From 5ca584f1798c6ab9962866d365dc487fad259fab Mon Sep 17 00:00:00 2001
From: Maurizio Branca
Date: Thu, 22 Feb 2024 16:58:47 +0100
Subject: [PATCH] Add firewall documentation for the Azure Logs integration (#9158)
* Add firewall documentation for the event hub
---------
Co-authored-by: Arianna Laudazzi <46651782+alaudazzi@users.noreply.github.com>
---
packages/azure/_dev/build/docs/README.md | 53 ++++++++++++++++++++++++
packages/azure/changelog.yml | 7 +++-
packages/azure/docs/README.md | 53 ++++++++++++++++++++++++
packages/azure/manifest.yml | 2 +-
4 files changed, 113 insertions(+), 2 deletions(-)
diff --git a/packages/azure/_dev/build/docs/README.md b/packages/azure/_dev/build/docs/README.md
index 74a252174029..cbdec1547efc 100644
--- a/packages/azure/_dev/build/docs/README.md
+++ b/packages/azure/_dev/build/docs/README.md
@@ -266,6 +266,59 @@ The Elastic Agent can use one Storage account container for all integrations. The Agent will use the integration name and the event hub name to identify the blob to store the consumer group information uniquely. +### Running the integration behind a firewall + +When you run the Elastic Agent behind a firewall, to ensure proper communication with the necessary components, you need to allow traffic on port `5671` and `5672` for the Event Hub, and port `443` for the Storage Account container. + +```text +┌────────────────────────────────┐ ┌───────────────────┐ ┌───────────────────┐ +│ │ │ │ │ │ +│ ┌────────────┐ ┌───────────┐ │ │ ┌──────────────┐ │ │ ┌───────────────┐ │ +│ │ diagnostic │ │ event hub │ │ │ │azure-eventhub│ │ │ │ activity logs │ │ +│ │ setting │──▶│ │◀┼AMQP─│ <> │─┼──┼▶│<>│ │ +│ └────────────┘ └───────────┘ │ │ └──────────────┘ │ │ └───────────────┘ │ +│ │ │ │ │ │ │ +│ │ │ │ │ │ │ +│ │ │ │ │ │ │ +│ ┌─────────────┬─────HTTPS─┼──────────┘ │ │ │ +│ ┌───────┼─────────────┼──────┐ │ │ │ │ │ +│ │ │ │ │ │ │ │ │ │ +│ │ ▼ ▼ │ │ └─Agent─────────────┘ └─Elastic Cloud─────┘ +│ │ ┌──────────┐ ┌──────────┐ │ │ +│ │ │ 0 │ │ 1 │ │ │ +│ │ │ <> │ │ <> │ │ │ +│ │ └──────────┘ └──────────┘ │ │ +│ │ │ │ +│ │ │ │ +│ └─Storage Account Container──┘ │ +│ │ +│ │ +└─Azure──────────────────────────┘ +``` + +#### Event Hub + +Port `5671` and `5672` are commonly used for secure communication with the Event Hub. These ports are used to receive events. By allowing traffic on these ports, the Elastic Agent can establish a secure connection with the Event Hub. + +For more information, check the following documents: + +- [What ports do I need to open on the firewall?](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall) from the [Event Hubs frequently asked questions](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall). 
+- [AMQP outbound port requirements](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-protocol-guide#amqp-outbound-port-requirements) + +#### Storage Account Container + +Port `443` is used for secure communication with the Storage Account container. This port is commonly used for HTTPS traffic. By allowing traffic on port 443, the Elastic Agent can securely access and interact with the Storage Account container, which is essential for storing and retrieving checkpoint data for each event hub partition. + +#### DNS + +Optionally, you can restrict the traffic to the following domain names: + +```text +*.servicebus.windows.net +*.blob.core.windows.net +*.cloudapp.net +``` + ## Settings Use the following settings to configure the Azure Logs integration when you add it to Fleet. diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml index 7fdad6b54e19..88337cd3d65f 100644 --- a/packages/azure/changelog.yml +++ b/packages/azure/changelog.yml @@ -1,6 +1,11 @@ +- version: "1.9.2" + changes: + - description: Add docs for running the integration behind a firewall. + type: enhancement + link: https://github.com/elastic/integrations/pull/9158 - version: "1.9.1" changes: - - description: Set field type to password on secret fields + - description: Set field type to password on secret fields. type: bugfix link: https://github.com/elastic/integrations/pull/9159 - version: "1.9.0" diff --git a/packages/azure/docs/README.md b/packages/azure/docs/README.md index 74a252174029..cbdec1547efc 100644 --- a/packages/azure/docs/README.md +++ b/packages/azure/docs/README.md 
@@ -266,6 +266,59 @@ The Elastic Agent can use one Storage account container for all integrations. The Agent will use the integration name and the event hub name to identify the blob to store the consumer group information uniquely. +### Running the integration behind a firewall + +When you run the Elastic Agent behind a firewall, to ensure proper communication with the necessary components, you need to allow traffic on port `5671` and `5672` for the Event Hub, and port `443` for the Storage Account container. + +```text +┌────────────────────────────────┐ ┌───────────────────┐ ┌───────────────────┐ +│ │ │ │ │ │ +│ ┌────────────┐ ┌───────────┐ │ │ ┌──────────────┐ │ │ ┌───────────────┐ │ +│ │ diagnostic │ │ event hub │ │ │ │azure-eventhub│ │ │ │ activity logs │ │ +│ │ setting │──▶│ │◀┼AMQP─│ <> │─┼──┼▶│<>│ │ +│ └────────────┘ └───────────┘ │ │ └──────────────┘ │ │ └───────────────┘ │ +│ │ │ │ │ │ │ +│ │ │ │ │ │ │ +│ │ │ │ │ │ │ +│ ┌─────────────┬─────HTTPS─┼──────────┘ │ │ │ +│ ┌───────┼─────────────┼──────┐ │ │ │ │ │ +│ │ │ │ │ │ │ │ │ │ +│ │ ▼ ▼ │ │ └─Agent─────────────┘ └─Elastic Cloud─────┘ +│ │ ┌──────────┐ ┌──────────┐ │ │ +│ │ │ 0 │ │ 1 │ │ │ +│ │ │ <> │ │ <> │ │ │ +│ │ └──────────┘ └──────────┘ │ │ +│ │ │ │ +│ │ │ │ +│ └─Storage Account Container──┘ │ +│ │ +│ │ +└─Azure──────────────────────────┘ +``` + +#### Event Hub + +Port `5671` and `5672` are commonly used for secure communication with the Event Hub. These ports are used to receive events. By allowing traffic on these ports, the Elastic Agent can establish a secure connection with the Event Hub. + +For more information, check the following documents: + +- [What ports do I need to open on the firewall?](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall) from the [Event Hubs frequently asked questions](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall). 
+- [AMQP outbound port requirements](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-protocol-guide#amqp-outbound-port-requirements) + +#### Storage Account Container + +Port `443` is used for secure communication with the Storage Account container. This port is commonly used for HTTPS traffic. By allowing traffic on port 443, the Elastic Agent can securely access and interact with the Storage Account container, which is essential for storing and retrieving checkpoint data for each event hub partition. + +#### DNS + +Optionally, you can restrict the traffic to the following domain names: + +```text +*.servicebus.windows.net +*.blob.core.windows.net +*.cloudapp.net +``` + ## Settings Use the following settings to configure the Azure Logs integration when you add it to Fleet. diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml index 5a67264597bc..b6fbc2cc0918 100644 --- a/packages/azure/manifest.yml +++ b/packages/azure/manifest.yml @@ -1,6 +1,6 @@ name: azure title: Azure Logs -version: 1.9.1 +version: 1.9.2 description: This Elastic integration collects logs from Azure type: integration icons: