Azure – NSG: Block all outbount Internet traffic

azureazure-networkingnetworking

I understand the approach in the article "Step-by-Step: Automate Building Outbound Network Security Groups Rules via Azure Resource Manager (ARM) and PowerShell": Allow all internally used IP-subnets used by Azure and then block the outbound Internet traffic.

But I think this list of subnets is not static, today there are 437 subnets for West-Europe, which is near to the maximum of 500 NSG rules per NSG.

Resources like storage or Linux repositories use some of these subnets. They are not accessed with static IPs, there are Load Balancers deciding about the used service and its IP address. That's the reason to open all Azure subnets.

I have the requirement to block all traffic to "real Internet servers" and also make the needed internal services accessible.

Questions:

  1. When there are new subnets added and a Load Balancer decides to
    assign a service in this new subnet to my request, I will not be
    able to access it? This could result in a service degradation of
    my application. Is that correct?
  2. Are the newly announced "Service Endpoints" a solution for this problem?
  3. Is it planned to introduce another Default Tag usable in NSG rules
    in addition to "VirtualNetwork","AzureLoadBalancer" and
    "Internet" to address "External Internet" or "Azure Internal"?

Thanks in advance!

Links mentioned:

https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/

https://azure.microsoft.com/de-de/blog/announcing-virtual-network-integration-for-azure-storage-and-azure-sql/?cdn=disable

Best Answer

As you mention, the problem with blocking all traffic to the "internet" tag is that it also blocks access to Azure PaaS services. Previously the only way to deal with this was to allow access to the Azure IP ranges, but as you noted there are lots of these and they change reguarly, which is a pain. If a service you wants to access get's an IP that is not in the range your NSGs are programmed to allow outbound then yes, you will not be able to access it.

MS have started to address this issue through the use of service tags. These are tags similar to "Internet" that you can configure on an NSG rule, rather than having to specify the whole address ranges. There are some issues here, firstly the service is in preview, secondly it only encompasses storage and Azure SQL at the moment.

If SQL and Storage is all you need then you can go ahead and use these service tags to block access to "internet" and allow to "storage" and "SQL"

Related Topic