Firewall rules for the outbound internet access

If you want to restrict outbound access, configure the required firewall rules
Reading time: 1 minute. Last updated: 4 days ago

If you want to restrict outbound access, implement these firewall rules:
  • Generic outbound configuration for the Azure Kubernetes Service (AKS) cluster, to lock down the traffic that leaves the AKS subnet. Refer to the required outbound network rules and fully qualified domain names (FQDNs) in the Microsoft documentation.
  • Access from the AKS cluster to the Azure Container Registry (ACR) that contains the container images of Virtual Private Cloud:
    • Login server: https://uccmpprivatecloud.azurecr.io
    • Data plane:
      • If dedicated data endpoints aren't enabled:
        • https://*.blob.core.windows.net
      • If dedicated data endpoints are enabled:
        • https://uccmpprivatecloud.eastus.data.azurecr.io
        • https://uccmpprivatecloud.northeurope.data.azurecr.io
  • Access from the AKS cluster, for AKS extension agents such as GitOps:
    • https://*.dp.kubernetesconfiguration.azure.com
  • Access from the AKS cluster to the enterprise identity provider, which Keycloak connects to over a backchannel to retrieve user tokens. The specific FQDNs depend on the IdP vendor; for Microsoft Entra ID, for example, it is https://login.microsoftonline.com
  • Access from the PostgreSQL servers to Entra ID, for traffic that leaves the PostgreSQL subnet. Refer to the description of private access networking for Azure Database for PostgreSQL flexible server in the Microsoft documentation.
    • All traffic to the AzureActiveDirectory service tag.
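As an added example that is not part of the original page or the product's own tooling, the following Python builds an Azure Firewall policy rule collection group for the rules listed above, switching the ACR data-plane FQDNs on the dedicated-data-endpoint setting. The subnet CIDRs, rule names and priorities are constructed placeholders, and the generic AKS outbound rules referenced from the Microsoft documentation are not included.

```python
# FQDNs from the list above; application rules take bare host names, so the
# https:// prefix shown there is dropped.
ACR_LOGIN = ["uccmpprivatecloud.azurecr.io"]
ACR_DATA_SHARED = ["*.blob.core.windows.net"]  # dedicated data endpoints off
ACR_DATA_DEDICATED = [                         # dedicated data endpoints on
    "uccmpprivatecloud.eastus.data.azurecr.io",
    "uccmpprivatecloud.northeurope.data.azurecr.io",
]
AKS_EXTENSIONS = ["*.dp.kubernetesconfiguration.azure.com"]
ENTRA_ID_IDP = ["login.microsoftonline.com"]
HTTPS = [{"protocolType": "Https", "port": 443}]


def app_rule(name, sources, fqdns):
    """One allow rule: HTTPS from the given subnets to the given FQDNs."""
    return {"ruleType": "ApplicationRule", "name": name, "protocols": HTTPS,
            "sourceAddresses": sources, "targetFqdns": fqdns}


def filter_collection(name, priority, rules):
    return {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
            "name": name, "priority": priority,
            "action": {"type": "Allow"}, "rules": rules}


def build_rule_collection_group(aks_subnet, pg_subnet,
                                dedicated_data_endpoints, idp_fqdns=ENTRA_ID_IDP):
    """Rule collection group covering the rules listed above. The generic AKS
    outbound rules from the Microsoft documentation are not included."""
    acr_data = ACR_DATA_DEDICATED if dedicated_data_endpoints else ACR_DATA_SHARED
    app_rules = [
        app_rule("acr-login", [aks_subnet], ACR_LOGIN),
        app_rule("acr-data", [aks_subnet], acr_data),
        app_rule("aks-extensions", [aks_subnet], AKS_EXTENSIONS),
        app_rule("keycloak-idp-backchannel", [aks_subnet], idp_fqdns),
    ]
    # PostgreSQL subnet -> Entra ID: the page allows all traffic to the service
    # tag, so the network rule is not narrowed to a protocol or port.
    net_rules = [{"ruleType": "NetworkRule", "name": "postgres-entra-id",
                  "ipProtocols": ["Any"], "sourceAddresses": [pg_subnet],
                  "destinationAddresses": ["AzureActiveDirectory"],
                  "destinationPorts": ["*"]}]
    return {"name": "vpc-outbound", "properties": {"priority": 200,
            "ruleCollections": [filter_collection("vpc-app-rules", 100, app_rules),
                                filter_collection("vpc-net-rules", 200, net_rules)]}}


def target_fqdns(group):
    """Flat set of every FQDN the group allows; useful when reviewing the policy."""
    return {f for c in group["properties"]["ruleCollections"]
            for r in c["rules"] for f in r.get("targetFqdns", [])}
```

The returned dictionary matches the `properties` shape of a `Microsoft.Network/firewallPolicies/ruleCollectionGroups` resource, so it can be serialized into an ARM template or submitted with the Azure SDK; `target_fqdns` gives a quick review list of everything the policy opens.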