Use firewall rules
By default, when you create a new Quorum Blockchain Service (QBS) member in Azure, no firewall rules are configured. This means any incoming IP address can attempt to access your transaction nodes. You can configure firewall rules to limit which IP addresses, or IP address ranges, are allowed to attempt to connect to your nodes.
Set a firewall rule
You can use the QBS management API to configure firewall rules. Select Authorize on the API website to authorize running the APIs.
Once you authorize the API, select the PATCH request for Update the transaction node under the TransactionNodes section, and select Try it out.
In the fields for the API request, fill out the following using your QBS member information:
subscriptionID - Your subscription ID, in the Overview tab for your QBS member, under the Essentials section.
resourceGroupName - The resource group to which your QBS member is deployed. Note this is NOT the Managed Application resource group.
blockchainMemberName - The name of your QBS member, also known as the name of your Managed Application, located in the upper-left corner of the Overview tab.
transactionNodeName - The name of your transaction node. The default name is transaction-1 unless you have added an additional transaction node to your member.
In the Request body of the API, the default JSON request is displayed.
Replace the entire content of this section with the following example JSON request, changing the following fields:
startIPAddress - The IP address, or the beginning of an IP address range, you want to allow access to the node.
endIPAddress - The IP address, or the end of an IP address range, you want to allow access to the node.
ruleName - A name for the firewall rule.
[
{
"op": "add",
"path": "/firewallRules/-",
"value": {
"ruleName": "my-rule",
"startIpAddress": "1.2.3.4",
"endIpAddress": "1.2.3.4"
}
}
]
Select Execute to set the firewall rule. The response body shows the firewall rule has been set in the firewallRules section under properties.
{
"id": "/subscriptions/<YOUR SUBSCRIPTION ID>/resourceGroups/devtool-testing/providers/Microsoft.Solutions/applications/consensys",
"location": "eastus",
"name": "consensys",
"sku": null,
"tags": {},
"type": "ConsenSys.Blockchain/blockchainMembers",
"properties": {
"consortium": "devtooltest",
"consortiumMemberDisplayName": "consensys",
"dns": "transaction-1.consensys.devtooltest.onquorum.net",
"protocol": "Quorum",
"provisioningState": "Succeeded",
"publicKey": null,
"rootContactAddress": null,
"firewallRules": [
{
"endIpAddress": "1.2.3.4",
"startIpAddress": "1.2.3.4",
"ruleName": "my-rule"
}
],
"validatorNodesSku": {
"capacity": 1
}
}
}
Setting firewall rules can take up to one minute to complete.
The API response reports success as soon as the request is accepted, so to confirm that the rule is actually in effect, open the Managed resource group for your QBS member and inspect the qbs-network-security network security group.
Add multiple firewall rules at once
[
{
"op": "add",
"path": "/firewallRules/-",
"value": {
"ruleName": "my-rule",
"startIpAddress": "1.2.3.4",
"endIpAddress": "1.2.3.4"
}
},
{
"op": "add",
"path": "/firewallRules/-",
"value": {
"ruleName": "another-my-rule",
"startIpAddress": "3.4.5.6",
"endIpAddress": "3.4.5.6"
}
}
]
Delete a firewall rule
[
{
"op": "remove",
"path": "/firewallRules/0"
}
]
Delete all firewall rules
[
{
"op": "replace",
"path": "/firewallRules",
"value": []
}
]
Rename a firewall rule
[
{
"op": "replace",
"path": "/firewallRules/0/ruleName",
"value": "new-rule-name"
}
]
Change the startIPAddress of a firewall rule
[
{
"op": "replace",
"path": "/firewallRules/0/startIpAddress",
"value": "1.2.3.4"
}
]
Change the endIPAddress of a firewall rule
[
{
"op": "replace",
"path": "/firewallRules/0/endIpAddress",
"value": "1.2.3.4"
}
]
Replace a firewall rule
[
{
"op": "replace",
"path": "/firewallRules/0",
"value": {
"ruleName": "replaced-rule-new",
"startIpAddress": "1.2.3.4",
"endIpAddress": "1.2.3.4"
}
}
]
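The request bodies above are JSON Patch (RFC 6902) operations against the firewallRules array of the member document returned by the API. The following added example, which is not part of the QBS documentation or the QBS API, builds the "add" request from the "Set a firewall rule" section, applies each of the patch shapes shown above to a constructed copy of the member document so you can see the resulting firewallRules array before sending it, and checks the result for the mistakes the API will not catch for you: a range whose start is after its end, a duplicate rule name, or a range that covers the whole IPv4 space and therefore leaves the node as open as having no rule at all. The SAMPLE_MEMBER document and the 203.0.113.x addresses are constructed placeholders; allow_range_op, apply_patch and check_patch are names chosen here, not API functions.

```python
import ipaddress
import json
from copy import deepcopy

# Constructed sample: the "properties" object of a QBS member as the management
# API returns it. Shape follows the response body on the page; values are placeholders.
SAMPLE_MEMBER = {
    "name": "consensys",
    "properties": {
        "provisioningState": "Succeeded",
        "firewallRules": [
            {"ruleName": "my-rule", "startIpAddress": "1.2.3.4", "endIpAddress": "1.2.3.4"},
        ],
    },
}


def validate_rules(rules):
    """Operator-side checks on a firewallRules array: every rule carries the three
    fields, both addresses parse, the range is ordered, rule names are unique, and
    no rule re-opens the node to every IPv4 address."""
    names = set()
    for rule in rules:
        for key in ("ruleName", "startIpAddress", "endIpAddress"):
            if key not in rule:
                raise ValueError(f"rule is missing {key}: {rule}")
        if rule["ruleName"] in names:
            raise ValueError(f"duplicate ruleName {rule['ruleName']!r}")
        names.add(rule["ruleName"])
        start = ipaddress.ip_address(rule["startIpAddress"])
        end = ipaddress.ip_address(rule["endIpAddress"])
        if start.version != end.version or start > end:
            raise ValueError(f"bad range in {rule['ruleName']!r}: {start} - {end}")
        if (start, end) == (ipaddress.IPv4Address("0.0.0.0"),
                            ipaddress.IPv4Address("255.255.255.255")):
            raise ValueError(f"{rule['ruleName']!r} allows every IPv4 address")
    return rules


def _resolve(doc, path):
    """Walk a JSON Pointer such as /firewallRules/0/ruleName and return the container
    holding the last segment plus that segment (an int for array indexes, '-' for append)."""
    parts = path.lstrip("/").split("/")
    parent = doc
    for part in parts[:-1]:
        parent = parent[int(part)] if isinstance(parent, list) else parent[part]
    key = parts[-1]
    if isinstance(parent, list) and key != "-":
        key = int(key)
    return parent, key


def apply_patch(member, patch):
    """Apply add/remove/replace operations (the only ones the page uses) to a copy of
    the member's properties, then validate the resulting firewallRules array.
    Returns the new properties object; the input document is left untouched."""
    doc = deepcopy(member["properties"])
    for op in patch:
        parent, key = _resolve(doc, op["path"])
        if op["op"] == "add":
            if not isinstance(parent, list):
                parent[key] = op["value"]
            elif key == "-":
                parent.append(op["value"])
            else:
                parent.insert(key, op["value"])
        elif op["op"] == "remove":
            del parent[key]  # IndexError/KeyError when the target does not exist
        elif op["op"] == "replace":
            if key == "-" or (isinstance(parent, dict) and key not in parent):
                raise KeyError(f"replace target does not exist: {op['path']}")
            parent[key] = op["value"]  # IndexError for an out-of-range index
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    validate_rules(doc["firewallRules"])
    return doc


def allow_range_op(rule_name, start_ip, end_ip=None):
    """Build the page's 'add' operation for one address or an inclusive range."""
    return {"op": "add", "path": "/firewallRules/-",
            "value": {"ruleName": rule_name,
                      "startIpAddress": start_ip,
                      "endIpAddress": end_ip or start_ip}}


def check_patch(member, patch):
    """Return None when the patch applies cleanly, otherwise the error text."""
    try:
        apply_patch(member, patch)
    except (ValueError, KeyError, IndexError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    patch = [allow_range_op("office", "203.0.113.10", "203.0.113.20")]
    print(json.dumps(patch, indent=2))  # request body to paste into the PATCH call
    print(json.dumps(apply_patch(SAMPLE_MEMBER, patch)["firewallRules"], indent=2))
```

Because the rules are validated after the whole patch is applied, a single-field change such as the "replace /firewallRules/0/startIpAddress" request on this page is checked against the end address it will be paired with, which is where an inverted range is most easily introduced.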