
Add IP filtering to Network Security Group

About this article

To restrict inbound connection attempts to the limited range of valid Exchange Online servers, some configuration changes need to be made to the Kubernetes Network Security Group.

First, you will need to retrieve the list of legitimate Exchange Online IPv4 and IPv6 ranges.

Next, you will need to add these as rules to the Network Security Group for the Kubernetes cluster.


Retrieve list of Exchange Online IPv4 and IPv6 ranges

  1. Go to the Office 365 URLs and IP address ranges page
  2. Scroll down to ID 10 under the Exchange Online heading
  3. Copy the list of IPv4 addresses shown there and paste it into a separate document for use in the section below. Ex. 40.92.0.0/15, etc.
  4. Copy the list of IPv6 addresses shown there and paste it into the separate document on a new line for use in the section below. Ex. 2a01:111:f400::/48, etc.


Add IP filtering to the Network Security Group

Create the rule allowing for the IPv4 address ranges

  1. Go to http://portal.azure.com and log in with a user that has Contributor rights on the Kubernetes resources
  2. Select the Resource group for your Kubernetes installation, the format for this is: MC_<Resource group name>_<cluster name>_<location>
  3. Select the resource with Type: Network security group; there should be only one, and its name is auto-generated.
  4. Select Inbound security rules on the left-hand side
  5. Click +Add at the top of the list of rules to create a rule that allows all inbound traffic from Exchange Online for the specified IPv4 addresses.
  6. Configure as shown below. For <IP list for IPv4> use the copied IPv4 addresses you saved in the steps earlier.

    Name                              Value
    Source                            IP Addresses
    Source IP addresses/CIDR ranges   <IP list for IPv4>
    Source port ranges                *
    Destination                       Any
    Destination port ranges           25
    Protocol                          TCP
    Action                            Allow
    Priority                          400 (must be a lower number than the AllowVnetInBound rule, so it is evaluated first)
    Name                              AllowOnlyExchangeOnlineIpv4
    Description                       Allow only inbound connections from the official Exchange Online IP range, as documented at https://bit.ly/2VkiEFy


  7. Click the [Add] button at the bottom. The rule will be created in a few minutes and will appear in the list of Inbound security rules.


Create the rule allowing the IPv6 address ranges

  1. Click +Add at the top of the list of rules to create a rule that allows all inbound traffic from Exchange Online for the specified IPv6 addresses.
  2. Configure as shown below. For <IP list for IPv6> use the copied IPv6 addresses you saved in the steps earlier.

    Name                              Value
    Source                            IP Addresses
    Source IP addresses/CIDR ranges   <IP list for IPv6>
    Source port ranges                *
    Destination                       Any
    Destination port ranges           25
    Protocol                          TCP
    Action                            Allow
    Priority                          401 (must be a lower number than the AllowVnetInBound rule and a higher number than AllowOnlyExchangeOnlineIpv4)
    Name                              AllowOnlyExchangeOnlineIpv6
    Description                       Allow only inbound connections from the official Exchange Online IP range, as documented at https://bit.ly/2VkiEFy


  3. Click the [Add] button at the bottom. The rule will be created in a few minutes and will appear in the list of Inbound security rules.

Create the rule denying all other addresses to port 25

  1. Click +Add at the top of the list of rules to create a rule that denies traffic from all public IP addresses on port 25.
  2. Configure as shown below.

    Name                              Value
    Source                            Any
    Source port ranges                *
    Destination                       Any
    Destination port ranges           25
    Protocol                          Any
    Action                            Deny
    Priority                          402 (must be a lower number than the AllowVnetInBound rule and a higher number than AllowOnlyExchangeOnlineIpv6)
    Name                              DenyPort25FromAnyIP
    Description                       Denies traffic from all public IP addresses on port 25 unless explicitly allowed by a previous rule.


  3. Click the [Add] button at the bottom. The rule will be created in a few minutes and will appear in the list of Inbound security rules.


Overall, the new rules should look similar to the following screenshot.

[Screenshot: NetworkSecurityGroupRules.png]
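Before pasting the copied ranges into the portal, it is worth checking that every entry is a valid CIDR and that the three rules, evaluated in priority order, produce the intended result. The following script is an added example, not part of the original article: the PASTED_RANGES sample is constructed (only 40.92.0.0/15 and 2a01:111:f400::/48 come from the article), and the rule evaluation is a simplified model of how an NSG picks the first matching rule by priority number.

```python
"""Offline sanity check of the Exchange Online port-25 NSG rule set (added example)."""
import ipaddress

# Constructed sample of a pasted list: IPv4 ranges on the first line, IPv6 on the second.
# The real list comes from ID 10 of the Office 365 URLs and IP address ranges page.
PASTED_RANGES = "40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14\n2a01:111:f400::/48, 2a01:111:f403::/48"


def split_ranges(pasted):
    """Validate each CIDR and split it into the IPv4 and IPv6 lists the two Allow rules need.

    A mistyped entry such as "40.92.0.0-15" raises ValueError instead of silently
    producing a rule that the portal would reject (or that would match nothing).
    """
    v4, v6 = [], []
    for token in pasted.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue
        net = ipaddress.ip_network(token, strict=True)
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def build_rules(v4, v6):
    """The three inbound rules from the article as (priority, name, sources, protocol, port, action).

    None for sources or protocol means Any. A lower priority number is evaluated first.
    """
    return [
        (400, "AllowOnlyExchangeOnlineIpv4", v4, "tcp", 25, "Allow"),
        (401, "AllowOnlyExchangeOnlineIpv6", v6, "tcp", 25, "Allow"),
        (402, "DenyPort25FromAnyIP", None, None, 25, "Deny"),
    ]


def evaluate(rules, src_ip, dst_port, proto="tcp"):
    """First matching rule wins, as in an NSG; returns None when no custom rule matches."""
    ip = ipaddress.ip_address(src_ip)
    for _prio, name, sources, rule_proto, port, action in sorted(rules, key=lambda r: r[0]):
        if port != dst_port or rule_proto not in (None, proto):
            continue
        # An IPv4 address is never contained in an IPv6 network and vice versa.
        if sources is not None and not any(ip in net for net in sources):
            continue
        return name, action
    return None


if __name__ == "__main__":
    rules = build_rules(*split_ranges(PASTED_RANGES))
    print(evaluate(rules, "40.92.1.1", 25))          # Exchange Online IPv4 -> Allow
    print(evaluate(rules, "2a01:111:f400::10", 25))  # Exchange Online IPv6 -> Allow
    print(evaluate(rules, "198.51.100.7", 25))       # any other public IP -> Deny
    print(evaluate(rules, "198.51.100.7", 443))      # not port 25 -> left to the other rules
```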
