Last update: June 14, 2022

Use firewall rules

By default, when you create a new Quorum Blockchain Service (QBS) member in Azure, no firewall rules are configured. This means any incoming IP address can attempt to access your transaction nodes. You can configure firewall rules to limit which IP addresses, or IP address ranges, are allowed to attempt to connect to your nodes.

Set a firewall rule

You can use the QBS management API to configure firewall rules. Select Authorize on the API website to authorize running the APIs.

Once you authorize the API, select the PATCH request for Update the transaction node under the TransactionNodes section, and select Try it out.

In the fields for the API request, fill out the following using your QBS member information:

  • subscriptionID - Your subscription ID, found in the Overview tab for your QBS member, under the Essentials section.

  • resourceGroupName - The resource group to which your QBS member is deployed. Note this is NOT the Managed Application resource group.

  • blockchainMemberName - The name of your QBS member, also known as the name of your Managed Application, located in the upper-left corner of the Overview tab.

  • transactionNodeName - The name of your transaction node. The default name is transaction-1 unless you have added an additional transaction node to your member.

In the Request body of the API, the default JSON request is displayed.

Replace the entire content of this section with the following example JSON request, changing the following fields:

  • startIpAddress - The IP address, or the beginning of the IP address range, that you want to allow to access the node.

  • endIpAddress - The IP address, or the end of the IP address range, that you want to allow to access the node.

  • ruleName - A name for the firewall rule.

Example JSON request

[
    {
        "op": "add",
        "path": "/firewallRules/-",
        "value": {
            "ruleName": "my-rule",
            "startIpAddress": "1.2.3.4",
            "endIpAddress": "1.2.3.4"
        }
    }
]

Select Execute to set the firewall rule. The response body shows the firewall rule has been set in the firewallRules section under properties.

Example JSON result

{
    "id": "/subscriptions/<YOUR SUBSCRIPTION ID>/resourceGroups/devtool-testing/providers/Microsoft.Solutions/applications/consensys",
    "location": "eastus",
    "name": "consensys",
    "sku": null,
    "tags": {},
    "type": "ConsenSys.Blockchain/blockchainMembers",
    "properties": {
        "consortium": "devtooltest",
        "consortiumMemberDisplayName": "consensys",
        "dns": "transaction-1.consensys.devtooltest.onquorum.net",
        "protocol": "Quorum",
        "provisioningState": "Succeeded",
        "publicKey": null,
        "rootContactAddress": null,
        "firewallRules": [
            {
                "endIpAddress": "1.2.3.4",
                "startIpAddress": "1.2.3.4",
                "ruleName": "my-rule"
            }
        ],
        "validatorNodesSku": {
            "capacity": 1
        }
    }
}

Note

Setting firewall rules can take up to one minute to complete.

Even when the API reports success, you can verify that the rule is in effect by opening the Managed resource group of your QBS member and selecting the qbs-network-security security group.

Add multiple firewall rules at once

Example JSON request

[
    {
        "op": "add",
        "path": "/firewallRules/-",
        "value": {
            "ruleName": "my-rule",
            "startIpAddress": "1.2.3.4",
            "endIpAddress": "1.2.3.4"
        }
    },
    {
        "op": "add",
        "path": "/firewallRules/-",
        "value": {
            "ruleName": "another-my-rule",
            "startIpAddress": "3.4.5.6",
            "endIpAddress": "3.4.5.6"
        }
    }
]

Delete a firewall rule

Example JSON request

[
    {
        "op": "remove",
        "path": "/firewallRules/0"
    }
]

Delete all firewall rules

Example JSON request

[
    {
        "op": "replace",
        "path": "/firewallRules",
        "value": []
    }
]

Rename a firewall rule

Example JSON request

[
    {
        "op": "replace",
        "path": "/firewallRules/0/ruleName",
        "value": "new-rule-name"
    }
]

Change the startIpAddress of a firewall rule

Example JSON request

[
    {
        "op": "replace",
        "path": "/firewallRules/0/startIpAddress",
        "value": "1.2.3.4"
    }
]

Change the endIpAddress of a firewall rule

Example JSON request

[
    {
        "op": "replace",
        "path": "/firewallRules/0/endIpAddress",
        "value": "1.2.3.4"
    }
]

Replace a firewall rule

Example JSON request

[
    {
        "op": "replace",
        "path": "/firewallRules/0",
        "value": {
            "ruleName": "replaced-rule-new",
            "startIpAddress": "1.2.3.4",
            "endIpAddress": "1.2.3.4"
        }
    }
]
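
The delete, rename, change and replace requests above address a rule by its position in the firewallRules array (for example /firewallRules/0), so a stale index removes or overwrites the wrong rule. The following added example (not part of the QBS documentation) builds the same request bodies from a rule name and validates the address range first; the function names and the duplicate-name and allow-everything checks are this example's own assumptions, not QBS API behavior.

```python
import ipaddress
import json

def _check_range(start, end):
    """Validate an IPv4 range; reject reversed ranges and allow-everything rules."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError(f"startIpAddress {start} is above endIpAddress {end}")
    if int(hi) - int(lo) + 1 == 2**32:
        raise ValueError("range covers every IPv4 address; same exposure as no rule")
    return str(lo), str(hi)

def _index_of(current_rules, name):
    """Resolve a rule name to its array index; the name must match exactly one rule."""
    matches = [i for i, r in enumerate(current_rules) if r["ruleName"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected one rule named {name!r}, found {len(matches)}")
    return matches[0]

def add_rule(current_rules, name, start, end):
    """Build the 'add' body; this helper refuses duplicate names (its own policy)."""
    if any(r["ruleName"] == name for r in current_rules):
        raise ValueError(f"rule {name!r} already exists")
    start, end = _check_range(start, end)
    return [{"op": "add", "path": "/firewallRules/-",
             "value": {"ruleName": name, "startIpAddress": start, "endIpAddress": end}}]

def remove_rule(current_rules, name):
    """Build the 'remove' body with the index looked up from the current rules."""
    return [{"op": "remove", "path": f"/firewallRules/{_index_of(current_rules, name)}"}]

def replace_rule(current_rules, name, start, end):
    """Build the 'replace' body for the whole rule, keeping its name."""
    start, end = _check_range(start, end)
    i = _index_of(current_rules, name)
    return [{"op": "replace", "path": f"/firewallRules/{i}",
             "value": {"ruleName": name, "startIpAddress": start, "endIpAddress": end}}]

# Constructed sample: the firewallRules array as it appears under "properties".
RULES = [
    {"ruleName": "my-rule", "startIpAddress": "1.2.3.4", "endIpAddress": "1.2.3.4"},
    {"ruleName": "another-my-rule", "startIpAddress": "3.4.5.6", "endIpAddress": "3.4.5.6"},
]

if __name__ == "__main__":
    print(json.dumps(remove_rule(RULES, "another-my-rule"), indent=4))
    print(json.dumps(add_rule(RULES, "office", "203.0.113.0", "203.0.113.255"), indent=4))
```

Pass in the firewallRules array from the most recent response body, since every add or remove changes the positions the paths refer to.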