Add firewall documentation for the Azure Logs integration

[zmoog]

Proposed commit message

Specify the TCP ports required to enable Azure Logs on an Agent behind a firewall.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Related issues

• Relates Add firewall documentation for azure-eventhub based integrations #9157

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[alaudazzi]

I left a few editing suggestions, otherwise LGTM.

[willemdh]

@zmoog The only remark I have here is that 5672 is unencrypted AMQP traffic and should not be opened. I can confirm it is not needed, it works when only 5671 is allowed. I'd really advice to check

*.servicebus.windows.net:5671
*.blob.core.windows.net:443

Also when you nslookup the servicebus URL, you get 3 *.cloudapp.net Url's which Also need to be allowed.

When the *.cloudapp.net url's are not allowed, it does not work

[zmoog]

The only remark I have here is that 5672 is unencrypted AMQP traffic and should not be opened. I can confirm it is not needed, it works when only 5671 is allowed. I'd really advice to check

When the *.cloudapp.net url's are not allowed, it does not work

Thank you @willemdh, I'll double check both the ports and the URLs.

[zmoog]

According to the AMQP 1.0 in Azure Service Bus and Event Hubs protocol guide, is seems the service on port 5672 performs a mandatory upgrade of connection to TLS:

Azure Service Bus or Azure Event Hubs requires the use of TLS at all times. It supports connections over TCP port 5671, whereby the TCP connection is first overlaid with TLS before entering the AMQP protocol handshake, and also supports connections over TCP port 5672 whereby the server immediately offers a mandatory upgrade of connection to TLS using the AMQP-prescribed model.

In the same document, in the AMQP outbound port requirements section, it lists both ports:

Clients that use AMQP connections over TCP require ports 5671 and 5672 to be opened in the local firewall.

So my current understanding is that using both 5671 and 5672 ports is not insecure because the service requires a mandatory upgrade to TLS.

I also noticed the document mentions the need for additional ports the EnableLinkRedirect is enabled:

Along with these ports, it might be necessary to open additional ports if the EnableLinkRedirect feature is enabled. EnableLinkRedirect is a new messaging feature that helps skip one-hop while receiving messages, thus helping to boost throughput. The client would start communicating directly with the back-end service over port range 104XX [...]

Personally, I never enable this option, but I want to learn more.

[zmoog]

@alaudazzi, I made a few minor additions. Would you mind taking a final look? 🙇

[alaudazzi]

A few editing suggestions. LGTM.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 9188dc2

History

• 💚 Build #9217 succeeded fb1b99d
• 💚 Build #9213 succeeded da0f072
• 💔 Build #9212 failed b4f3816
• 💔 Build #9209 failed 98a1fe4
• 💚 Build #9021 succeeded bb32baa
• 💚 Build #8967 succeeded 9b3914a

cc @zmoog

[elastic-sonarqube]

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

[elasticmachine]

Package azure - 1.9.2 containing this change is available at https://epr.elastic.co/search?package=azure