MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Does this still apply when using virtual network service endpoint security / firewall #27426

Open rohancragg opened 5 years ago

rohancragg commented 5 years ago

Does this advice still apply to ADLS accounts configured with virtual network service endpoint security? (i.e. accounts that accept traffic only from specific virtual networks and subnets).

see: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-network-security?toc=%2fazure%2fvirtual-network%2ftoc.json#configuration

If so, which subnet(s) should the above NSG and UDRs be associated with - presumably with the subnet containing a Virtual Machine which needs to connect to the ADLS account?

This article needs to be more explicit about when the advice applies and how to configure it. An example configuration would help to illustrate.



shashishailaj commented 5 years ago

@rohancragg Thank you for your feedback. We will investigate and update this thread.

TravisCragg-MSFT commented 5 years ago

@rohancragg Thanks for the feedback! Yes, this does still apply when you have VNET Service Endpoints enabled.

Your VMs will be able to access the ADLS without issue, unless you have taken extra steps to deny those VMs internet access. If you have denied your VMs internet access using the NSG, this article goes through the steps to make sure your VMs can still access your ADLS.

You are correct, only subnets which contain VMs that need access will require the UDRs and NSG rules. Keep in mind that NSGs can be placed on both the NIC of the VM and the Subnet, so make sure it is allowed on both (if the NSGs are present). Please let me know if you need any additional clarification.

I have assigned the issue to the content author to evaluate and update as appropriate.
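The point above that an NSG on the NIC and an NSG on the subnet must both allow the ADLS traffic, as an added illustration that is not part of this thread: a small Python model of NSG first-match evaluation across the two scopes. It assumes the AzureDataLake service tag as the rule destination and uses constructed rule sets; real NSGs resolve tags to IP prefixes, which the model abbreviates to labels.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int      # lower number = evaluated first
    access: str        # "Allow" or "Deny"
    destination: str   # "*", "Internet", "VirtualNetwork", or a service tag name

# Azure's built-in default outbound rules; custom rules use priorities below 65000.
DEFAULT_OUTBOUND = [
    Rule(65000, "Allow", "VirtualNetwork"),
    Rule(65001, "Allow", "Internet"),
    Rule(65500, "Deny", "*"),
]

def evaluate(rules, dest_tags):
    """NSG semantics: the first matching rule by priority decides; no fall-through."""
    for r in sorted(rules + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if r.destination == "*" or r.destination in dest_tags:
            return r.access
    return "Deny"  # unreachable: the 65500 catch-all always matches

def effective_outbound(nic_rules, subnet_rules, dest_tags):
    """Outbound traffic passes the NIC NSG first, then the subnet NSG (None = no NSG
    attached at that scope); it gets through only if every attached NSG allows it."""
    verdicts = [evaluate(r, dest_tags) for r in (nic_rules, subnet_rules) if r is not None]
    return "Allow" if all(v == "Allow" for v in verdicts) else "Deny"

# Constructed rule sets. The subnet NSG blocks general Internet egress but admits the
# ADLS endpoint via the AzureDataLake service tag at a higher priority (lower number).
SUBNET_NSG = [Rule(100, "Allow", "AzureDataLake"), Rule(200, "Deny", "Internet")]
NIC_NSG_MISSING_ALLOW = [Rule(100, "Deny", "Internet")]   # copied the deny, not the allow
NIC_NSG_FIXED = [Rule(100, "Allow", "AzureDataLake"), Rule(200, "Deny", "Internet")]

# The public ADLS endpoint lives in Internet address space, so it matches both tags
# (constructed labels standing in for the prefix lookup a real NSG performs).
ADLS = frozenset({"AzureDataLake", "Internet"})
GENERIC_INTERNET = frozenset({"Internet"})

if __name__ == "__main__":
    cases = [("subnet NSG only, ADLS", None, SUBNET_NSG, ADLS),
             ("subnet NSG only, other Internet", None, SUBNET_NSG, GENERIC_INTERNET),
             ("NIC NSG missing allow, ADLS", NIC_NSG_MISSING_ALLOW, SUBNET_NSG, ADLS),
             ("NIC NSG fixed, ADLS", NIC_NSG_FIXED, SUBNET_NSG, ADLS)]
    for name, nic, subnet, tags in cases:
        print(f"{name:36} -> {effective_outbound(nic, subnet, tags)}")
```

The third case is the one the reply warns about: the subnet NSG alone would let the VM reach ADLS, but a NIC-level NSG that only carries the Internet deny blocks it.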

esung22 commented 5 years ago

Hi Travis – I’m not on the ADLS team anymore. Stephen, do you know who these changes should be assigned to?

From: TravisCragg-MSFT notifications@github.com
Sent: Monday, March 18, 2019 1:57 PM
To: MicrosoftDocs/azure-docs azure-docs@noreply.github.com
Cc: Ellick Sung elsung@microsoft.com; Assign assign@noreply.github.com
Subject: Re: [MicrosoftDocs/azure-docs] Does this still apply when using virtual network service endpoint security / firewall (#27426)