When to choose IP Whitelisting over VNet peering?

Question

To connect two VNets or more together, VNet peering can be used. However, I noticed that in my organization, some are using NSGs to whitelist IP addresses between VNets. Is there an advantage or best practices regarding that?

Answer 1

Score: 1

Whitelisting IPs is usually not recommended when you can avoid doing so, following a Zero Trust pattern.

Depending on your constraints and organization rules, you might want to leverage VNet Peering with a Hub-and-Spoke topology (or not) or even Private Link across VNets/regions for PaaS (or VMs behind a Load Balancer) to make sure traffic is flowing via the Microsoft backbone and not via the Internet, IP spoofing being a common attack.

I would always refer to the Microsoft Well-Architected Framework for such questions.
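The two designs this answer contrasts, written out as an added Bicep example that is not the answerer's code: first the pattern from the question (an NSG rule that allow-lists the other network's address, with no private path between the VNets), then the recommended one (VNet peering, an NSG scoped to the peered topology through the VirtualNetwork service tag, and a private endpoint for a PaaS service). Every resource name, address range and the two id parameters are constructed for the illustration.

```bicep
// Added illustration, not the answerer's code. Every name, address range and
// resource id below is constructed; a real deployment would parameterise them.
param location string = resourceGroup().location
param clientVnetId string // constructed: id of the other VNet (deployed elsewhere)
param storageAccountId string // constructed: a PaaS resource to reach via Private Link

// --- Pattern the question describes: an NSG that allow-lists the other VNet's
// egress IP with no private path between the VNets. Whatever this admits has
// crossed the Internet and is trusted on its claimed source address alone.
resource nsgAllowlistOnly 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-allowlist-only'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-other-vnet-by-public-ip'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '203.0.113.10/32' // constructed egress IP of the other VNet
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
    ]
  }
}

// --- Pattern the answer recommends: peer the VNets so traffic stays on the
// Microsoft backbone, scope the NSG to the peered topology, and reach PaaS
// through a private endpoint instead of its public address.
resource vnetApp 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [ { name: 'snet-app', properties: { addressPrefix: '10.1.1.0/24', networkSecurityGroup: { id: nsgPeered.id } } } ]
  }
}

// Peering from this side; the client VNet's deployment declares the mirror peering.
resource peerAppToClient 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: vnetApp
  name: 'peer-app-to-client'
  properties: { remoteVirtualNetwork: { id: clientVnetId }, allowVirtualNetworkAccess: true, allowForwardedTraffic: false }
}

// The VirtualNetwork service tag expands to the local address space plus peered
// VNets, so the allow rule follows the topology instead of a hand-kept IP list.
// The explicit deny at the lowest priority overrides the default AllowVnetInBound
// rule, so only TCP/443 from peered networks is admitted.
resource nsgPeered 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-peered'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-https-from-peered-vnets'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-all-other-inbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// PaaS over Private Link: the storage account gets a private IP in snet-app, so
// clients in either peered VNet reach it without leaving the backbone.
resource peStorage 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-storage'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetApp.name, 'snet-app') }
    privateLinkServiceConnections: [ { name: 'storage-blob', properties: { privateLinkServiceId: storageAccountId, groupIds: [ 'blob' ] } } ]
  }
}
```

Two things to check before reusing this shape: the explicit `deny-all-other-inbound` rule sits above the default `AllowAzureLoadBalancerInBound` rule as well, so a subnet behind an Azure Load Balancer needs an extra allow for the `AzureLoadBalancer` service tag or health probes will fail; and a peering only reaches the Connected state once both VNets declare their side, so the `clientVnetId` deployment must carry the mirror peering resource.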

huangapple
  • Posted on March 15, 2023 at 20:04:39
  • Please keep this link when reprinting: https://go.coder-hub.com/75744458.html