Hopefully this is not a silly question but, I am fairly new to Azure and basically I have a Resource Group with a VNet, subnet and default NSG. I have deployed a Vuln Scanner VM into this VNet. The thing I am confused by is that there is NO public IP or NAT Gateway associated with the VM, the VNet or any network interface associated with said VNet. However the Vuln Scanner VM can go outbound directly to the internet. My one thought is that because the VNet is peered with another VNet that does have outbound access that it is routing through that… However when I look at “Effective Routes” in the Network Interface it shows all traffic going directly to the internet instead of through the VNet Peering. Does anyone have any thoughts on how my VM is getting outbound?
That’s the default outbound method: you get NAT outbound from a random IP.
This gives a good overview: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections
Ah ok, that seems crazy to me but hey, it seems like the answer. I really appreciate it! I’m going to put up something better now, like the NAT Gateway.
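As an added example (not code from the thread), the following Python does the same reading of "Effective Routes" that the question describes, over a constructed route table shaped like the JSON that `az network nic show-effective-route-table` returns (the `{"value": [...]}` layout and key names are an assumption about that output). It shows why a peering never carries internet traffic (the peering route only covers the peer VNet's prefix, so 0.0.0.0/0 wins for public destinations) and flags the implicit default outbound case the answer above describes: next hop Internet from a Default-source route with no public IP and no NAT gateway on the NIC/subnet.

```python
import ipaddress
import json

# Constructed sample (assumption: same shape as `az network nic
# show-effective-route-table -o json`). VNet 10.10.0.0/16 is peered with
# 10.20.0.0/16; a forced-tunnel UDR is present but the platform marked it Invalid.
SAMPLE_EFFECTIVE_ROUTES = json.loads("""
{"value": [
 {"addressPrefix": ["10.10.0.0/16"], "nextHopIpAddress": [],
  "nextHopType": "VnetLocal", "source": "Default", "state": "Active"},
 {"addressPrefix": ["10.20.0.0/16"], "nextHopIpAddress": [],
  "nextHopType": "VNetPeering", "source": "Default", "state": "Active"},
 {"addressPrefix": ["0.0.0.0/0"], "nextHopIpAddress": [],
  "nextHopType": "Internet", "source": "Default", "state": "Active"},
 {"addressPrefix": ["0.0.0.0/0"], "nextHopIpAddress": ["10.20.1.4"],
  "nextHopType": "VirtualAppliance", "source": "User", "state": "Invalid"}
]}
""")


def lookup_route(route_table, destination):
    """Longest-prefix match over Active routes, the way the Azure fabric selects one."""
    dst = ipaddress.ip_address(destination)
    best_net, best_route = None, None
    for route in route_table["value"]:
        if route["state"] != "Active":        # Invalid routes are never used
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_route = net, route
    return best_route


def egress_assessment(route_table, destination, has_public_ip, has_nat_gateway):
    """Report which next hop a destination takes and whether the VM is relying on
    implicit default outbound (Internet next hop, nothing explicit providing SNAT).
    Heuristic: it cannot see load-balancer outbound rules, so pass those as NAT too."""
    route = lookup_route(route_table, destination)
    if route is None:
        return {"path": "none", "implicit_default_outbound": False}
    implicit = (route["nextHopType"] == "Internet"
                and route["source"] == "Default"
                and not has_public_ip and not has_nat_gateway)
    return {"path": route["nextHopType"],
            "prefix": route["addressPrefix"][0],
            "implicit_default_outbound": implicit}


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.20.5.5"):
        print(dst, egress_assessment(SAMPLE_EFFECTIVE_ROUTES, dst, False, False))
```

Run it against a real `az network nic show-effective-route-table -o json` dump by loading that file instead of the sample; a `True` flag on a scanner VM is the situation the question describes and the reason to attach a NAT Gateway.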
I want to create Azure Container Registry, how should I design it for organization so it will be at best and easy to handle
What are your requirements?
We have some images and charts that need to be pushed there and used through a private endpoint. My confusion is that I didn’t use a private repo, so I’m looking for a structure to organize it. As SP or AD user, and authentication?
From where will you consume the images
We will use Azure DevOps for pushing images and charts, pulling from OCP
Unless you have other specific requirements, for AZDO I’d set up a service connection to the ACR and use that in your pipeline. Alternatively, create an SP and use that to log in to the ACR and upload your artifacts.
From OCP (Openshift I assume) you use a pull secret as described here https://docs.microsoft.com/en-us/azure/openshift/howto-use-acr-with-aro
Also want to do content trust and signing. We will be using ADO for pipelines. And how can we use SPs: one for developers so that they can push only, and another for the DevOps team for pull, push, delete and so on?
I haven’t worked with Content trust.
For AZDO service connection you can grant access per pipeline. For humans you will create role assignments per group or user:
Use Azure role-based access control (Azure RBAC) and identity and access management (IAM) to provide fine-grained permissions to resources in an Azure container registry.