articles/app-service/environment/firewall-integration.md
19 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Learn how to integrate with Azure Firewall to secure outbound traff
4
4
author: ccompy
5
5
ms.assetid: 955a4d84-94ca-418d-aa79-b57a5eb8cb85
6
6
ms.topic: article
7
-
ms.date: 01/14/2020
7
+
ms.date: 01/24/2020
8
8
ms.author: ccompy
9
9
ms.custom: seodec18
10
10
@@ -37,10 +37,12 @@ The traffic to and from an ASE must abide by the following conventions
37
37
38
38
## Locking down inbound management traffic
39
39
40
-
If your ASE subnet does not already have an NSG assigned to it, create one. Within the NSG set the first rule to allow traffic from the Service Tag named AppServiceManagement on ports 454, 455. This is all that is required from public IPs to manage your ASE. The addresses that are behind that Service Tag are only used to administer the Azure App Service. The management traffic that flows through these connections is encrypted and secured with authentication certificates. Typical traffic on this channel includes things like customer initiated commands and health probes.
40
+
If your ASE subnet does not already have an NSG assigned to it, create one. Within the NSG, set the first rule to allow traffic from the Service Tag named AppServiceManagement on ports 454, 455. The rule to allow access from the AppServiceManagement tag is the only thing that is required from public IPs to manage your ASE. The addresses that are behind that Service Tag are only used to administer the Azure App Service. The management traffic that flows through these connections is encrypted and secured with authentication certificates. Typical traffic on this channel includes things like customer initiated commands and health probes.
41
41
42
42
ASEs that are made through the portal with a new subnet are made with an NSG that contains the allow rule for the AppServiceManagement tag.
43
43
44
+
Your ASE must also allow inbound requests from the Load Balancer tag on port 16001. The requests from the Load Balancer on port 16001 are keep alive checks between the Load Balancer and the ASE front ends. If port 16001 is blocked, your ASE will go unhealthy.
45
+
44
46
## Configuring Azure Firewall with your ASE
45
47
46
48
The steps to lock down egress from your existing ASE with Azure Firewall are:
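Review bot: the added paragraph at the end of the "Locking down inbound management traffic" section names the source only as "the Load Balancer tag"; the NSG service tag is called AzureLoadBalancer, so name it exactly, as the preceding paragraph does for AppServiceManagement, and say where the rule sits relative to the others. An NSG's default rules already allow inbound traffic from AzureLoadBalancer (the AllowAzureLoadBalancerInBound rule at priority 65001), so an explicit allow on port 16001 only matters when a custom deny rule with a lower priority number would otherwise block it; readers who add such a deny rule need to be told to place the port 16001 allow above it. Minor wording in the same hunk: "keep alive checks" should be "keep-alive checks", "customer initiated commands" should be "customer-initiated commands", "ports 454, 455" reads better as "ports 454 and 455", and "your ASE will go unhealthy" as "your ASE will become unhealthy".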
@@ -270,6 +272,21 @@ Linux is not available in US Gov regions and is thus not listed as an optional c
270
272
| Azure Storage |
271
273
| Azure Event Hub |
272
274
275
+
#### IP Address dependencies
276
+
277
+
| Endpoint | Details |
278
+
|----------| ----- |
279
+
|\*:123 | NTP clock check. Traffic is checked at multiple endpoints on port 123 |
280
+
|\*:12000 | This port is used for some system monitoring. If blocked, then some issues will be harder to triage but your ASE will continue to operate |
281
+
| 40.77.24.27:80 | Needed to monitor and alert on ASE problems |
282
+
| 40.77.24.27:443 | Needed to monitor and alert on ASE problems |
283
+
| 13.90.249.229:80 | Needed to monitor and alert on ASE problems |
284
+
| 13.90.249.229:443 | Needed to monitor and alert on ASE problems |
285
+
| 104.45.230.69:80 | Needed to monitor and alert on ASE problems |
286
+
| 104.45.230.69:443 | Needed to monitor and alert on ASE problems |
287
+
| 13.82.184.151:80 | Needed to monitor and alert on ASE problems |
288
+
| 13.82.184.151:443 | Needed to monitor and alert on ASE problems |
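Review bot: the rows for *:123 and *:12000 give no protocol, and for a wildcard destination the protocol and port are the only things a firewall rule can match on, so state it (NTP on port 123 is UDP; say whether 12000 is TCP or UDP) and note that these two entries need network rules rather than address-based entries, given that the heading calls the table "IP Address dependencies". The eight monitoring rows repeat the same Details text; collapsing them into one row per address that lists ports 80 and 443 (or one row listing all four addresses) would make the table easier to scan and to keep current. Since these are hard-coded public addresses that can change, consider adding a sentence above the table saying how readers will learn of updates.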