The details of what I am trying to do are in the diagram below.
The client can only connect to VM1 and VM2 through a Standard Azure Load Balancer on port X; it must not be able to connect directly to the VM IP addresses.
We have a rule on the LB that passes traffic on port X to the backend pool, which consists of VM1 and VM2.
Session persistence is set to Client IP.
This rule has no health probe.
Windows Firewall on the VMs is disabled.
NSG rule setups tried so far:
Scenario 1
netcat exposing port X on VM1 and VM2
NSG rule allowing traffic from Client IP to Load Balancer IP
DENY all inbound
From Client
telnet 10.100.23.4 X - Connection Failed
telnet 10.100.23.5 X - Connection Failed
telnet 10.100.23.6 X - Connection Failed
Scenario 2
netcat exposing port X on VM1 and VM2
NSG rule allowing traffic from Client IP to Load Balancer IP on port X
NSG rule allowing traffic from Internal LB IP to entire subnet on all ports
DENY all inbound
From Client
telnet 10.100.23.4 X - Connection Failed
telnet 10.100.23.5 X - Connection Failed
telnet 10.100.23.6 X - Connection Failed
Scenario 3
netcat exposing port X on VM1 and VM2
NSG rule allowing traffic from Client IP to Load Balancer IP on port X
NSG rule allowing traffic from Internal LB IP to entire subnet on all ports
NSG rule allowing traffic from Client IP to VM1 and VM2 IP
DENY all inbound
From Client
telnet 10.100.23.4 X - Connection Succeeded
telnet 10.100.23.5 X - Connection Succeeded
telnet 10.100.23.6 X - Connection Succeeded
Does anyone know a combination of NSG rules I can use to deny direct access from the client to VM1 and VM2 while still allowing traffic through the LB to the VMs?
I feel I am missing a trick here, since this seems like standard practice from a security point of view.
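Editor's added example, not part of the original post: the rule sets from the three scenarios written out with the Az PowerShell module, so the priorities and prefixes can be compared side by side. One point the results above are consistent with, and which a practitioner checking this setup should keep in mind: Azure Load Balancer is a pass-through service that rewrites only the destination address (to the backend VM's IP) and keeps the client's source IP, so the packet the backend NIC's NSG evaluates is client IP -> VM IP on port X. A rule whose destination is the LB frontend IP (Scenarios 1 and 2) therefore never matches at the NIC, while the rule that does match (Scenario 3) looks the same whether the client came through the LB or connected to the VM directly. The resource group, region, NSG and NIC names, the client address, the value of port X, and which 10.100.23.x address is the LB frontend versus the VMs are assumptions chosen for illustration; the post does not state them. An authenticated Az session (Connect-AzAccount) is assumed.

```powershell
# Added example (not from the original post). Assumed names and addresses; adjust to
# your environment before running.
$rg       = 'rg-lb-demo'                      # assumed resource group
$location = 'westeurope'                      # assumed region
$nsgName  = 'nsg-backend'                     # assumed NSG for the backend NICs/subnet
$clientIp = '203.0.113.10'                    # assumed client address (documentation range)
$lbIp     = '10.100.23.4'                     # assumed internal LB frontend IP
$vmIps    = @('10.100.23.5', '10.100.23.6')   # assumed VM1 / VM2 NIC IPs
$portX    = '8443'                            # assumed value of "port X"

$rules = @(
  # Scenario 1/2 rule: destination is the LB frontend. The backend NIC never sees this
  # destination, because the LB rewrites it to the VM IP and keeps the client source IP,
  # so this rule cannot match at the NIC (consistent with the "Connection Failed" results).
  New-AzNetworkSecurityRuleConfig -Name 'allow-client-to-lb-frontend' -Priority 100 `
      -Direction Inbound -Access Allow -Protocol Tcp `
      -SourceAddressPrefix $clientIp -SourcePortRange '*' `
      -DestinationAddressPrefix $lbIp -DestinationPortRange $portX

  # Scenario 2 rule: traffic "from" the LB frontend IP. Forwarded traffic does not carry
  # the frontend IP as its source, so this does not match either.
  New-AzNetworkSecurityRuleConfig -Name 'allow-lb-frontend-to-subnet' -Priority 110 `
      -Direction Inbound -Access Allow -Protocol '*' `
      -SourceAddressPrefix $lbIp -SourcePortRange '*' `
      -DestinationAddressPrefix '10.100.23.0/24' -DestinationPortRange '*'

  # Scenario 3 rule: the one that actually matches at the NIC. Note that it admits the
  # same 5-tuple whether the client arrived via the LB or connected to the VM directly.
  New-AzNetworkSecurityRuleConfig -Name 'allow-client-to-vms' -Priority 120 `
      -Direction Inbound -Access Allow -Protocol Tcp `
      -SourceAddressPrefix $clientIp -SourcePortRange '*' `
      -DestinationAddressPrefix $vmIps -DestinationPortRange $portX

  # Health probes come from the AzureLoadBalancer service tag (168.63.129.16), not from
  # the frontend IP. The post's rule has no probe; this is what you need once one is added,
  # because the explicit deny below overrides the default AllowAzureLoadBalancerInBound.
  New-AzNetworkSecurityRuleConfig -Name 'allow-lb-health-probes' -Priority 130 `
      -Direction Inbound -Access Allow -Protocol '*' `
      -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
      -DestinationAddressPrefix '*' -DestinationPortRange '*'

  # Explicit deny-all inbound, placed above the default rules (priority 65000+) so the
  # default AllowVnetInBound no longer admits east-west traffic.
  New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Priority 4000 `
      -Direction Inbound -Access Deny -Protocol '*' `
      -SourceAddressPrefix '*' -SourcePortRange '*' `
      -DestinationAddressPrefix '*' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
           -Name $nsgName -SecurityRules $rules

# Check what the NIC actually evaluates: the effective rules list shows the merged
# NIC + subnet NSG rules, which is what the telnet tests in the post are hitting.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'vm1-nic' -ResourceGroupName $rg
```

The first two rules are included only to make the comparison concrete; in a real deployment they are dead rules. The effective-NSG query at the end is the quickest way to confirm which rule a given client IP, VM IP and port will hit before repeating the telnet matrix.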