "Allow",
                            "priority": 180,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_out_to_connect_to_smtp_relay",
                        "properties": {
                            "description": "Connect to SMTP Relay for sending e-mails",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "25",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "Internet",
                            "access": "Allow",
                            "priority": 190,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_out_to_connect_to_smtp_relay_for_emails",
                        "properties": {
                            "description": "Connect to SMTP Relay for sending e-mails (ports 587 and 25028)",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "Internet",
                            "access": "Allow",
                            "priority": 200,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [
                                "587",
                                "25028"
                            ],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_out_for_azurecache_for_redis_instances_between_roleinstances",
                        "properties": {
                            "description": "Access Azure Cache for Redis Instances between RoleInstances",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "6381-6383",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 210,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_in_for_azure_infra_LB",
                        "properties": {
                            "description": "Azure Infrastructure Load Balancer",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "AzureLoadBalancer",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 130,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow_in_access_azurecache_for_redis_instances_between_roleinstances",
                        "properties": {
                            "description": "Access Azure Cache for Redis Instances between RoleInstances",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "6381-6383",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 140,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "Allow_https_443",
                        "properties": {
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "443",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 110,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "allow-out_for_DNS",
                        "properties": {
                            "description": "Outbound communication with DNS servers (this rule covers TCP port 53 only)",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "53",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 220,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    }
                ]
            }
        }
        
    ]
}

 
