{"id":2148,"date":"2020-12-19T17:39:35","date_gmt":"2020-12-19T17:39:35","guid":{"rendered":"https:\/\/modern-workplace.uk\/?p=2148"},"modified":"2020-12-30T21:32:11","modified_gmt":"2020-12-30T21:32:11","slug":"teams-virtual-sbc-closing-azure-network-ports-warnings-for-azureloadbalancer-and-virtualnetwork","status":"publish","type":"post","link":"https:\/\/modern-workplace.uk\/?p=2148","title":{"rendered":"Teams – Azure Virtual SBC – Azure Load Balancer and Virtual Network Warnings"},"content":{"rendered":"\n

When deploying a virtual SBC as a Virtual Machine (VM) in Azure it is advisable to close the network ports that are not strictly required (especially inbound ones) to reduce the attack surface<\/p>\n\n\n\n

The scenario I usually see involves AudioCodes VE<\/strong> but the logic is potentially the same for every SBC you plan to deploy in Azure<\/p>\n\n\n\n

Just for an example, makes sense to close port 80 – HTTP inbound (unless you plan to expose unencrypted admin access to the Internet)<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

However, as soon as you disable port TCP 80, you have two different warnings<\/p>\n\n\n\n

Warning #1 \u2013 This rule denies traffic from AzureLoadBalancer and may affect virtual machine connectivity. To allow access, add an inbound rule with higher priority to allow AzureLoadBalancer to VirtualNetwork.\nWarning #2 \u2013 This rule denies virtual network access. If you wish to allow access to your virtual network, add an inbound rule with higher priority to Allow VirtualNetwork to VirtualNetwork.\n<\/code><\/pre>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Looking at the rules, you can see that there are two default rules (with the lowest priority available) dedicated to permit Virtual Network traffic and Azure Load Balancer traffic<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
So, the question that I tried to answer was: does it make sense to create rules with a higher priority just to replicate what the default ones do (and remove the warnings)?<\/p>\n\n\n\n
Virtual Network Access<\/strong><\/p>\n\n\n\n
Let’s start with VNet traffic: as for the Microsoft documentation https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-network\/virtual-networks-faq<\/a> they are used to create virtual networks in the Cloud (or to extend your datacentre network). They are also used for peering VMs https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-network\/virtual-network-peering-overview<\/a><\/p>\n\n\n\n
If you are deploying virtual SBCs that do not require direct communication with other VMs, you can safely ignore the warning<\/strong><\/p>\n\n\n\n
Azure Load Balancer<\/strong><\/p>\n\n\n\n
Azure Load Balancer operates at layer four of the Open Systems Interconnection (OSI) model and distributes inbound flows to backend pool instances ( https:\/\/docs.microsoft.com\/en-us\/azure\/load-balancer\/load-balancer-overview<\/a> )<\/p>\n\n\n\n
Talking about a virtual SBC, also this rule does not look like a required one (in a common scenario) and you can safely ignore the warning<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
When deploying a virtual SBC as a Virtual Machine (VM) in Azure it is advisable to close the network ports that are not strictly required (especially inbound ones) to reduce the attack surface The scenario I usually see involves AudioCodes VE but the logic is potentially the same for every SBC you plan to deploy […]<\/p>\n","protected":false},"author":1,"featured_media":2154,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[758,753,752,757],"tags":[761,762,759,751,77,764,755],"class_list":["post-2148","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-758","category-microsoft365","category-microsoft-teams","category-office-365","tag-audiocodes","tag-microsoftteams","tag-microsoft-365","tag-microsoft-teams","tag-office-365","tag-sbc","tag-teams"],"_links":{"self":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/2148","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2148"}],"version-history":[{"count":14,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/2148\/revisions"}],"predecessor-version":[{"id":2171,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/2148\/revisions\/2171"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/media\/2154"}],"wp:attachment":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}