question

SunShine-2583 avatar image
0 Votes"
SunShine-2583 asked SunShine-2583 commented

PaaS Service egress\outbound

Hello:

If I bring my PaaS service in Private Endpoints, the ingress\inbound will work but egress\outbound will work on PaaS public IP address. I don't want PaaS Service talk on PaaS public IP address, I want to force in some kind of Private endpoint\private link.

I am looking for best secure options or any link that will help me.

I have gone thru MS documentations but nothing on Secure egress\outbound when your PaaS service is on Private Endpoint.

Any help or pointer is greatly appreciated.

Thanking in advance.

azure-virtual-networkazure-private-linkazure-ad-privileged-identity-management
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

AlanKinane avatar image
0 Votes"
AlanKinane answered SunShine-2583 commented

image.png (23.0 KiB)
· 10
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello Alan:

Thanks for your reply.

What I understood that I have to use PaaS public IP for outbound to connect to another PaaS service.

This is what I am trying to achieve:-
1. No outbound access to Internet.
2. I don't think so it is possible but still want to know if I can use Private IP to connect for outbound and disable or block PaaS public IP.
3. All PaaS configured on Private IP can connect & talk to each other on Private IP and not Public IP.

Please let me know which of the above points are possible?

Thank you again for your help.



0 Votes 0 ·

I'm not sure that I can give you a complete answer without seeing your full solution but you can use service endpoints and private endpoints for most PaaS services these days to avoid the requirement for public IP addresses.

The article gives a good overview:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure-paas-services

0 Votes 0 ·

Hello Alan:

Thanks for your reply & the link. I have couple of questions form the the link that you provided. (https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure-paas-services)

Q1 - Enterprises often have concerns about public endpoints for PaaS services that must be appropriately mitigated.
It doesn't elaborates how to mitigate ???

Q2 - We don't recommend that you implement forced tunneling to enable communication from Azure to Azure resources.
Good to know but WHY ????

So still Its not clear to me that there is no way PaaS can communicate outbound on Private IPs and without Public IP, PaaS cannot talk to other PaaS Services who are configured using Private Endpoints.

0 Votes 0 ·

Hello Alan:

I am seeing some conflicting statements as per MS documentations.

If you read from this link --- https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services

I can communicate over Private IP address to PaaS Services and send data across and no Public IP address is required.

  1. Resources within the virtual network can communicate with each other privately, through private IP addresses. Example, directly transferring data between HDInsight and SQL Server running on a virtual machine, in the virtual network.

  2. Virtual networks can be peered to enable resources in the virtual networks to communicate with each other, using private IP addresses.

This is confusing lot based on earlier discussions\replies.

0 Votes 0 ·
Show more comments