articles/app-service/environment/firewall-integration.md: 167 additions & 8 deletions
@@ -10,7 +10,7 @@ ms.service: app-service
10
10
ms.workload: na
11
11
ms.tgt_pltfrm: na
12
12
ms.topic: article
13
-
ms.date: 07/29/2019
13
+
ms.date: 08/31/2019
14
14
ms.author: ccompy
15
15
ms.custom: seodec18
16
16
@@ -28,13 +28,13 @@ The solution to securing outbound addresses lies in use of a firewall device tha
28
28
29
29
## System architecture
30
30
31
-
Deploying an ASE with outbound traffic going through a firewall device requires changing routes on the ASE subnet. Routes operate at an IP level. If you are not careful in defining your routes, you can force TCP reply traffic to source from another address. This is called asymmetric routing and it will break TCP.
31
+
Deploying an ASE with outbound traffic going through a firewall device requires changing routes on the ASE subnet. Routes operate at an IP level. If you are not careful in defining your routes, you can force TCP reply traffic to source from another address. When your reply address is different from the address traffic was sent to, the problem is called asymmetric routing and it will break TCP.
32
32
33
-
There must be routes defined so that inbound traffic to the ASE can reply back the same way the traffic came in. This is true for inbound management requests and it is true for inbound application requests.
33
+
There must be routes defined so that inbound traffic to the ASE can reply back the same way the traffic came in. Routes must be defined for inbound management requests and for inbound application requests.
34
34
35
35
The traffic to and from an ASE must abide by the following conventions
36
36
37
-
* The traffic to Azure SQL, Storage and Event Hub are not supported with use of a firewall device. This traffic must be sent directly to those services. The way to make that happen is to configure service endpoints for those three services.
37
+
* The traffic to Azure SQL, Storage, and Event Hub are not supported with use of a firewall device. This traffic must be sent directly to those services. The way to make that happen is to configure service endpoints for those three services.
38
38
* Route table rules must be defined that send inbound management traffic back from where it came.
39
39
* Route table rules must be defined that send inbound application traffic back from where it came.
40
40
* All other traffic leaving the ASE can be sent to your firewall device with a route table rule.
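Review bot: subject-verb agreement in the first bullet: "The traffic to Azure SQL, Storage, and Event Hub are not supported" should read "is not supported", since the subject is "traffic". The clause added to the first paragraph, "When your reply address is different from the address traffic was sent to", reads more clearly as "When replies leave from a different address than the one the request was sent to"; it would also help to tie it to the bullets that follow by saying outright that the fix is explicit routes on the ASE subnet for the inbound management and application traffic, so those replies are not diverted to the firewall.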
@@ -45,7 +45,7 @@ The traffic to and from an ASE must abide by the following conventions
45
45
46
46
The steps to lock down egress from your existing ASE with Azure Firewall are:
47
47
48
-
1. Enable service endpoints to SQL, Storage, and Event Hub on your ASE subnet. To do this, go into the networking portal > subnets and select Microsoft.EventHub, Microsoft.SQL and Microsoft.Storage from the Service endpoints dropdown. When you have service endpoints enabled to Azure SQL, any Azure SQL dependencies that your apps have must be configured with service endpoints as well.
48
+
1. Enable service endpoints to SQL, Storage, and Event Hub on your ASE subnet. To enable service endpoints, go into the networking portal > subnets and select Microsoft.EventHub, Microsoft.SQL and Microsoft.Storage from the Service endpoints dropdown. When you have service endpoints enabled to Azure SQL, any Azure SQL dependencies that your apps have must be configured with service endpoints as well.
49
49
50
50
![select service endpoints][2]
51
51
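Review bot: the list "Microsoft.EventHub, Microsoft.SQL and Microsoft.Storage" is missing the serial comma that this same commit adds a few lines earlier ("SQL, Storage, and Event Hub"); use "Microsoft.EventHub, Microsoft.SQL, and Microsoft.Storage". It is also worth spelling out the security implication of this step: once the endpoints are on, traffic to these three services goes directly to them and never crosses the firewall, so it will not show up in the firewall's Deny logs and must be restricted on the service side instead. The sentence about Azure SQL dependencies needing service endpoints hints at this but does not say why it matters.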
@@ -54,7 +54,7 @@ The steps to lock down egress from your existing ASE with Azure Firewall are:
54
54
55
55
![Add application rule][1]
56
56
57
-
1. From the Azure Firewall UI > Rules > Network rule collection, select Add network rule collection. Provide a name, priority and set Allow. In the Rules section, provide a name, select **Any**, set * to Source and Destination addresses, and set the ports to 123. This rule allows the system to perform clock sync using NTP. Create another rule the same way to port 12000 to help triage any system issues.
57
+
1. From the Azure Firewall UI > Rules > Network rule collection, select Add network rule collection. Provide a name, priority, and set Allow. In the Rules section, provide a name, select **Any**, set * to Source and Destination addresses, and set the ports to 123. This rule allows the system to perform clock sync using NTP. Create another rule the same way to port 12000 to help triage any system issues.
58
58
59
59
![Add NTP network rule][3]
60
60
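Review bot: the network rule as written uses * for both Source and Destination addresses, which is broader than this document's own architecture needs; only the ASE subnet is routed through this firewall, so suggest scoping Source to the ASE subnet's address range and keeping * only for Destination, where the dependency table notes that NTP "is checked at multiple endpoints". "select **Any**" should also name the field being set (the protocol), because the step otherwise reads as though "Any" were an address. The port 12000 rule is justified only as "to help triage any system issues"; the dependency table later says the ASE keeps operating without it, so state here that this rule is optional and what is lost if it is omitted.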
@@ -87,7 +87,7 @@ Azure Firewall can send logs to Azure Storage, Event Hub, or Azure Monitor logs.
87
87
88
88
AzureDiagnostics | where msg_s contains "Deny" | where TimeGenerated >= ago(1h)
89
89
90
-
Integrating your Azure Firewall with Azure Monitor logs is very useful when first getting an application working when you are not aware of all of the application dependencies. You can learn more about Azure Monitor logs from [Analyze log data in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/log-query-overview)
90
+
Integrating your Azure Firewall with Azure Monitor logs is useful when first getting an application working when you are not aware of all of the application dependencies. You can learn more about Azure Monitor logs from [Analyze log data in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/log-query-overview).
91
91
92
92
## Dependencies
93
93
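Review bot: "useful when first getting an application working when you are not aware of all of the application dependencies" stacks two "when" clauses; suggest "useful while you are first getting an application working and do not yet know all of its dependencies". Check that the Kusto query in the context line above, AzureDiagnostics | where msg_s contains "Deny" | where TimeGenerated >= ago(1h), sits in a fenced code block, since bare pipes in Markdown are easy to mangle into a table; and note for readers that it only returns the last hour of denies, so a longer troubleshooting session needs a wider ago() window.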
@@ -112,7 +112,7 @@ The following information is only required if you wish to configure a firewall a
112
112
| Endpoint | Details |
113
113
|----------| ----- |
114
114
|\*:123 | NTP clock check. Traffic is checked at multiple endpoints on port 123 |
115
-
|\*:12000 | This port is used for some system monitoring. If blocked then some issues will be harder to triage but your ASE will continue to operate |
115
+
|\*:12000 | This port is used for some system monitoring. If blocked, then some issues will be harder to triage but your ASE will continue to operate |
116
116
| 40.77.24.27:80 | Needed to monitor and alert on ASE problems |
117
117
| 40.77.24.27:443 | Needed to monitor and alert on ASE problems |
118
118
| 13.90.249.229:80 | Needed to monitor and alert on ASE problems |
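Review bot: in the \*:12000 row, drop "then" after the comma: "If blocked, some issues will be harder to triage, but your ASE will continue to operate". While editing that row, consider saying which monitoring depends on the port; "some system monitoring" gives a firewall owner nothing to weigh when deciding whether to deny it.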
@@ -184,7 +184,26 @@ With an Azure Firewall, you automatically get everything below configured with t
@@ -194,6 +213,7 @@ With an Azure Firewall, you automatically get everything below configured with t
194
213
|\*.management.azure.com:443 |
195
214
|\*.update.microsoft.com:443 |
196
215
|\*.windowsupdate.microsoft.com:443 |
216
+
|\*.identity.azure.net:443 |
197
217
198
218
#### Linux dependencies
199
219
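Review bot: the new \*.identity.azure.net:443 row gives no indication of what the endpoint is used for, and this Windows dependency table has no Details column to carry that information; wildcard FQDN rules are the entries firewall owners most often question, so add a short note (in the table introduction or a second column) on why it is required.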
@@ -208,6 +228,145 @@ With an Azure Firewall, you automatically get everything below configured with t
208
228
|download.mono-project.com:80 |
209
229
|packages.treasuredata.com:80|
210
230
|security.ubuntu.com:80 |
231
+
|\*.cdn.mscr.io:443 |
232
+
|mcr.microsoft.com:443 |
233
+
|packages.fluentbit.io:80 |
234
+
|packages.fluentbit.io:443 |
235
+
|apt-mo.trafficmanager.net:80 |
236
+
|apt-mo.trafficmanager.net:443 |
237
+
|azure.archive.ubuntu.com:80 |
238
+
|azure.archive.ubuntu.com:443 |
239
+
|changelogs.ubuntu.com:80 |
240
+
|13.74.252.37:11371 |
241
+
|13.75.127.55:11371 |
242
+
|13.76.190.189:11371 |
243
+
|13.80.10.205:11371 |
244
+
|13.91.48.226:11371 |
245
+
|40.76.35.62:11371 |
246
+
|104.215.95.108:11371 |
247
+
248
+
## US Gov dependencies
249
+
250
+
For US Gov you still need to set service endpoints for Storage, SQL and Event Hub. You can also use Azure Firewall with the instructions earlier in this document. If you need to use your own egress firewall device, the endpoints are listed below.
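Review bot: the seven new rows of the form 13.74.252.37:11371 are bare IP addresses with no hostname or purpose, unlike the named package hosts above them; 11371 is the HKP key-server port, which suggests key retrieval for package signing, but a firewall owner cannot confirm that from the table. Record the FQDN(s) these resolve to, or at least a one-line purpose, so the allow-list can be maintained when the addresses change. Several of the new package hosts (packages.fluentbit.io, apt-mo.trafficmanager.net, azure.archive.ubuntu.com, changelogs.ubuntu.com) are listed on port 80, meaning package metadata travels in the clear; that is normal for apt, whose repository signatures provide integrity, but saying so prevents it being mistaken for a missing :443 entry. Finally, the new US Gov paragraph says "the endpoints are listed below" but no rows follow it in this view, and "Storage, SQL and Event Hub" again omits the serial comma used elsewhere in this commit.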
articles/app-service/web-sites-integrate-with-vnet.md: 1 addition & 1 deletion
@@ -105,7 +105,7 @@ To disconnect your app from the VNet, select **Disconnect**. This will restart y
105
105
106
106
#### Web App for Containers
107
107
108
-
If you use App Service on Linux with the built-in images, the regional VNet Integration feature works without additional changes. If you use Web App for Containers, you need to modify your docker image in order to use VNet Integration. In your docker image, use the PORT environment variable as the main web server’s listening port, instead of using a hardcoded port number. The PORT environment variable is automatically set by App Service platform at the container startup time.
108
+
If you use App Service on Linux with the built-in images, the regional VNet Integration feature works without additional changes. If you use Web App for Containers, you need to modify your docker image in order to use VNet Integration. In your docker image, use the PORT environment variable as the main web server’s listening port, instead of using a hardcoded port number. The PORT environment variable is automatically set by App Service platform at the container startup time. If you are using SSH, then the SSH daemon must be configured to listen on the port number specified by the SSH_PORT environment variable when using regional VNet integration.
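Review bot: the added sentence ends with "when using regional VNet integration", which repeats the condition already stated at the top of the paragraph and leaves the requirement ambiguous (must the daemon honour SSH_PORT only with VNet Integration, or always?). Suggest: "If your image runs an SSH daemon, configure it to listen on the port given by the SSH_PORT environment variable rather than a hardcoded port." Also, "docker image" should be "Docker image" when referring to the product.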
articles/azure-functions/functions-create-function-linux-custom-image.md: 3 additions & 6 deletions
@@ -1,16 +1,13 @@
1
1
---
2
2
title: Create Azure Functions on Linux using a custom image
3
3
description: Learn how to create Azure Functions running on a custom Linux image.
4
-
services: functions
5
-
keywords:
6
4
author: ggailey777
7
5
ms.author: glenga
8
6
ms.date: 06/25/2019
9
7
ms.topic: tutorial
10
8
ms.service: azure-functions
11
9
ms.custom: mvc
12
-
ms.devlang: azure-cli
13
-
manager: jeconnoc
10
+
manager: gwallace
14
11
---
15
12
16
13
# Create a function on Linux using a custom image
@@ -51,7 +48,7 @@ You can also use the [Azure Cloud Shell](https://shell.azure.com/bash).
51
48
52
49
## Create the local function app project
53
50
54
-
Run the following command from the command line to create a function app project in the `MyFunctionProj` folder of the current local directory.
51
+
Run the following command from the command line to create a function app project in the `MyFunctionProj` folder of the current local directory. For a Python project, you [must be running in a virtual environment](functions-create-first-function-python.md#create-and-activate-a-virtual-environment-optional).
55
52
56
53
```bash
57
54
func init MyFunctionProj --docker
@@ -63,7 +60,7 @@ When prompted, choose a worker runtime from the following languages:
63
60
64
61
*`dotnet`: creates a .NET Core class library project (.csproj).
65
62
*`node`: creates a JavaScript project.
66
-
*`python`: creates a Python project.
63
+
*`python`: creates a Python project.
67
64
68
65
When the command executes, you see something like the following output:
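Review bot: the changed line is still "*`python`: creates a Python project." with no space between the asterisk and the backtick, and the two context lines above have the same problem; Markdown does not treat "*`" as a list marker, so these three lines render as one run of text with stray asterisks rather than a bulleted list. Insert a space after each asterisk: "* `dotnet`: ...", "* `node`: ...", "* `python`: ...". The diff marks the line as changed although the visible text is identical, so the edit appears to be whitespace-only; the missing space is the whitespace fix worth making.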
@@ -241,7 +241,7 @@ This feature was built to access the VM data without the need to restore the ent
241
241
242
242
#### Select Recovery point (who can generate script)
243
243
244
-
The script provides access to VM data, it is important to regulate who can generate it in the first place. One needs to login into Azure portal and should be [RBAC authorized](backup-rbac-rs-vault.md#mapping-backup-built-in-roles-to-backup-management-actions) to be able to generate the script.
244
+
The script provides access to VM data, it is important to regulate who can generate it in the first place. One needs to log in into Azure portal and should be [RBAC authorized](backup-rbac-rs-vault.md#mapping-backup-built-in-roles-to-backup-management-actions) to be able to generate the script.
245
245
246
246
File recovery needs the same level of authorization as required for VM restore and disks restore. In other words, only authorized users can view the VM data can generate the script.
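Review bot: "log in into Azure portal" trades "login into" for another error; it should read "log in to the Azure portal". The sentence it sits in is also a comma splice: "The script provides access to VM data, it is important to regulate..." should be "Because the script provides access to VM data, it is important to regulate who can generate it in the first place." The final context line, "only authorized users can view the VM data can generate the script", is missing a relative pronoun or conjunction (for example "only authorized users who can view the VM data can generate the script").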