Network Security Groups (NSG)
- NSG’s can be attached to Network Interface and also to subnets
- NSG’s have two types rules
- incoming/inbound (ingress)
- outgoing/outbound (egress)
- Rules have a number which defines priority. Lower the number higher the priority
- NSG’s have default rules
-
Each rule will have
- Priority:
- Port: port no
- Protocol:
- TCP
- UDP
- ICMP
- Source:
- Destination: Will have similar options as Source
- Action: Allow or Deny
-
IpAddress in source of destination we will be giving CIDR Ranges. This works on the basis of network id
- specific network: 10.10.0.0/16
- specific ip address: 100.100.100.100/32
- Any ip address: 0.0.0.0/0
-
Best Practices:
- Start NSG Rules from numbers such as 300 (but not 100)
- Between rules have some numbers left
Scenario 1: Create NSG For the below
- Overview
- Web NSG:
- App NSG: it should allow only internal communication with in vnet & no connectivity from internet. That is what we get as default rules in NSG
- DB nsg: deny incoming from web subnet
Scenario 2: Create NSG For the the below
- Overview
- Web server runs on port 443 (TCP)
- app server runs on port 5000 (TCP)
- db server run on port 3306 (TCP)
- Allow 22 port communication from any ip with in network for web,app,db servers.
Exercise
- Test by creating 3 vms in network
