Azure, Technology

22. Secure Access to Virtual Networks

NSGs (Network Security Groups)

“You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.”

From <https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview>

The NSG can be attached to a subnet or a device network interface.

Azure creates a number of default security rules in a NSG when you create a device. They are:

Inbound rules

  1. Allow inbound traffic from devices in the same virtual network
  2. Allow incoming traffic from a load balancer
  3. All other traffic inbound gets denied

Outbound rules

  1. Allow outbound traffic to any devices on the same VNet
  2. Allow outbound traffic to the internet
  3. Deny everything else (what else is there if the internet is allowed…)

Adding a rule

In this example we will allow RDP traffic from any devices

  1. Go the NSG -> Inbound security rules
  2. Click on Add
  3. Source: any (just for the test)
  4. Source port range: *
  5. Destination: any
  6. Destination port: 3389
  7. Protocol: TCP
  8. Action: Allow
  9. Priority: this needs to higher (lower number) than the deny rule. EG: 1000
  10. Click Add

Implement Effective NSG Rules

Azure automatically creates an NSG every time you create a VM. But if you had 100 VM’s you probably don’t want to manage 100 NSG’s (not only is this annoying but it would be a security risk).

You want to have NSG’s with specific roles. EG:

  • If you have a number of front end web servers, you would have an NSG for them with HTTPS access
  • Backend servers may need certain ports allowed for database access etc…

Associating a VM with an NSG

You associate the network interface of the VM with the NSG. To do this:

  1. Go to the VM network interface
  2. Go to “Network Security Group”
  3. Click Edit
  4. Select the preferred NSG

NOTE: once you have associated the VM with the “role” NSG, you can then delete the NSG that was created with the VM. This is the best practice.

Leave a Reply

Your email address will not be published. Required fields are marked *