Security Requirements

This section summarizes the main security requirements and principles when building your Azure cloud infrastructure, to which you will deploy CloudBlue Commerce.

The table below defines basic restrictions on communication between zones. However, to ensure the necessary level of security, define firewall rules for each node. For more information, please refer to the CloudBlue Commerce Firewall Configuration. For additional security requirements, please see Network Requirements.

By default, Azure routes all traffic inside a VNet, so all subnets can communicate to each other even if they are in different IP address ranges (for example, 172.16.0.0/24 and 10.5.0.0/16). For security reasons, only certain communications must be allowed, while all others restricted:

To restrict these interconnections, use Network Security Groups (NSGs). NSGs are assigned to subnets.
To allow the necessary communications, define the allowing rules as described in the table below.

Note: You do not have to define allowing rules for the incoming traffic associated with established connections. When a connection initiator establishes connection with any communication counterpart, Azure allows such a session by default.

Zone	Allowing rules
Frontnet zone	in from the Internet (for all static public IP owners, except for the PrivacyProxy node) in from Adminnet in from DBnet to PrivacyProxy out to the Internet in/out from/to Frontnet in/out from/to Backnet-IAAS
Backnet-IAAS zone, for standalone VMs	in from Adminnet in/out from/to Frontnet in/out from/to DBnet in/out from/to Backnet-IAAS in/out from/to Backnet-AKS-nodes in/out from/to on-premise (optional)
DBnet zone	in from Backnet-AKS-nodes in from Adminnet out to PrivacyProxy in Frontnet in/out from/to Backnet-IAAS in/out from/to DBnet
Adminnet zone	in from VPN clients’ subnet out from jumpboxes to all zones in/out from/to Adminnet