Network Security Groups in Everpure Cloud Dedicated
The network security groups are automatically created during the deployment and applied to the individual Everpure Cloud Dedicated network interfaces.
By default, there is no action needed by the user except to ensure outgoing internet access from the Everpure Cloud Dedicated System interface has been allowed; see the Internet access section in Azure Networking Requirements.
For users that wish to configure custom firewall rules or NSGs, below are the TCP ports numbers used for the different Everpure Cloud Dedicated interfaces
| Subnet/Network interface | Inbound | Outbound |
|---|---|---|
| System |
443 25, 587 (optional for outgoing SMTP communication) |
|
| Replication | 8117 - used by ActiveCluster, ActiveDR or async replication |
8117 443 (if using CloudSnap) |
| iSCSI | 3260 - used by iSCSI protocol | |
| NVMe-TCP | 4420, 8009 - used by NVMe-TCP | |
| Mgmt |
|
443 |
| Service Endpoint | Subnet | Inbound | Outbound |
|---|---|---|---|
| Azure LoadBalancer | Management | All ports from source Service Tag: AzureLoadBalancer
|
|
| Azure KeyVault | System | Port 443 to destination Service Tag: AzureKeyVault
|
|
| Azure Storage | System | Port 443 to destination Service Tag: Storage
|
|
| Azure CosmosDB (for version 6.8.1 and below) | System | Port 443 to destination Service Tag: AzureCosmosDB
|
How to Configure a Network Security Group rule
This example shows how to configure Outbound security rules. To configure Inbound security rules follow the same steps but select Inbound security rules under Settings.
To begin, open up the Network Security Group (NSG) in the Resource Group that Everpure Cloud Dedicated will be deployed in that has been created to control network traffic. Select Outbound security rules under Settings.
Click on the + Add button at the top.
Below the next screenshot shows details for each of the fields that need to be filled in for the Outbound security rule. Note that this process needs to be done a total of 3 times to create an outbound rule for each of the 3 Azure services required.
- Source: Set this to IP Addresses.
- Source IP Addresses/CIDR Range: Enter the subnet CIDR that you will use for the Everpure Cloud Dedicated System interface. Instructions on how to create this are shown earlier in this page.
- Destination: Select Service Tag from the drop down menu.
- Destination Service Tag: In this example we select the AzureCosmosDB tag. Note that this tag, the AzureResourceManager and AzureKeyVault tags each need to be defined in a unique outbound security rule.
- Service: Pick https from the drop-down menu.
- Action: Ensure this is set to Allow.
- Priority: Pick a unique value. Your existing NSG security rules will help dicate the priority selection made.
- Name: Provide a unique Outbound Rule name and optionally provide a description below.
- Click on the Add button to create the
rule.
The above process must be repeated 2 more times to create a total of 3 Outbound security rules. For the 2 additional rules, step 4 needs to include the AzureResourceManager and AzureKeyVault tags while fields 7 and 8 need to be unique values.
After the 3 outbound security rules have been created, review them to make certain they are correct.
Next, we need to associate the system subnet with the network security group if it hasn't previously been added.
To do so, click on the Subnets button on the NSG.
Next, click on the Associate button.
Select the VNet you will deploy Everpure Cloud Dedicated into and then the system subnet.
Confirm that the subnet has been successfully associated.