EDIT: This question was originally asked during the legacy ASM days. Things are significantly different and the introduction of Network Security Groups makes this trivial to implement in a modern Azure environment.
I have a three-tier application running in Azure VMs.
This application has two back-end tiers and a web tier. This is split up into three cloud services – one for each tier.
The two back-end tiers use Azure Internal Load Balancing.
The web-tier only needs to communicate to the back-end on port 443.
Is it feasible to create a second VNet and use VNet-to-VNet connectivity for the front-end servers and put an ACL on it, so that it can only communicate with the back-end servers over 443? If so, where do I configure this ACL? Under no circumstances should the back-end servers be exposed to the Internet directly.
Best Answer
Edit:
This is not possible. See this: Currently, you can specify network ACLs for endpoints only. You can’t specify an ACL for a virtual network or a specific subnet contained in a virtual network. Also, the Virtual Network Security Whitepaper might be useful.
Have a look here
Basically, yes, you can have your front-end server in one VNet, and your back-end server in another, and then restrict the access to the back-end using ACLs.
What you cannot do is restrict communication between the back-end servers using ACLs if they are in the same VNet. You need Windows Firewall or other measures for that.
To configure this, once you have your back-end servers in a VNet, use the "Endpoints" configuration of the back-end servers and add your HTTPS/443 endpoint. Then, still on this endpoint, click "MANAGE ACL" on the bottom. Now, PERMIT your front-end network or just the /32 IP address(es), and DENY everything else (0.0.0.0/0). See the guide for more details.
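As an added illustration, not part of the original question or answer, the Python below models the ordered, first-match evaluation of an endpoint ACL like the one described above: permit the web tier's address range on TCP/443, then deny 0.0.0.0/0. The web-tier range 10.1.0.0/24, the Internet address 203.0.113.5 and the rule names are constructed sample values; first-match ordering and the default-deny fallback are modelling assumptions, not a statement of Azure's exact behaviour. The shadowed_rules check is a generic audit that flags the classic mis-ordering, a deny-all listed before the permit, which silently blocks the web tier as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry; the list is evaluated top to bottom and the first match wins."""
    action: str                 # "permit" or "deny"
    source: str                 # source CIDR, e.g. "10.1.0.0/24" or "0.0.0.0/0"
    protocol: str = "tcp"       # "tcp", "udp" or "*" for any
    dst_port: Optional[int] = None  # None means any destination port
    name: str = ""


def _matches(rule: Rule, src_ip: str, protocol: str, dst_port: int) -> bool:
    """True when a packet (src_ip, protocol, dst_port) falls within the rule."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source, strict=False):
        return False
    if rule.protocol != "*" and rule.protocol != protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    return True


def evaluate(rules: List[Rule], src_ip: str, protocol: str, dst_port: int,
             default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default (assumed: deny)."""
    for rule in rules:
        if _matches(rule, src_ip, protocol, dst_port):
            return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier, broader rule always wins.

    A rule is shadowed when some earlier rule covers a superset of its source
    network, its protocol (or any) and its port (or any).
    """
    shadowed = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.source, strict=False)
        for earlier in rules[:i]:
            earlier_net = ipaddress.ip_network(earlier.source, strict=False)
            covers_net = later_net.subnet_of(earlier_net)
            covers_proto = earlier.protocol in ("*", later.protocol)
            covers_port = earlier.dst_port is None or earlier.dst_port == later.dst_port
            if covers_net and covers_proto and covers_port:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample values: the front-end VNet range and an arbitrary Internet host.
WEB_TIER_SUBNET = "10.1.0.0/24"
INTERNET_HOST = "203.0.113.5"

# The ACL the answer describes: permit the web tier on 443, deny everything else.
BACKEND_ACL = [
    Rule("permit", WEB_TIER_SUBNET, "tcp", 443, "web-tier-https"),
    Rule("deny", "0.0.0.0/0", "*", None, "deny-all"),
]

# The same two rules in the wrong order: deny-all now shadows the permit.
WRONG_ORDER_ACL = list(reversed(BACKEND_ACL))


if __name__ == "__main__":
    for label, acl in (("correct order", BACKEND_ACL), ("wrong order", WRONG_ORDER_ACL)):
        print(f"[{label}] web tier -> 443: {evaluate(acl, '10.1.0.7', 'tcp', 443)}")
        print(f"[{label}] web tier -> 80:  {evaluate(acl, '10.1.0.7', 'tcp', 80)}")
        print(f"[{label}] Internet -> 443: {evaluate(acl, INTERNET_HOST, 'tcp', 443)}")
        print(f"[{label}] shadowed rules:  {shadowed_rules(acl)}")
```

Running it prints that only the web tier on TCP/443 is permitted by the correctly ordered list, while the reversed list denies everything and reports the permit rule as shadowed; the same audit applies unchanged to priority-ordered NSG rules once they are sorted by priority.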