Azure network security groups contd
- Why to leave numbers b/w security rules
- Security rules in nsg have priority from 100 to 4096.
- Generally its a good practice to leave some numbers b/w security rules. The reason for that is to accomodate changes in the future
- Consider this nsg
- now lets assume there is a DDOS attack from 110.100.100.202 and we need to stop that from nsg
- NSG can be applied to the subnet as well.
- Lets try to create the network, subnets and NSG for the architecture shown below
- Now lets try to create nsg rule for subnet Application Gateway
- So that only port 443 and 80 is allowed from internet
- Now lets apply this NSG to Application Gateway Subnet
- So that only port 443 and 80 is allowed from internet
- Now lets try to create a NSG for Management subnet which
- allows 3389 port from anywhere (ideally this would be your organization n/w range)
- allows 3389 port from anywhere (ideally this would be your organization n/w range)
- If there is contradicting rule one says allow and the other says deny in nsg associated with nic and nsg associated with subnet, deny always wins
- Lets look at this scenario
- Create a nsg rule for subnet3
- allow all connections from subnet1 cidr range
- deny all connections from subnet2 cidr range
- Now lets look at this scenario
- To solve this we need to take individual vm’s ip and then write rules, Azure supports some thing called as Azure Application Security groups which can largely simplify these kind of scenarios.
