To protect the Azure Stack Hub solution, we implemented access control lists (ACLs) on the ToR switches. The following figure shows the sources and destinations of every network inside the Azure Stack Hub solution.
The following table correlates the ACL references with the Azure Stack Hub networks.
| Network | ACL reference | Description |
| --- | --- | --- |
| BMC network | BMC Mgmt | Deployment VM, BMC interface, HLH server, HLH VMs. |
| | HLH External Accessible | A set of addresses that are hosted on an HLH node. The ACL denies IP access beyond the border. |
| | HLH Internal Accessible | A set of addresses that are hosted on the HLH node. They have access to IP resources beyond the border. |
| | HLH DVM | Azure Stack Hub deployment VM with access to resources on the Internet. |
| SwitchInfraNetwork | Switch Mgmt | Dedicated switch management interfaces. |
| | ToR1/ToR2 RouterIP | Loopback interface of the switch that is used for BGP peering between the SLB and switch or router. |
| AzureStackInfraNetwork | Azure Stack Hub Infrastructure | Azure Stack Hub infrastructure services and VMs; restricted network. |
| | Azure Stack Hub Infrastructure Public | Azure Stack Hub infrastructure services that must talk to the Internet and tenants (NTP, DNS, Active Directory). |
| StorageNetwork | Storage | Private IPs that are not routed outside of the stamp. |
| | Internal VIPs | Private IPs that are not routed outside of the stamp. |
| Public-VIPS | Public VIPs | Tenant network address space that the network controller manages. |
| | Public Admin VIPs | Small subset of addresses in the Tenant pool that are required to talk to Internal-VIPs and Azure Stack Hub Infrastructure. |
| Customer network (not on Deployment Worksheet) | Customer/Internet 0.0.0.0 | Customer-defined network. From the perspective of Azure Stack Hub, 0.0.0.0 is the border device. |
| | Deny | Field that the customer can update to allow additional management capabilities. |
| | Permit | Customer data center network that the customer defines. |