
I have set up a VM on our internal network and it is assigned an internal IP address. The VM requires connectivity to a couple of internet sites, mainly Microsoft, and the ports are generally 80 and 443. This is to run Power Automate.

  • All connections are instigated from the VM.
  • All connections traverse our perimeter firewall; there is also NAT here.
  • We have restricted the IP ranges that the VM can connect out to.
  • No reverse proxy

Does this service need to be placed in a DMZ? My initial thoughts are no. The risk is that if Microsoft domains and servers are compromised, then a bad actor may be able to send malware or compromise our internal server once a connection is established. The risk of this is low and therefore I am happy to accept this risk.

If a connection were instigated from the internet, then I think this builds a strong case to place the service in the DMZ. Am I right?

What are your thoughts? Is my thinking on the right lines?

Architect
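One way to verify that the egress policy described in the question actually holds in practice is to audit the perimeter firewall's logs for any flow involving the VM that is not an outbound TCP connection to an allow-listed range on 80 or 443. The script below is an added example, not code from the original post; the log line format, the VM's address and the destination prefixes are constructed placeholders.

```python
# Added example, not from the original post: audit perimeter-firewall log lines
# against the egress policy described above. The VM may only *initiate* TCP flows
# to allow-listed prefixes on 80/443; anything else involving the VM is reported.
# The log format, VM address and prefixes are constructed placeholders.
import ipaddress
import re

VM_IP = ipaddress.ip_address("10.20.30.40")            # placeholder internal address
ALLOWED_DST = [ipaddress.ip_network("13.107.0.0/16"),    # placeholder prefixes; use the
               ipaddress.ip_network("20.190.128.0/18")]  # ranges you actually permit
ALLOWED_PORTS = {80, 443}

# Constructed line shape: "<ts> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^\S+ (ALLOW|DENY) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")

def classify(line):
    """Return None if the flow is within policy, otherwise a short reason."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed line"
    action, proto, src, sport, dst, dport = m.groups()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == VM_IP:                       # nothing should ever initiate *to* the VM
        return f"inbound attempt to VM ({action})"
    if src != VM_IP:
        return None                        # some other host's traffic; out of scope
    if proto.lower() != "tcp":
        return f"non-TCP egress ({proto})"
    if int(dport) not in ALLOWED_PORTS:
        return f"egress to unexpected port {dport}"
    if not any(dst in net for net in ALLOWED_DST):
        return f"egress to non-allow-listed address {dst}"
    return None

def audit(lines):
    """Return (line, reason) pairs for every flow that violates the policy."""
    return [(l, r) for l in lines if (r := classify(l))]

SAMPLE_LOG = [  # constructed sample, not real firewall output
    "2021-07-20T11:00:01Z ALLOW tcp 10.20.30.40:51522 -> 13.107.42.14:443",
    "2021-07-20T11:00:02Z ALLOW tcp 10.20.30.40:51523 -> 20.190.130.5:80",
    "2021-07-20T11:00:03Z ALLOW tcp 10.20.30.40:51524 -> 198.51.100.7:443",
    "2021-07-20T11:00:04Z DENY tcp 203.0.113.9:40000 -> 10.20.30.40:3389",
    "2021-07-20T11:00:05Z ALLOW tcp 10.20.30.40:51525 -> 13.107.42.14:8080",
    "2021-07-20T11:00:06Z ALLOW tcp 10.20.30.41:51526 -> 198.51.100.7:443",
]
if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Even a denied inbound attempt is worth seeing, since a steady stream of them is the signal that the "outbound only" assumption the risk acceptance rests on is being tested.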
  • Do a risk evaluation. Is the risk acceptable? Will placing it in a DMZ mitigate risks? Will it cause any inconveniences? – vidarlo Jul 20 '21 at 11:14
  • @vidarlo What is best practice given the scenario above? – Architect Jul 20 '21 at 13:41
  • 1
    Best practice is generally to restrict as much as reasonably possible, weighing how it affects usability. Noone can do that for you; you know your system, what you are protecting and how much effort you're willing to put into it. – vidarlo Jul 20 '21 at 14:16
