DEVHIDE
Login Or Sign up

Azure PostgreSQL Flexible Server Network Security Group Outbound Rules

650 Views Asked by At

We have an Azure PostgreSQL Flexible Server on a VNET subnet which we're trying to lock down as much as possible via NSG rules.

As per the Microsoft documentation we've added rules to cover the guidance given:

High availability Features of Azure Database for PostgreSQL - Flexible Server require ability to send\receive traffic to destination ports 5432, 6432 within Azure virtual network subnet where Azure Database for PostgreSQL - Flexible Server is deployed , as well as to Azure storage for log archival. If you create Network Security Groups (NSG) to deny traffic flow to or from your Azure Database for PostgreSQL - Flexible Server within the subnet where its deployed, please make sure to allow traffic to destination ports 5432 and 6432 within the subnet, and also to Azure storage by using service tag Azure Storage as a destination.

And we have added another rule to deny all other outbound traffic to lock things down further, but in the Network Watcher Flow Logs we're seeing blocked outbound traffic to port 443 from the PostgreSQL IP address.

The IP addresses being called are associated with Akamai and Microsoft when investigated, but we're a little puzzled what they may be doing and how to add relevant rules to cover this seemingly un-documented behaviour.

A sample of the outbound IP address calls being blocked:

  • 104.74.50.201
  • 23.0.237.118
  • 52.239.130.228

What are the best practices to lock things down but allow PostgreSQL to call out to what it needs to? Is there some more comprehensive documentation somewhere?

The outbound NSG rules: enter image description here

We understand that there's default rules in place, but we're trying to restrict traffic further to very specific resources.

postgresql azure vnet network-security-groups
Original Q&A
1

There are 1 best solutions below

0
Swarna Anipindi On

In my knowledge, recommended steps will be

  1. Create a new Priority rule to Deny all the traffic in Inbound and Outbound. On top we can create a new rule to allow traffic. enter image description here

  2. If applications that are deployed on subnets within the virtual network, allow only those subnet range on NSG inbound rule

Example: Deployed PostgresSQL with Vnet enter image description here

Address Space: 10.1.0.0/16 and Subnet range: 10.1.0.0/24 In Inbound always allow only specific port and Destination IP addresses enter image description here

  1. If application is consuming any load balancer / Cluster ip's we should allow only those IPs on outbound rules under destinationenter image description here

Related Questions in POSTGRESQL

Related Questions in AZURE

Related Questions in VNET

Related Questions in NETWORK-SECURITY-GROUPS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.