Configure Firewall to allow authentication to AAD #410
Comments
I agree that in certain cases this needs to be considered. I feel that we need to better understand the scenarios; it can't be a generic setting and must be documented very well. This would be in line with being opinionated. For example, a simple service tag endpoint for storage via SAS token solves storage access. A private endpoint and DNS entry will be required for Log Analytics. Key Vault, mentioned here, requires the following. Is getting a token the problem?
The info on Key Vault is here. The question is what is allowed while still being compliant, and what requires this access.
The failure appears to be that the JavaScript downloaded from the login portal tries to reach aadcdn.msftauth.net and aacdn.msft.net to get an answer, and those domains are not in the AzureCloud tag. By adding these as a Firewall policy rule in MAG to allow them, it then works. Further testing in commercial to follow, but this will need to add the AzureCloud tag and 1 additional application rule for those domains.
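One way to express the two rules described in the comment above as an Azure Firewall policy rule collection group, as an added Bicep example that is not MLZ's own code. The policy name, the source prefix and the priorities are assumptions (parameters to be set per deployment); the FQDNs are copied from the comment as written.

```bicep
// Assumed inputs: the existing MLZ hub firewall policy and the spoke/hub
// prefix that hosts the remote access servers needing AAD sign-in.
param firewallPolicyName string
param sourcePrefix string = '10.0.0.0/8' // assumption: MLZ address space
param rcgPriority int = 300              // assumption: must not clash with MLZ's own groups

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' existing = {
  name: firewallPolicyName
}

resource aadAuthRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: firewallPolicy
  name: 'AadAuthenticationRuleCollectionGroup'
  properties: {
    priority: rcgPriority
    ruleCollections: [
      {
        // Network rule: AzureCloud service tag covers login.microsoftonline.* endpoints.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'AllowAzureCloudTag'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'AzureCloudHttps'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ sourcePrefix ]
            destinationAddresses: [ 'AzureCloud' ]
            destinationPorts: [ '443' ]
          }
        ]
      }
      {
        // Application rule: the one extra FQDN rule for the login page's static content,
        // which is not inside the AzureCloud tag. Scoped to HTTPS and to the source prefix only.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'AllowAadLoginCdn'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'AadLoginStaticContent'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ sourcePrefix ]
            targetFqdns: [ 'aadcdn.msftauth.net', 'aacdn.msft.net' ]
          }
        ]
      }
    ]
  }
}
```

Azure Firewall evaluates network rules before application rules regardless of collection priority, so the service tag rule is matched first and only the CDN FQDNs fall through to the application rule; verify a successful sign-in against the firewall's application rule log before widening either source prefix.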
Benefit/Result/Outcome
As a user/admin of MLZ capabilities, I need to be able to access Azure endpoints from within the MLZ environment
Description
When using systems deployed within the MLZ hub and spoke architecture, there may be a need for accessing endpoints from IaaS systems. As an example, when logged into a Remote Access server, a user/admin may need to query a Key Vault for Secrets. In order to access the Key Vault, the user/admin would need to first authenticate against the login endpoint for the respective cloud.
The scope for this backlog item is limited to providing network access to AAD authentication. We assume that Azure resources that allow private endpoints will be addressable if users can get a token from AAD. See #306 for planning on private endpoints.
Acceptance Criteria