Azure Network Security groups
- Azure Network Security Groups (NSGs) filter network traffic to and from Azure resources in a virtual network
- An NSG contains security rules that allow or deny inbound traffic and outbound traffic
- In the last class we created a VM that was reachable at http://publicip but not at http://publicip:8080. The NSG was denying the access to 8080: no rule allowed that port, and the default rules deny every inbound connection that no other rule allows
- Every NSG has security rules. Each security rule has the following properties
  - Name
  - Priority: a number between 100 and 4096. Rules are evaluated in ascending order and the first match wins, so a lower number means a higher priority
  - Source: Any, an individual IP, a CIDR range or a service tag (such as VirtualNetwork or Internet) that the traffic comes from
  - Destination: Any, an individual IP, a CIDR range or a service tag that the traffic goes to
  - Protocol: TCP, UDP, ICMP or Any
  - Direction: Inbound or Outbound
  - Port Range: the destination port or port range the rule applies to (e.g. 80, 3306 or 1024-65535)
  - Action: Allow or Deny
- Let's create a network security group in Azure
  - Create a resource group
  - Create an NSG
- The NSG we create already has some security rules, referred to as default security rules
- These default security rules (priorities 65000 to 65500; they cannot be edited or deleted)
  - allow all outbound traffic (from an Azure resource to the virtual network and to the Internet)
  - allow all inbound traffic within the virtual network (between Azure resources in a VNet)
  - allow all communication from the Azure load balancer to Azure resources in the VNet
  - deny all other inbound traffic and all other outbound traffic (DenyAllInBound is the rule that blocked port 8080 in the last class; a custom rule with a number below 65500 is needed to open a port from the Internet)
- Exercise: create a network security group which
  - allows ping (ICMP) and HTTP (TCP port 80) from anywhere
  - allows TCP port 3306 from 100.120.200.220
  - denies TCP port 3306 from anywhere else (the allow rule must carry a lower priority number than the deny rule, otherwise the deny matches first and 100.120.200.220 is blocked too)
- Next steps?
  - Why leave gaps in the priority numbering of rules (100, 110, 120 instead of 100, 101, 102): so a rule can be inserted between existing ones later without renumbering
  - An NSG can be associated with a subnet as well as with a NIC; when both have one, inbound traffic has to be allowed by the subnet NSG and then by the NIC NSG (outbound is checked on the NIC first, then the subnet)
  - Consider an enterprise architecture and design its NSGs
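The rule evaluation described in these notes, as an added example that is not from the course material: a small Python model of an NSG that carries Azure's default rules plus the rules from the exercise, evaluated first-match in ascending priority order. It shows why port 80 passes and port 8080 hits DenyAllInBound, why the 3306 allow for the admin host must sort before the blanket deny, and what happens when an NSG sits on both the subnet and the NIC. The VNet range 10.0.0.0/16, the VM address 10.0.1.4, the client 203.0.113.7, and the custom rule names and priorities are constructed for the example; the service-tag resolution (VirtualNetwork = the VNet range, Internet = anything outside it) is a simplifying assumption, not Azure's full tag definition.

```python
"""Model of NSG rule evaluation: lowest priority number first, first match wins."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower number is checked first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*" (any)
    source: str        # "*", a service tag, a single IP or a CIDR
    destination: str   # same forms as source
    dest_ports: str    # "*", "80" or a range such as "1024-65535"


# Azure's built-in default rules; they sit at 65000-65500 and cannot be edited or deleted.
DEFAULT_RULES = [
    Rule("AllowVnetInBound",              65000, "Inbound",  "Allow", "*", "VirtualNetwork",    "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound",  "Allow", "*", "AzureLoadBalancer", "*",              "*"),
    Rule("DenyAllInBound",                65500, "Inbound",  "Deny",  "*", "*",                 "*",              "*"),
    Rule("AllowVnetOutBound",             65000, "Outbound", "Allow", "*", "VirtualNetwork",    "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound",         65001, "Outbound", "Allow", "*", "*",                 "Internet",       "*"),
    Rule("DenyAllOutBound",               65500, "Outbound", "Deny",  "*", "*",                 "*",              "*"),
]

# Constructed rules for the exercise (names and priorities are assumptions). The allow for the
# admin host carries a LOWER number than the blanket deny, otherwise the deny matches first.
EXERCISE_RULES = DEFAULT_RULES + [
    Rule("AllowPingFromAnywhere", 100, "Inbound", "Allow", "Icmp", "*",               "*", "*"),
    Rule("AllowHttpFromAnywhere", 110, "Inbound", "Allow", "Tcp",  "*",               "*", "80"),
    Rule("AllowMySqlFromAdmin",   200, "Inbound", "Allow", "Tcp",  "100.120.200.220", "*", "3306"),
    Rule("DenyMySqlFromAnywhere", 210, "Inbound", "Deny",  "Tcp",  "*",               "*", "3306"),
]

# Constructed addressing used to resolve the service tags (assumption, not from the notes).
VNET = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB = ipaddress.ip_address("168.63.129.16")   # the address behind the AzureLoadBalancer tag


def prefix_matches(prefix: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET
    if prefix == "AzureLoadBalancer":
        return addr == AZURE_LB
    if prefix == "Internet":           # simplification: everything outside the VNet
        return addr not in VNET
    return addr in ipaddress.ip_network(prefix, strict=False)   # single IP or CIDR


def port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port=0):
    """First matching rule in ascending priority order decides; the default rules guarantee a match."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if prefix_matches(r.source, src_ip) and prefix_matches(r.destination, dst_ip) \
                and port_matches(r.dest_ports, dst_port):
            return r.access, r.name
    return "Deny", "NoMatch"


def evaluate_effective(subnet_rules, nic_rules, direction, *packet):
    """An NSG can sit on the subnet and on the NIC. Inbound traffic is checked subnet first,
    then NIC; outbound is NIC first, then subnet. Both must allow for the traffic to pass."""
    order = (subnet_rules, nic_rules) if direction == "Inbound" else (nic_rules, subnet_rules)
    result = ("Allow", "NoNsg")
    for rules in order:
        if rules is None:
            continue
        result = evaluate(rules, direction, *packet)
        if result[0] == "Deny":
            return result
    return result


def with_priority(rules, name, priority):
    """Copy of the rule set with one rule moved to a new priority (to show why ordering matters)."""
    return [replace(r, priority=priority) if r.name == name else r for r in rules]


if __name__ == "__main__":
    vm = "10.0.1.4"
    print(evaluate(EXERCISE_RULES, "Inbound", "Tcp", "203.0.113.7", vm, 80))        # Allow, AllowHttpFromAnywhere
    print(evaluate(EXERCISE_RULES, "Inbound", "Tcp", "203.0.113.7", vm, 8080))      # Deny, DenyAllInBound
    print(evaluate(EXERCISE_RULES, "Inbound", "Tcp", "100.120.200.220", vm, 3306))  # Allow, AllowMySqlFromAdmin
    print(evaluate(with_priority(EXERCISE_RULES, "DenyMySqlFromAnywhere", 150),
                   "Inbound", "Tcp", "100.120.200.220", vm, 3306))                  # Deny: the deny now sorts first
```

The last call moves the deny rule to priority 150, between the HTTP allow and the admin allow, and the admin host is locked out; that is the ordering mistake the exercise is designed to surface. The gaps of ten between 100, 110, 200 and 210 are what make such a move possible without renumbering every other rule. `evaluate_effective` with the default rules on the subnet and the exercise rules on the NIC still denies port 80, because the subnet NSG has no allow for it: opening a port means opening it on every NSG in the path.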
