{"id":680,"date":"2021-07-06T20:44:58","date_gmt":"2021-07-06T20:44:58","guid":{"rendered":"https:\/\/www.spktechfit.com\/?p=680"},"modified":"2021-07-06T20:44:58","modified_gmt":"2021-07-06T20:44:58","slug":"22-secure-access-to-virtual-networks","status":"publish","type":"post","link":"https:\/\/www.spktechfit.com\/?p=680","title":{"rendered":"22. Secure Access to Virtual Networks"},"content":{"rendered":"

\n

NSGs (Network Security Groups)<\/h1>\n

“You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains\u00a0<\/span>security rules<\/span><\/a>\u00a0that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.”<\/span><\/p>\n

From <https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-network\/network-security-groups-overview<\/a>> <\/cite><\/p>\n

The NSG can be attached to a subnet or a device network interface.<\/p>\n

\n

Azure creates a number of default security rules in a NSG when you create a device. They are:<\/p>\n

Inbound rules<\/p>\n

    \n
  1. Allow inbound traffic from devices in the same virtual network<\/span><\/li>\n
  2. Allow incoming traffic from a load balancer<\/span><\/li>\n
  3. All other traffic inbound gets denied<\/span><\/li>\n<\/ol>\n

    \n

    Outbound rules<\/p>\n

      \n
    1. Allow outbound traffic to any devices on the same VNet<\/span><\/li>\n
    2. Allow outbound traffic to the internet<\/span><\/li>\n
    3. Deny everything else <\/span>(what else is there if the internet is allowed\u2026)<\/span><\/li>\n<\/ol>\n

      \n

      Adding a rule<\/h2>\n

      In this example we will allow RDP traffic from any devices<\/p>\n

        \n
      1. Go the NSG -> Inbound security rules<\/span><\/li>\n
      2. Click on Add<\/span><\/li>\n
      3. Source: any (just for the test)<\/span><\/li>\n
      4. Source port range: *<\/span><\/li>\n
      5. Destination: any<\/span><\/li>\n
      6. Destination port: 3389<\/span><\/li>\n
      7. Protocol: TCP<\/span><\/li>\n
      8. Action: Allow<\/span><\/li>\n
      9. Priority: this needs to higher (lower number) than the deny rule. EG: 1000<\/span><\/li>\n
      10. Click Add<\/span><\/li>\n<\/ol>\n

        \n

        \n

        Implement Effective NSG Rules<\/h1>\n

        Azure automatically creates an NSG every time you create a VM. But if you had 100 VM’s you probably don\u2019t want to manage 100 NSG’s (not only is this annoying but it would be a security risk).<\/p>\n

        \n

        You want to have NSG’s with specific roles. EG:<\/p>\n

          \n
        • If you have a number of front end web servers, you would have an NSG for them with HTTPS access<\/span><\/li>\n
        • Backend servers may need certain ports allowed for database access etc\u2026<\/span><\/li>\n<\/ul>\n

          \n

          Associating a VM with an NSG<\/h2>\n

          You associate the network interface of the VM with the NSG. To do this:<\/p>\n

            \n
          1. Go to the VM network interface<\/span><\/li>\n
          2. Go to “Network Security Group”<\/span><\/li>\n
          3. Click Edit<\/span><\/li>\n
          4. Select the preferred NSG<\/span><\/li>\n<\/ol>\n

            \n

            NOTE: once you have associated the VM with the “role” NSG, you can then delete the NSG that was created with the VM. This is the best practice.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

            NSGs (Network Security Groups) “You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains\u00a0security rules\u00a0that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[13,3],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/680"}],"collection":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=680"}],"version-history":[{"count":1,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/680\/revisions"}],"predecessor-version":[{"id":681,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/680\/revisions\/681"}],"wp:attachment":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}