Network Security Groups (NSG)
-
An Azure NSG filters network traffic to and from Azure resources inside an Azure virtual network (VNet).
-
An NSG contains security rules that allow or deny inbound or outbound network traffic.
-
Each security rule specifies:
- Name: the name of the security rule
- Priority: a number from 100 to 4096; the lower the number, the higher the priority. Rules are evaluated in priority order and evaluation stops at the first rule that matches.
- Source or destination: Any, an individual IP address, a CIDR range, or a service tag (such as VirtualNetwork or Internet) for the source/destination you want to filter
- Protocol: TCP, UDP, ICMP or Any
- Direction: Inbound or Outbound
- Port range: an individual port such as 80 or 22, a range such as 8000-8090, or * (all ports)
- Action: Allow or Deny
-
NSGs can be associated with a subnet or with a VM's network interface (NIC). When both are in place, inbound traffic has to be allowed by the subnet NSG first and then by the NIC NSG; a Deny in either one drops the packet.
-
Basic overview of a VNet with NSGs

-
An NSG has two sets of security rules:
- Inbound security rules
- Outbound security rules
-
When an NSG is created it comes with the following default rules. They cannot be deleted, but a custom rule with a lower priority number takes precedence over them.

Inbound

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- | --- |
| AllowVNetInBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |
| DenyAllInBound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

Outbound

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- | --- |
| AllowVnetOutBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowInternetOutBound | 65001 | 0.0.0.0/0 | 0-65535 | Internet | 0-65535 | Any | Allow |
| DenyAllOutBound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |
- Given these defaults, assume someone on the public internet tries to connect to your VM over SSH (TCP/22) and the VM has a public IP. The inbound rules are evaluated in priority order:
```
65000 => Is the source VirtualNetwork? No
65001 => Is the source AzureLoadBalancer? No
65500 => Is the source 0.0.0.0/0? Yes, and the access is Deny, so the packet is dropped
```
- With the same NSG, assume a VM in the same VNet tries to reach your VM on port 80. Will it be allowed?
```
65000 => Is the source VirtualNetwork? Yes, and the access is Allow
```
Evaluation stops at the first match, so the packet is delivered to the VM and the rules at 65001 and 65500 are never looked at.
- Let's create a sample NSG with the following rules

Inbound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- |
| 300 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 22 | TCP | Allow |
| 310 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

Outbound => Default

* A user on the public internet tries to connect to your machine over HTTP (TCP/80):
```
300 => The source matches any IP, but the destination port is 22, not 80, so the rule does not match
310 => Source 0.0.0.0/0 on any port matches, access is Deny, so the packet is dropped
```
Note that rule 310 denies everything rule 300 did not allow, so the default rules at 65000 and above are never reached. That includes AllowVNetInBound and AllowAzureLoadBalancerInBound: traffic from other VMs in the VNet and Azure Load Balancer health probes are dropped unless you add explicit Allow rules above 310.
- Now consider an NSG with the following rules

Inbound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- |
| 240 | 40.20.23.8/32 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |
| 250 | 35.25.0.0/24 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |
| 300 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 22 | TCP | Allow |
| 310 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

Outbound => Default

* An employee in your organization with IP address 35.25.0.8 tries to use RDP (TCP/3389). Will it work?
```
240 => Is the source 40.20.23.8/32? No
250 => Is the source in 35.25.0.0/24? Yes, and the access is Allow, so the RDP connection goes through
```
Two things worth noticing: rule 250 allows 35.25.0.0/24 on every port, not just 3389, and rule 300 opens SSH to the whole internet. A host at 40.20.23.8 is stopped by rule 240 before rule 300 is ever considered, which is why specific Deny rules belong above broad Allow rules.
- Best practices when writing NSG rules
- Leave room at the top (don't start at priority 100): if you later need to stop an attack, you will want to insert Deny rules above your existing rules.
- Leave gaps between priorities (at least 10 numbers) so new rules can be inserted later without renumbering.
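The rule evaluation walked through above (the default rules, the SSH, HTTP and RDP questions) and the two best practices, as an added example that is not part of the original page and not Azure's own code: a small Python model of NSG rule matching in which the lowest priority number is checked first and the first match decides. The VNet address space (10.0.0.0/16), the VM and client addresses, the names given to the custom rules, and the 200/10 thresholds in lint() are assumptions. Service tags are simplified: VirtualNetwork is the assumed prefix, Internet is anything outside it, and AzureLoadBalancer is the documented probe address 168.63.129.16.

```python
import ipaddress
from dataclasses import dataclass

# Assumed VNet address space for the examples (the page does not give one).
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
# Source address that Azure Load Balancer health probes arrive from (documented by Microsoft).
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")
ANY = ("*", "Any", "0.0.0.0/0")


@dataclass
class Rule:
    name: str
    priority: int
    source: str        # CIDR, 0.0.0.0/0, or a service tag
    dest: str
    dest_ports: str    # "22", "8000-8090", "0-65535" or "*"
    protocol: str      # "TCP", "UDP", "ICMP" or "Any"
    access: str        # "Allow" or "Deny"
    source_ports: str = "0-65535"


def port_matches(spec: str, port: int) -> bool:
    """A single port, a lo-hi range, or '*' (all ports)."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def addr_matches(spec: str, addr: str) -> bool:
    """Service tags are simplified (assumption): VirtualNetwork = VNET_PREFIXES,
    Internet = anything outside them, AzureLoadBalancer = the probe address."""
    ip = ipaddress.ip_address(addr)
    in_vnet = any(ip in net for net in VNET_PREFIXES)
    if spec in ANY:
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src_ip, dst_ip, dst_port, protocol="TCP", src_port=50000):
    """Lowest priority number first; the first matching rule decides and no
    later rule is consulted. Returns (access, name of the deciding rule)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("Any", protocol):
            continue
        if (addr_matches(r.source, src_ip) and addr_matches(r.dest, dst_ip)
                and port_matches(r.source_ports, src_port)
                and port_matches(r.dest_ports, dst_port)):
            return r.access, r.name
    return "Deny", "(no rule matched)"   # unreachable while the default rules are present


def lint(rules, min_first=200, min_gap=10):
    """Flag custom rules that break the best practices above, plus an Allow
    from any source on a management port (22 or 3389)."""
    findings = []
    custom = sorted((r for r in rules if r.priority < 65000), key=lambda r: r.priority)
    if custom and custom[0].priority < min_first:
        findings.append(f"{custom[0].name}: priority {custom[0].priority} leaves no room above it")
    for a, b in zip(custom, custom[1:]):
        if b.priority - a.priority < min_gap:
            findings.append(f"{a.name}/{b.name}: priorities only {b.priority - a.priority} apart")
    for r in custom:
        if r.access == "Allow" and r.source in ANY and r.dest_ports in ("22", "3389"):
            findings.append(f"{r.name}: port {r.dest_ports} open to any source")
    return findings


# Azure's default rules, as listed on this page.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "0-65535", "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "0.0.0.0/0", "0-65535", "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "0.0.0.0/0", "0.0.0.0/0", "0-65535", "Any", "Deny"),
]
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "VirtualNetwork", "VirtualNetwork", "0-65535", "Any", "Allow"),
    Rule("AllowInternetOutBound", 65001, "0.0.0.0/0", "Internet", "0-65535", "Any", "Allow"),
    Rule("DenyAllOutBound", 65500, "0.0.0.0/0", "0.0.0.0/0", "0-65535", "Any", "Deny"),
]
# The custom inbound rules from the last example above; the rule names are assumed.
CUSTOM_INBOUND = [
    Rule("DenyBadHost", 240, "40.20.23.8/32", "0.0.0.0/0", "0-65535", "Any", "Deny"),
    Rule("AllowOffice", 250, "35.25.0.0/24", "0.0.0.0/0", "0-65535", "Any", "Allow"),
    Rule("AllowSSH", 300, "0.0.0.0/0", "0.0.0.0/0", "22", "TCP", "Allow"),
    Rule("DenyAll", 310, "0.0.0.0/0", "0.0.0.0/0", "0-65535", "Any", "Deny"),
]

if __name__ == "__main__":
    vm = "10.0.1.4"   # the VM's private address (constructed)
    print(evaluate(DEFAULT_INBOUND, "203.0.113.5", vm, 22))
    print(evaluate(CUSTOM_INBOUND + DEFAULT_INBOUND, "35.25.0.8", vm, 3389))
    print(lint(CUSTOM_INBOUND + DEFAULT_INBOUND))
```

With the page's rule sets, evaluate() returns Deny from DenyAllInBound for SSH from the internet under the defaults, Allow from AllowVNetInBound for port 80 from inside the VNet, Deny from the rule at 310 for HTTP from the internet, and Allow from the rule at 250 for RDP from 35.25.0.8. Feeding it the load-balancer probe address shows the caveat from the sample NSG: the deny-all at 310 matches before the default 65001 rule, so probes are dropped. lint() reports the SSH rule at 300 as open to any source.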
Creating an NSG from the Azure Portal
- Refer to the images below

Exercise
- Configure Azure CLI and PowerShell: Watch Here
