Why we need Outbound security rule to connect Internet in Integration Service Environment

Question

Hi Team,

As per our organization guidelines, we want to block outbound internet in ISE.
We have followed the below MS document to configure the inbound/outbound security rules..
Connect to Azure virtual networks from Azure Logic Apps using an integration service environment (ISE):
https://learn.microsoft.com/en-us/azure/logic-apps/connect-virtual-network-vnet-isolated-environment#network-ports-for-ise

When we block the Outbound Internet firewall rule in NSG, our ISE network health is failed and also our logic apps stopped working (file transfers from one VM to another VM using logic apps)

Note: Here I have shared the NSG inbound, outbound security rules, ISE network health and Vnet subnets for ISE.

Please advise how to mitigate or resolve this problem in ISE environment on urgent basis. Thank you.

Answer 1

@Madala, Hanumantharao Inbound/Outbound rules are required for the health services to communicate correctly as mentioned in this document.
If you are not allowing inbound destination 454 port or outbound destination port 1886 then the azure monitoring services will not able to communicate correctly and you will see unhealthy status as you have observed.

I think you can use forced tunneling as an alternative. Basically use 0.0.0.0/0 UDR to direct outbound traffic to your firewall and then set the firewall to allow these certificate check URLs along with other necessary rules.