问题
I have two VNETS (VNET1 and VNET2). VNET1 allows many site2site and point to site connections. VNET2 contains an internal load balancer and a set of VMs for the back end pool of that load balancer. I have successfully setup peering with the help of another post listed below which allows all on-premise clients in VNET1 to access the internal load balancer in VNET2 but it also allows them to access the VMs in VNET2 which I want to avoid.
Accessing resources from connected Azure VNETS via VPN
I'm trying to limit on-premise clients connected to VNET1 so they can only see the internal load balancer on VNET2 (not the VMs in the backend pool). I saw a similar question below but that involved two public load balancers so not sure it's applicable here since I'm using internal load balancer.
Azure Vnet peering with public IP load balancer
I've tried setting up an NSG on the subnet where the VMs reside by creating following rules.
- Rule1: Allow LoadBalancer IP to VM subnet (backend VM pool).
- Rule2: Deny all other VnetInBound traffic (this overrides the default AllowVnetInBound).
The above rules prevents VNET1 from seeing anything in VNET2 but also prevents sending to the load balancer for some reason.
Anyone have any ideas on how this configuration could be implemented?
来源:https://stackoverflow.com/questions/50865566/security-for-peered-vnets-with-internal-load-balancer