Is there any way to allow-list inbound from domain name instead of IP address on my azure virtual machine? - TagMerge

Is there any way to allow-list inbound from domain name instead of IP address on my azure virtual machine?

Asked 5 months ago
0
3 answers

If you mean if this is possible for Network Security Groups - No, it is not. NSGs do not have such a functionality.

But if you are looking for a solution, you could probably automate this by using an Azure function/Automation Runbook

Let the Function/Runbook do an NSLOOKUP and then have the function update the NSG with the IP it gets from that result. Note that I use the word UPDATE and not add. :)

EDIT: Going forward with Runbooks, as it is a bit smaller of a step for things to (want to) understand: https://azure.microsoft.com/nl-nl/blog/azure-automation-runbook-management/

When you create the Automation Account, create it with a system identity. After it is created, it will provide you with two default runbooks which already contain some code. The sample code provides you with the way to authenticate from the runbook against Azure. So you can leave the first bit in the Runbook.

Then add whatever code you need below, example:

#Example from here: https://tom-henderson.github.io/2016/09/14/azure-runbooks
$uri = '<DNS_ADDRESS_HERE>'
#GetHostByName is obsolete; GetHostEntry returns the same AddressList. Keep the first IPv4 address only.
$ipaddress = ([system.net.dns]::GetHostEntry($uri).AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1).IPAddressToString

#Now you need to grab the NSG which is providing whitelisting for your Azure Virtual Machine: https://docs.microsoft.com/en-us/powershell/module/az.network/get-aznetworksecuritygroup?view=azps-6.6.0
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName '<RG_NAME_HERE>' -Name '<NSG_NAME_HERE>'

#Then update one of the rules: https://docs.microsoft.com/en-us/powershell/module/az.network/set-aznetworksecurityruleconfig?view=azps-6.6.0
#Set-AzNetworkSecurityRuleConfig replaces the whole rule, so carry the existing values over and change only the source prefix
$rule = Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name '<RULE_NAME_HERE>'
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name -Access $rule.Access -Protocol $rule.Protocol -Direction $rule.Direction -Priority $rule.Priority -SourceAddressPrefix $ipaddress -SourcePortRange $rule.SourcePortRange -DestinationAddressPrefix $rule.DestinationAddressPrefix -DestinationPortRange $rule.DestinationPortRange | Out-Null
#Nothing is saved until the NSG object is written back
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
#I think with those two example pages you should get what you are looking for.

After you got the runbook working like you need it to, you put a schedule on it to run whenever or how often you want.

Now you should also give the identity your runbook has permissions to update the NSG, because otherwise it will just tell you it has insufficient permissions. Personally I prefer to make custom roles, so I can limit the permissions to what they need to be. In your case it might be easier to simply do:

  • Open the Automation Account in your resource group
  • Scroll down to Identity
  • Click on Azure role assignments
  • Select Contributor
  • Click the Add role assignment button
  • For scope select resource group, for role select Contributor; the rest should already be auto-filled.

Create the role assignment. And you're done.

If you are concerned about permissions, I suggest you read up on RBAC, Azure Resource Provider Operations (not to be confused with Azure AD roles), custom role definitions, and role assignments.

Source: link
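An added example (not the answer's own code, nor code from the linked blog) of the scheduled runbook body described above: it resolves the name to all of its current IPv4 addresses, rewrites one existing inbound rule's source prefixes only when that set has changed, and leaves the rule untouched if DNS resolution fails. It assumes the Az.Network module, an Automation Account with a system-assigned identity, and that the placeholder resource group, NSG, rule and host names are filled in.

```powershell
param(
    [string]$ResourceGroupName = '<RG_NAME_HERE>',
    [string]$NsgName           = '<NSG_NAME_HERE>',
    [string]$RuleName          = '<RULE_NAME_HERE>',
    [string]$HostName          = '<DNS_ADDRESS_HERE>'
)

# Resolve to IPv4 only and return a sorted, de-duplicated list. A failed lookup throws,
# so the rule is never rewritten on a transient DNS failure.
function Get-ResolvedIPv4 {
    param([string]$Name)
    $addresses = [System.Net.Dns]::GetHostEntry($Name).AddressList |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString } | Sort-Object -Unique
    if (-not $addresses) { throw "No IPv4 address for $Name; leaving NSG rule unchanged" }
    return @($addresses)
}

# Runbook login with the Automation Account's system-assigned identity (assumed to be enabled).
Connect-AzAccount -Identity | Out-Null

$desired = Get-ResolvedIPv4 -Name $HostName
$nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
$rule    = Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $RuleName
$current = @($rule.SourceAddressPrefix | Sort-Object -Unique)

# Both lists are sorted, so a joined-string comparison is a set comparison; skip the write
# when nothing changed (idempotent, and no needless NSG updates in the activity log).
if (($current -join ',') -eq ($desired -join ',')) {
    Write-Output "Rule '$RuleName' already has source [$($desired -join ', ')]; nothing to do"
    return
}

# Set-AzNetworkSecurityRuleConfig replaces the rule, so carry every existing field over and
# change only the source prefixes; Set-AzNetworkSecurityGroup persists the change.
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name `
    -Access $rule.Access -Protocol $rule.Protocol -Direction $rule.Direction `
    -Priority $rule.Priority -SourceAddressPrefix $desired `
    -SourcePortRange $rule.SourcePortRange `
    -DestinationAddressPrefix $rule.DestinationAddressPrefix `
    -DestinationPortRange $rule.DestinationPortRange | Out-Null
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
Write-Output "Rule '$RuleName' source changed from [$($current -join ', ')] to [$($desired -join ', ')]"
```

The identity still needs a role that permits Microsoft.Network/networkSecurityGroups/write on the NSG, as the answer describes; the script only narrows what it touches, not what it is allowed to touch.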

0

The following section includes the most common domain URLs to support sign in and licensing connections.
Azure DevOps uses Content Delivery Networks (CDNs) to serve static content. Users in China should also add the following domain URLs to an allowlist:
https://*.vsassetscdn.azure.cn
https://*.gallerycdn.azure.cn
Ensure the following domain URLs are allowed for Azure Artifacts:
https://*.blob.core.windows.net
https://*.visualstudio.com
Ensure the following domain URLs are allowed for NuGet connections:
https://azurewebsites.net
https://nuget.org
If you need to connect to Git repositories on Azure DevOps with SSH, allow requests to port 22 for the following hosts:
ssh.dev.azure.com
vs-ssh.visualstudio.com

Source: link

0

@echo off
@echo Installing "IPv4 Address and Domain Restrictions" feature 
powershell -ExecutionPolicy Unrestricted -command "Install-WindowsFeature Web-IP-Security"
@echo Unlocking configuration for "IPv4 Address and Domain Restrictions" feature 
%windir%\system32\inetsrv\AppCmd.exe unlock config -section:system.webServer/security/ipSecurity
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="BlogSpecificIP" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2015-04.2.6">
  <WebRole name="WebRole1" vmsize="Standard_D1_v2">    
    <Startup>
      <Task commandLine="startup.cmd" executionContext="elevated" />
    </Startup>
  </WebRole>
</ServiceDefinition>
<!-- web.config: block specific addresses, everything else is allowed (allowUnlisted defaults to true) -->
<system.webServer>
  <security>
    <!--Unlisted IP addresses are granted access-->
    <ipSecurity allowUnlisted="true">
      <!--The following IP addresses are denied access-->
      <add allowed="false" ipAddress="denied IP address" subnetMask="related subnetMask" />
    </ipSecurity>
  </security>
</system.webServer>

<!-- web.config: allow-list, only the listed addresses get in -->
<system.webServer>
  <security>
    <!--Unlisted IP addresses are denied access-->
    <ipSecurity allowUnlisted="false">
      <!--The following IP addresses are allowed access-->
      <add allowed="true" ipAddress="allowed IP address" subnetMask="related subnetMask" />
    </ipSecurity>
  </security>
</system.webServer>
<ServiceDefinition name="Blogfirewallblock" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2015-04.2.6">
  <WebRole name="WebRole1" vmsize="Standard_D1_v2">   
    <Startup>
      <Task commandLine="BlockIP.cmd" executionContext="elevated" taskType="simple" />
    </Startup>
  </WebRole>
</ServiceDefinition>

Source: link
