This page documents how to append addtional security rules to an existing Azure Network Security Group deployed with Oracle WebLogic Server using the Azure CLI.
az --version to test if az works.The Azure Network Security Rule ARM template will be applied to an existing Azure Network Security Group (NSG) instance. If you don’t have one, please create a new instance from the Azure portal, by following the link to the offer in the index.
You must construct a parameter JSON file containing the parameters to the NSG template. See Create Resource Manager parameter file for background information about parameter files. The options to this template declare the desired configuration of the NSG.
| Parameter Name | Description |
denyPublicTrafficForAdminServer |
Deny public tranffic for the admin server on port 7001, 7002. |
denyPublicTrafficForManagedServer |
Deny public tranffic for the managed servers on port 8001. |
enableOHS |
We deal with the configuration for managed servers when the OHS load balancer is enabled. |
networkSecurityGroupName |
The name of the NSG. |
Here is a fully filled out parameters file, assuming the Oracle WebLogic Server was deployed accepting the default values.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"denyPublicTrafficForManagedServer": {
"value": true
},
"denyPublicTrafficForAdminServer": {
"value": false
},
"enableOHS": {
"value": true
},
"networkSecurityGroupName": {
"value": "wls-nsg"
}
}
}
This section shows how to kick off the deployment step-by-step. After the deployment, your existing NSG will append two additional Inbound Rules for admin and managed servers. Here we assume you have the parameter file in the current directory, the file is named parameters.json, and your NSG is named wls-nsg. Don’t forget to replace yourResourceGroup with the Azure resource group in which the NSG is created.
The az group deployment validate command is very useful to validate your parameters file is syntactically correct.
az group deployment validate --verbose --resource-group `yourResourceGroup` --parameters @parameters.json --template-uri https://raw.githubusercontent.com/oracle/weblogic-azure/2024-02-29-1-Q1/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/arm/nestedtemplates/nsgNestedTemplate.json
If the command returns with an exit status other than 0, inspect the output and resolve the problem before proceeding. You can check the exit status by executing the commad echo $? immediately after the az command.
After successfully validating the template invocation, change validate to create to invoke the template.
az group deployment create --verbose --resource-group `yourResourceGroup` --parameters @parameters.json --template-uri https://raw.githubusercontent.com/oracle/weblogic-azure/2024-02-29-1-Q1/weblogic-azure-vm/arm-oraclelinux-wls-dynamic-cluster/arm-oraclelinux-wls-dynamic-cluster/src/main/arm/nestedtemplates/nsgNestedTemplate.json
When the deployment is completed, you can verify the appended rules via Azure Portal
Settings -> Inbound security rules.WebLogicAdminPortsAllowed with Priority = ‘210’; Port = ‘7001, 7002’; Protocol = ‘TCP’; Source = ‘10.0.0.0/24’; Aciton = ‘Allow’.WebLogicManagedPortsDenied with Priority = ‘221’; Port = ‘8001’; Protocol = ‘*’; Aciton = ‘Deny’.