Microsoft AZ-700: Deploy Network Security Groups by Using the Azure Portal

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 5: Deploy Network Security Groups by Using the Azure Portal

An NSG in Azure filters network traffic to and from Azure resources in a VNet. An NSG contains security rules that allow or deny inbound traffic to, or outbound traffic from, several types of Azure resources. Each rule specifies source and destination, port, and protocol.

  • NSG Security Rules
    • NSG contains zero rules, or as many rules as you want, within subscription limits
    • Each rule has a series of properties
      • Name
        • Must be unique within NSG
      • Priority
        • Number between 100 and 4096
        • Processed in priority order, with the lower number handled first
        • Once traffic matches a rule, processing stops
      • SRC or DST
        • Can be set to
          • Any
          • Individual IP
          • CIDR block
          • Service tag
          • App security group
      • Protocol
        • TCP
        • UDP
        • ICMP
        • ESP
        • AH
        • Any
      • Direction
        • Rx (inbound)
        • Tx (outbound)
      • Port Range
        • Individual Port
        • Range of Ports
      • Action
        • Allow
        • Deny
    • The NSG evaluates rules using the 5-tuple: source, source port, destination, destination port, protocol
  • Default security rules
    • (Table below from MS Learn)
    • Deployment scenario examples based on diagram below (Diagram from MS Learn)
      • For inbound traffic, Azure processes the rules in the NSG associated with the subnet first (if one exists), and then the rules in the NSG associated with the network interface (if one exists)
        • VM1
          • Subnet1 is associated with NSG1
          • NSG1's security rules are processed first
          • VM1 is in Subnet1
          • Unless a rule has been created that allows port 80 inbound, the DenyAllInbound default rule denies the traffic
            • In this case the traffic is never evaluated by NSG2, which is associated with the network interface
          • If NSG1 has a rule allowing port 80, NSG2 then processes the traffic
          • To allow port 80 to the VM, both NSG1 and NSG2 must have a rule that allows port 80 from the internet
        • VM2
          • NSG1 rules are processed because VM2 is in Subnet1
          • Since VM2 has no NSG associated with its interface, all traffic allowed through NSG1 reaches VM2, and all traffic denied by NSG1 is dropped
          • When an NSG is associated with a subnet, traffic is allowed or denied to all resources in that subnet
        • VM3
          • No NSG is associated with Subnet2, so traffic is allowed into the subnet and processed by NSG2, which is associated with the interface attached to VM3
        • VM4
          • Traffic is allowed to VM4 since no NSG is associated with Subnet3 or with the virtual machine's interface
          • All traffic is allowed through a subnet and interface if neither has an NSG associated
      • For outbound traffic, Azure processes the rules in the NSG associated with the interface first, then the rules in the NSG associated with the subnet (if there is one in each case)
        • VM1
          • The security rules in NSG2 are processed first; unless a rule denies port 80 out to the internet, the AllowInternetOutbound default rule allows the traffic in both NSG1 and NSG2
          • If NSG2 has a rule denying port 80, the traffic is denied and NSG1 never evaluates it
          • To deny port 80 from the VM, either or both of the NSGs must have a rule denying port 80 or denying the internet
        • VM2
          • All traffic is sent through the interface to the subnet, since the interface attached to VM2 has no NSG associated
          • NSG1 rules are processed
        • VM3
          • If NSG2 has a rule denying port 80, the traffic is denied
          • If NSG2 has a rule allowing port 80, the traffic is allowed out to the internet, since no NSG is associated with Subnet2
        • VM4
          • All traffic is allowed from VM4 because no NSG is associated with the VM's network interface or with Subnet3
  • Application Security Groups
    • ASGs enable configuration of network security as a natural extension of the application's structure
    • Allow grouping VMs and defining network security policy on those groups
    • Security policy can be reused at scale without manual maintenance of IP addresses
    • The platform handles the complexity of IP addresses and multiple rule sets
    • Create rules using service tags and ASGs, and avoid rules with individual IPs or ranges, to minimize the number of security rules needed
  • Filter network traffic with an NSG using Azure Portal
    • Use an NSG to filter Rx/Tx traffic to and from a VNet
    • NSGs contain security rules that filter traffic by IP, port, and protocol, and are applied to resources in a subnet
    • Key stages to filter traffic with NSG
      • Create Resource Group
      • Create VNet
      • Create App Security Groups
      • Create Network Security Groups
      • Associate NSG with subnet
      • Create security rules
      • Associate NICs to an ASG
      • Test filters
    • For more detailed steps see the MS Learn site: Tutorial: Filter network traffic with a network security group using the Azure portal
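The deployment scenarios above can be checked with a small model of NSG rule processing. This is an added example, not code from the MS Learn module or from this post; it models only the two default rules the notes name (DenyAllInbound and AllowInternetOutbound), matches sources by service tag rather than by CIDR or ASG, and uses constructed rules and flows for the four-VM diagram.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules; lower numbers are processed first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp", "Icmp" or "*" (Any)
    source: str     # "*" or a service tag such as "Internet" (CIDR/ASG matching omitted)
    dest_port: str  # "*", a single port such as "80", or a range such as "1024-65535"

# Default rules named in the notes; their priorities sit above the custom range (100-4096),
# so any matching custom rule is always evaluated before them.
DEFAULTS = {"Inbound":  [Rule("DenyAllInbound", 65500, "Deny", "*", "*", "*")],
            "Outbound": [Rule("AllowInternetOutbound", 65001, "Allow", "*", "*", "*")]}

def matches(rule, flow):
    lo, _, hi = rule.dest_port.partition("-")
    return (rule.protocol in ("*", flow["protocol"])
            and rule.source in ("*", flow["source"])
            and (rule.dest_port == "*" or int(lo) <= flow["port"] <= int(hi or lo)))

def evaluate_nsg(rules, flow, direction):
    """Rules are tried in ascending priority; the first match decides and processing stops."""
    for rule in sorted(rules + DEFAULTS[direction], key=lambda r: r.priority):
        if matches(rule, flow):
            return rule.access
    return "Deny"  # unreachable with the catch-all defaults, kept as a safe fallback

def is_allowed(flow, direction, subnet_nsg=None, nic_nsg=None):
    """Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then subnet NSG.
    A missing NSG is skipped; the flow passes only if every NSG on the path allows it."""
    path = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    return all(evaluate_nsg(nsg, flow, direction) == "Allow" for nsg in path if nsg is not None)

# Constructed flows for the four-VM diagram: HTTP in from, and out to, the internet.
HTTP_IN  = {"protocol": "Tcp", "source": "Internet", "port": 80}
HTTP_OUT = {"protocol": "Tcp", "source": "*", "port": 80}
ALLOW_80 = Rule("AllowHttpIn", 100, "Allow", "Tcp", "Internet", "80")
DENY_80  = Rule("DenyHttpOut", 100, "Deny", "Tcp", "*", "80")

def scenarios():
    return {
        "VM1 in, NSG1 defaults only":    is_allowed(HTTP_IN, "Inbound", [], [ALLOW_80]),
        "VM1 in, both allow 80":         is_allowed(HTTP_IN, "Inbound", [ALLOW_80], [ALLOW_80]),
        "VM2 in, NSG1 allows 80":        is_allowed(HTTP_IN, "Inbound", [ALLOW_80], None),
        "VM3 in, NSG2 on NIC allows 80": is_allowed(HTTP_IN, "Inbound", None, [ALLOW_80]),
        "VM4 in, no NSG":                is_allowed(HTTP_IN, "Inbound", None, None),
        "VM1 out, NSG2 denies 80":       is_allowed(HTTP_OUT, "Outbound", [], [DENY_80]),
        "VM1 out, defaults only":        is_allowed(HTTP_OUT, "Outbound", [], []),
    }
```

Running `scenarios()` reproduces each bullet above: VM1 is reachable on port 80 only when both NSG1 and NSG2 allow it, and a deny in the NIC-level NSG2 blocks outbound port 80 before NSG1 is ever consulted.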

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-deploy-network-security-groups-by-using-the-azure-portal/
