Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 5: Deploy Network Security Groups by Using the Azure Portal
An NSG in Azure filters network traffic to and from Azure resources in a VNet. It contains security rules that allow or deny inbound traffic to, or outbound traffic from, several types of resources. Each rule specifies source, destination, port and protocol.
- NSG Security Rules
- NSG contains zero, or as many rules as needed, within Azure subscription limits
- Each rule has a series of properties
- Name
- Must be unique within NSG
- Priority
- Number between 100-4096
- Processed in order with lower number handled first
- Once traffic matches rule processing stops
- SRC or DST
- Can be set to
- Any
- Individual IP
- CIDR block
- Service tag
- App security group
- Protocol
- TCP
- UDP
- ICMP
- ESP
- AH
- Any
- Direction
- Inbound (Rx)
- Outbound (Tx)
- Port Range
- Individual Port
- Range of Ports
- Action
- Allow
- Deny
- Azure evaluates rules on the 5-tuple: source, source port, destination, destination port, protocol
- NSGs are stateful: once a flow is allowed, a flow record is kept and the return traffic is permitted without a rule in the opposite direction
- Default security rules
- (Table below from MS Learn) Every NSG carries six default rules that cannot be deleted but can be overridden by a custom rule with a higher priority (lower number)
- Inbound: AllowVNetInBound (65000, VirtualNetwork to VirtualNetwork, Allow); AllowAzureLoadBalancerInBound (65001, AzureLoadBalancer to any, Allow); DenyAllInBound (65500, any to any, Deny)
- Outbound: AllowVnetOutBound (65000, VirtualNetwork to VirtualNetwork, Allow); AllowInternetOutBound (65001, any to Internet, Allow); DenyAllOutBound (65500, any to any, Deny)
- Deployment scenario examples based on the diagram below (diagram from MS Learn): Subnet1 has NSG1 associated and contains VM1 (NSG2 on its network interface) and VM2 (no interface NSG); Subnet2 has no NSG and contains VM3 (NSG2 on its interface); Subnet3 has no NSG and contains VM4 (no interface NSG)
- For inbound traffic Azure processes the rules in the NSG associated with the subnet first (if any), then the rules in the NSG associated with the network interface (if any)
- VM1
- Subnet1 is associated with NSG1, so NSG1's rules are processed first because VM1 is in Subnet1
- Unless NSG1 has a rule that allows port 80 inbound, its DenyAllInbound default rule denies the traffic
- In that case the traffic is never evaluated by NSG2, which is associated with VM1's network interface
- If NSG1 has a rule allowing port 80, NSG2 then processes the traffic
- To allow port 80 from the internet to VM1, both NSG1 and NSG2 must have a rule allowing port 80 from the internet; NSG2's own DenyAllInbound would otherwise drop traffic that NSG1 passed
- VM2
- NSG1's rules are processed because VM2 is in Subnet1
- Since VM2 has no NSG associated with its interface, all traffic allowed by NSG1 reaches VM2, and any traffic denied by NSG1 is dropped
- When an NSG is associated with a subnet, traffic is allowed or denied the same way for every resource in that subnet
- VM3
- No NSG is associated with Subnet2, so traffic is allowed into the subnet and then processed by NSG2, which is associated with the interface attached to VM3
- VM4
- Traffic is allowed to VM4 because no NSG is associated with Subnet3 or with the VM's interface
- All traffic is allowed through a subnet and an interface that have no NSG associated
- For outbound traffic Azure processes the rules in the NSG associated with the network interface first (if any), then the rules in the NSG associated with the subnet (if any)
- VM1
- NSG2's rules are processed first. Unless a rule denies port 80 outbound to the internet, the AllowInternetOutbound default rule in both NSG1 and NSG2 allows the traffic
- If NSG2 has a rule denying port 80, the traffic is denied and NSG1 is never evaluated
- To deny port 80 from VM1, either or both NSGs must have a rule denying port 80 to the internet
- VM2
- All traffic is sent from the interface to the subnet, because the interface attached to VM2 has no NSG associated
- NSG1's rules are then processed
- VM3
- If NSG2 has a rule denying port 80, the traffic is denied
- If NSG2 has a rule allowing port 80, the traffic is allowed out to the internet because no NSG is associated with Subnet2
- VM4
- All traffic is allowed from VM4 because no NSG is associated with its network interface or with Subnet3
- (Table below from MS Learn)
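The evaluation model behind the VM1 to VM4 walkthrough, as an added example that is not MS Learn's or Azure's own code: a small Python model of NSG processing that applies the rule properties above (priority order, first match on the 5-tuple, service tags and ASGs as source/destination), appends the default rules to every NSG, and applies the subnet-then-NIC order for inbound and NIC-then-subnet order for outbound. The VNet address space (10.0.0.0/16), all IP addresses, the rule names and the ASG name are constructed for illustration, and the VirtualNetwork tag is simplified to that address space alone (the real tag also covers peered VNets and on-premises ranges reachable through a gateway).

```python
"""Model of how Azure evaluates NSG rules (added example, not MS Learn code).
Assumptions: one VNet 10.0.0.0/16; VirtualNetwork = that space, Internet = anything
outside it, AzureLoadBalancer = 168.63.129.16. All names and addresses are constructed."""
from collections import namedtuple
from dataclasses import dataclass
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")   # assumed VNet address space


@dataclass
class Rule:
    name: str
    priority: int          # 100-4096 for custom rules; defaults use 65000+
    direction: str         # "Inbound" or "Outbound"
    action: str            # "Allow" or "Deny"
    protocol: str = "*"    # Tcp, Udp, Icmp, Esp, Ah or "*" (any)
    source: str = "*"      # "*", IP, CIDR, service tag or "asg:<name>"
    source_port: str = "*"
    destination: str = "*"
    dest_port: str = "*"   # "80", "8000-8080", "22,443" or "*"

NSG = namedtuple("NSG", "name rules")           # rules = custom rules only
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port protocol")


def default_rules():
    """The six default rules every NSG carries: overridable, not removable."""
    vn = dict(source="VirtualNetwork", destination="VirtualNetwork")
    return [
        Rule("AllowVNetInBound", 65000, "Inbound", "Allow", **vn),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", **vn),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", destination="Internet"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
    ]


def addr_matches(spec, ip, asg_members):
    addr = ipaddress.ip_address(ip)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return ip == "168.63.129.16"
    if spec.startswith("asg:"):                  # ASG = set of member NIC IPs
        return ip in asg_members.get(spec[4:], set())
    return addr in ipaddress.ip_network(spec, strict=False)   # single IP or CIDR


def port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_nsg(nsg, flow, direction, asg_members):
    """Lowest priority number wins; processing stops at the first full 5-tuple match."""
    rules = [r for r in nsg.rules + default_rules() if r.direction == direction]
    for r in sorted(rules, key=lambda r: r.priority):
        if ((r.protocol == "*" or r.protocol.lower() == flow.protocol.lower())
                and addr_matches(r.source, flow.src_ip, asg_members)
                and port_matches(r.source_port, flow.src_port)
                and addr_matches(r.destination, flow.dst_ip, asg_members)
                and port_matches(r.dest_port, flow.dst_port)):
            return r.action, f"{nsg.name}/{r.name}"
    raise RuntimeError("unreachable: a DenyAll default rule always matches")


def evaluate_path(flow, direction, subnet_nsg, nic_nsg, asg_members):
    """Inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG.
    A missing NSG passes everything; the first Deny ends evaluation."""
    order = (subnet_nsg, nic_nsg) if direction == "Inbound" else (nic_nsg, subnet_nsg)
    trace = []                                   # rule that matched in each NSG visited
    for nsg in order:
        if nsg is None:
            continue
        action, hit = evaluate_nsg(nsg, flow, direction, asg_members)
        trace.append(hit)
        if action == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed topology mirroring the four-VM diagram: NSG1 on Subnet1, NSG2 on the
# NICs of VM1 and VM3, nothing on Subnet2, Subnet3 or the NICs of VM2 and VM4.
ASG_MEMBERS = {"asg-web": {"10.0.1.4", "10.0.1.5"}}
NSG1 = NSG("NSG1", [Rule("Allow-HTTP-Internet-to-asg-web", 100, "Inbound", "Allow", protocol="Tcp",
                         source="Internet", destination="asg:asg-web", dest_port="80")])
NSG2 = NSG("NSG2", [Rule("Deny-HTTP-to-Internet", 100, "Outbound", "Deny", protocol="Tcp",
                         destination="Internet", dest_port="80")])
VMS = {"VM1": ("10.0.1.4", NSG1, NSG2), "VM2": ("10.0.1.5", NSG1, None),   # (ip, subnet NSG, NIC NSG)
       "VM3": ("10.0.2.4", None, NSG2), "VM4": ("10.0.3.4", None, None)}


def scenario_results():
    """HTTP from the internet to each VM, and from each VM out to the internet."""
    results = {}
    for vm, (ip, subnet_nsg, nic_nsg) in VMS.items():
        inbound = Flow("203.0.113.7", 51000, ip, 80, "Tcp")
        outbound = Flow(ip, 51001, "198.51.100.9", 80, "Tcp")
        results[vm] = (evaluate_path(inbound, "Inbound", subnet_nsg, nic_nsg, ASG_MEMBERS),
                       evaluate_path(outbound, "Outbound", subnet_nsg, nic_nsg, ASG_MEMBERS))
    return results
```

Calling `scenario_results()` reproduces the walkthrough: inbound HTTP to VM1 passes NSG1's ASG rule but is dropped by NSG2's DenyAllInBound, VM2 is reached because only NSG1 applies, VM3 is dropped by NSG2 alone and VM4 is open; outbound HTTP from VM1 and VM3 is denied by NSG2's custom rule before NSG1 is consulted, while VM2 and VM4 leave via AllowInternetOutBound or with no NSG at all. The trace list is the practical check: it shows which NSG and rule made the decision, which is what you need when a flow is unexpectedly blocked by the NIC-level NSG after the subnet-level one allowed it.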
- Application Security Groups
- ASGs enable configuring network security as a natural extension of an application's structure
- They allow grouping VMs (by network interface) and defining network security policy on those groups
- Security policy can be reused at scale without manual maintenance of IP addresses
- The platform handles the complexity of IP addresses and multiple rule sets
- Create rules using service tags and ASGs, and avoid rules with individual IPs or ranges, to minimise the number of security rules needed
- Filter network traffic with an NSG using Azure Portal
- Use an NSG to filter inbound (Rx) and outbound (Tx) traffic for a VNet
- NSGs contain security rules that filter traffic by IP address, port and protocol, and are applied to the resources in a subnet
- Key stages to filter traffic with NSG
- Create Resource Group
- Create VNet
- Create App Security Groups
- Create Network Security Groups
- Associate NSG with subnet
- Create security rules
- Associate NICs with an ASG
- Test filters
- More detailed steps see MS Learn site: Tutorial: Filter network traffic with a network security group using the Azure portal