To undertake the article content, we look at the other options available in the Azure Redis deployment, the article mentioned, the Azure Redis Premium version, we can deploy in support Redis VNET, such benefits are obvious, we You can control the flow in and out of redis by NSG and other rules, so you can put good security redis, but if not the Premium version of Redis mean that there is no way to do network security Redis it? Of course, this is not even the standard of redis, we can still be added to the white list of ways to protect the safety of the Firewall in redis
Of course, this is only for the public to develop a whitelist, redis itself is still equivalent to the deployment in the internet, rather than a private network, if you want the application to access content access redis, you need to be deployed in the virtual network Redis bingo
Redis virtual network to deploy these advantages are the following:
A fixed static private ip
NSG may be used to control the flow out of the station
Application lower access latency
Of course, you want to deploy in a virtual network, Redis also requires us to have a separate subnet for redis deployment, this is a concept of what? If you used the application gateway, then very easy to understand this concept, application gateway is required to be deployed on a separate subnet, this subnet can only deploy application gateway resources can not be deployed to any other resources, redis is the same concept, which is redis a pre-condition in the deployment of virtual networks
Further, if there is a scene strict requirements for both inbound and outbound traffic, the Redis also requires some specific server and the address of inbound or have an authority station, and redis require regular communication node to maintain the state of a number of management itself redis
The following is a detailed description of these requirements, such as being given a timeout if the condition is not satisfied, then the network port, you will find deployment redis
Egress port requirements
Egress port has seven requirements.
与 Internet 的所有出站连接都可以通过客户端的本地审核设备建立。
其中三个端口将流量路由到为 Azure 存储和 Azure DNS 提供服务的 Azure 终结点。
剩余端口范围,这些端口用于内部 Redis 子网通信。 内部 Redis 子网通信不需要子网 NSG 规则。
| 端口 | 方向 | 传输协议 | 目的 | 本地 IP | 远程 IP |
|---|---|---|---|---|---|
| 80、443 | 出站 | TCP | Azure 存储/PKI (Internet) 上的 Redis 依赖关系 | (Redis 子网) | * |
| 53 | 出站 | TCP/UDP | DNS (Internet/VNet) 上的 Redis 依赖关系 | (Redis 子网) | 168.63.129.16 和 169.254.169.254 1 以及子网的任何自定义 DNS 服务器 3 |
| 8443 | 出站 | TCP | Redis 的内部通信 | (Redis 子网) | (Redis 子网) |
| 10221-10231 | 出站 | TCP | Redis 的内部通信 | (Redis 子网) | (Redis 子网) |
| 20226 | 出站 | TCP | Redis 的内部通信 | (Redis 子网) | (Redis 子网) |
| 13000-13999 | 出站 | TCP | Redis 的内部通信 | (Redis 子网) | (Redis 子网) |
| 15000-15999 | 出站 | TCP | Redis 的内部通信和异地复制 | (Redis 子网) | (Redis 子网)(地域副本对等子网) |
| 6379-6380 | 出站 | TCP | Redis 的内部通信 | (Redis 子网) | (Redis 子网) |
1 Microsoft 拥有的这些 IP 地址用于对为 Azure DNS 提供服务的主机 VM 进行寻址。
3 没有自定义 DNS 服务器的子网或忽略自定义 DNS 的更新 redis 缓存不需要。
异地复制对等端口要求
如果在 Azure 虚拟网络中的缓存之间使用异地复制,请注意,建议的配置是在两个缓存的入站和出站方向上取消阻止整个子网的端口 15000-15999,这样即使将来发生异地故障转移,子网中的所有副本组件也可以直接相互通信。
入站端口要求
入站端口范围有八个要求。 这些范围中的入站请求从同一 VNET 中托管的其他服务入站,或者是 Redis 子网通信的内部请求。
| 端口 | 方向 | 传输协议 | 目的 | 本地 IP | 远程 IP |
|---|---|---|---|---|---|
| 6379、6380 | 入站 | TCP | 与 Redis 的客户端通信、Azure 负载均衡 | (Redis 子网) | (Redis 子网)、虚拟网络、Azure 负载均衡器 2 |
| 8443 | 入站 | TCP | Redis 的内部通信 | (Redis 子网) | (Redis 子网) |
| 8500 | 入站 | TCP/UDP | Azure 负载均衡 | (Redis 子网) | Azure 负载均衡器 |
| 10221-10231 | 入站 | TCP | Redis 的内部通信 | (Redis 子网) | (Redis 子网)、Azure 负载均衡器 |
| 13000-13999 | 入站 | TCP | 与 Redis 群集的客户端通信、Azure 负载均衡 | (Redis 子网) | 虚拟网络、Azure 负载均衡器 |
| 15000-15999 | 入站 | TCP | 与 Redis 群集的客户端通信、Azure 负载均衡和异地复制 | (Redis 子网) | 虚拟网络、Azure 负载均衡器(地域副本对等子网) |
| 16001 | 入站 | TCP/UDP | Azure 负载均衡 | (Redis 子网) | Azure 负载均衡器 |
| 20226 | 入站 | TCP | Redis 的内部通信 | (Redis 子网) | (Redis 子网) |
2 可以使用服务标记“AzureLoadBalancer”(资源管理器)或“AZURE_LOADBALANCER”(经典)来创作 NSG 规则。
其他 VNET 网络连接要求
在虚拟网络中,可能一开始不符合 Azure Redis 缓存的网络连接要求。 在虚拟网络中使用时,Azure Redis 缓存需要以下所有项才能正常运行。
与全球 Azure 存储终结点建立的出站网络连接。 这包括位于 Azure Redis 缓存实例区域的终结点,以及位于其他 Azure 区域的存储终结点。 Azure 存储终结点在以下 DNS 域之下解析:table.core.chinacloudapi.cn、blob.core.chinacloudapi.cn、queue.core.chinacloudapi.cn 和 file.core.chinacloudapi.cn。
与 ocsp.msocsp.com、mscrl.microsoft.com 和 crl.microsoft.com 建立的出站网络连接。 需要此连接才能支持 SSL 功能。
虚拟网络的 DNS 设置必须能够解析前面几点所提到的所有终结点和域。 确保已针对虚拟网络配置并维护有效的 DNS 基础结构即可符合这些 DNS 要求。
Outbound network (DNS parsing in the following fields) with the following endpoint connection monitoring Azure: shoebox2-black.shoebox2.metrics.nsatc.net, north-prod2.prod2.metrics.nsatc.net, azglobal-black.azglobal .metrics.nsatc.net, shoebox2-red.shoebox2.metrics.nsatc.net, east-prod2.prod2.metrics.nsatc.net, azglobal-red.azglobal.metrics.nsatc.net.
Therefore, the conclusion, redis want to deploy to a virtual network, you need the following three conditions are satisfied
There is a separate subnet for deployment redis
Redis inbound and outbound meet the requirements
Premium version of Redis
The deployment process is relatively very simple, select P level redis redis at deployment time, and then pick the right vnet and subnet, you can see if the subnet condition is not satisfied, you will be prompted subnet already has other resources
