Azure Networking Requirements - Network Security Groups (NSGs)

Everpure Cloud Dedicated for Azure

Audience
Public
Source Type
Documentation

Network Security Groups in Everpure Cloud Dedicated

The network security groups are automatically created during the deployment and applied to the individual Everpure Cloud Dedicated network interfaces.

By default, there is no action needed by the user except to ensure outgoing internet access from the Everpure Cloud Dedicated System interface has been allowed; see the Internet access section in Azure Networking Requirements.

For users that wish to configure custom firewall rules or NSGs, below are the TCP ports numbers used for the different Everpure Cloud Dedicated interfaces

Note: Please note that an array can use iSCSI or NVMe-TCP but not both. Please see the NVMe-TCP section in the Management section of this guide for more information.
Subnet/Network interface Inbound Outbound
System  

443

25, 587 (optional for outgoing SMTP communication)

Replication 8117 - used by ActiveCluster, ActiveDR or async replication

8117

443 (if using CloudSnap)

iSCSI 3260 - used by iSCSI protocol  
NVMe-TCP 4420, 8009 - used by NVMe-TCP  
Mgmt
  • 22 - for management via SSH
  • 80 - redirect to HTTPS
  • 443 - for management via GUI
  • 8084 - used by Azure VMware Solution use-case
443
Service Endpoint Subnet Inbound Outbound
Azure LoadBalancer Management All ports from source Service Tag: AzureLoadBalancer  
Azure KeyVault System   Port 443 to destination Service Tag: AzureKeyVault
Azure Storage System   Port 443 to destination Service Tag: Storage
Azure CosmosDB (for version 6.8.1 and below) System   Port 443 to destination Service Tag: AzureCosmosDB

How to Configure a Network Security Group rule

This example shows how to configure Outbound security rules. To configure Inbound security rules follow the same steps but select Inbound security rules under Settings.

To begin, open up the Network Security Group (NSG) in the Resource Group that Everpure Cloud Dedicated will be deployed in that has been created to control network traffic. Select Outbound security rules under Settings.

Click on the + Add button at the top.

Below the next screenshot shows details for each of the fields that need to be filled in for the Outbound security rule. Note that this process needs to be done a total of 3 times to create an outbound rule for each of the 3 Azure services required.

  1. Source: Set this to IP Addresses.
  2. Source IP Addresses/CIDR Range: Enter the subnet CIDR that you will use for the Everpure Cloud Dedicated System interface. Instructions on how to create this are shown earlier in this page.
  3. Destination: Select Service Tag from the drop down menu.
  4. Destination Service Tag: In this example we select the AzureCosmosDB tag. Note that this tag, the AzureResourceManager and AzureKeyVault tags each need to be defined in a unique outbound security rule.
  5. Service: Pick https from the drop-down menu.
  6. Action: Ensure this is set to Allow.
  7. Priority: Pick a unique value. Your existing NSG security rules will help dicate the priority selection made.
  8. Name: Provide a unique Outbound Rule name and optionally provide a description below.
  9. Click on the Add button to create the rule.

    The above process must be repeated 2 more times to create a total of 3 Outbound security rules. For the 2 additional rules, step 4 needs to include the AzureResourceManager and AzureKeyVault tags while fields 7 and 8 need to be unique values.

    After the 3 outbound security rules have been created, review them to make certain they are correct.

    Next, we need to associate the system subnet with the network security group if it hasn't previously been added.

    To do so, click on the Subnets button on the NSG.

    Next, click on the Associate button.

    Select the VNet you will deploy Everpure Cloud Dedicated into and then the system subnet.

    Confirm that the subnet has been successfully associated.