Outbound communication control for Azure NSG on Redmine servers
Hello, I created a Bitnami Redmine server on Azure. The OS is Ubuntu.
I am sending emails from the Redmine server using Sendgrid.
I would like to confirm that outbound communication from the Azure NSG of this Redmine server is being controlled correctly.
When checking the outbound communication of the created Redmine server,
two types of communication were confirmed: email transmission via Sendgrid (port 587) and communication with the NTP server (port 123).
Therefore, we opened ports 587 and 123 in the NSG outbound rules.
The IP addresses that were opened are as follows.
■Port 587
・52.220.95.193 (ec2-52-220-95-193.ap-southeast-1.compute.amazonaws.com)
・52.201.183.155 (ec2-52-201-183-155.compute-1.amazonaws.com)
■Port 123
・45.77.20.103 (v4.ntp.admtan.jp)
・40.79.194.118
・40.79.187.14
・20.209.23.65
Therefore, I would like to ask the following three questions.
1. Is it possible for Bitnami to communicate with the Internet with the NSG settings for ports 587 and 123 mentioned above?
2. Regarding the NTP settings for the server, is it possible for the IP address to change?
3. We are sending emails from Redmine using Sendgrid. How is the destination IP address determined? How does it change?
Please let me know. Thank you in advance.
Replies (2)
RE: Outbound communication control for Azure NSG on Redmine servers
Added by Holger Just 7 days ago
Sendgrid uses a large number of IP addresses which may often change. Thus, the small number of IPs may not be sufficient. As Sendgrid is a commercial service with a dedicated support team, they will likely be able to tell you the full list of IPs you need to open or other more appropriate options for your use-case.
Similarly, for NTP, you likely use a pool currently (i.e. SOMETHING.pool.ntp.org) which balances requests via a large and changing list of NTP servers. When using this pool, you likely have to allow outbound UDP 123 to all hosts. If you use a fixed list of NTP servers, you need to configure these and thus can restrict packets to these fixed hosts only.
RE: Outbound communication control for Azure NSG on Redmine servers
Added by 竜成 鈴木 6 days ago
Thank you for your response.
I understand about the IP variation of the Sendgrid and NTP servers.
Please let me check again if there is any possibility of Bitnami communicating towards the Internet with Azure NSG settings on ports 587 and 123.
We would like to check if there is any possibility of unintended communication towards the Internet.
We believe that communications other than the currently configured ports 587 and 123 are blocked by the default deny rules unless explicitly allowed by the NSG outbound rules.
Therefore, if the NSG setting strictly allows only the above IP addresses and ports, then all other Internet communications are basically blocked, correct?
Please let me know. Thank you in advance.
Translated with DeepL.com (free version)
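As an added example (not code from this thread, from Bitnami, Redmine, or Azure), here is a small Python model of how Azure evaluates NSG outbound rules, used to check the assumption in the second post and the NTP-pool caveat in the first reply. Azure processes rules by priority (lowest number first) and the first matching rule decides the flow; every NSG also carries three default outbound rules that cannot be deleted: AllowVnetOutBound (65000), AllowInternetOutBound (65001) and DenyAllOutBound (65500). The rule names and priorities for the thread's own rules, the address 203.0.113.10 (a documentation address standing in for a pool member that is not on the list), and the service-tag handling (`Internet` = any non-RFC 1918 address, `VirtualNetwork` = RFC 1918 space) are assumptions made for this example.

```python
"""Model of Azure NSG outbound rule evaluation (added example, not Azure code)."""
import ipaddress
from dataclasses import dataclass

# Simplification for this example: the VirtualNetwork tag really covers the VNet
# address space plus peered/on-premises ranges; RFC 1918 space is used as a stand-in.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first; custom rules use 100-4096
    protocol: str          # "Tcp", "Udp" or "*"
    dest_prefixes: tuple   # CIDRs, single IPs, or the tags "Internet", "VirtualNetwork", "*"
    dest_ports: tuple      # e.g. ("587",), ("*",) or ranges such as "1024-65535"
    access: str            # "Allow" or "Deny"


# Azure's default outbound rules: present in every NSG and not deletable.
DEFAULT_OUTBOUND = (
    Rule("AllowVnetOutBound", 65000, "*", ("VirtualNetwork",), ("*",), "Allow"),
    Rule("AllowInternetOutBound", 65001, "*", ("Internet",), ("*",), "Allow"),
    Rule("DenyAllOutBound", 65500, "*", ("*",), ("*",), "Deny"),
)

# The allow rules described in the thread (names and priorities are assumptions).
THREAD_RULES = (
    Rule("allow-smtp-sendgrid", 100, "Tcp", ("52.220.95.193", "52.201.183.155"), ("587",), "Allow"),
    Rule("allow-ntp", 110, "Udp",
         ("45.77.20.103", "40.79.194.118", "40.79.187.14", "20.209.23.65"), ("123",), "Allow"),
)

# Same rules plus an explicit deny that shadows the default AllowInternetOutBound.
HARDENED_RULES = THREAD_RULES + (
    Rule("deny-other-internet", 4096, "*", ("Internet",), ("*",), "Deny"),
)


def _prefix_matches(prefix: str, ip: ipaddress._BaseAddress) -> bool:
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return any(ip in n for n in PRIVATE_NETS)
    if prefix == "Internet":
        return not any(ip in n for n in PRIVATE_NETS)
    # A bare IP such as "52.220.95.193" becomes a /32 network.
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, protocol: str, dest_ip: str, dest_port: int):
    """Return (access, rule_name) for an outbound flow, first match by priority."""
    ip = ipaddress.ip_address(dest_ip)
    for r in sorted(tuple(rules) + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if not any(_prefix_matches(p, ip) for p in r.dest_prefixes):
            continue
        if not any(_port_matches(p, dest_port) for p in r.dest_ports):
            continue
        return r.access, r.name
    raise RuntimeError("unreachable: DenyAllOutBound matches every flow")


if __name__ == "__main__":
    # Constructed sample flows: listed SMTP relay, listed NTP host, an NTP pool
    # member that is not on the list, and ordinary HTTPS to an arbitrary host.
    flows = [("Tcp", "52.220.95.193", 587), ("Udp", "45.77.20.103", 123),
             ("Udp", "203.0.113.10", 123), ("Tcp", "203.0.113.10", 443)]
    for label, rules in (("thread rules", THREAD_RULES), ("with explicit deny", HARDENED_RULES)):
        print(f"== {label}")
        for proto, ip, port in flows:
            access, name = evaluate(rules, proto, ip, port)
            print(f"  {proto:3} {ip:>15}:{port:<4} -> {access:5} ({name})")
```

The model shows why the "default deny" assumption needs checking on Azure: because AllowInternetOutBound sits at priority 65001, allow rules for ports 587 and 123 alone leave every other outbound Internet flow permitted, and the flow to 203.0.113.10:443 is allowed by that default rule. Only after adding an explicit Deny rule for the `Internet` tag at a custom priority (4096 here) is unlisted traffic dropped. The same run also illustrates the NTP caveat from the reply: with the deny rule in place, a pool member outside the fixed list (203.0.113.10:123) is blocked, so the fixed list must be kept current or the server pointed at static NTP hosts.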