use CIDR in firewall rules from Cloud datacenter objects
I have configured a datacenter object for Azure (R81.10 HF66 on MDS + GWs).
The datacenter object is correctly retrieving the subscription.
Looking at "Network by Subscriptions, Virtual Networks, subnets", the CIDR for networks are shown in the "Note" field.
However, it seems that when one of these objects is used in a rule, only the discovered IPs ("IP" field) are actually used to populate the firewall rule. This is a problem because the discovery finds VMs but not other types of objects (e.g. private endpoints).
Is it possible to use these objects as plain subnets and not as a list of discovered IPs?
Thanks for your reply.
Reading here it looks like this should work on R81.10 HF66 (Azure R81.10 – minimum requirements: Jumbo hotfix Take 14)
I have added "azure.enableAsgAndPep=true" in $MDSDIR/conf/vsec.conf (both mdsenv global and on the domain that is running cme) as described here
Restarted both vsec and cme; however, we still do not see the private endpoint object types.
Do you have any advice on how to debug this (to check if this is a permissions issue, maybe)?
And other than including private endpoint in the discovery, is there any way to just get the CIDR and use it in the firewall rule?
If it's not working as expected please take it to TAC for investigation.
If you need the CIDR, manual objects can be created as a workaround.
My assumption is that we don't interpret things this way for security reasons, so things aren't blindly allowed unexpectedly, but I could be mistaken. Having the choice for different behaviour is likely an RFE to be discussed with your local SE.
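The difference the thread is about (a Data Center object expanding to its discovered IPs versus the CIDR shown in its Note field), the manual-network-object workaround from the last reply, and the "blindly allowed" exposure that reply raises, as an added example that is not part of the thread and not Check Point code. The object name, the subnet and all IP addresses are constructed sample data; the function that derives a manual network object only builds the name/subnet/mask-length values that `mgmt_cli add network` takes and does not talk to a management server.

```python
import ipaddress

# Constructed sample data (not from the thread): what one Azure subnet might
# look like as surfaced by a Data Center object, per the poster's description.
DATACENTER_OBJECT = {
    "name": "vnet-prod/snet-app",            # hypothetical object name
    "note_cidr": "10.20.30.0/24",            # CIDR as shown in the "Note" field
    "discovered_ips": ["10.20.30.4", "10.20.30.5"],  # VMs found by discovery
}

# Constructed: a private endpoint inside the subnet that discovery did not find,
# and an address outside the subnet for comparison.
PRIVATE_ENDPOINT_IP = "10.20.30.200"
OUTSIDE_IP = "10.20.31.7"


def matches_as_ip_list(obj, ip):
    """Behaviour the poster observes: the rule matches only the discovered IPs."""
    discovered = {ipaddress.ip_address(a) for a in obj["discovered_ips"]}
    return ipaddress.ip_address(ip) in discovered


def matches_as_subnet(obj, ip):
    """Behaviour the poster asks for: the rule matches the whole CIDR."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(obj["note_cidr"], strict=True)


def manual_network_object(obj):
    """Workaround from the reply: derive a plain network object from the Note
    CIDR.  Returns the three values 'mgmt_cli add network' takes
    (name, subnet, mask-length); the name scheme is hypothetical."""
    net = ipaddress.ip_network(obj["note_cidr"], strict=True)
    return {
        "name": "net_" + obj["name"].replace("/", "_"),
        "subnet": str(net.network_address),
        "mask-length": net.prefixlen,
    }


def mgmt_cli_command(obj):
    """Render the workaround as the mgmt_cli command an admin would run."""
    o = manual_network_object(obj)
    return f'mgmt_cli add network name "{o["name"]}" subnet "{o["subnet"]}" mask-length {o["mask-length"]}'


def extra_exposure(obj):
    """How many addresses a CIDR-based rule permits beyond the discovered hosts.
    This is the 'blindly allowed' concern in the last reply: for a /24 with two
    discovered VMs, 254 further addresses become reachable."""
    net = ipaddress.ip_network(obj["note_cidr"], strict=True)
    return net.num_addresses - len(set(obj["discovered_ips"]))


if __name__ == "__main__":
    for ip in ("10.20.30.4", PRIVATE_ENDPOINT_IP, OUTSIDE_IP):
        print(f"{ip:14} ip-list={matches_as_ip_list(DATACENTER_OBJECT, ip)!s:5} "
              f"subnet={matches_as_subnet(DATACENTER_OBJECT, ip)}")
    print(mgmt_cli_command(DATACENTER_OBJECT))
    print("extra addresses allowed by CIDR rule:", extra_exposure(DATACENTER_OBJECT))
```

Running it shows the private endpoint matched by the subnet form but not by the discovered-IP form, and puts a number on the trade-off the reply alludes to: the manual CIDR object restores reachability to the endpoint at the cost of also permitting every other address in the subnet, so it is worth pairing with a tight service/destination scope when used as the workaround.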