question

AZLearner-5762 asked:

Outbound rules for Azure platform services

Hi,

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#azure-platform-considerations mentions:

"Virtual IP of the host node: Basic infrastructure services like DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Microsoft and are the only virtualized IP addresses used in all regions for this purpose. Effective security rules and effective routes will not include these platform rules. To override this basic infrastructure communication, you can create a security rule to deny traffic by using the following service tags on your Network Security Group rules: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM. "

Currently my outbound rules are the 3 default rules. I plan to lock down outbound traffic. Does the last sentence above imply that even if I lock down outbound traffic, this Azure platform traffic won't be affected unless I explicitly deny it with AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM?

Thank you.

azure-virtual-network

1 Answer

GitaraniSharmaMSFT-4262 answered:

Hello @AZLearner-5762 ,

By default, the basic infrastructure services communication is not subject to the configured network security groups unless it is specifically targeted using the AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM service tags. These platform tags are used for specific scenarios, and each deny rule has an independent result.


- AzurePlatformDNS: The basic infrastructure (default) DNS service. You can use this tag to disable the default DNS.
- AzurePlatformIMDS: Azure Instance Metadata Service (IMDS), which is a basic infrastructure service. You can use this tag to disable the default IMDS.
- AzurePlatformLKM: Windows licensing or key management service. You can use this tag to disable the defaults for licensing.


NOTE : Be cautious when you use these tags. It is recommended that you perform testing before you use these tags.


So yes, even if you lock down outbound traffic, this Azure platform traffic won't be affected unless you explicitly deny it with the respective service tags: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM.
Please refer to: https://azure.microsoft.com/en-us/updates/network-security-group-improvements-now-available/


Hope this helps!


Kindly let us know if the above helps or you need further assistance on this issue.




Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.


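The rules discussed in the answer above, written out with the Az PowerShell module as an added example (this is not code from the original question or answer, and the resource group, location, NSG and NIC names are placeholders you would substitute). It locks egress down to a single service tag, adds a catch-all deny below the three default outbound rules, and then shows the separate, explicit deny that is needed if you actually want to block IMDS, plus two checks: one from the control plane and one from inside the VM.

```powershell
# Added example, not from the original post. Requires the Az.Network module and
# an authenticated session (Connect-AzAccount). Names below are assumptions.
$rg       = 'rg-example'          # assumption: your resource group
$location = 'eastus'              # assumption
$nsgName  = 'nsg-locked-egress'   # assumption
$nicName  = 'nic-example'         # assumption: a NIC the NSG is associated with

# 1. Allow only the egress the workload needs. A service tag keeps the rule
#    stable as Microsoft's address ranges change. Custom priorities run 100-4096;
#    the default outbound rules sit at 65000 (Vnet), 65001 (Internet), 65500 (DenyAll).
$allowStorage = New-AzNetworkSecurityRuleConfig -Name 'Allow-Storage-443' `
    -Description 'Outbound HTTPS to Azure Storage only' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Storage' -DestinationPortRange 443

# 2. Catch-all deny at the lowest custom priority, so AllowInternetOutBound (65001)
#    and AllowVnetOutBound (65000) are never reached.
$denyAll = New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Outbound' `
    -Description 'Overrides the default Allow*OutBound rules' `
    -Access Deny -Protocol '*' -Direction Outbound -Priority 4096 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowStorage, $denyAll

# 3. The deny-all above does NOT affect DHCP, DNS, IMDS or Windows KMS traffic to
#    168.63.129.16 / 169.254.169.254. Those platform rules are evaluated outside
#    the NSG and never show up in the effective rules. Blocking one of them needs
#    its own tag. Here: IMDS. Test first; managed identity tokens on a VM are
#    fetched from IMDS, so this breaks any workload that relies on them.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name 'Deny-AzurePlatformIMDS' `
    -Description 'Explicit override of the platform IMDS rule' `
    -Access Deny -Protocol '*' -Direction Outbound -Priority 200 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'AzurePlatformIMDS' -DestinationPortRange '*'
$nsg = $nsg | Set-AzNetworkSecurityGroup

# 4. Control-plane check: only your rules and the three defaults are listed.
#    The implicit platform allow rules are not part of the output, which is why
#    a deny-all does not catch them.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object Direction -eq 'Outbound' |
    Format-Table Name, Priority, Access, DestinationAddressPrefix

# 5. In-guest check (run inside the VM). Without the AzurePlatformIMDS deny this
#    returns the instance document; with it, the call times out. DNS via the
#    platform resolver keeps working because no AzurePlatformDNS deny was added.
Invoke-RestMethod -Headers @{ Metadata = 'true' } -TimeoutSec 5 `
    -Uri 'http://169.254.169.254/metadata/instance?api-version=2021-02-01'
Resolve-DnsName -Name www.microsoft.com -Server 168.63.129.16
```

Step 3 is deliberately a separate rule from step 2: the page's point is that a catch-all outbound deny leaves the platform services reachable, and each AzurePlatform* tag must be denied on its own if that is really what you want.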

Hello @AZLearner-5762 ,

Any update on this post?

If the suggested response helped you resolve your issue, please don't forget to "Accept the answer" for the benefit of other community members.

Thanks,
Gita


Hello @AZLearner-5762 ,

Any update on this post?

Thanks,
Gita
