In order to keep the allowed connection attempts to the limited range of valid Exchange Online servers, some configuration changes will need to be made to the Kubernetes Network Security Group.
Prerequisites
Retrieve list of Exchange Online IPv4 and IPv6 ranges
- Go to Office 365 URLs and IP address ranges
- Scroll down to ID 10 under the Exchange Online heading.
- Copy the list of IPv4 ranges listed there and paste it into a separate document for use in the section below (e.g. 40.92.0.0/15, etc.).
- Copy the list of IPv6 ranges listed there and paste it into the same document on a new line for use in the section below (e.g. 2a01:111:f400::/48, etc.).
Add IP filtering to the Network Security Group
1. Navigate to http://portal.azure.com.
2. Select the Resource group for your Kubernetes installation; its name has the format MC_<Resource group name>_<cluster name>_<location>.
3. Select the Network security group resource.
4. Under Settings, select Inbound security rules.
5. Click Add to create a rule that allows all inbound traffic from Exchange Online for the IPv4 addresses obtained above.
6. Configure as shown below. For <IP list for IPv4> use the IPv4 addresses you saved from the steps above.

| Name | Value |
|------|-------|
| Source | IP Addresses |
| Source IP addresses/CIDR ranges | <IP list for IPv4> |
| Source port ranges | * |
| Destination | Any |
| Service | Custom |
| Destination port ranges | 25 |
| Protocol | TCP |
| Action | Allow |
| Priority | 400 |
| Name | AllowOnlyExchangeOnlineIpv4 |
| Description | Allow only inbound connections from the official Exchange Online IP Range. |

7. Click Add.
8. Repeat steps 5-7 for the IPv6 addresses, configured as shown below.

| Name | Value |
|------|-------|
| Source | IP Addresses |
| Source IP addresses/CIDR ranges | <IP list for IPv6> |
| Source port ranges | * |
| Destination | Any |
| Service | Custom |
| Destination port ranges | 25 |
| Protocol | TCP |
| Action | Allow |
| Priority | 401 |
| Name | AllowOnlyExchangeOnlineIpv6 |
| Description | Allow only inbound connections from the official Exchange Online IP Range. |

9. Repeat steps 5-7 to create a rule denying all other addresses to port 25, configured as shown below.

| Name | Value |
|------|-------|
| Source | Any |
| Source port ranges | * |
| Destination | Any |
| Service | Custom |
| Destination port ranges | 25 |
| Protocol | Any |
| Action | Deny |
| Priority | 402 |
| Name | DenyPort25FromAnyIP |
| Description | Denies traffic from all public IP addresses on port 25, if not explicitly allowed in a previous rule. |
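The same three rules can be scripted instead of typed into the portal. The following is an added example, not part of this article or any Microsoft tooling: it reads the Exchange Online SMTP entry (ID 10) from a constructed sample in the shape of the Office 365 endpoints web service JSON, validates every prefix as a proper CIDR (so a mistyped range such as `40.92.0.0-15` is rejected before it reaches the NSG), splits IPv4 from IPv6, and renders the allow/allow/deny rules as `az network nsg rule create` commands. The resource group and NSG names are placeholders.

```python
import ipaddress
import json
import shlex

# Constructed sample in the shape returned by the Office 365 endpoints web service
# (https://endpoints.office.com/endpoints/worldwide); the real list is much longer.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 10, "serviceArea": "Exchange", "tcpPorts": "25",
     "ips": ["40.92.0.0/15", "2a01:111:f400::/48"]},
    {"id": 1, "serviceArea": "Exchange", "tcpPorts": "443",
     "ips": ["13.107.6.152/31"]},  # unrelated entry that must be ignored
])


def split_ranges(endpoints_json, endpoint_id=10):
    """Return (ipv4, ipv6) CIDR lists for one endpoint ID; malformed prefixes raise ValueError."""
    v4, v6 = [], []
    for entry in json.loads(endpoints_json):
        if entry.get("id") != endpoint_id:
            continue
        for prefix in entry.get("ips", []):
            net = ipaddress.ip_network(prefix, strict=True)  # rejects "40.92.0.0-15" and host bits
            (v4 if net.version == 4 else v6).append(str(net))
    return v4, v6


def nsg_rules(v4, v6):
    """Build the article's three inbound rules; lower priority number wins in Azure NSGs."""
    common = {"direction": "Inbound", "source_port_ranges": "*",
              "destination_address_prefixes": "*", "destination_port_ranges": "25"}
    return [
        dict(common, name="AllowOnlyExchangeOnlineIpv4", priority=400, access="Allow",
             protocol="Tcp", source_address_prefixes=v4),
        dict(common, name="AllowOnlyExchangeOnlineIpv6", priority=401, access="Allow",
             protocol="Tcp", source_address_prefixes=v6),
        dict(common, name="DenyPort25FromAnyIP", priority=402, access="Deny",
             protocol="*", source_address_prefixes=["*"]),
    ]


def az_command(rule, resource_group="MC_<rg>_<cluster>_<location>", nsg="<nsg-name>"):
    """Render one rule as an `az network nsg rule create` line (returned as text, not executed)."""
    q = shlex.quote
    return (f"az network nsg rule create -g {q(resource_group)} --nsg-name {q(nsg)} "
            f"-n {rule['name']} --priority {rule['priority']} --direction {rule['direction']} "
            f"--access {rule['access']} --protocol {q(rule['protocol'])} "
            f"--source-address-prefixes {' '.join(map(q, rule['source_address_prefixes']))} "
            f"--source-port-ranges {q(rule['source_port_ranges'])} "
            f"--destination-address-prefixes {q(rule['destination_address_prefixes'])} "
            f"--destination-port-ranges {rule['destination_port_ranges']}")


if __name__ == "__main__":
    for rule in nsg_rules(*split_ranges(SAMPLE_ENDPOINTS_JSON)):
        print(az_command(rule))
```

Replace the sample JSON with a live download of the endpoints service and the placeholders with your MC_ resource group and NSG before running the printed commands.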