Adding deny all rule to Azure Bastion nsg (#455)
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
This commit is contained in:
Родитель
73cf5c09fc
Коммит
d92a397c89
|
@ -36,6 +36,7 @@ parVpnGatewayConfig | No | Configuration for VPN virtual network gateway t
|
|||
parExpressRouteGatewayConfig | No | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": { "value": {} }
|
||||
parTags | No | Tags you would like to be applied to all resources in this module.
|
||||
parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
|
||||
parBastionOutboundSshRdpPorts | No | Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.
|
||||
|
||||
### parLocation
|
||||
|
||||
|
@ -283,6 +284,14 @@ Set Parameter to true to Opt-out of deployment telemetry.
|
|||
|
||||
- Default value: `False`
|
||||
|
||||
### parBastionOutboundSshRdpPorts
|
||||
|
||||
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
|
||||
|
||||
Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.
|
||||
|
||||
- Default value: `22 3389`
|
||||
|
||||
## Outputs
|
||||
|
||||
Name | Type | Description
|
||||
|
@ -509,6 +518,12 @@ outHubVirtualNetworkId | string |
|
|||
},
|
||||
"parTelemetryOptOut": {
|
||||
"value": false
|
||||
},
|
||||
"parBastionOutboundSshRdpPorts": {
|
||||
"value": [
|
||||
"22",
|
||||
"3389"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -235,6 +235,9 @@ param parTags object = {}
|
|||
@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
|
||||
param parTelemetryOptOut bool = false
|
||||
|
||||
@sys.description('Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.')
|
||||
param parBastionOutboundSshRdpPorts array = ['22','3389']
|
||||
|
||||
var varSubnetProperties = [for subnet in parSubnets: {
|
||||
name: subnet.name
|
||||
properties: {
|
||||
|
@ -373,6 +376,19 @@ resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
|
|||
]
|
||||
}
|
||||
}
|
||||
{
|
||||
name: 'DenyAllInbound'
|
||||
properties: {
|
||||
access: 'Deny'
|
||||
direction: 'Inbound'
|
||||
priority: 4096
|
||||
sourceAddressPrefix: '*'
|
||||
destinationAddressPrefix: '*'
|
||||
protocol: '*'
|
||||
sourcePortRange: '*'
|
||||
destinationPortRange: '*'
|
||||
}
|
||||
}
|
||||
// Outbound Rules
|
||||
{
|
||||
name: 'AllowSshRDPOutbound'
|
||||
|
@ -384,10 +400,7 @@ resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
|
|||
destinationAddressPrefix: 'VirtualNetwork'
|
||||
protocol: '*'
|
||||
sourcePortRange: '*'
|
||||
destinationPortRanges: [
|
||||
'22'
|
||||
'3389'
|
||||
]
|
||||
destinationPortRanges: parBastionOutboundSshRdpPorts
|
||||
}
|
||||
}
|
||||
{
|
||||
|
@ -432,6 +445,19 @@ resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
|
|||
destinationPortRange: '80'
|
||||
}
|
||||
}
|
||||
{
|
||||
name: 'DenyAllOutbound'
|
||||
properties: {
|
||||
access: 'Deny'
|
||||
direction: 'Outbound'
|
||||
priority: 4096
|
||||
sourceAddressPrefix: '*'
|
||||
destinationAddressPrefix: '*'
|
||||
protocol: '*'
|
||||
sourcePortRange: '*'
|
||||
destinationPortRange: '*'
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
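Review bot: The new `param parBastionOutboundSshRdpPorts array = ['22','3389']` carries no constraint, and the later hunk wires it straight into `destinationPortRanges: parBastionOutboundSshRdpPorts` on the `AllowSshRDPOutbound` rule (whose `resBastionNsg` resource starts outside these hunks). An empty array produces a rule with no destination ports, which would presumably be rejected at deployment, while a value such as `['*']` turns that rule into allow-all-ports to the `VirtualNetwork` tag and undercuts the `DenyAllOutbound` catch-all this same commit adds. Adding `@minLength(1)` above the `@sys.description(...)` line closes the empty case at compile time; the wildcard case is best called out in the description, e.g. `'Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion, as strings (e.g. 22, 3389 or 3000-3010); a wildcard opens every port to the VirtualNetwork tag.'`. The `DenyAllInbound` rule at priority 4096 likewise depends on the Bastion-required inbound allow rules above it, which sit outside this hunk, so a one-line comment above that rule naming the dependency would help whoever next edits the inbound list.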
|
|
|
@ -205,6 +205,9 @@
|
|||
},
|
||||
"parTelemetryOptOut": {
|
||||
"value": false
|
||||
},
|
||||
"parBastionOutboundSshRdpPorts": {
|
||||
"value": ["22","3389"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -167,6 +167,9 @@
|
|||
},
|
||||
"parTelemetryOptOut": {
|
||||
"value": false
|
||||
},
|
||||
"parBastionOutboundSshRdpPorts": {
|
||||
"value": ["22","3389"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|