
Block public access to a backend pool in a service fabric cluster


I have a service fabric cluster with two node types, Frontend and Backend. Each node type has a single application in there that listens on a REST interface. The front end app should be accessible from the outside world, but the backend node type should only be accessible from the front end app.

Each node type has an associated Load Balancer and I have set up rules to allow access to each of the apps and this all works fine. However I would like to make sure that the load balancer only allows comms to the backend node type if the comms originate from the front end app. I cannot see a way to configure this in the load balancer rules.

Can someone tell me how to prevent public access to my backend application?


Solution

  • I believe you can solve this problem by using Network Security Groups.

    A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet).

    Here's an example of how to deploy this.

    Use this template as a sample for setting up a three nodetype secure cluster and to control the inbound and outbound network traffic using Network Security Groups. The template has a Network Security Group for each of the VMSS to control the traffic in and out of the VMSS.
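The following is an added example (not part of the answer above, and not code from the template it refers to) showing what the NSG rules on the Backend node type would look like as an ARM resource fragment, plus a small simulator of Azure's NSG evaluation order (lowest priority number wins, then the built-in default rules) so you can check which rule decides for a given source. The subnet prefixes, the backend port (8080), the rule names and the NSG name are constructed assumptions; the `AzureLoadBalancer` tag and its probe source address `168.63.129.16`, and the three default inbound rules, are Azure's own.

```python
import ipaddress
import json

# All of the following values are constructed for this example (not from the question):
FRONTEND_SUBNET = "10.0.0.0/24"      # subnet holding the Frontend node type's VMSS
BACKEND_SUBNET = "10.0.1.0/24"       # subnet holding the Backend node type's VMSS
VNET_PREFIX = "10.0.0.0/16"          # the cluster VNet (what the VirtualNetwork tag expands to)
BACKEND_API_PORT = 8080              # port the backend REST app listens on
AZURE_LB_PROBE_IP = "168.63.129.16"  # Azure's load-balancer health-probe source (real value)


def backend_nsg_rules():
    """securityRules for the Backend node type's NSG.

    Only the Frontend subnet (and the Azure load balancer's health probes) may
    reach the backend REST port; every other source, public or in-VNet, is
    denied on that port. Other ports are untouched, so Service Fabric's own
    node-to-node traffic still falls through to the default AllowVnetInBound rule.
    """
    def rule(name, priority, access, src, protocol="Tcp"):
        return {"name": name, "properties": {
            "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": src, "sourcePortRange": "*",
            "destinationAddressPrefix": BACKEND_SUBNET,
            "destinationPortRange": str(BACKEND_API_PORT)}}
    return [
        rule("AllowFrontendToBackendApi", 100, "Allow", FRONTEND_SUBNET),
        rule("AllowLbProbesToBackendApi", 110, "Allow", "AzureLoadBalancer"),
        rule("DenyOthersToBackendApi", 200, "Deny", "*", protocol="*"),
    ]


def backend_nsg_resource(name="nsg-backend", location="[resourceGroup().location]"):
    """An ARM resource object that can be placed in a template's resources array."""
    return {"type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2020-06-01", "name": name, "location": location,
            "properties": {"securityRules": backend_nsg_rules()}}


# Azure's built-in default inbound rules; they are evaluated after any custom rule.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "properties": {
        "priority": 65000, "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
        "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"}},
    {"name": "AllowAzureLoadBalancerInBound", "properties": {
        "priority": 65001, "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
        "destinationAddressPrefix": "*", "destinationPortRange": "*"}},
    {"name": "DenyAllInBound", "properties": {
        "priority": 65500, "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "*"}},
]


def _prefix_matches(prefix, ip):
    """Expand service tags (VirtualNetwork, Internet, AzureLoadBalancer, *) and CIDRs."""
    addr = ipaddress.ip_address(ip)
    vnet = ipaddress.ip_network(VNET_PREFIX)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in vnet
    if prefix == "Internet":
        return addr not in vnet
    if prefix == "AzureLoadBalancer":
        return str(addr) == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-"))
        return lo <= port <= hi
    return int(port_range) == port


def evaluate_inbound(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for the first rule, by ascending priority, that matches."""
    for r in sorted(rules + DEFAULT_INBOUND_RULES, key=lambda r: r["properties"]["priority"]):
        p = r["properties"]
        if (p["protocol"] in ("*", protocol)
                and _prefix_matches(p["sourceAddressPrefix"], src_ip)
                and _prefix_matches(p["destinationAddressPrefix"], dst_ip)
                and _port_matches(p["destinationPortRange"], dst_port)):
            return p["access"], r["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


if __name__ == "__main__":
    print(json.dumps(backend_nsg_resource(), indent=2))
    for src in ("10.0.0.5", "203.0.113.7", "10.0.1.9", AZURE_LB_PROBE_IP):
        print(src, "->", evaluate_inbound(backend_nsg_rules(), src, "10.0.1.4", BACKEND_API_PORT))
```

Two things to keep in mind when applying this. First, the NSG only helps once it is associated with the backend VMSS subnet (or NICs), which is what the template the answer refers to does for each node type. Second, the source-prefix match on the Frontend subnet only works if the frontend reaches the backend over a private address: if the Backend node type's load balancer has a public frontend IP and the frontend app calls that public address, the traffic leaves through the frontend's outbound public IP and arrives with a public source, so it would hit the deny rule. Giving the backend node type an internal (private) load balancer, or calling backend nodes directly by private IP, keeps the source inside the VNet.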