I’m doing some work on deploying Azure API Management inside a VNET in order to access backend services and had to enumerate a list of Network Security Group (NSG) rules to allow inbound and outbound traffic into the subnet in which API Management is deployed. Posting the JSON here for easy reference. Still testing this out, so let me know if I missed any ports. Two things to check before reusing it: the Allow_https_443 rule accepts 443 from any source (`*`), which you may want to narrow if the gateway is not meant to be public, and the DNS rule covers TCP 53 only, while DNS lookups are mostly UDP. Cheers!
{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "nsgname": { "type": "String", "metadata": { "description": "NSG Name" } }, "location": { "type": "string", "defaultValue":"[resourceGroup().location]", "metadata": { "description": "location value for all defined resources" } } }, "variables": {}, "resources": [ { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2019-11-01", "name": "[parameters('nsgname')]", "location": "[parameters('location')]", "properties": { "securityRules": [ { "name": "allow_In_mgmtendpoint_for_Azure", "properties": { "description": "Management endpoint for Azure portal and Powershell", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "3443", "sourceAddressPrefix": "ApiManagement", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 120, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_vnet_to_Azure_storage", "properties": { "description": "Dependency on Azure Storage", "protocol": "TCP", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Storage", "access": "Allow", "priority": 120, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [ "80", "443" ], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_out_to_aad", "properties": { "description": "Azure Active Directory (where applicable)", "protocol": "TCP", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "AzureActiveDirectory", "access": "Allow", "priority": 130, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [ "80", "443" ], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_out_to_Azure_SQL_endpoints", "properties": { 
"description": "Access to Azure SQL endpoints", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "1433", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Sql", "access": "Allow", "priority": 140, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_out_for_log_to_eventhub", "properties": { "description": "Dependency for Log to Event Hub policy and monitoring agent", "protocol": "TCP", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "EventHub", "access": "Allow", "priority": 150, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [ "5671", "5672", "443" ], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_out_for_azurefileshare_forGit", "properties": { "description": "Dependency on Azure File Share for GIT", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "445", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Storage", "access": "Allow", "priority": 160, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_out_to_publish_healthstatus_toresourcehealth", "properties": { "description": "Needed to publish Health status to Resource Health", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "1886", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Internet", "access": "Allow", "priority": 170, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_out_to_publish_diaglogs_metrics", "properties": { "description": "Publish Diagnostics Logs and Metrics", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "443", 
"sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "AzureMonitor", "access": "Allow", "priority": 180, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_out_to_connect_ot_smtp_relay", "properties": { "description": "Connect to SMTP Relay for sending e-mails", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "25", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Internet", "access": "Allow", "priority": 190, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_out_to_connect_to_smtp_relay_for_emails", "properties": { "description": "Connect to SMTP Relay for sending e-mails", "protocol": "TCP", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "Internet", "access": "Allow", "priority": 200, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [ "587", "25028" ], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_out_for_azurecache_for_redis_insatnces_between_roleinstances", "properties": { "description": "Access Azure Cache for Redis Instances between RoleInstances", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "6381-6383", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 210, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_in_for_azure_infra_LB", "properties": { "description": "Azure Infrastructure Load Balancer", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", 
"priority": 130, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow_in_access_azurecache_for_redis_instances_between_roleinstances", "properties": { "description": "Access Azure Cache for Redis Instances between RoleInstances", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "6381-6383", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 140, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "Allow_https_443", "properties": { "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "*", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 110, "direction": "Inbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } }, { "name": "allow-out_for_DNS", "properties": { "description": "Outbound for communication with DNS servers", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "53", "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 220, "direction": "Outbound", "sourcePortRanges": [], "destinationPortRanges": [], "sourceAddressPrefixes": [], "destinationAddressPrefixes": [] } } ] } } ] }