Nowadays I see that people do not fully understand the security needs in Azure. There are many options in Azure to improve security.
A great option is Security Center, a dashboard that gives you a quick overview of the security status of your subscription.
Another option is setting up a network security group (NSG).
A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
When an NSG is associated to a subnet, the rules apply to all resources connected to the subnet. Traffic can further be restricted by also associating an NSG to a VM or NIC.
Associating NSGs
You can associate an NSG to VMs, NICs, and subnets, depending on the deployment model you are using, as follows:
- VM (classic only): Security rules are applied to all traffic to/from the VM.
- NIC (Resource Manager only): Security rules are applied to all traffic to/from the NIC the NSG is associated to. In a multi-NIC VM, you can apply different (or the same) NSG to each NIC individually.
- Subnet (Resource Manager and classic): Security rules are applied to any traffic to/from any resources connected to the VNet.
You can associate different NSGs to a VM (or NIC, depending on the deployment model) and the subnet that a NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following order:
- Inbound traffic
  - NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, the packet is dropped.
  - NSG applied to NIC (Resource Manager) or VM (classic): If the VM\NIC NSG has a matching rule that denies traffic, packets are dropped at the VM\NIC, even if a subnet NSG has a matching rule that allows traffic.
- Outbound traffic
  - NSG applied to NIC (Resource Manager) or VM (classic): If a VM\NIC NSG has a matching rule that denies traffic, packets are dropped.
  - NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, packets are dropped, even if a VM\NIC NSG has a matching rule that allows traffic.
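To make that evaluation order concrete, here is a small Python model (an added example, not Azure code or the author's script) of how a subnet NSG and then a NIC NSG are consulted for inbound traffic. It uses the sample rules from the PowerShell script further down, two of Azure's built-in default inbound rules, and constructed values for the VNet range (10.0.0.0/16) and a NIC-level deny rule; matching of the Internet and VirtualNetwork service tags is approximated.

```python
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed sample VNet range

@dataclass
class Rule:
    priority: int   # lower number = evaluated first
    name: str
    source: str     # CIDR, "*", or the service tags "Internet" / "VirtualNetwork"
    dest_port: str  # port number or "*"
    access: str     # "Allow" or "Deny"

# Two of Azure's built-in default inbound rules, at their documented priorities
DEFAULT_INBOUND = [Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
                   Rule(65500, "DenyAllInBound", "*", "*", "Deny")]

def source_matches(prefix, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "Internet":        # approximation: any globally routable address
        return ip.is_global
    if prefix == "VirtualNetwork":  # approximation: anything inside our VNet range
        return ip in VNET
    return ip in ipaddress.ip_network(prefix)

def evaluate(rules, src_ip, dest_port):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(r.source, src_ip) and r.dest_port in ("*", str(dest_port)):
            return r.access, r.name
    return "Deny", "DenyAllInBound"  # unreachable: DenyAllInBound matches everything

def inbound(subnet_nsg, nic_nsg, src_ip, dest_port):
    """Inbound: subnet NSG first, then NIC NSG; a Deny in either drops the packet.
    Returns (allowed, 'where:rule' of the denying rule or None)."""
    for where, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if nsg is None:
            continue
        access, rule = evaluate(nsg, src_ip, dest_port)
        if access == "Deny":
            return False, f"{where}:{rule}"
    return True, None

# The page's sample rules (priorities, sources and ports as in the script below)
PAGE_RULES = [Rule(100, "rdp-rule", "8.8.8.8/32", "3389", "Allow"),
              Rule(101, "web-rule2", "8.8.4.4/32", "443", "Allow"),
              Rule(103, "web-rule3", "*", "80", "Allow"),
              Rule(104, "web-rule4", "Internet", "88", "Allow")]
# Constructed NIC-level NSG: denies RDP even though the subnet NSG allows it
NIC_DENY_RDP = [Rule(100, "deny-rdp", "*", "3389", "Deny")]
```

Outbound traffic follows the same "both must allow" logic with the NSGs consulted in the opposite order (NIC first, then subnet), so a NIC-level Allow never overrides a subnet-level Deny.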
As with most items in Azure, there are limits on the number of NSGs you can have in a subscription and on the number of rules per NSG. To learn more about the limits, read the Azure limits article.
Creating a network security group (NSG) is easy; you can do this in the portal or with PowerShell.
As I mentioned above, you can set the network security group (NSG) on a subnet or on a VM, and you can add multiple rules to one network security group (NSG).
By default the rule pane is set to Basic: just pick a service and open or close the port.
But when you check the Advanced option, the rule pane changes into a rich and flexible menu.
Instead of selecting just a service, you can also add a source IP range so that everyone else is excluded from accessing this machine.
Setting this in the GUI is nice, but when you need to change or add a lot of these rules you will need PowerShell or ARM templates.
Below are just some examples of how to use them.
# Log in to Azure (AzureRM module)
Login-AzureRmAccount
# Select a subscription
$subscriptionId = (Get-AzureRmSubscription | Out-GridView -Title 'Select your Azure Subscription:' -PassThru)
Select-AzureRmSubscription -SubscriptionId $subscriptionId.Id
# Select a Resource Group
$rgName = (Get-AzureRmResourceGroup | Out-GridView -Title 'Select your Azure Resource Group:' -PassThru).ResourceGroupName
# Set the NSG name and Azure region
$nsgName = "Trusted-Nsg01"
$location = "West Europe"
# Allowed source prefixes: two single hosts (/32) and "any"
$source1 = "8.8.8.8/32"
$source2 = "8.8.4.4/32"
$source3 = "*"
# Destination ports: RDP, HTTPS, HTTP
$dest1 = "3389"
$dest2 = "443"
$dest3 = "80"
$tag = "blog"   # not used by the commands below
# Below are sample rules; a lower priority number is evaluated first
# Rule 1: allow RDP (3389) only from the single host in $source1
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
-SourceAddressPrefix $source1 -SourcePortRange * `
-DestinationAddressPrefix * -DestinationPortRange $dest1
# Rule 2: allow HTTPS (443) only from the single host in $source2
$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule2 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
-SourceAddressPrefix $source2 -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange $dest2
# Rule 3: allow HTTP (80) from any source
$rule3 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule3 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 103 `
-SourceAddressPrefix $source3 -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange $dest3
# Rule 4: allow TCP 88 from the Internet service tag
$rule4 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule4 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 104 `
-SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange 88
Now that the port rules are created, we need to put them in a security group.
# Apply the rules by creating the NSG with them
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location -Name $nsgName -SecurityRules $rule1,$rule2,$rule3,$rule4
# Display default and security rules for NSG
(Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).SecurityRules | Select-Object * | Out-GridView
(Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).DefaultSecurityRules | Select-Object * | Out-GridView
# Remove the NSG again (clean-up)
Remove-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
Now that we have created a network security group (NSG), we can attach it to a VM. This can also be done with PowerShell, but there is a BUT.
Let me show you: go to the VM and select the network card.
The NIC can have an auto-generated name like nic245768323. I always use named NICs, so that is easy, but if not, the NSG could be applied to another VM, and maybe it will fail.
When you select it manually you can see the NIC, and once you are sure which NIC belongs to which machine, you can do this with PowerShell as well.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Http://nl.linkedin.com/in/robertsmit
Post: “Step by Step Azure network security groups NSG – Security Center #Azure #NSG #Network”