About this article
To restrict inbound connection attempts to the limited set of valid Exchange Online servers, some configuration changes need to be made to the Network Security Group of the Kubernetes cluster.
First, you will need to retrieve the list of legitimate Exchange Online IPv4 and IPv6 ranges.
Next, you will need to add these ranges as rules to the Network Security Group for the Kubernetes cluster.
Retrieve list of Exchange Online IPv4 and IPv6 ranges
- Go to Office 365 URLs and IP address ranges
- Scroll down to ID 10 under the Exchange Online heading
- Copy the list of IPv4 addresses shown there and paste it into a separate document for use in the section below, e.g. 40.92.0.0/15, etc.
- Copy the list of IPv6 addresses shown there and paste it into the same document on a new line for use in the section below, e.g. 2a01:111:f400::/48, etc.
Add IP filtering to the Network Security Group
Create the rule allowing for the IPv4 address ranges
- Go to http://portal.azure.com and log in with a user that has Contributor rights on the Kubernetes resources
- Select the Resource group for your Kubernetes installation, the format for this is: MC_<Resource group name>_<cluster name>_<location>
- Select the resource with Type: Network security group, there should be only one. The name of it is auto-generated.
- Select Inbound security rules on the left-hand side
- Click +Add at the top of the list of rules to create a rule that allows all inbound traffic from Exchange Online for the specified IPv4 addresses.
- Configure as shown below. For <IP list for IPv4> use the IPv4 addresses you copied and pasted in the steps earlier.

Name                              Value
Source                            IP Addresses
Source IP addresses/CIDR ranges   <IP list for IPv4>
Source port ranges                *
Destination                       Any
Destination port ranges           25
Protocol                          TCP
Action                            Allow
Priority                          400 (it must have a lower number than the AllowVnetInBound rule)
Name                              AllowOnlyExchangeOnlineIpv4
Description                       Allow only inbound connections from the official Exchange Online IP range, as documented here: https://bit.ly/2VkiEFy

- Click the [Add] button at the bottom. The rule will be created in a few minutes and will appear in the list of Inbound security rules.
Create the rule allowing the IPv6 address ranges
- Click +Add at the top of the list of rules to create a rule that allows all inbound traffic from Exchange Online for the specified IPv6 addresses.
- Configure as shown below. For <IP list for IPv6> use the IPv6 addresses you copied and pasted in the steps earlier.

Name                              Value
Source                            IP Addresses
Source IP addresses/CIDR ranges   <IP list for IPv6>
Source port ranges                *
Destination                       Any
Destination port ranges           25
Protocol                          TCP
Action                            Allow
Priority                          401 (it must have a lower number than the AllowVnetInBound rule and a higher number than AllowOnlyExchangeOnlineIpv4)
Name                              AllowOnlyExchangeOnlineIpv6
Description                       Allow only inbound connections from the official Exchange Online IP range, as documented here: https://bit.ly/2VkiEFy

- Click the [Add] button at the bottom. The rule will be created in a few minutes and will appear in the list of Inbound security rules.
Create the rule denying all other addresses to port 25
- Click +Add at the top of the list of rules to create a rule that denies traffic from all public IP addresses to port 25.
- Configure as shown below.

Name                              Value
Source                            Any
Source port ranges                *
Destination                       Any
Destination port ranges           25
Protocol                          Any
Action                            Deny
Priority                          402 (it must have a lower number than the AllowVnetInBound rule and a higher number than AllowOnlyExchangeOnlineIpv6)
Name                              DenyPort25FromAnyIP
Description                       Denies traffic from all public IP addresses on port 25, if not explicitly allowed in a previous rule.

- Click the [Add] button at the bottom. The rule will be created in a few minutes and will appear in the list of Inbound security rules.
Overall the new rules should look similar to the following
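As an added example (not part of the original article), the following Python script shows the whole procedure above in code: it reads endpoint data in the shape returned by Microsoft's Office 365 endpoints web service (a constructed sample is embedded, so it runs offline), splits the Exchange Online ID 10 ranges into IPv4 and IPv6 lists, builds the three rules with the priorities given above, checks that the priorities are ordered correctly, and evaluates which rule a given source address would hit on port 25. The sample ranges and the rule-as-dict layout are assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of the Office 365 endpoints web service output
# (https://endpoints.office.com/endpoints/worldwide, which needs a clientrequestid
# GUID). Only the Exchange Online entry with id 10 is used, as in the article.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 10, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "ips": ["40.92.0.0/15", "40.107.0.0/16", "2a01:111:f400::/48", "2a01:111:f403::/49"],
     "tcpPorts": "25"},
    {"id": 1, "serviceArea": "Exchange", "ips": ["13.107.6.152/31"], "tcpPorts": "443"},
])

def exchange_online_ranges(endpoints_json, entry_id=10):
    """Split the 'ips' of the endpoint entry with the given id into IPv4 and IPv6 lists."""
    entry = next(e for e in json.loads(endpoints_json) if e["id"] == entry_id)
    nets = [ipaddress.ip_network(p) for p in entry["ips"]]
    return ([str(n) for n in nets if n.version == 4],
            [str(n) for n in nets if n.version == 6])

def build_rules(ipv4, ipv6):
    """The three inbound rules from the article, in the order the NSG evaluates them."""
    desc = "Allow only inbound connections from the official Exchange Online IP range"
    return [
        {"name": "AllowOnlyExchangeOnlineIpv4", "priority": 400, "access": "Allow",
         "protocol": "Tcp", "sources": ipv4, "dest_port": 25, "description": desc},
        {"name": "AllowOnlyExchangeOnlineIpv6", "priority": 401, "access": "Allow",
         "protocol": "Tcp", "sources": ipv6, "dest_port": 25, "description": desc},
        {"name": "DenyPort25FromAnyIP", "priority": 402, "access": "Deny",
         "protocol": "*", "sources": ["*"], "dest_port": 25,
         "description": "Denies traffic from all public IP addresses on port 25"},
    ]

def priorities_ok(rules):
    """Azure evaluates the lowest priority number first: the Allow rules must
    sort before the Deny rule, and all of them before AllowVnetInBound (65000)."""
    ps = [r["priority"] for r in rules]
    return ps == sorted(ps) and ps[-1] < 65000 and rules[-1]["access"] == "Deny"

def evaluate(rules, src_ip, dst_port, protocol="Tcp"):
    """Name of the first rule matching an inbound packet, or None if only the
    NSG default rules would apply (an address never matches a network of the other IP version)."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["dest_port"] != dst_port or r["protocol"] not in ("*", protocol):
            continue
        if "*" in r["sources"] or any(ip in ipaddress.ip_network(s) for s in r["sources"]):
            return r["name"]
    return None
```

Running evaluate() against a few addresses before and after you apply the rules in the portal is a quick way to confirm that only the Exchange Online ranges reach port 25 and that everything else falls through to the Deny rule.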