Why we need Outbound security rule to connect Internet in Integration Service Environment

Madala, Hanumantharao 76 Reputation points
2021-10-05T12:07:24.437+00:00

Hi Team,

As per our organization guidelines, we want to block outbound internet in ISE.
We have followed the below MS document to configure the inbound/outbound security rules.
Connect to Azure virtual networks from Azure Logic Apps using an integration service environment (ISE):
https://learn.microsoft.com/en-us/azure/logic-apps/connect-virtual-network-vnet-isolated-environment#network-ports-for-ise

When we block the outbound Internet firewall rule in the NSG, our ISE network health fails and our logic apps also stop working (file transfers from one VM to another VM using logic apps).

Note: Here I have shared the NSG inbound/outbound security rules, the ISE network health, and the VNet subnets for the ISE.

Please advise how to mitigate or resolve this problem in the ISE environment on an urgent basis. Thank you.

Azure Logic Apps

1 answer

  1. MayankBargali-MSFT 69,991 Reputation points
    2021-10-11T04:35:02.367+00:00

    @Madala, Hanumantharao Inbound/outbound rules are required for the health services to communicate correctly, as mentioned in this document.
    If you do not allow inbound destination port 454 or outbound destination port 1886, then the Azure monitoring services will not be able to communicate correctly and you will see the unhealthy status you have observed.

    I think you can use forced tunneling as an alternative. Basically, use a 0.0.0.0/0 UDR to direct outbound traffic to your firewall, and then set the firewall to allow these certificate check URLs along with the other necessary rules.

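A way to check an NSG rule set for exactly this failure before a broad outbound deny is applied, as an added example that is not from the original post or from Microsoft: it models Azure's priority-ordered, first-match rule evaluation and reports which of the health-service flows named in the answer (inbound 454, outbound 1886) the rule set would block. The destination tags, the rule names and the simplification that "Internet" covers every public destination are assumptions of this example, not from the page.

```python
from dataclasses import dataclass

@dataclass
class NsgRule:
    name: str
    priority: int      # lower number is evaluated first, as in Azure NSGs
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    dest_ports: str    # "454", "1024-65535", "*", or a comma-separated list
    dest_prefix: str   # service tag or prefix ("*" / "Internet" = any public destination)
def port_matches(spec: str, port: int) -> bool:
    for part in spec.replace(" ", "").split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False
def prefix_matches(spec: str, dest: str) -> bool:
    # Assumed simplification: "*"/"Internet" cover every public destination (which is
    # why a broad Internet deny also hits Azure Monitor); other tags match by name only.
    return spec in ("*", "Internet") or spec == dest
def evaluate(rules, direction: str, port: int, dest: str):
    """First matching rule in priority order decides; no match means implicit deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and port_matches(r.dest_ports, port)
                and prefix_matches(r.dest_prefix, dest)):
            return r.access, r.name
    return "Deny", "DefaultDeny"
# Flows the ISE health services need: ports from the answer, destination tags assumed.
REQUIRED_FLOWS = [("Inbound", 454, "VirtualNetwork"), ("Outbound", 1886, "AzureMonitor")]

def blocked_health_flows(rules):
    """Return (direction, port, blocking rule) for every required flow the NSG denies."""
    results = [(d, p, evaluate(rules, d, p, dest)) for d, p, dest in REQUIRED_FLOWS]
    return [(d, p, name) for d, p, (access, name) in results if access != "Allow"]
# Constructed sample mirroring the question: the Internet deny is evaluated before the
# monitoring allow, so port 1886 is denied and ISE health fails.
BROKEN_RULES = [
    NsgRule("AllowLogicApps454", 100, "Inbound", "Allow", "454", "VirtualNetwork"),
    NsgRule("DenyInternetOutbound", 100, "Outbound", "Deny", "*", "Internet"),
    NsgRule("AllowAzureMonitor1886", 200, "Outbound", "Allow", "1886", "AzureMonitor"),
]
# Corrected ordering: explicit allows get a lower priority number than the broad deny.
FIXED_RULES = [
    NsgRule("AllowLogicApps454", 100, "Inbound", "Allow", "454", "VirtualNetwork"),
    NsgRule("AllowAzureMonitor1886", 100, "Outbound", "Allow", "1886", "AzureMonitor"),
    NsgRule("DenyInternetOutbound", 200, "Outbound", "Deny", "*", "Internet"),
]
```

Running `blocked_health_flows` on an exported rule set before changing the NSG shows whether the health flows survive; the forced-tunneling route the answer suggests still needs the same allows at the firewall.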