英文:
Deployment of NSG for Application Gateway V2 fails
问题
我遇到部署网络安全组(Network Security Group,NSG)时遇到了一些问题,该安全组用于应用程序网关(Application Gateway,AG)所在的子网。在部署过程中,我遇到了以下错误:
网络安全组 nsg-acc-waf 阻止对子网 snet-acc-waf 上的端口 65200 - 65535 的入站互联网流量,该子网与应用程序网关 agw-acc 相关联。对于具有 V2 Sku 的应用程序网关,不允许这样做。
根据配置说明(https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#allow-access-to-a-few-source-ips)一切看起来都很正常。
这是我根据上述说明创建的 Bicep 代码,我的问题与 nsgRule110 相关:
资源 wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
名称: 'nsg-${environmentName}-waf'
位置: 位置
资源 nsgRule100 'securityRules' = {
名称: 'AllowPublicIPAddress'
属性: {
访问: 'Allow'
描述: '允许来自公共 IP 地址的流量。'
目标地址前缀: '*'
目标端口范围: '443'
方向: '入站'
优先级: 100
协议: 'Tcp'
源地址前缀: publicIpAddress
源端口范围: '*'
}
}
// 其他规则类似,这里只展示了一部分
...
}
我尝试过将 sourceAddressPrefix 设置为 'Internet' 和 ' * '(其中星号表示任何),详细信息在此处回答过:https://stackoverflow.com/questions/52674810/azure-app-gateway-v2-cannot-be-configured-with-nsg/52697957#52697957 和 https://stackoverflow.com/questions/53515857/add-nsg-to-application-gateway-subnet/53515905#53515905
我搞不清楚问题出在哪里。看起来只有在部署期间才会触发此验证规则。
我尝试手动添加规则,当与子网绑定时,这样做可以。还尝试过在部署时将 NSG 添加而不是直接绑定到子网,然后手动绑定似乎也可以。唯一不起作用的情况是当 NSG 已绑定到子网(被 AG 使用),然后再次部署时。
有人能帮忙解决这个问题吗?
英文:
I'm running into some trouble with deployment of a Network Security Group (NSG) for a subnet in which an Application Gateway (AG) is placed.
During deployment I get the following error (I removed the resource paths for readability):
> Network security group nsg-acc-waf blocks incoming internet traffic on ports 65200 - 65535 to subnet snet-acc-waf, associated with Application Gateway agw-acc. This is not permitted for Application Gateways that have V2 Sku.
All looks good according to the configuration instructions on https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#allow-access-to-a-few-source-ips
Here's the Bicep that I've created with above instructions and my question is regarding nsgRule110:
resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
name: 'nsg-${environmentName}-waf'
location: location
resource nsgRule100 'securityRules' = {
name: 'AllowPublicIPAddress'
properties: {
access: 'Allow'
description: 'Allow traffic from Public IP Address.'
destinationAddressPrefix: '*'
destinationPortRange: '443'
direction: 'Inbound'
priority: 100
protocol: 'Tcp'
sourceAddressPrefix: publicIpAddress
sourcePortRange: '*'
}
}
resource nsgRule101 'securityRules' = {
name: 'AllowInternetAccess'
properties: {
access: 'Allow'
description: 'Allow traffic from Internet on port 443.'
destinationAddressPrefix: '*'
destinationPortRange: '443'
direction: 'Inbound'
priority: 101
protocol: 'Tcp'
sourceAddressPrefix: 'Internet'
sourcePortRange: '*'
}
}
resource nsgRule110 'securityRules' = {
name: 'AllowGatewayManager'
properties: {
access: 'Allow'
description: 'Allow traffic from GatewayManager. This port range is required for Azure infrastructure communication.'
destinationAddressPrefix: '*'
destinationPortRange: '65200-65535'
direction: 'Inbound'
priority: 110
protocol: '*'
sourceAddressPrefix: 'GatewayManager'
sourcePortRange: '*'
}
}
resource nsgRule120 'securityRules' = {
name: 'AllowAzureLoadBalancer'
properties: {
access: 'Allow'
description: 'Allow traffic from AzureLoadBalancer.'
destinationAddressPrefix: '*'
destinationPortRange: '*'
direction: 'Inbound'
priority: 120
protocol: '*'
sourceAddressPrefix: 'AzureLoadBalancer'
sourcePortRange: '*'
}
}
resource nsgRule4096 'securityRules' = {
name: 'DenyAllInboundInternet'
properties: {
access: 'Deny'
description: 'Deny all traffic from Internet.'
destinationAddressPrefix: '*'
destinationPortRange: '*'
direction: 'Inbound'
priority: 4096
protocol: '*'
sourceAddressPrefix: 'Internet'
sourcePortRange: '*'
}
}
}
I've also tried setting sourceAddressPrefix: 'Internet' and sourceAddressPrefix: '*' (where the astrix is Any). Answered in: https://stackoverflow.com/questions/52674810/azure-app-gateway-v2-cannot-be-configured-with-nsg/52697957#52697957 and https://stackoverflow.com/questions/53515857/add-nsg-to-application-gateway-subnet/53515905#53515905
I can't figure out what's wrong with it. It looks like only during deployment this validation rule is triggered.
I've tried adding the rules manually, when bound to the subnet, and that works. Also adding the NSG without binding it directly to the subnet via deployment, but eventually binding it manually seems to work.
The only case it doesn't work is when the NSG is already bound to the subnet (used by the AG) and then (re-)deployed.
Is there anybody able to help me with this please?
答案1
得分: 0
I can provide the translated text for you:
根据显示的错误消息,NSG 正在阻止端口范围为 65200 - 65535 的入站互联网流量到子网 snet-acc-waf,该子网与应用程序网关 agw-acc 相关联。这就是为什么你遇到了这个阻止情况。
参考此文档以获取 应用程序网关基础设施配置。
由于你已经为 nsgrule110 指定了 'destinationPortRange: '65200-65535',它将不再阻止此范围内的端口。如果需要,你可以为其他网络规则添加相同的设置,如下所示。
resource nsgRule120 'securityRules' = {
name: ''
properties: {
access: 'Allow'
description: '允许流量'
destinationAddressPrefix: '*'
destinationPortRange: '65200-65535'
direction: 'Inbound'
priority: 120
protocol: '*'
sourceAddressPrefix: 'AzureLoadBalancer'
sourcePortRange: '*'
}
}
我在我的环境中尝试了与你相同的代码,成功运行,如下面的快照所示。
部署成功:
英文:
As error message shown, the NSG is blocking incoming internet traffic on ports 65200 - 65535 to subnet snet-acc-waf, which is associated with Application Gateway agw-acc. That is why you are getting this blocker.
Refer this document for Application gateway infrastructure configuration.
As you already specified the 'destinationPortRange: '65200-65535' for the nsgrule110, it will no longer block ports within this range. You can add the same for other network rules if needed as follows.
resource nsgRule120 'securityRules' = {
name: ''
properties: {
access: 'Allow'
description: 'Allow traffic'
destinationAddressPrefix: '*'
destinationPortRange: '65200-65535'
direction: 'Inbound'
priority: 120
protocol: '*'
sourceAddressPrefix: 'AzureLoadBalancer'
sourcePortRange: '*'
}
}
I tried the same code as yours in my environment and it worked successfully, as shown in the snapshot below.
Deployment succeeded:
答案2
得分: -1
以下是翻译的代码部分:
经过多次尝试和错误,我发现问题出在 Bicep 中。首先,我在 NSG 规则中使用了嵌套资源。但是 NSG 本身具有属性 securityRules,您也可以在其中添加这些 NSG 规则,但有一个区别;它会立即将 NSG 规则添加到 NSG。另一种方法,使用嵌套资源,将它们添加到部署期间(因此验证器认为它没有 GatewayManager 规则),这将触发验证规则。
所以下面是有效的代码示例 
resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
name: 'nsg-${environmentName}-waf'
location: location
properties: {
securityRules: [
{
name: 'AllowGatewayManager'
properties: {
access: 'Allow'
description: 'Allow traffic from GatewayManager. This port range is required for Azure infrastructure communication.'
destinationAddressPrefix: '*'
destinationPortRange: '65200-65535'
direction: 'Inbound'
priority: 100
protocol: '*'
sourceAddressPrefix: 'GatewayManager'
sourcePortRange: '*'
}
}
// 在这里添加其他 NSG 规则
]
}
}
英文:
After a lot of trial and error, I found the issue was in the Bicep. First, I was using nested resources for the NSG rules. But the NSG itself has a property securityRules where you can also add these NSG rules, but it has one difference; it will add the NSG rules immediately to the NSG. The other method, using the nested resource will add them later on during deployment (so the validator thinks it doesn't have the GatewayManager rule) and this will make the validation rule go off.
So here's a sample of the code that works
resource wafNsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
name: 'nsg-${environmentName}-waf'
location: location
properties: {
securityRules: [
{
name: 'AllowGatewayManager'
properties: {
access: 'Allow'
description: 'Allow traffic from GatewayManager. This port range is required for Azure infrastructure communication.'
destinationAddressPrefix: '*'
destinationPortRange: '65200-65535'
direction: 'Inbound'
priority: 100
protocol: '*'
sourceAddressPrefix: 'GatewayManager'
sourcePortRange: '*'
}
}
// put additional NSG rules here
]
}
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论