| Category | Azure NSG – Blog No 2 |
|---|---|
| Time to Read | 15 Minutes |
| Who should read this blog? | If you want to configure NSG |
Preface
In our previous blog, I discussed Azure NSG as a concept. In this blog, I will show how we can configure the NSG step by step.
Configuring NSG through Azure Portal
- Go to the Azure Portal and type NSG in the search box.

- Select Network Security Groups and click on the Create button.

- Fill in the details as shown below and click on Review + Create (this skips the Tags configuration page). If you want to add tags to your NSG, click the Next button instead.

- Your first NSG is ready. This is how it looks (the NSG name was changed to Spoke-win-vm01-nsg).

Security Rules
There are two types of security rules – Inbound Security rules and outbound Security rules. This has been covered in my previous blog in detail.
Each Security rule has a Name, Priority, Port, Protocol, Service, Source, Destination, and Action associated with it.
Both Inbound and Outbound Security rules have a list of rules under them. There are 3 default preconfigured rules with Priority 65000, 65001, and 65500 under Inbound and Outbound Security rules.
These default rules cannot be modified or deleted.
However, you can create custom rules that take precedence over them by using lower priority values. Refer to the image below for how to add a custom rule under either the Inbound Security rules or the Outbound Security rules. I will add a custom rule under the Inbound Security rules; the same procedure applies to Outbound Security rules.
Go to Inbound Security rules and click on the Add button.

Once you click the Add button, a new configuration window pops up where you can define the name, the rule priority, the source and destination port ranges, the protocol, the source and destination IP addresses, and the action (allow or deny) for this traffic flow.

Let’s understand each field in detail.
Source
The following options are available under the Source field:

- Any – this option will select traffic with any source IP address.
- IP Addresses – Under this selection, you may define a single IP address, a CIDR range, several network prefixes separated by commas, or a combination of IPv4 and IPv6 addresses.
Examples –


- My IP address – this option will automatically populate your machine’s Public IP address.
- Service Tag – Azure offers many cloud services, and if you want to allow or deny traffic to or from these services you may use the Service Tag option. The reason is that these services use ranges of dynamic IP addresses. A service tag makes this easier for customers, as they do not have to add the whole range of IP addresses themselves or make a change whenever the IP address range changes. For example, below I add the source service tag Internet, which selects all internet IPs under the Source field. Without the service tag, adding all the internet IP ranges would have been an uphill task. To see all the Azure services available as service tags, refer here.

- Application Security Group – Application Security Groups (ASGs) are similar to service tags, but they are created by users to form logical groupings of virtual machines or services that you can reference in your network security group rules. For example, if you have 20 web servers and 30 database servers in a virtual network, you may create two ASGs, one for the web servers and another for the database servers. To learn more, refer here.
Source port ranges
Provide a single port, such as 80; a port range, such as 1024-65535; or a comma-separated list of single ports and/or port ranges, such as 80,1024-65535. This specifies on which ports traffic will be allowed or denied by this rule. Provide an asterisk (*) to allow traffic on any port.

Destination
Under the Destination field, you may select Any, IP Addresses, Service Tag, or Application Security Group; these behave the same way as explained above for the source.

Service
Services are the Layer 7 services available, such as HTTP/HTTPS, SSH, and RDP. Each service has a default port; for example, HTTP has a default destination port of 80. When you select a service, the destination port ranges field is auto-filled with that service’s default port.

However, applications are often configured to listen on custom ports for security reasons; for example, an HTTP service can also be configured to listen on port 8080. In those cases, use the Custom option under the Service field.

Protocol
You can choose the protocol that the rule matches: TCP, UDP, ICMP, or Any.

Action
Action specifies whether matching traffic is allowed or denied.

Priority
Priority is the value that determines the order in which the rules are evaluated. The rule with the lowest priority value sits at the top and is evaluated first, followed by the other rules in increasing order of priority value.
When adding the first custom rule under either the inbound or the outbound security rules, you can give a priority value between a minimum of 100 and a maximum of 4096. Any value outside this range will not be accepted.

Name and description
Needless to say, a properly defined name and description will help you and your team understand and use that specific NSG rule.

Inbound security rules after custom rule addition
We added two custom rules with priority 300 and 320 which allow RDP and SSH traffic; they can be seen below.

Default Rules
It is very important to understand the default rules as you add custom rules, especially if you intend to override the behaviour of the default rules.
Inbound Security Rules
- Rule 65000 – Allows traffic from any VM or service to any other VM or service within the virtual network or peered virtual networks. This includes the address prefixes of peered virtual networks.
- Rule 65001 – This rule is for Azure load balancer health probes. If you have an Azure load balancer in your virtual network, make sure this rule is not overridden by any custom rule.
- Rule 65500 – This is the implicit deny rule.
Outbound Security Rules
- Rule 65000 – Allows traffic from any VM or service to any other VM or service within the virtual network or peered virtual networks. This includes the address prefixes of peered virtual networks.
- Rule 65001 – This rule allows any outbound internet traffic and ensures that your VM or service has outbound internet access. Make sure this rule is not overridden by any custom rule; otherwise, internet access from your VM or service might be impacted.
- Rule 65500 – This is the implicit deny rule.
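As an added illustration (not code from the original post), the following Python models how the inbound rule set described above is evaluated: port specifications as written in the Source/Destination port ranges fields, the three default rules, and the post’s custom RDP and SSH rules at priority 300 and 320. The service tag prefixes, the load balancer probe address and the restriction of the custom rules to the VNet prefixes are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed prefix lists standing in for service tags; real tags resolve to Microsoft-published ranges.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "10.1.0.0/16"],  # VNet plus one peered VNet (assumed)
    "AzureLoadBalancer": ["192.0.2.10/32"],            # constructed health-probe source
}
@dataclass
class Rule:
    priority: int
    name: str
    src: str        # '*', a service tag, or comma-separated IPs/CIDRs
    src_ports: str  # '*', '80', '1024-65535' or a comma list of those
    dst: str
    dst_ports: str
    protocol: str   # TCP, UDP, ICMP or Any
    action: str     # Allow or Deny
def port_match(spec: str, port: int) -> bool:
    """Match a port against '*', a single port, a range, or a comma-separated list."""
    if spec.strip() == "*":
        return True
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False
def addr_match(spec: str, addr: str) -> bool:
    """Match an address against '*', a service tag, or a comma-separated prefix list."""
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, spec.split(","))
    return any(ip_address(addr) in ip_network(p.strip(), strict=False) for p in prefixes)

# The three default inbound rules: they cannot be edited, only preceded by a lower priority value.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "VirtualNetwork", "*", "Any", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "*", "Any", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "*", "Any", "Deny"),
]
def evaluate(rules, src_ip, src_port, dst_ip, dst_port, proto):
    """Lowest priority value first; the first matching rule decides and evaluation stops."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("Any", proto) and addr_match(r.src, src_ip) and addr_match(r.dst, dst_ip)
                and port_match(r.src_ports, src_port) and port_match(r.dst_ports, dst_port)):
            return r.name, r.action
    return None, "Deny"
# The post's custom rules (priority 300 RDP, 320 SSH); limiting them to VNet prefixes is an assumption.
CUSTOM_INBOUND = DEFAULT_INBOUND + [
    Rule(300, "Allow-RDP", "10.0.0.0/16,10.1.0.0/16", "*", "*", "3389", "TCP", "Allow"),
    Rule(320, "Allow-SSH", "10.0.0.0/16,10.1.0.0/16", "*", "*", "22", "TCP", "Allow"),
]
```

Adding a Deny rule for port 80 at priority 200 to this list shows the caveat from the 65001 description: the load balancer probe is matched by the custom rule first and never reaches the default allow.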
Conclusion
In conclusion, configuring Network Security Groups (NSGs) is a critical step in securing your virtual networks and applications in Azure. By setting up NSG rules, you can restrict traffic and protect against potential threats to your cloud environment. With the step-by-step guide we have provided, you can easily configure NSGs to improve your cloud security posture. Remember to regularly review and update your NSG rules to ensure that your security remains effective and up-to-date. By implementing NSGs, you can have peace of mind knowing that your cloud infrastructure is protected.