
Azure 防火墙 : Most common Azure Firewall Policy Rule Collection Rules


系统要求我使用最常用的网络规则和应用程序规则配置 Azure 防火墙策略规则集合。

我整理了以下配置，其中包含了我认为最常用的网络规则和应用程序规则。但我不确定是否遗漏了其他同样被视为"最常见"的规则，也不确定现有规则在安全上是否过于宽松？

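resource "azurerm_firewall_policy_rule_collection_group" "fwpolrcg" {
  name = "fwpolicy-rcg"
  # Referencing the policy id already creates the dependency; an explicit
  # depends_on on the same resource is redundant and was dropped.
  firewall_policy_id = azurerm_firewall_policy.fwpol.id
  priority           = 100

  # Azure Firewall evaluates rule types in a fixed order (DNAT -> network ->
  # application) regardless of collection priority; within one type the lowest
  # priority number is matched first. Traffic that matches no Allow rule is
  # dropped, so every rule below widens the default-deny posture.
  network_rule_collection {
    name     = "network_rule_collection1"
    priority = 100
    action   = "Allow"

    # RDP (TCP/UDP 3389) between the whole hub and spoke ranges, both ways.
    # NOTE(review): this is a broad lateral-movement path. Narrow the sources
    # to the bastion / jump-host subnet and drop whichever direction is not
    # actually needed (spoke -> hub RDP is rarely required).
    rule {
      name                  = "AllowHubToSpokeRDP"
      protocols             = ["TCP", "UDP"]
      source_addresses      = var.hub_firewall_ip_range
      destination_addresses = var.spoke_firewall_ip_range
      destination_ports     = ["3389"]
    }

    rule {
      name                  = "AllowSpokeToHubRDP"
      protocols             = ["TCP", "UDP"]
      source_addresses      = var.spoke_firewall_ip_range
      destination_addresses = var.hub_firewall_ip_range
      destination_ports     = ["3389"]
    }

    # HTTPS (TCP 443) between hub and spoke.
    rule {
      name                  = "AllowHubToSpokeHTTPS"
      protocols             = ["TCP"]
      source_addresses      = var.hub_firewall_ip_range
      destination_addresses = var.spoke_firewall_ip_range
      destination_ports     = ["443"]
    }

    rule {
      name                  = "AllowSpokeToHubHTTPS"
      protocols             = ["TCP"]
      source_addresses      = var.spoke_firewall_ip_range
      destination_addresses = var.hub_firewall_ip_range
      destination_ports     = ["443"]
    }

    # DNS (TCP/UDP 53). NOTE(review): DNS normally only flows spoke -> hub
    # resolver / firewall DNS proxy; keep hub -> spoke DNS only if the spokes
    # host resolvers.
    rule {
      name                  = "AllowHubToSpokeDNS"
      protocols             = ["TCP", "UDP"]
      source_addresses      = var.hub_firewall_ip_range
      destination_addresses = var.spoke_firewall_ip_range
      destination_ports     = ["53"]
    }

    rule {
      name                  = "AllowSpokeToHubDNS"
      protocols             = ["TCP", "UDP"]
      source_addresses      = var.spoke_firewall_ip_range
      destination_addresses = var.hub_firewall_ip_range
      destination_ports     = ["53"]
    }
  }

  application_rule_collection {
    name = "application_rule_collection1"
    # Collection priorities must be unique within a rule collection group and
    # the network collection above already uses 100.
    priority = 200
    action   = "Allow"

    # NOTE(review): every application rule below uses source "*", i.e. any
    # address that is routed through the firewall. Prefer scoping to the known
    # address space, e.g.
    #   source_addresses = concat(var.hub_firewall_ip_range, var.spoke_firewall_ip_range)
    # and add further prefixes explicitly as they appear.

    # Microsoft service FQDN tags. NOTE(review): the rule name undersells it -
    # AppServiceEnvironment, AzureKubernetesService, HDInsight and
    # WindowsVirtualDesktop open far more egress than Windows Update. Keep only
    # the tags for services that are actually deployed behind this firewall.
    rule {
      name             = "Windows Update"
      source_addresses = ["*"]
      fqdn_tags = [
        "AppServiceEnvironment",
        "AzureBackup",
        "AzureKubernetesService",
        "HDInsight",
        "MicrosoftActiveProtectionService",
        "WindowsDiagnostics",
        "WindowsUpdate",
        "WindowsVirtualDesktop",
      ]
    }

    # Azure management, identity and monitoring endpoints (AKS / Log Analytics
    # style egress). NOTE(review): these endpoints are HTTPS-only; the Http/80
    # protocol entry is not needed here and can be removed unless a
    # plaintext-only client is known.
    rule {
      name             = "AllowMicrosoftFqdns"
      source_addresses = ["*"]

      destination_fqdns = [
        "*.cdn.mscr.io",
        "mcr.microsoft.com",
        "*.data.mcr.microsoft.com",
        "management.azure.com",
        "login.microsoftonline.com",
        "acs-mirror.azureedge.net",
        "dc.services.visualstudio.com",
        "*.opinsights.azure.com",
        "*.oms.opinsights.azure.com",
        "*.microsoftonline.com",
        "*.monitoring.azure.com",
      ]

      protocols {
        port = "80"
        type = "Http"
      }

      protocols {
        port = "443"
        type = "Https"
      }
    }

    # Linux package repositories. Plain HTTP is legitimately used by apt/zypper
    # mirrors (packages are signature-verified by the package manager).
    # NOTE(review): ntp.ubuntu.com is NTP (UDP/123), which an HTTP/HTTPS
    # application rule never matches; it needs a network rule instead (FQDN
    # destinations in network rules require DNS proxy enabled on the policy).
    rule {
      name             = "AllowFqdnsForOsUpdates"
      source_addresses = ["*"]

      destination_fqdns = [
        "download.opensuse.org",
        "security.ubuntu.com",
        "ntp.ubuntu.com",
        "packages.microsoft.com",
        "snapcraft.io",
      ]

      protocols {
        port = "80"
        type = "Http"
      }

      protocols {
        port = "443"
        type = "Https"
      }
    }

    # Docker Hub image pulls.
    rule {
      name             = "AllowImagesFqdns"
      source_addresses = ["*"]

      destination_fqdns = [
        "auth.docker.io",
        "registry-1.docker.io",
        "production.cloudflare.docker.com",
      ]

      protocols {
        port = "80"
        type = "Http"
      }

      protocols {
        port = "443"
        type = "Https"
      }
    }

    # Catch-all for Azure endpoints. The original pattern "*.azure.*" used a
    # trailing wildcard, which Azure Firewall does not accept (only a leading
    # "*." label is supported) and which would also match unrelated domains.
    # NOTE(review): even "*.azure.com" is very broad and largely overlaps the
    # explicit endpoints in AllowMicrosoftFqdns; prefer listing the concrete
    # FQDNs you need and removing this rule.
    rule {
      name             = "AllowAzure"
      source_addresses = ["*"]

      destination_fqdns = [
        "*.azure.com",
      ]

      protocols {
        port = "80"
        type = "Http"
      }

      protocols {
        port = "443"
        type = "Https"
      }
    }

    # General web egress. In the original listing these two rules sat outside
    # the application_rule_collection block (after its closing brace), where a
    # bare `rule` block is not valid for this resource; they now live inside
    # the collection. NOTE(review): broad consumer domains such as
    # *.google.com are also common data-exfiltration channels; keep them only
    # if the workloads genuinely need them.
    rule {
      name             = "AllowBing"
      source_addresses = ["*"]

      destination_fqdns = [
        "*.bing.com",
      ]

      protocols {
        port = "80"
        type = "Http"
      }

      protocols {
        port = "443"
        type = "Https"
      }
    }

    rule {
      name             = "AllowGoogle"
      source_addresses = ["*"]

      destination_fqdns = [
        "*.google.com",
      ]

      protocols {
        port = "80"
        type = "Http"
      }

      protocols {
        port = "443"
        type = "Https"
      }
    }
  }
}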

最佳答案

我尝试在我的环境中重现相同的内容,以使用 Terraform 创建 Azure 防火墙策略规则收集规则:

Note: every `rule` block must be placed inside a rule collection (`network_rule_collection`, `application_rule_collection` or `nat_rule_collection`); a `rule` block directly under the resource is not valid. The collection's `action` (Allow / Deny / Dnat) applies to all rules in that collection, and collection priorities must be unique within the group.

请参阅文档：使用 Terraform 创建 Azure 防火墙策略规则集合组（azurerm_firewall_policy_rule_collection_group）。

Terraform 代码：

# azurerm provider; the (empty) features block is mandatory.
provider "azurerm" {
features {}
}
# Resource group that holds the example firewall policy (region hard-coded).
resource "azurerm_resource_group" "Thejesh" {
name = "Thejesh-resources"
location = "West Europe"
}

# Firewall policy the rule collection group below attaches to.
# NOTE(review): no sku, threat_intelligence_mode or dns block is set, so the
# provider defaults apply - confirm they match the intended posture (e.g. DNS
# proxy must be enabled for FQDN destinations in network rules).
resource "azurerm_firewall_policy" "example" {
name = "example-fwpolicy"
resource_group_name = azurerm_resource_group.Thejesh.name
location = azurerm_resource_group.Thejesh.location
}

# Example rule collection group showing one collection of each type.
# Each `rule` sits inside a collection; the collection's action applies to all
# of its rules, and the three collections use distinct priorities (500/400/300).
# Azure Firewall evaluates DNAT, then network, then application rules in that
# fixed order, and drops anything not matched by an Allow rule.
resource "azurerm_firewall_policy_rule_collection_group" "example" {
name = "example-fwpolicy-rcg"
firewall_policy_id = azurerm_firewall_policy.example.id
priority = 500
# Deny HTTP/HTTPS from 10.0.0.1 to the listed Microsoft FQDNs.
# NOTE(review): because the firewall is default-deny, an explicit Deny
# collection only has an effect when a lower-priority (higher number) Allow
# collection would otherwise match the same traffic.
application_rule_collection {
name = "app_rule_collection1"
priority = 500
action = "Deny"
rule {
name = "app_rule_collection1_rule1"
protocols {
type = "Http"
port = 80
}
protocols {
type = "Https"
port = 443
}
source_addresses = ["10.0.0.1"]
destination_fqdns = ["*.microsoft.com","*.cdn.mscr.io",
"mcr.microsoft.com",
"*.data.mcr.microsoft.com",
"management.azure.com",
"login.microsoftonline.com",
"acs-mirror.azureedge.net",
"dc.services.visualstudio.com",
"*.opinsights.azure.com",
"*.oms.opinsights.azure.com",
"*.microsoftonline.com",
"*.monitoring.azure.com",]
}
}

# Deny TCP/UDP from 10.0.0.1 to two hosts on port 80 and the 1000-2000 range.
network_rule_collection {
name = "network_rule_collection1"
priority = 400
action = "Deny"
rule {
name = "network_rule_collection1_rule1"
protocols = ["TCP", "UDP"]
source_addresses = ["10.0.0.1"]
destination_addresses = ["192.168.1.1", "192.168.1.2"]
destination_ports = ["80", "1000-2000"]
}
}

# DNAT 192.168.1.1:80 -> 192.168.0.1:8080 for the two listed sources.
# NOTE(review): in a real deployment destination_address must be a public IP
# attached to the firewall; the private address here is illustrative only.
nat_rule_collection {
name = "nat_rule_collection1"
priority = 300
action = "Dnat"
rule {
name = "nat_rule_collection1_rule1"
protocols = ["TCP", "UDP"]
source_addresses = ["10.0.0.1", "10.0.0.2"]
destination_address = "192.168.1.1"
destination_ports = ["80"]
translated_address = "192.168.0.1"
translated_port = "8080"
}
}
}

Terraform plan：

（原帖此处为截图，未随文转载）

Terraform apply：

（原帖此处为截图，未随文转载）

代码执行后，在 Azure 门户中可以看到创建出的防火墙策略资源：

（原帖此处为截图，未随文转载）

防火墙策略中的规则集合：

（原帖此处为截图，未随文转载）

Azure 防火墙中的应用程序规则:

（原帖此处为截图，未随文转载）

关于Azure 防火墙 : Most common Azure Firewall Policy Rule Collection Rules,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/75115475/
