This article provides guidelines if you're using Azure Firewall with an Azure Managed Lustre file system. A common architecture is to use hub virtual networks for the firewall and spoke virtual networks for services like Managed Lustre. In most scenarios, a spoke should be peered only to a single hub network. The peered hub network should be in the same region as the spoke. For more information about this architecture, see Hub-spoke network topology in Azure.
Azure Firewall is a cloud-native, intelligent network firewall security service that offers top-tier threat protection for your Azure cloud workloads. It's a fully stateful firewall as a service (FWaaS), featuring built-in high availability and unlimited cloud scalability. For more information, see Azure Firewall.
Prerequisites
- A virtual network with a subnet configured for Managed Lustre support. To learn more, see Networking prerequisites.
- An instance of Azure Firewall. If you don't have Azure Firewall, see Deploy and configure Azure Firewall Basic and policy in the Azure portal.
Add Azure Firewall policy rule sets
An Azure Firewall policy is a top-level resource that contains security and operational settings for Azure Firewall. You can use an Azure Firewall policy to manage rule sets that Azure Firewall uses to filter traffic. The policy organizes, prioritizes, and processes rule sets based on a hierarchy that has the following components: rule collection groups, rule collections, and rules. For more information, see Azure Firewall policy rule sets.
If you don't have a rule collection group, create one. For more information, see Rule collection groups.
Add application rules
Application rules allow Managed Lustre to access essential services. For Microsoft fully qualified domain names (FQDNs), essential services include Azure Blob Storage, metrics, diagnostics, and health monitoring. Non-Microsoft FQDNs allow access to operating system security updates, security scanners, and Azure Load Balancer.
To create an application rule collection:
In your firewall policy, under Rules, select Application rules.
Select Add a rule collection.
Enter a name for the rule collection. For example, use LustreApplicationRules.
For Rule collection type, use Application. Then enter a priority value, such as 200.
For Rule collection action, use Allow. For Rule collection group, use DefaultApplicationRuleCollectionGroup.
In the Rules section, add two rules:
| Name | Source type | Source | Protocol | Destination type | Destination |
|---|---|---|---|---|---|
| AllowMicrosoftFQDNs | IP address | Managed-Lustre-subnet | http:80,https:443 | FQDN | \*.azure.com, \*.windows.com, \*.windows.net, \*.microsoft.com, \*.azure.net |
| AllowNonMicrosoftFQDNs | IP address | Managed-Lustre-subnet | http:80,https:443 | FQDN | \*.archive.ubuntu.com, \*.cvd.clamav.net, \*.trafficmanager.net |

Select Add.
Add network rules
Next, add three rules.
- LustreSubnetAllowAll: Allows all IP addresses within the Managed Lustre subnet to communicate with each other.
- AllowLustreDependencies: Allows Managed Lustre to access essential services required for a secure environment, engineering diagnostic support, and storage account integration. For more information about each service, see the table under Create outbound security rules.
- NTPAccess: Allows access to a Microsoft Network Time Protocol (NTP) server for time synchronization.
To create a network rule collection:
In your firewall policy, under Rules, select Network rules.
Select Add a rule collection.
Enter a name for the network rule collection. For example, use LustreNetworkRules.
For Rule collection type, use Network. Enter a priority value, such as 199.
For Rule collection action, use Allow. For Rule collection group, use DefaultNetworkRuleCollectionGroup.
Under Rules, add three rules:
| Name | Source type | Source | Protocol | Destination ports | Destination type | Destination |
|---|---|---|---|---|---|---|
| LustreSubnetAllowAll | IP address | Managed-Lustre-subnet | Any | * | IP address | Managed-Lustre-subnet |
| AllowLustreDependencies | IP address | Managed-Lustre-subnet | TCP | 443 | Service Tag | ActionGroup, ApiManagement, AzureActiveDirectory, AzureDataLake, AzureKeyVault, AzureMonitor, AzureResourceManager, EventHub, GuestAndHybridManagement, Storage |
| NTPAccess | IP address | Managed-Lustre-subnet | UDP | 123 | IP address | 168.61.215.74/32 |

Select Add.
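The application rule collection and the network rule collection from the two procedures above, written as a Bicep template so the same rule sets can be deployed repeatably instead of through the portal. This is an added example, not code from the article or from the Managed Lustre product. It assumes an existing firewall policy named by the firewallPolicyName parameter, uses a constructed prefix 10.1.2.0/24 in place of Managed-Lustre-subnet, and assigns the rule collection groups priorities of 200 and 300, which the article does not specify.

```bicep
// Added example (not from the original article): the LustreNetworkRules and
// LustreApplicationRules collections as child resources of an existing
// Azure Firewall policy.

@description('Name of an existing Azure Firewall policy (assumption).')
param firewallPolicyName string = 'hub-firewall-policy'

@description('Address prefix of the Managed Lustre subnet (constructed sample value).')
param lustreSubnetPrefix string = '10.1.2.0/24'

resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

// Network rules: collection priority 199, as in the article. Group priority is an assumption.
resource networkGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultNetworkRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'LustreNetworkRules'
        priority: 199
        action: { type: 'Allow' }
        rules: [
          {
            // Nodes in the Lustre subnet talk to each other on any port/protocol.
            ruleType: 'NetworkRule'
            name: 'LustreSubnetAllowAll'
            ipProtocols: [ 'Any' ]
            sourceAddresses: [ lustreSubnetPrefix ]
            destinationAddresses: [ lustreSubnetPrefix ]
            destinationPorts: [ '*' ]
          }
          {
            // HTTPS to the Azure service tags listed in the article.
            ruleType: 'NetworkRule'
            name: 'AllowLustreDependencies'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ lustreSubnetPrefix ]
            destinationAddresses: [
              'ActionGroup', 'ApiManagement', 'AzureActiveDirectory', 'AzureDataLake'
              'AzureKeyVault', 'AzureMonitor', 'AzureResourceManager', 'EventHub'
              'GuestAndHybridManagement', 'Storage'
            ]
            destinationPorts: [ '443' ]
          }
          {
            // NTP (UDP 123) to the Microsoft time server named in the article.
            ruleType: 'NetworkRule'
            name: 'NTPAccess'
            ipProtocols: [ 'UDP' ]
            sourceAddresses: [ lustreSubnetPrefix ]
            destinationAddresses: [ '168.61.215.74/32' ]
            destinationPorts: [ '123' ]
          }
        ]
      }
    ]
  }
}

// Application rules: collection priority 200, as in the article. Group priority is an assumption.
resource applicationGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  // Rule collection groups of one policy cannot be updated concurrently; serialize the deployment.
  dependsOn: [ networkGroup ]
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'LustreApplicationRules'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'AllowMicrosoftFQDNs'
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            sourceAddresses: [ lustreSubnetPrefix ]
            targetFqdns: [ '*.azure.com', '*.windows.com', '*.windows.net', '*.microsoft.com', '*.azure.net' ]
          }
          {
            ruleType: 'ApplicationRule'
            name: 'AllowNonMicrosoftFQDNs'
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            sourceAddresses: [ lustreSubnetPrefix ]
            targetFqdns: [ '*.archive.ubuntu.com', '*.cvd.clamav.net', '*.trafficmanager.net' ]
          }
        ]
      }
    ]
  }
}
```

Deploy it into the resource group that holds the policy with `az deployment group create --resource-group <rg> --template-file <file>.bicep`. The explicit dependsOn matters: Azure rejects concurrent updates to rule collection groups of the same policy, and without it Bicep deploys both groups in parallel. Keep the source addresses scoped to the Managed Lustre subnet prefix rather than the whole virtual network so that the broad FQDN and service-tag allowances do not extend to other spoke workloads.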