英文:
How to use Azure Firewall for ingress website traffic?
问题
在Azure上,我有一个运行在Windows虚拟机上的Web服务器,使用公共IP在IIS中运行一个网站,该公共IP用于我的域的DNS记录,我现在想要通过Azure防火墙对流向该网站的网络流量使用IDPS(入侵检测)。
我理解我必须以某种方式重新路由我的网络流量,使其通过Azure防火墙流动。
我的问题是,我是否需要更新我的域名上的DNS记录,将其指向Azure防火墙的公共IP地址,然后从那里路由到我的虚拟机?
或者...我是否根本不使用防火墙的公共IP,而是将防火墙置于所有流量的中间位置,使用路由表?
在DNS/域名的http流量背景下,推荐使用哪种Azure防火墙设置?
英文:
On Azure, I have a webserver (windows VM), that runs a website in IIS using a public IP that is used in my domain's DNS records, I now want to use IDPS (intrusion detection) for network traffic towards this website via Azure Firewall.
I understand that somehow I have to re-route my network traffic flow so that it flows through the Azure Firewall.
My question is, do I update my DNS records on my domain name to point to the public IP address of the Azure Firewall, and route it from there to my VM?
Or...do I not use the public IP of the firewall at all, and place the firewall 'in the middle' of all traffic using route tables?
What Azure Firewall setup is recommended in the context of http traffic from DNS/domainnames?
答案1
得分: 1
我创建了一个在IIS中运行网站的Web服务器,使用类似下面的公共IP地址:
我的问题是,我是否应该更新我的域名的DNS记录,以指向Azure防火墙的公共IP地址,然后从那里路由到我的虚拟机?
还是...我根本不使用防火墙的公共IP,而是将防火墙放在所有流量中间,使用路由表?
是的,您可以更新DNS记录,将其指向与您的Web服务器关联的公共IP地址,然后从那里路由到您的虚拟机。
您可以配置防火墙使用NAT规则来路由流量到您的Web服务器。这种方法允许您保留现有的DNS记录和IP地址。
通过这种配置,入站流量将直接传递到您的Web服务器。Azure防火墙将检查和过滤出站流量,提供入侵检测功能。
确保Azure防火墙规则已配置为允许适当的出站流量,并根据您的需求启用入侵检测功能。
此外,在路由表中配置默认路由将所有出站流量(0.0.0.0/0)定向到Azure防火墙的私有IP地址。
要详细了解,请查看以下参考资料:
Azure防火墙高级功能 | Microsoft Learn
Azure-docs/firewall/features · MicrosoftDocs/azure-docs· GitHub
英文:
I created webserver that runs a website in IIS using a public IP like below:
> My question is, do I update my DNS records on my domain name to point to the public IP address of the Azure Firewall, and route it from there to my VM?
>
> Or...do I not use the public IP of the firewall at all, and place the firewall 'in the middle' of all traffic using route tables?
Yes, you can update your DNS records to point to the public IP address associated with your web server and route it from there to your VM
you can configure the firewall to route traffic to your webserver using a NAT rule. This approach allows you to keep your existing DNS records and IP address.
With this configuration, inbound traffic will come directly to your web server. Azure Firewall will inspect and filter the outbound traffic, providing intrusion detection capabilities.
Ensure that the Azure Firewall rules are configured to permit appropriate outbound traffic and to enable the intrusion detection features based on your requirements.
Additionally, configuring default route in the route table directs all outbound traffic (0.0.0.0/0) to the private IP address of the Azure Firewall.
To know more in detail, check the below references:
Azure Firewall Premium features | Microsoft Learn
Azure-docs/firewall/features ·MicrosoftDocs/azure-docs· GitHub
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论