Create network infrastructure in Azure with blocked outbound traffic

Author: ppiwowa-csco

roles/azure_controllers/defaults/main.yml

@@ -47,6 +47,7 @@ az_subnets: |
 
 # Security group
 az_network_security_group: "{{ az_resources_prefix }}-nsg"
+az_nsg_block_edgess: false
 
 
 # VPN subnets from which we can connect to Azure EIPs (Network Security Group config)

roles/azure_controllers/tasks/azure_vbond_vm.yml

@@ -36,15 +36,7 @@
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
-    rules:
-      - name: "{{ public_ip_state.state.name }}"
-        protocol: "*"
-        destination_port_range: "*"
-        source_port_range: "*"
-        source_address_prefix: "{{ public_ip_state.state.ip_address }}"
-        access: Allow
-        priority: "{{ 1500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
-        direction: Inbound
+    rules: "{{ [inbound_rule, outbound_rule] if az_nsg_block_edgess else [inbound_rule] }}"
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"
@@ -55,6 +47,25 @@
     index_var: my_idx
     label: public_ip_state.state.name
   when: public_ip_state.state.name not in az_res_gr.securitygroups | map(attribute='rules') | flatten | map(attribute='name') | list
+  vars:
+    inbound_rule:
+      name: "{{ public_ip_state.state.name }}"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      source_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 1500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Inbound
+    outbound_rule:
+      name: "{{ public_ip_state.state.name }}-out"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      destination_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 1500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Outbound
 
 - name: "Create virtual network interface cards"
   azure.azcollection.azure_rm_networkinterface:

roles/azure_controllers/tasks/azure_vmanage_vm.yml

@@ -38,15 +38,7 @@
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
-    rules:
-      - name: "{{ public_ip_state.state.name }}"
-        protocol: "*"
-        destination_port_range: "*"
-        source_port_range: "*"
-        source_address_prefix: "{{ public_ip_state.state.ip_address }}"
-        access: Allow
-        priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
-        direction: Inbound
+    rules: "{{ [inbound_rule, outbound_rule] if az_nsg_block_edgess else [inbound_rule] }}"
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"
@@ -59,6 +51,25 @@
   when:
     - public_ip_state.state is defined
     - public_ip_state.state.name not in az_res_gr.securitygroups | map(attribute='rules') | flatten | map(attribute='name') | list
+  vars:
+    inbound_rule:
+      name: "{{ public_ip_state.state.name }}"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      source_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Inbound
+    outbound_rule:
+      name: "{{ public_ip_state.state.name }}-out"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      destination_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Outbound
 
 - name: "Create virtual network interface cards for public interfaces"
   azure.azcollection.azure_rm_networkinterface:
@@ -120,22 +131,33 @@
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
-    rules:
-      - name: "{{ cluster_vmanage_nic.state.name }}"
-        protocol: "*"
-        destination_port_range: "*"
-        source_port_range: "*"
-        source_address_prefix: "{{ cluster_vmanage_nic.state.ip_configuration.private_ip_address }}"
-        access: Allow
-        priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 }}"
-        direction: Inbound
+    rules: "{{ [inbound_rule, outbound_rule] if az_nsg_block_edgess else [inbound_rule] }}"
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"
       Organization: "{{ organization_name }}"
   when:
     - cluster_subnet is defined
     - cluster_subnet != ""
+  vars:
+    inbound_rule:
+      name: "{{ cluster_vmanage_nic.state.name }}"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      source_address_prefix: "{{ cluster_vmanage_nic.state.ip_configuration.private_ip_address }}"
+      access: Allow
+      priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 }}"
+      direction: Inbound
+    outbound_rule:
+      name: "{{ cluster_vmanage_nic.state.name }}-out"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      destination_address_prefix: "{{ cluster_vmanage_nic.state.ip_configuration.private_ip_address }}"
+      access: Allow
+      priority: "{{ 2500 + ((az_res_gr.securitygroups | first).rules | length) + 1 }}"
+      direction: Outbound
 
 - name: Set az_network_interfaces_vmanage fact with a list of interfaces for vmanage
   ansible.builtin.set_fact:

roles/azure_controllers/tasks/azure_vsmart_vm.yml

@@ -36,15 +36,7 @@
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
-    rules:
-      - name: "{{ public_ip_state.state.name }}"
-        protocol: "*"
-        destination_port_range: "*"
-        source_port_range: "*"
-        source_address_prefix: "{{ public_ip_state.state.ip_address }}"
-        access: Allow
-        priority: "{{ 2000 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
-        direction: Inbound
+    rules: "{{ [inbound_rule, outbound_rule] if az_nsg_block_edgess else [inbound_rule] }}"
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"
@@ -55,6 +47,25 @@
     index_var: my_idx
     label: public_ip_state.state.name
   when: public_ip_state.state.name not in az_res_gr.securitygroups | map(attribute='rules') | flatten | map(attribute='name') | list
+  vars:
+    inbound_rule:
+      name: "{{ public_ip_state.state.name }}"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      source_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 2000 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Inbound
+    outbound_rule:
+      name: "{{ public_ip_state.state.name }}-out"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      destination_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 2000 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Outbound
 
 - name: "Create virtual network interface cards"
   azure.azcollection.azure_rm_networkinterface:

roles/azure_network_infrastructure/tasks/azure_network_infrastructure.yml

@@ -80,14 +80,46 @@
       Creator: "{{ az_tag_creator }}"
       Organization: "{{ organization_name }}"
 
-- name: "Create Network Security Group: {{ az_network_security_group }}"
+- name: "Block Outbound traffic: {{ az_network_security_group }}"
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
     rules:
       - name: DenyAll
         access: Deny
         direction: Outbound
+        priority: 4000
+      - name: ExternalTCP-out
+        protocol: Tcp
+        destination_port_range:
+          - 22
+          - 443
+          - 830  # NETCONF over SSH
+          - 8443
+        source_address_prefix: "{{ az_allowed_subnets }}"
+        access: Allow
+        priority: 1001
+        direction: Outbound
+      - name: InternalTCP-out
+        protocol: Tcp
+        destination_port_range: 23456-24156
+        source_address_prefix: "{{ az_allowed_subnets }}"
+        access: Allow
+        priority: 1002
+        direction: Outbound
+      - name: InternalUDP-out
+        protocol: Udp
+        destination_port_range: 12346-13046
+        source_address_prefix: "{{ az_allowed_subnets }}"
+        access: Allow
+        priority: 1003
+        direction: Outbound
+      - name: ICMP-out
+        protocol: Icmp
+        source_address_prefix: "{{ az_allowed_subnets }}"
+        access: Allow
+        priority: 1004
+        direction: Outbound
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"