Network Security Groups (NSGs)
-
NSGs contain sets of rules that allow or deny specific traffic to specific resources or subnets in Azure
-
An NSG can be associated with a Network Interface (NIC) or with a subnet
-
Let's create a simple NSG
-
An NSG has a set of rules, and each rule has a priority. A lower priority number means a higher priority: rules are evaluated in ascending order of their priority number
-
Every rule has:
- Priority (the lower the number, the higher the priority): the range is 100 to 4096
- Source: for an inbound rule, the source is where the network packet arrives from. Azure offers these options:
  - Any (anywhere)
  - IP Addresses (specific IP ranges)
  - Service Tag
  - Application Security Group
- Source port range: the port on the source from which the traffic is generated
- Destination: where the network packet is travelling to
- Destination port ranges: the port on which the network packet arrives
- Protocol:
  - TCP
  - UDP
  - ICMP
- Action: Allow / Deny
- Name
- Description
-
Let's write a rule set that allows HTTP and SSH from the internet, allows all communication within the VNet, and denies everything else
-
Now let's attach this NSG to the web subnet
-
Now let's create an NSG for the app subnet that allows inbound communication only from the web subnet.
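To check both rule sets before attaching them, here is a small simulation of how an NSG evaluates inbound traffic: custom rules and Azure's three built-in inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) are walked in ascending priority number and the first match decides. This is an added example written for these notes, not Azure's engine or code from the page; the address plan (10.0.0.0/16 with web, app and data subnets), the rule names and the simplified meaning of the Internet tag (anything outside the VNet) are assumptions. It shows why the web subnet needs only two custom rules, and why "allow only the web subnet" on the app subnet needs an explicit Deny for the VirtualNetwork tag, since the default rule at 65000 otherwise admits every other subnet.

```python
"""Simulation of Azure NSG inbound rule evaluation: rules are checked in ascending
priority number, the first match wins, and Azure's default inbound rules always sit
behind the custom ones. A model for reasoning about rule sets, not Azure's own engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the example (assumed, not from the notes).
VNET = ip_network("10.0.0.0/16")
WEB_SUBNET = "10.0.1.0/24"
APP_SUBNET = "10.0.2.0/24"
DATA_SUBNET = "10.0.3.0/24"
AZURE_LB_PROBE_IP = "168.63.129.16"  # Azure virtual IP used for load balancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str       # "*", a service tag (Internet, VirtualNetwork, AzureLoadBalancer) or a CIDR
    dest_ports: str   # "*", "80", "22,80" or "1024-65535"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    action: str       # "Allow" or "Deny"


# Azure's default inbound rules; they cannot be edited, only shadowed by lower numbers.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]


def validate(rules):
    """Custom rules must use priority 100-4096, and priorities must be unique in an NSG."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority}")
        seen.add(r.priority)
    return True


def source_matches(spec, src_ip):
    ip = ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":            # simplified: anything outside the VNet address space
        return ip not in VNET
    if spec == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return ip in ip_network(spec)     # explicit CIDR


def port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip, dst_port, protocol):
    """Return (action, rule name) of the first matching rule, lowest priority number first."""
    validate(rules)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and source_matches(r.source, src_ip)
                and port_matches(r.dest_ports, dst_port)):
            return r.action, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


# Web subnet: HTTP and SSH from the Internet. VNet traffic is already allowed and
# everything else already denied by the default rules, so nothing more is needed.
WEB_NSG = [
    Rule("AllowHttpFromInternet", 100, "Internet", "80", "Tcp", "Allow"),
    Rule("AllowSshFromInternet", 110, "Internet", "22", "Tcp", "Allow"),
]

# App subnet, first attempt: allow the web subnet. NOT enough on its own, because the
# default AllowVnetInBound (65000) still admits every other subnet in the VNet.
APP_NSG_INCOMPLETE = [
    Rule("AllowFromWebSubnet", 100, WEB_SUBNET, "*", "*", "Allow"),
]

# App subnet, corrected: an explicit Deny on the VirtualNetwork tag with a number below
# 65000 shadows the default allow, while the web-subnet allow at 100 still matches first.
APP_NSG = APP_NSG_INCOMPLETE + [
    Rule("DenyOtherVnetInBound", 4096, "VirtualNetwork", "*", "*", "Deny"),
]

if __name__ == "__main__":
    print(evaluate(WEB_NSG, "203.0.113.5", 80, "Tcp"))            # Allow, AllowHttpFromInternet
    print(evaluate(APP_NSG_INCOMPLETE, "10.0.3.9", 8080, "Tcp"))  # Allow, AllowVnetInBound (the gap)
    print(evaluate(APP_NSG, "10.0.3.9", 8080, "Tcp"))             # Deny, DenyOtherVnetInBound
```

The model deliberately simplifies the service tags: in Azure the VirtualNetwork tag also covers peered VNets and address ranges reachable through a VPN or ExpressRoute gateway, so a real "deny the rest of the VNet" rule reaches further than this VNet's own CIDR. The key habit it demonstrates is to reason about the default rules as part of the set, not just the rules you typed.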
-
When a VM is created, an NSG is created along with it and associated with the VM's network interface.
-
Exercise: create a VNet as described in the architecture below
- Diagram
- Web subnet and Management subnet should be accessible from anywhere (including the internet) => create an NSG
- Business subnet should be accessible from Web & Mgmt
- Data subnet should be accessible from Business & Mgmt
- AD subnet should be accessible from all other subnets, but not from the internet
- Diagram