Azure Classroom Series – 28/Mar/2021

Application Security Groups (ASG)

  • Application Security Groups let you manage the security of virtual machines by grouping their network interfaces according to the application role they play (web, app, db) and writing NSG rules against those groups instead of against IP addresses or subnets
  • So let's try this sample
    • Create a virtual network with 4 subnets
      • subnet1
      • subnet2
      • subnet3
      • subnet4
    • Create 3 ASGs (WebServers, AppServers, DbServers)
    • Now let's create an NSG which allows
      • traffic from anywhere into WebServers on ports 80 and 22 (in practice, restrict port 22 to your admin source address range rather than the whole internet)
      • traffic from WebServers to AppServers on port 8080
      • traffic from AppServers to DbServers on ports 3306/1433
      • ping (ICMP) with the same source/destination restrictions
      • deny the rest of the traffic. This needs an explicit deny rule with a priority number greater than the allow rules' but less than 65000: the built-in AllowVnetInBound rule at priority 65000 would otherwise let any VM in the VNet reach any other VM, bypassing the tiering
    • Create 3 Linux VMs in any subnets of your choice
      • Create a Linux VM for webserver functionality; once the VM is created, navigate to its Networking section and add its network interface to the WebServers ASG
      • Create one more Linux VM in any subnet and add it to AppServers in the ASG section
      • Create one more Linux VM in any subnet and add it to DbServers in the ASG section
      • Use the same network security group for all the VMs
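The whole procedure above, as an added Azure CLI script (this is not code from the original post). The resource group, region, VNet/NSG names, address ranges and the admin source CIDR for SSH are assumed values; it tightens the page's "port 22 from anywhere" to an admin range and adds the explicit deny that the lab's "deny the rest" requires. With `DRY_RUN=1` it prints the `az` commands instead of running them, so the plan can be reviewed before touching a subscription.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): build the ASG/NSG lab above
# with the Azure CLI. Resource names, region and address ranges are assumed values.
# -f (noglob) keeps the '*' wildcards used in NSG rules from matching local files.
set -euf

RG="${RG:-asg-lab-rg}"
LOC="${LOC:-eastus}"
VNET="${VNET:-asg-lab-vnet}"
NSG="${NSG:-asg-lab-nsg}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # assumed admin source for SSH (doc range)

# run: execute an az command, or just print it when DRY_RUN=1 so the plan can be
# reviewed (and the script exercised) without a subscription.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_network() {
  local i
  run az group create --name "$RG" --location "$LOC"
  run az network vnet create --resource-group "$RG" --name "$VNET" --location "$LOC" \
    --address-prefix 10.10.0.0/16 --subnet-name subnet1 --subnet-prefix 10.10.1.0/24
  for i in 2 3 4; do
    run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
      --name "subnet$i" --address-prefix "10.10.$i.0/24"
  done
  # One NSG shared by every VM in the lab, applied at subnet level on all four subnets
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOC"
  for i in 1 2 3 4; do
    run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name "subnet$i" --network-security-group "$NSG"
  done
}

create_asgs() {
  local asg
  for asg in WebServers AppServers DbServers; do
    run az network asg create --resource-group "$RG" --name "$asg" --location "$LOC"
  done
}

# nsg_rule NAME PRIORITY PROTOCOL PORTS SRC_KIND SRC DST_ASG
# SRC_KIND is "prefix" (CIDR or service tag) or "asg"; a single rule cannot mix
# --source-address-prefixes with --source-asgs, so the caller picks one.
nsg_rule() {
  local name=$1 prio=$2 proto=$3 ports=$4 src_kind=$5 src=$6 dst_asg=$7 src_flag
  if [ "$src_kind" = asg ]; then src_flag=--source-asgs; else src_flag=--source-address-prefixes; fi
  # $ports is deliberately unquoted: "3306 1433" becomes two port-range arguments
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name "$name" \
    --priority "$prio" --direction Inbound --access Allow --protocol "$proto" \
    "$src_flag" "$src" --destination-asgs "$dst_asg" --destination-port-ranges $ports
}

create_rules() {
  nsg_rule AllowHttpToWeb    100 Tcp  80          prefix Internet      WebServers
  nsg_rule AllowSshToWeb     110 Tcp  22          prefix "$ADMIN_CIDR" WebServers
  nsg_rule AllowWebToApp     200 Tcp  8080        asg    WebServers    AppServers
  nsg_rule AllowAppToDb      300 Tcp  "3306 1433" asg    AppServers    DbServers
  nsg_rule AllowPingToWeb    400 Icmp '*'         prefix Internet      WebServers
  nsg_rule AllowPingWebToApp 410 Icmp '*'         asg    WebServers    AppServers
  nsg_rule AllowPingAppToDb  420 Icmp '*'         asg    AppServers    DbServers
  # Explicit deny after the allows (higher number = lower precedence). Without it the
  # built-in AllowVnetInBound rule at 65000 lets every VM in the VNet reach every other.
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name DenyAllInbound \
    --priority 4000 --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes '*' --destination-address-prefixes '*' --destination-port-ranges '*'
}

# create_vm NAME SUBNET ASG: create a Linux VM whose NIC joins the ASG at creation
# time; --nsg "" suppresses the per-NIC NSG az would otherwise add (with SSH open).
create_vm() {
  run az vm create --resource-group "$RG" --name "$1" --image Ubuntu2204 \
    --vnet-name "$VNET" --subnet "$2" --nsg "" --asgs "$3" \
    --admin-username azureuser --generate-ssh-keys
}

deploy_lab() {
  create_network
  create_asgs
  create_rules
  create_vm web1 subnet1 WebServers
  create_vm app1 subnet2 AppServers
  create_vm db1  subnet3 DbServers
}

# Usage: DRY_RUN=1 ./asg-lab.sh deploy   (print the plan)   |   ./asg-lab.sh deploy
if [ "${1:-}" = deploy ]; then deploy_lab; fi
```

Two design points worth noticing: the NSG is attached once, at subnet level, so every VM inherits it regardless of which subnet you choose, and the ASG membership is set at `az vm create` time with `--asgs` (the portal's Networking section does the same to the NIC after the fact). The explicit `DenyAllInbound` at priority 4000 is what turns the three allow rules into an actual tiering; without it web1 could reach db1 directly through the default VNet rule.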

Scenario:

  • Create two vnets in two different resource groups (in two different locations)
  • Create a resource group for each vnet first
  • If we create VMs in two different vnets they can communicate over their public IPs, but that traffic goes over the internet. Our requirement is to enable communication between the two vnets over private IP addresses
  • Enabling private communication between virtual networks in Azure is referred to as vnet peering; when the vnets are in different regions it is global vnet peering, and the traffic stays on the Microsoft backbone rather than the public internet
  • Now let's create one VM in network1 and one VM in network2
  • Once the VMs are created, log in to the VM in network1 and from there try to log in to the VM in network2 using its private IP address
  • There is no private connectivity. Now navigate to network1, select Peerings and add a peering to network2. A peering consists of two links, one from each vnet; the portal's Add peering dialog creates both, and until both exist the peering state stays Initiated rather than Connected
  • Now try again to log in over the private IP address, which failed earlier
  • Ideally you should make changes in the NSG to allow the communication from the CIDR range of network1 in network2 and vice versa. With the default NSG rules it already works, because the VirtualNetwork service tag used by the built-in AllowVnetInBound rule includes the address space of peered vnets; an explicit rule for the peer's CIDR (scoped to the ports you actually need, such as 22) is required only if you have added a deny rule that overrides the defaults
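The peering scenario above, as an added Azure CLI script (not code from the original post). The resource group, vnet and NSG names are assumed values. It creates both links of the peering, checks that Azure reports them as Connected, and carries the narrowly scoped NSG rule for the case where an explicit deny shadows the default VNet rule. With `DRY_RUN=1` it prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): peer network1 and network2, which
# live in different resource groups and regions, with the Azure CLI, then verify the
# peering state. Resource group, VNet and NSG names are assumed values.
set -euf

RG1="${RG1:-rg-network1}"; VNET1="${VNET1:-network1}"
RG2="${RG2:-rg-network2}"; VNET2="${VNET2:-network2}"

# run: execute an az command, or just print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vnet_id RG NAME: the peer lives in another resource group, so --remote-vnet needs
# the full resource ID, not a bare name. DRY_RUN substitutes a placeholder ID.
vnet_id() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s\n' "$1" "$2"
  else
    az network vnet show --resource-group "$1" --name "$2" --query id -o tsv
  fi
}

# peer_link RG VNET LINK_NAME REMOTE_ID: create one direction of the peering
peer_link() {
  run az network vnet peering create --resource-group "$1" --vnet-name "$2" --name "$3" \
    --remote-vnet "$4" --allow-vnet-access
}

# peer_vnets: a peering is two links, one from each VNet. Until both exist the
# state stays Initiated and no private traffic flows.
peer_vnets() {
  peer_link "$RG1" "$VNET1" "${VNET1}-to-${VNET2}" "$(vnet_id "$RG2" "$VNET2")"
  peer_link "$RG2" "$VNET2" "${VNET2}-to-${VNET1}" "$(vnet_id "$RG1" "$VNET1")"
}

# peering_connected RG VNET LINK_NAME: succeed only when Azure reports Connected
peering_connected() {
  local state
  state=$(az network vnet peering show --resource-group "$1" --vnet-name "$2" --name "$3" \
            --query peeringState -o tsv)
  [ "$state" = "Connected" ]
}

# allow_ssh_from_peer RG NSG PEER_CIDR: needed only when the NSG carries an explicit
# deny that shadows the default AllowVnetInBound rule (whose VirtualNetwork tag
# already covers peered address space). Scoped to the peer's CIDR and port 22 only.
allow_ssh_from_peer() {
  run az network nsg rule create --resource-group "$1" --nsg-name "$2" --name AllowSshFromPeer \
    --priority 300 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$3" --destination-address-prefixes '*' --destination-port-ranges 22
}

# Usage: DRY_RUN=1 ./peer.sh peer  (print the plan)  |  ./peer.sh peer
if [ "${1:-}" = peer ]; then
  peer_vnets
  peering_connected "$RG1" "$VNET1" "${VNET1}-to-${VNET2}"
  peering_connected "$RG2" "$VNET2" "${VNET2}-to-${VNET1}"
fi
```

The `peering_connected` check is the step people skip: a peering created from one side only shows as Initiated, and the SSH test from the VM will keep failing exactly as it did before peering. The rule in `allow_ssh_from_peer` deliberately names the peer's CIDR and a single port rather than reopening everything from the VirtualNetwork tag.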
