Best practice for allowing SMTP to an Exchange VM in Azure

mij2020 366 Reputation points
2020-08-25T08:20:11.893+00:00

Hi,
I need to allow incoming public SMTP and HTTPS traffic into one Exchange server in Azure.
What is best practice for this situation?
I could add a public IP address to the NIC and allow SMTP from specified IP ranges in an NSG. But I believe it is not best practice to allow a public IP on a VM NIC.
Creating an Azure Application Firewall is not supported for email protocols.
Is it possible using external load balancer?
What are my other options?

Thank you


Accepted answer
  1. KyleXu-MSFT 26,211 Reputation points
    2020-08-26T02:36:10.393+00:00

    Installing and managing Exchange in an Azure VM is the same as installing and managing it in Hyper-V hosted on a local computer.
    As for the load balancer, it is mainly used to balance the load of network connections, not for connection filtering.

    If you want to filter and only accept connections from Exchange Online, you can just set some inbound network filter rules in your Exchange VM's firewall.

    For a VM hosted on Azure, you could also configure the network filter from the VM's networking configuration in the Azure portal:
    [screenshot: VM networking configuration in the Azure portal]

    Here is a list of URLs and IP address ranges used for Exchange Online; it may also be useful to you.


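The accepted answer describes the control in two places: an inbound rule in the Azure NSG and an inbound rule in the VM's own Windows firewall, both restricted to Exchange Online's published address ranges. The script below is an added example, not code from the thread or from Microsoft; it assumes the Az PowerShell module, a resource group and NSG with the placeholder names shown, and it pulls the source ranges from the Office 365 endpoints web service, keeping only Exchange entries that list TCP port 25 (that filter is an assumption about the feed's layout, so check the result before applying it).

```powershell
# Added example (not from the original thread): allow inbound SMTP (TCP 25) only from
# Exchange Online / EOP ranges and HTTPS (TCP 443) from the Internet, at two layers:
# the Azure NSG and Windows Defender Firewall on the Exchange VM itself.
# Resource names and the port-25 filter on the endpoint feed are assumptions.

# --- Source ranges: Office 365 endpoints web service (run from any workstation) ---
$clientId  = [guid]::NewGuid().Guid
$feed      = Invoke-RestMethod -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$clientId"
$smtpRanges = $feed |
    Where-Object {
        $_.serviceArea -eq 'Exchange' -and
        $_.tcpPorts -and (($_.tcpPorts -split ',') -contains '25') -and
        $_.ips
    } |
    ForEach-Object { $_.ips } |
    Where-Object { $_ -notmatch ':' } |   # IPv4 only; drop IPv6 unless the VNet is dual-stack (simplification)
    Sort-Object -Unique

# Fail closed: never fall back to an "any source" rule if the feed returned nothing.
if (-not $smtpRanges) { throw 'No Exchange Online SMTP ranges found in the endpoint feed; aborting.' }
Write-Host "Allowing SMTP from $($smtpRanges.Count) Exchange Online prefixes"

# --- Layer 1: Azure NSG rules (requires Connect-AzAccount first) ---
$rgName  = 'rg-exchange'          # assumed resource group
$nsgName = 'nsg-exchange-subnet'  # assumed NSG attached to the Exchange subnet or NIC

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-SMTP-From-ExchangeOnline' `
        -Description 'Inbound SMTP only from Exchange Online Protection ranges' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
        -SourceAddressPrefix $smtpRanges -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 25 |
    Add-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-Internet' `
        -Description 'Inbound HTTPS for client access (Internet service tag)' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 210 `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 443 |
    Set-AzNetworkSecurityGroup | Out-Null
# Everything else stays covered by the built-in DenyAllInbound rule (priority 65500).

# --- Layer 2: Windows Defender Firewall on the Exchange VM (run on the VM, elevated) ---
# Same source list, so the host rule still holds if the NSG is ever loosened by mistake.
New-NetFirewallRule -DisplayName 'Exchange SMTP from Exchange Online only' `
    -Direction Inbound -Protocol TCP -LocalPort 25 `
    -RemoteAddress $smtpRanges -Action Allow -Profile Any | Out-Null

# Review what was created before trusting it.
Get-NetFirewallRule -DisplayName 'Exchange SMTP from Exchange Online only' |
    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress
```

The NSG and host rules use the same list on purpose: the NSG stops unsolicited traffic before it reaches the VM, and the host rule is the check that survives a later NSG change. Re-run the script when Microsoft updates the endpoint feed, because the ranges are not static.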
2 additional answers

  1. Didier3001 971 Reputation points Microsoft Employee
    2020-08-25T09:35:52.977+00:00

    Hi @mij2020

    The only supported way to send email to external domains from Azure compute resources is through an SMTP relay (otherwise known as an SMTP smart host). The Azure compute resource sends the email message to the SMTP relay, and then the SMTP relay provider delivers the message to the external domain. Microsoft Exchange Online Protection is one provider of an SMTP relay, but a number of third-party providers also offer this service.

    https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/server-software-support#microsoft-exchange

    --I hope this helps. Please Accept it as an answer and "Up-Vote" the answer or message(s) that helped you so that it can help others in the community looking for help on similar topics

    Regards,
    Didier3001

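The answer above covers the outbound direction: mail leaving the Azure-hosted Exchange server has to go to a smart host rather than straight to recipient MX records. The send connector below is an added example (not code from the thread or from Microsoft) that implements that routing in the Exchange Management Shell; the relay hostname, the submission port 587, the source transport server name and the relay credentials are all assumptions to replace with the values your relay provider issues.

```powershell
# Added example (not from the original thread): route all Internet-bound mail from an
# Exchange server in Azure through an authenticated SMTP relay (smart host) over TLS.
# Run in the Exchange Management Shell. Hostname, port, server name and credentials are assumed.

$relayHost   = 'smtp-relay.example.invalid'    # assumed smart host from the relay provider
$relayPort   = 587                              # assumed submission port; Azure commonly blocks outbound 25
$sourceServer = 'EXCH01'                        # assumed Exchange server name
$relayCred   = Get-Credential -Message 'Relay account issued by the SMTP relay provider'

New-SendConnector -Name 'Internet via SMTP relay' `
    -Usage Internet `
    -AddressSpaces 'SMTP:*;1' `
    -SourceTransportServers $sourceServer `
    -DNSRoutingEnabled $false `
    -SmartHosts $relayHost `
    -Port $relayPort `
    -SmartHostAuthMechanism BasicAuthRequireTLS `
    -AuthenticationCredential $relayCred `
    -RequireTLS $true | Out-Null

# Check that no other Internet connector still routes by DNS to port 25; that path is the one
# that is unsupported from Azure compute and would silently queue or bounce mail.
Get-SendConnector |
    Where-Object { $_.AddressSpaces -match 'SMTP:\*' } |
    Format-Table Name, Enabled, DNSRoutingEnabled, SmartHosts, Port, RequireTLS -AutoSize
```

BasicAuthRequireTLS with RequireTLS set keeps the relay credentials off the wire in clear text; if the provider authenticates by source IP instead, drop the credential parameters and keep RequireTLS.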

  2. Jayadeava Balaraja 1 Reputation point
    2022-02-16T06:53:14.707+00:00

    Hello All,

    I have the same issue. I achieved the incoming traffic on port 443 using App Gateway behind the firewall.
    However, when it comes to inbound requests on port 25 for the Exchange servers, I tried to DNAT port 25 on Azure Firewall pointing to my internal load balancer, landing the TCP on port 25 at the backend pool of Exchange boxes.

    This setup is not working. Am I missing something else?

    Appreciate your help in advance.

    Thanks & Regards,
    JD
