Azure Classroom Series – 14/Jul/2020

Network Security Groups (NSG)

  • An Azure NSG filters network traffic to and from Azure resources inside an Azure virtual network (vnet).

  • An NSG contains security rules that allow or deny inbound or outbound network traffic. Rules are evaluated in priority order and the first rule that matches a packet decides; no later rule is consulted.

  • For each security rule we specify:

    • Name: the name of the security rule
    • Priority: a number from 100 to 4096; the lower the number, the higher the priority (rules are evaluated lowest number first)
    • Source or destination: Any, an individual IP, a CIDR range, or a service tag such as VirtualNetwork, AzureLoadBalancer or Internet
    • Protocol: TCP, UDP, ICMP or Any
    • Direction: Inbound or Outbound
    • Port range: an individual port such as 80 or 22, a range such as 8000-8090, or * (all ports)
    • Action: Allow or Deny
  • NSGs can be associated with a subnet or with a VM's network interface (NIC). When both have an NSG, inbound traffic must be allowed by the subnet NSG and then by the NIC NSG (outbound is evaluated in the reverse order), so a deny in either one drops the packet.

  • Basic overview of a vnet with NSGs (diagram not reproduced here)

  • An NSG has two sets of security rules:

    • Inbound security rules
    • Outbound security rules
  • When we create an NSG, the default security rules are as follows:

Inbound

AllowVnetInBound
Priority  Source          Source-Ports  Dest            Dest-Ports  Protocol  Access
65000     VirtualNetwork  0-65535       VirtualNetwork  0-65535     Any       Allow

AllowAzureLoadBalancerInBound
Priority  Source             Source-Ports  Dest       Dest-Ports  Protocol  Access
65001     AzureLoadBalancer  0-65535       0.0.0.0/0  0-65535     Any       Allow

DenyAllInBound
Priority  Source     Source-Ports  Dest       Dest-Ports  Protocol  Access
65500     0.0.0.0/0  0-65535       0.0.0.0/0  0-65535     Any       Deny

Outbound

AllowVnetOutBound
Priority  Source          Source-Ports  Dest            Dest-Ports  Protocol  Access
65000     VirtualNetwork  0-65535       VirtualNetwork  0-65535     Any       Allow

AllowInternetOutBound
Priority  Source     Source-Ports  Dest      Dest-Ports  Protocol  Access
65001     0.0.0.0/0  0-65535       Internet  0-65535     Any       Allow

DenyAllOutBound
Priority  Source     Source-Ports  Dest       Dest-Ports  Protocol  Access
65500     0.0.0.0/0  0-65535       0.0.0.0/0  0-65535     Any       Deny

The default rules cannot be deleted, but their priorities (65000 and above) sit below every custom rule (100 to 4096), so any custom rule that matches a packet takes precedence over them.

  • Considering this NSG, assume someone on the public internet tries to connect to your VM over SSH (22/TCP), and the VM has a public IP. The inbound rules are evaluated lowest priority number first:

65000 => Is the source VirtualNetwork? No
65001 => Is the source AzureLoadBalancer? No
65500 => Is the source 0.0.0.0/0? Yes, and the access is Deny, so the packet is dropped
  • Consider the same NSG and assume a VM in the same vnet tries to reach your VM on port 80. Will this be allowed?
* 65000 => Is the source VirtualNetwork? Yes, and the destination (your VM's private IP) is also in the vnet, so the access is Allow
So the packet is delivered to your VM; the remaining rules are never evaluated.
  • Let's create a sample NSG with the following rules
Inbound
Priority  Source     Source-Ports  Dest       Dest-Ports  Protocol  Access
300       0.0.0.0/0  0-65535       0.0.0.0/0  22          TCP       ALLOW
310       0.0.0.0/0  0-65535       0.0.0.0/0  0-65535     Any       DENY

Outbound => Default
* A user from the public internet tries to connect to your machine over HTTP (TCP/80)
```
300 => source matches any IP, but the destination port is 22, not 80, so the rule does not match
310 => source and port match, access is Deny, so the packet is dropped
```
  • NSG Rules
Inbound
Priority  Source         Source-Ports  Dest       Dest-Ports  Protocol  Access
240       40.20.23.8/32  0-65535       0.0.0.0/0  0-65535     Any       DENY
250       35.25.0.0/24   0-65535       0.0.0.0/0  0-65535     Any       ALLOW
300       0.0.0.0/0      0-65535       0.0.0.0/0  22          TCP       ALLOW
310       0.0.0.0/0      0-65535       0.0.0.0/0  0-65535     Any       DENY

Outbound => Default
* An employee from your org with IP address 35.25.0.8 tries to use RDP (TCP/3389). Will it work?
```
240 => source is 40.20.23.8/32, which does not contain 35.25.0.8, so no match
250 => source 35.25.0.0/24 contains 35.25.0.8 and the rule covers all ports and protocols, so the access is Allow
```
Yes, it works; rules 300 and 310 are never consulted for this source. Note that the same employee is allowed on every port, not only RDP, because rule 250 does not restrict the destination port.
  • Best practices while writing NSG rules
    • Leave some room at the top (don't start at priority 100): if you later need to stop an attack you will want to insert deny rules above your existing allow rules.
    • Leave a gap of at least 10 between consecutive priorities so rules can be inserted in between later.
    • Remember that a custom catch-all deny (like the 310 rule above) sits above the default AllowVnetInBound and AllowAzureLoadBalancerInBound rules, so it also blocks traffic from other VMs in the vnet and Azure load balancer health probes unless you add explicit allow rules above it.
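The walk-throughs above are all the same procedure: sort the rules by priority, take the first one whose direction, source, destination, ports and protocol all match, and apply its action. The following evaluator is an added example and not code from the original page or from Azure; it replays the page's scenarios against the default rules and the second custom rule set, and goes one step further by showing what the catch-all deny at 310 does to intra-vnet traffic and to load balancer health probes. The vnet address space (10.0.0.0/16), the target VM's private IP (10.0.1.4), the source addresses, and the custom rule names are all constructed assumptions; the service tags are modelled with those prefixes rather than the real Azure-maintained lists.

```python
"""Added example (not from the original page): a first-match NSG rule evaluator.
Rules are tried in ascending priority order and the first full match decides;
service tags use constructed prefixes (Azure resolves the real ones itself)."""
import ipaddress
from collections import namedtuple

# Constructed assumptions: the vnet address space and the load balancer probe
# source (168.63.129.16 is the real Azure health-probe address).
VNET = [ipaddress.ip_network("10.0.0.0/16")]
ALB = [ipaddress.ip_network("168.63.129.16/32")]

# source/dest: CIDR, single IP, "*" or a service tag; ports: "*", "22", "8000-8090"
Rule = namedtuple("Rule", "name priority direction source sports dest dports protocol access")
Packet = namedtuple("Packet", "direction src_ip sport dst_ip dport protocol")

def _addr_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec in ("*", "0.0.0.0/0"):
        return True
    if spec == "VirtualNetwork":
        return any(addr in n for n in VNET)
    if spec == "AzureLoadBalancer":
        return any(addr in n for n in ALB)
    if spec == "Internet":  # modelled as "anything outside the vnet"
        return not any(addr in n for n in VNET)
    return addr in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, pkt):
    """(access, rule name) of the first matching rule, lowest number first.
    No match means implicit deny; the default rules make that unreachable."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == pkt.direction
                and _addr_matches(r.source, pkt.src_ip)
                and _addr_matches(r.dest, pkt.dst_ip)
                and _port_matches(r.sports, pkt.sport)
                and _port_matches(r.dports, pkt.dport)
                and r.protocol.lower() in ("any", pkt.protocol.lower())):
            return r.access, r.name
    return "Deny", "(no rule matched)"

def validate(custom_rules):
    """Problems Azure rejects: priority outside 100-4096, or two rules sharing
    a priority in the same direction. Empty list means the set is acceptable."""
    problems, seen = [], set()
    for r in custom_rules:
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            problems.append(f"{r.name}: duplicate {r.direction} priority {r.priority}")
        seen.add((r.direction, r.priority))
    return problems

A = "*"
DEFAULT_RULES = [  # the six rules every NSG starts with
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", A, "VirtualNetwork", A, "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", A, A, A, "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", A, A, A, A, "Any", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", A, "VirtualNetwork", A, "Any", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", A, A, "Internet", A, "Any", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", A, A, A, A, "Any", "Deny"),
]
CUSTOM_RULES = [  # the page's second inbound rule set; rule names are assumed
    Rule("DenyBadHost", 240, "Inbound", "40.20.23.8/32", A, A, A, "Any", "Deny"),
    Rule("AllowOfficeRange", 250, "Inbound", "35.25.0.0/24", A, A, A, "Any", "Allow"),
    Rule("AllowSSH", 300, "Inbound", A, A, A, "22", "TCP", "Allow"),
    Rule("DenyEverythingElse", 310, "Inbound", A, A, A, A, "Any", "Deny"),
]

def scenarios():
    """The page's walk-throughs plus two showing what the catch-all deny at 310
    does to intra-vnet traffic and load balancer probes. Addresses constructed;
    10.0.1.4 is the target VM's private IP."""
    vm, inb = "10.0.1.4", "Inbound"
    with_defaults = {
        "internet ssh, defaults only": Packet(inb, "203.0.113.7", 51000, vm, 22, "TCP"),
        "vnet http, defaults only": Packet(inb, "10.0.2.5", 51001, vm, 80, "TCP"),
    }
    with_custom = {
        "internet http": Packet(inb, "203.0.113.7", 51002, vm, 80, "TCP"),
        "internet ssh": Packet(inb, "203.0.113.7", 51003, vm, 22, "TCP"),
        "employee rdp": Packet(inb, "35.25.0.8", 51004, vm, 3389, "TCP"),
        "blocked host ssh": Packet(inb, "40.20.23.8", 51005, vm, 22, "TCP"),
        "vnet http": Packet(inb, "10.0.2.5", 51006, vm, 80, "TCP"),
        "lb health probe": Packet(inb, "168.63.129.16", 51007, vm, 80, "TCP"),
    }
    out = {k: evaluate(DEFAULT_RULES, p) for k, p in with_defaults.items()}
    out.update({k: evaluate(DEFAULT_RULES + CUSTOM_RULES, p) for k, p in with_custom.items()})
    return out

if __name__ == "__main__":
    for name, (access, rule) in scenarios().items():
        print(f"{name:30} -> {access:5} ({rule})")
```

Running it shows the two results the page does not spell out: with the custom rule set, "vnet http" and "lb health probe" both end in DenyEverythingElse, because the 310 deny is evaluated long before the default 65000 and 65001 allows. `validate` also catches the two mistakes the portal would refuse, a priority outside 100-4096 and two rules with the same priority in the same direction.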

Creating NSG from Azure Portal

  • Refer to the portal screenshots (images not reproduced here)

Exercise
