Firewall rule in ACR & Azure DevOps - azure-container-service

How to specify firewall rules in ACR when build & release pipelines are defined in Azure DevOps? Release pipeline (pull) may not have issue as the vnet of AKS service cidr can be allowed access in firewall rules but what about push that will go through build pipeline

The firewall of the ACR shows that when you enable it and allow the vnet to access the ACR. Then the resources in the vnet can access the ACR with the actions that pull and push the images and others. The IP address or the CIDR for the firewall means the IP address of the machine that you use to send the control requests.
For example, if you want to push the images to the ACR, and you also enable the firewall of the ACR, then you need to add the public IP of your local machine as the IP address of the ACR firewall rule.
When you use the Azure DevOps to create the tasks to control the ACR, I think you need to add the public IP of the Azure DevOps to the ACR firewall rule.

Related

How to prevent IP spoofing for Azure VMs?

I have an Azure web app which talks to the Azure VMs via Azure Load balancer. The VMs have NSG rules setup. The VMs are also being used by other servers/web apps. How do I prevent someone impersonating the IP and trying to get access to the VMs? Or how do I add another layer of security other than whitelisting the client IPs in the NSG of the VMs?
To secure Azure VMs, please try the following workarounds:
Make use of Azure Bastion, to securely connect to virtual machines from Azure Portal over TLS. If you are using Azure Bastion there is no need to create public IP on the Azure VM.
Try creating DDoS protection plan and enable it to your virtual network. DDoS protection plan is a paid service that offers enhanced DDoS mitigation capabilities.
Make use of Azure Firewall which filters IPs by denying traffic from known malicious IP addresses.
Enable all the above options in your virtual network like below:
Otherwise,
Make use of JIT (just-in-time) VM access that allows only legitimate users to access the VM when necessary by reducing the attack.
Try using VPN gateways which send encrypted traffic between Azure virtual networks. Please note that each virtual network can have only one VPN gateway.
For more information, please refer below links:
How to secure a Windows Server virtual machine in Azure (microsoft.com).
Best practices for defending Azure Virtual Machines - Microsoft Security Blog.

How do I remove Azure network security config rules that blocked RDP and all SQL Server access on Azure VM?

Azure network manager security configuration “NRMS-ZeroTrust...” created 54 inbound port rules on my Azure VM which closed my active RDP session and blocked all access to SQL Server.
Is anyone else having a similar issue with their Network Manager (preview)? A screen print of my Azure VM Networking and Vnet Network Manager is below although in preview it looks like stackOverflow has blacked out the rule information you need to see.
I have selected “leave preview” but this didn’t remove the rules.
I see the Remove and update Azure Virtual Network Manager Preview components checklist, but I have no idea what “undeploy the security admin configuration deployment” means as there is no link in the doc. Unlike all the other Azure VM Networking Inbound Port Rules, you can't drill into or delete the rules created by the ZeroTrust config. Creating a rule to explicitly allow the IP of my workstation is ignored.
• You can surely ‘undeploy the security admin configuration deployment’ that has been enabled by accessing the NSG (Network Security Group) of your VM. Also, as you stated that the ‘Zero Trust’ configuration deployed has blocked your access to the VM through RDP and to the SQL Server, it is as such blocked because the similar kind of rules have been configured on the Azure Network Manager with regards to the virtual network in which your VM is configured.
• Also, a security admin rule allows you to enforce security policy criteria that match the conditions set. You can only define security administrative rules for resources within the scope of the Azure Virtual Network Manager instance. These security rules have a higher priority than network security group (NSG) rules and will get evaluated before NSG rules. Also note that security admin rules don't change your NSG rules.
Security admin rules can be used to enforce security rules. For example, an administrator can deny all high-risk ports or protocol from the Internet with security admin rules because these security admin rules will be evaluated prior to all NSG rules as that have been done with you.
• Thus, to configure the security admin configuration to modify the Zero trust rules set for the network group of which your virtual network is a member, go to your VM’s NSG --> Under ‘Support + Troubleshooting’, select ‘Effective security rules’, in that check the name of the ‘Associated Azure Network Manager’ and select it, then select the ‘Configurations’ option under ‘Settings’, in that check the security configuration rule collection set and modify the rules or remove them from that collection set and save it. Once done, you should be able to access the VM over RDP and the SQL Server over its ports. In this way, you can modify the ‘Zero Trust’ network configuration rules for a VM.
Please find the below snapshot of the above said settings in my tenant: -
Please note that you need to have ‘Subscription Admin’ permissions to configure and modify the network manager settings. Also, refer to the below article for detailed configuration and deployment of Azure Virtual network Manager: -
https://virtualizationreview.com/articles/2021/11/03/azure-virtual-network-manager.aspx

Does Azure networking use anti-spoofing and not route packets with unrecognised source IP addresses?

I have a non-azure, non-Windows, non-microsoft site-to-site tunnel set up between an Azure cloud environment and an on-premise LAN; at the azure end, the proprietary (non-microsoft) S2S host sits behind an Azure load balancer.
The proprietary tunnel is route-based and as such, I'd like to route connections all the way from our on-premise network to various resources in Azure.
e.g.
OnPrem Server -> OnPremFw -> (tunnel) -> CloudFW -> LB -> vNET1 -> vNET2 -> VMtarget
When packets hit the CloudFW, they are being "Hidden NAT'd", so the source IP address is translated from its On-premise IP address to an IP address recognised by Azure as directly associated with an Azure subnet range. In this case, things work as expected.
However, if I turn off the H-NAT, so that packets carry their original on-prem source IP address in to Azure, then no matter what security or routing rules I apply, nothing works.
Is it plausible that Azure is passively dropping these packets, or is silently screening them out, something like address spoofing?
I can't find any Azure documentation confirming this, but the behaviour I am seeing strongly implies this must be the case. Could anyone confirm?
I would like to know if essentially, it isn't possible to use "non-Azure" IP addresses in Azure routing and security configurations.
thanks
The answer to this question is No.
It is possible to use non-Azure-defined IP addresses in Azure route table rules and in Azure nsg rules.

Add Peering Does Not Detect Gateway Subnet

Repro
1. Via Azure Portal Add Vnet
2. Go Back into VNet just created and add Gateway Subnet.
3. From within same VNet try to add Peering, select peer Vnet and check "Allow gateway transit" checkbox.
Results - "Neither vnet-xxx nor vnet-yyy has a gateway configured. The gateway transit setting requires there to be a gateway in one virtual network in the peering. Please unselect the gateway transit setting to continue, or navigate to one of the virtual networks and add a gateway."
I have many other VNets and peering setup in the same manner and they all work. Going into the vnet peering configuration I can see the same error message however the checkbox is checked and it works.
The UI for adding a peering appears to have changed since I have added a Vnet and peering as I have never seen this error message prior using the old configuration UI for a peering.
FWIW I am trying to create a Vnet to be used by an app service that will peer to a Vnet that I have my managed SQL connected.
As the error message indicates that you have to have a gateway configured in one of the peering VNets when enabling the gateway transit. Only adding Gateway Subnet is not the process, you have to deploy a VPN gateway in the VNet in this case.
If you want to use VNet integration(add VNet preview), No gateway is required to use it and web app and VNet must be in the same region. But it seems that you do not use gateway transit due to lack of gateway configured in this case. Document just states this,
If you are using peering with the regional VNet Integration, you do
not need to do any additional configuration.
It indicates that only existing VNet supports gateway transit currently. Not sure new VNet integration will support this feature in the future since it's still in preview. Additionally, you can get more details from another question about existing VNet integration and VNet peering I answered.

Access Azure SQL Database when connected to VNET via Client Gateway

I have an Azure Virtual network and I connect to the network using Point-to-point with the VPN client downloaded from Azure. This works as expected as I can now RDP to VMs in the VNet if required.
I also have an Azure SQL Server instance and in the firewall section I have added the VNet above to the Virtual networks rule list.
With my work laptop, I was now hoping that I would be able to connect to the VNet using the VPN client and then be able to access the SQL database using SSMS. However, when I try and connect I get a message telling me that I cannot access the server and instead need to add my client IP to the Firewall rule list, which is what I was trying to avoid doing.
Is there something else I need to be doing here to get this working?
Is there something else I need to be doing here to get this working?
If you just use an Azure SQL Database, which is a Paas in Azure, itself is not located inside a VNet. You can directly add the client Public IP in the firewall of Azure SQL Server. Whereas this is not your expectation. You need to make it inside a VNet, then you can do these followings.
If you are using a SQL Managed instance which located inside a VNet, want to access the Database instance from on-premises with a private address, you need to make a VPN connection or ExpressRoute connection between the on-premise and the Managed Instance VNet.
Now, you have a P2S VPN connection, you still need to make VNet peering with Gateway Transit between the P2S VNet with SQL instance VNet. Note: To use remote gateways or allow gateway transit, the peered virtual networks must be in the same region. To do so, make the following very specific changes under the Peering settings.
In the VNet that hosts the VPN gateway, go to Peerings, then to the
Managed Instance peered VNet connection, and then click Allow
Gateway Transit.
In the VNet that hosts the Managed Instance, go to Peerings, then to
the VPN Gateway peered VNet connection, and then click Use remote
gateways.
Once the peering complete, you can check the status on the Azure portal. You need to remove the VPN client and re-download it and re-install it on your laptop, this will make the route update on your client side.
If you've established on-premises to Azure connection successfully and you can't establish a connection to Managed Instance, check if your firewall has an open outbound connection on SQL port 1433 as well as 11000-12000 range of ports for redirection.
For more reference, you can read Connect your application to Azure SQL Database Managed Instance.