IMPORTANT: By default, Nerdio secures the public and private IP space of an Azure environment with Azure Network Security Groups (NSGs). In some instances a partner may have needs outside the scope of NSGs. Nerdio and its orchestration in Azure allow flexibility for partners looking to implement a third-party virtual firewall appliance in an independent resource group. The following is important IP space information a partner will need in order to successfully install a third-party virtual firewall. Nerdio does not support the operation, configuration and troubleshooting of third-party firewalls outside of the private IP space and virtual network.
- Partners have the most success working with the firewall manufacturer when it comes to implementation strategy and deployment of the virtual appliance.
The following network is required so that lookups are made via SafeDNS and its web content filters and allow/deny lists apply.
DNS - Any protocol / port 53 - 126.96.36.199/24
The following internal network definition is required to complete the route table setup that sends egress traffic through the third-party firewall.
Azure Virtual Network IP Space - 10.125.0.0/17
VM IP Blocks
Segments used in the VNet to differentiate VM roles in the environment:
Core host block (e.g. DC01, FS01) - 10.125.1.0/24
Host pool server(s) block - 10.125.0.0/24
DMZ host block - 10.125.254.0/24
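An added example (not Nerdio's code) that models longest-prefix route selection over the address plan above, so a planned route table can be checked before egress is pointed at the firewall. The sample route table, the firewall address 192.0.2.4 and the function names are constructed for illustration.

```python
import ipaddress

# Address plan exactly as written on this page.
VNET = ipaddress.ip_network("10.125.0.0/17")
VM_BLOCKS = {
    "core": ipaddress.ip_network("10.125.1.0/24"),
    "host_pool": ipaddress.ip_network("10.125.0.0/24"),
    "dmz": ipaddress.ip_network("10.125.254.0/24"),
}

# Constructed sample route table: (address prefix, next hop type, next hop IP).
# 192.0.2.4 is a documentation placeholder for the firewall's inside interface.
SAMPLE_ROUTES = [
    ("10.125.0.0/17", "VnetLocal", None),
    ("0.0.0.0/0", "VirtualAppliance", "192.0.2.4"),
]


def next_hop(dest, routes):
    """Return (type, ip) of the longest-prefix route matching dest, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, hop_type, hop_ip in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    return None if best is None else (best[1], best[2])


def blocks_outside_vnet():
    """Names of VM blocks that the stated VNet prefix does not contain."""
    return sorted(n for n, b in VM_BLOCKS.items() if not b.subnet_of(VNET))


def audit(routes):
    """Map each VM block to the next hop type that traffic to it would take."""
    report = {}
    for name, block in VM_BLOCKS.items():
        first_host = next(block.hosts())
        hop = next_hop(str(first_host), routes)
        report[name] = hop[0] if hop else "no route"
    return report


if __name__ == "__main__":
    print("outside VNet prefix:", blocks_outside_vnet())
    for name, hop in audit(SAMPLE_ROUTES).items():
        print(f"{name:10} -> {hop}")
    print("internet   ->", next_hop("203.0.113.10", SAMPLE_ROUTES))
```

With the prefixes as listed, 10.125.254.0/24 falls outside 10.125.0.0/17, so in this sample table traffic to DMZ hosts matches only the default route. Confirm the virtual network's actual address space before scoping a route to the /17.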
Nerdio Admin Portal & Subnet Connectivity
The Nerdio Admin Portal (NAP) relies on direct connectivity to the Azure virtual machines for provisioning and ongoing management (through utilities such as PsExec, PowerShell Remoting, SMB, and others). During provisioning, NAP automatically adds rules to the LAN and DMZ NSGs to permit this communication. When changing Virtual Network routing or NSG policies, be sure to verify that connectivity to the below subnets remains unmodified:
- Attempting to route Nerdio subnet traffic through the third-party firewall is not recommended and may impair any and all functions attempted by the NAP.