Feb 06 2024 07:52 AM
Hi,
I have been trying to read the documentation, but most likely I have used the wrong search terms. Does anybody know if the following kind of setup is possible on Azure?
The main idea behind this question is: if I have servers and want centralized FW control for the traffic coming in to or going out from these VMs, is this an option? Or if I assign a public IP to the VM, can it go out directly, skipping the centralized FW?
All the documents I have seen speak about assigning the public IP to the VMs, or having NATing, but with that we hit a problem when port ranges extend widely.
Feb 08 2024 05:39 AM
Feb 08 2024 12:08 PM
I may be wrong, but it seems to me that the idea here is to set up a traditional-style DMZ network, where the endpoints (the VMs in this case) have a public IP but there is a firewall in front to do IPS/IDS and block/allow ports where required.
As far as I know the scenario in the picture is not possible. There is no scenario, afaik, where you could have a public prefix and have a firewall in front and use that to route traffic to the subnet (DMZ) behind it, as you could in a traditional network.
That said, it all depends on what your needs are:
If either scenario is not what you are trying to accomplish, you may need to explain a little further 😉
Feb 09 2024 07:36 AM
It is well guessed by @_AndreG 🙂 I indeed thought to set up a kind of traditional DMZ solution on Azure. And thanks to @jmoriss7 as well for your reply.
No, we are not willing to give public IPs to the servers 🙂 We tried to use NATing with selected FW instances, but it did not work, as that requires an external load balancer, and that has limitations for the NATs.
Because of that I started to think whether I could associate the pIP with the host instead. So the question was following the traditional DMZ solution where the host has the public IP. Then the FW takes care of the traffic filtering.
I have also tried to see how I could control the associated public IPs on the hosts, but I have not been able to find that. But thanks for reminding me of the NSGs; I believe I need to take a deeper look at that. Even so, we aim to use already known FW instances (not Azure FW).
A load balancer would not work, as these are like WebRTC hosts and require direct connections.
Feb 09 2024 10:55 AM
@Petri-X I am still a little confused as to what is not working when using Azure FW DNAT. You could assign an Azure prefix to the Azure Firewall and use DNAT to forward traffic from a specific public IP to a specific host server. An example could be like the one described here: Azure Firewall NAT Behaviors - Microsoft Community Hub
If you do not want to use Azure Firewall but a third-party NVA, it gets, I think, a bit more complicated. In that scenario you would definitely need to use a (standard) load balancer, and the rules get a bit complicated from there. You can assign multiple public IPs to the LB, but you'd need to either create load balancing rules to different (backend) ports on the NVA (and DNAT from there again) or have an NVA solution with multiple NICs. That does not scale very well, depending on your needs.
Using a standard load balancer directly in front of a (group of) server(s) is an option, but that does have a minimum 4-minute idle timeout.
Using public IPs directly on the server is also an option, but afaik you cannot do much with regards to IDS/IPS. You can use flow logs and Network Watcher Traffic Analytics to create some insights, and potentially DDoS protection on the public IPs.
I have no experience with WebRTC so I can't be more specific 😞
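To make the Azure Firewall DNAT option above concrete, here is an added Bicep example (not code from the thread, the poster, or Microsoft's documentation). It puts a public IP on Azure Firewall, DNATs one port on that IP to a host in a DMZ subnet, and attaches a route table to the DMZ subnet so the hosts' default route goes through the firewall rather than straight out, which is the "centralized FW for in and out" the original question asks for. All names, address ranges, the host IP and the ports are assumptions; the firewall's private IP is assumed to be the first usable address of AzureFirewallSubnet.

```bicep
// Added illustration; names, prefixes, ports and IPs are assumed, not from the thread.
param location string = resourceGroup().location
param vnetName string = 'hub-vnet'
param dmzHostIp string = '10.0.1.4'    // assumed private IP of the WebRTC host
param fwPrivateIp string = '10.0.0.4'  // Azure Firewall takes the first usable IP in its subnet

// Default route for the DMZ subnet points at the firewall, so egress is
// centralized instead of leaving via a NIC-attached public IP.
resource dmzRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'dmz-rt'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-fw'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fwPrivateIp
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      // The subnet name AzureFirewallSubnet is mandatory for Azure Firewall.
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.0.0/26' } }
      {
        name: 'dmz'
        properties: { addressPrefix: '10.0.1.0/24', routeTable: { id: dmzRoutes.id } }
      }
    ]
  }
}

// Standard static public IP that fronts the DMZ host; the host itself has none.
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'hub-fw-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'hub-fw'
  location: location
  dependsOn: [ vnet ]
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'AzureFirewallSubnet') }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
    // Inbound: DNAT a single port on the firewall's public IP to the DMZ host.
    // Only a single port is shown; wide port ranges (the sticking point in the
    // thread) are not demonstrated here.
    natRuleCollections: [
      {
        name: 'dnat-dmz'
        properties: {
          priority: 100
          action: { type: 'Dnat' }
          rules: [
            {
              name: 'https-to-dmz-host'
              protocols: [ 'TCP' ]
              sourceAddresses: [ '*' ]
              destinationAddresses: [ fwPip.properties.ipAddress ]
              destinationPorts: [ '443' ]
              translatedAddress: dmzHostIp
              translatedPort: '443'
            }
          ]
        }
      }
    ]
    // Outbound: allow only what the DMZ needs; Azure Firewall denies the rest.
    networkRuleCollections: [
      {
        name: 'dmz-egress'
        properties: {
          priority: 200
          action: { type: 'Allow' }
          rules: [
            {
              name: 'dmz-https-out'
              protocols: [ 'TCP' ]
              sourceAddresses: [ '10.0.1.0/24' ]
              destinationAddresses: [ '*' ]
              destinationPorts: [ '443' ]
            }
          ]
        }
      }
    ]
  }
}
```

Two points a practitioner would check after deploying something like this: outbound traffic from the DMZ host leaves SNATed to the firewall's public IP, so the host never needs one, and the route table is what makes that hold; and a route table alone does not stop inbound traffic to a NIC that someone later gives a public IP, so an NSG on the DMZ subnet that only accepts inbound from AzureFirewallSubnet (or an Azure Policy denying public IP associations) is the complement to this template.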
Feb 10 2024 05:52 AM