Commit afd4963

author
gitName
committed
restored workspace integration rules
1 parent 34d2d38 commit afd4963

1 file changed

+19
-4
lines changed

articles/api-management/virtual-network-workspaces-resources.md

Lines changed: 19 additions & 4 deletions
@@ -63,18 +63,33 @@ For virtual network injection, the subnet needs to be delegated to the **Microso
6363
> [!NOTE]
6464
> You might need to register the `Microsoft.Web/hostingEnvironments` resource provider in the subscription so that you can delegate the subnet to the service.
6565
66-
---
67-
68-
6966
## Network security group
7067

68+
#### [Virtual network integration](#tab/external)
69+
7170
[!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
7271

72+
73+
#### [Virtual network injection](#tab/internal)
74+
75+
A network security group (NSG) must be associated with the subnet. To set up a network security group, see [Create a network security group](../articles/virtual-network/manage-network-security-group.md).
76+
77+
* Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
78+
* Configure other outbound rules you need for the gateway to reach your API backends.
79+
* Configure other NSG rules to meet your organization’s network access requirements. For example, NSG rules can also be used to block outbound traffic to the internet and allow access only to resources in your virtual network.
80+
81+
| Direction | Source | Source port ranges | Destination | Destination port ranges | Protocol | Action | Purpose |
82+
|-------|--------------|----------|---------|------------|-----------|-----|--------|
83+
| Inbound | AzureLoadBalancer | * | Workspace gateway subnet range | 80 | TCP | Allow | Allow internal health ping traffic |
84+
| Inbound | VirtualNetwork | * | Workspace gateway subnet range | 80,443 | TCP | Allow | Allow inbound traffic |
85+
| Outbound | VirtualNetwork | * | Storage | 443 | TCP | Allow | Dependency on Azure Storage |
86+
87+
---
88+
7389
> [!IMPORTANT]
7490
> * Inbound NSG rules do not apply when you integrate a workspace gateway in a virtual network for private outbound access. To enforce inbound NSG rules, use virtual network injection instead of integration.
7591
> * This differs from networking in the classic Premium tier, where inbound NSG rules are enforced in both external and internal virtual network injection modes. [Learn more](virtual-network-injection-resources.md)
7692
77-
7893
## DNS settings for virtual network injection
7994

8095
For virtual network injection, you have to manage your own DNS to enable inbound access to your workspace gateway.
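
Review bot: The relative link on added line 75, `../articles/virtual-network/manage-network-security-group.md`, resolves to `articles/articles/virtual-network/...` because this file lives in `articles/api-management/`. The path looks copied from an include, and `../virtual-network/manage-network-security-group.md` is likely what is intended here. Separately, in the added table the second inbound row allows 80 and 443 from the whole `VirtualNetwork` tag, which also covers peered and connected on-premises address space. Consider a sentence telling readers they can narrow the source to the client subnets that actually call the gateway, and drop port 80 if only HTTPS is used, since the [!IMPORTANT] note below presents injection as the mode where inbound NSG rules are enforced.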
