英文:
When to choose IP Whitelisting over VNet peering?
问题
使用VNet互连可以将两个或多个VNets连接在一起。然而,我注意到在我们的组织中,一些人使用网络安全组(NSG)在VNets之间设置IP地址白名单。关于这一点,是否有什么优势或最佳实践?
英文:
To connect two VNets or more together, VNet peering can be used. However, I noticed that in my organization, some are using NSGs to whitelist IP addresses between VNets. Is there an advantage or best practices regarding that?
答案1
得分: 1
IP地址白名单通常不建议使用,如果可以避免的话,应该遵循零信任模式。
根据您的限制和组织规则,您可能希望利用VNet Peering与集线器和分支拓扑(或者不使用),甚至VNet/区域间的私有链接用于PaaS(或者在负载均衡器后面的虚拟机),以确保流量通过Microsoft骨干网流动,而不是通过互联网,因为IP欺骗是一种常见攻击方式。
对于这类问题,我会始终参考Microsoft Well-Architected Framework。
英文:
Whitelisting IPs is usually not recommended when you can avoid doing so, following Zero Trust pattern.
Depending on your constraints and organization rules, you might want to leverage VNet Peering with a Hub-and-Spoke topology (or not) or even Private Link across VNets/regions for PaaS (or VMs behind a Load Balancer) to make sure traffic is flowing via the Microsoft backbone and not via the Internet, IP spoofing being a common attack.
I would always refer to the Microsoft Well-Architected Framework for such questions.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论