Add IP filtering to Network Security Group

To limit inbound connection attempts to the IP ranges of valid Exchange Online servers, change the configuration of the Kubernetes Network Security Group as described below.

  Prerequisites

  • Client-Hosted Email Signature Server.
  • Contributor Rights on Kubernetes resources.

Retrieve list of Exchange Online IPv4 and IPv6 ranges

  1. Go to Office 365 URLs and IP address ranges.
  2. Scroll down to ID 10 under the Exchange Online heading.
  3. Copy the list of IPv4 addresses and paste it into a separate document for use in the section below. Example: 40.92.0.0/15, etc.
  4. Copy the list of IPv6 addresses and paste it into the same document on a new line for use in the section below. Example: 2a01:111:f400::/48, etc.

Add IP filtering to the Network Security Group

  1. Navigate to http://portal.azure.com.
  2. Select the Resource group for your Kubernetes installation. Its name has the format MC_<Resource group name>_<cluster name>_<location>.
  3. Select the Network security group resource.
  4. Under Settings, select Inbound security rules.
  5. Click Add to create a rule that allows all inbound traffic from Exchange Online for the specified IPv4 addresses obtained above.
  6. Configure as shown below. For <IP list for IPv4> use the copy/pasted IPv4 addresses you saved from the steps above.
    Name                              Value
    Source                            IP Addresses
    Source IP addresses/CIDR ranges   <IP list for IPv4>
    Source port ranges                *
    Destination                       Any
    Service                           Custom
    Destination port ranges           25
    Protocol                          TCP
    Action                            Allow
    Priority                          400
    Name                              AllowOnlyExchangeOnlineIpv4
    Description                       Allow only inbound connections from the official Exchange Online IP Range.
  7. Click Add.
  8. Repeat steps 5-7 for the IPv6 addresses, using the values below.
    Name                              Value
    Source                            IP Addresses
    Source IP addresses/CIDR ranges   <IP list for IPv6>
    Source port ranges                *
    Destination                       Any
    Service                           Custom
    Destination port ranges           25
    Protocol                          TCP
    Action                            Allow
    Priority                          401
    Name                              AllowOnlyExchangeOnlineIpv6
    Description                       Allow only inbound connections from the official Exchange Online IP Range.
  9. Repeat steps 5-7 to create a rule denying all other addresses to port 25.
    Name                              Value
    Source                            Any
    Source port ranges                *
    Destination                       Any
    Service                           Custom
    Destination port ranges           25
    Protocol                          Any
    Action                            Deny
    Priority                          402
    Name                              DenyPort25FromAnyIP
    Description                       Denies traffic from all public IP addresses on port 25, if not explicitly allowed in a previous rule.
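
Before pasting the saved lists into the rules, it helps to check that every entry is valid CIDR and that the three rules produce the intended result when evaluated in priority order. The following is an added example, not part of the original article or the product: the function names and the pasted sample (including the malformed entry and the test source addresses) are constructed for illustration, and the model ignores the Protocol column.

```python
import ipaddress

# Constructed sample of the saved document: IPv4 on line 1, IPv6 on line 2.
PASTED = """40.92.0.0/15, 40.107.0.0-16, 52.100.0.0/14
2a01:111:f400::/48, 2a01:111:f403::/48"""

def split_ranges(text):
    """Return (ipv4, ipv6, rejected) from comma/newline separated CIDR text."""
    v4, v6, bad = [], [], []
    for item in text.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue
        try:
            net = ipaddress.ip_network(item, strict=True)
        except ValueError:
            bad.append(item)  # not valid CIDR, e.g. a dash instead of a slash
            continue
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6, bad

def build_rules(v4, v6):
    """The article's three inbound rules as (priority, name, sources, action)."""
    return [
        (400, "AllowOnlyExchangeOnlineIpv4", v4, "Allow"),
        (401, "AllowOnlyExchangeOnlineIpv6", v6, "Allow"),
        (402, "DenyPort25FromAnyIP", None, "Deny"),  # None models Source "Any"
    ]

def evaluate(rules, source_ip, port=25):
    """Check rules lowest priority number first; the first match decides."""
    if port != 25:
        return None  # these three rules only cover destination port 25
    addr = ipaddress.ip_address(source_ip)
    for _prio, name, sources, action in sorted(rules, key=lambda r: r[0]):
        if sources is None or any(
            addr.version == n.version and addr in n for n in sources
        ):
            return action, name
    return None

if __name__ == "__main__":
    v4, v6, bad = split_ranges(PASTED)
    print("rejected entries:", bad)
    rules = build_rules(v4, v6)
    for ip in ("40.93.1.10", "2a01:111:f400::25", "203.0.113.7"):
        print(ip, "->", evaluate(rules, ip))
```

Any entry reported as rejected should be corrected in the saved document before it is pasted into the Source IP addresses/CIDR ranges field.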