How to manage Network Security Groups (NSG) in Azure


Microsoft Azure lets the administrator control traffic within subnets using the Network Security Group (NSG) feature. In this tutorial we go over the basics: creating an NSG, associating it with a subnet, and adding rules to it.

Solution


For any new VM created in a subnet, the following network rules apply by default:

  • Traffic among subnets is allowed (no restrictions)
  • The VM will have RDP (on a random public port) and PowerShell endpoints, as shown in the image below
  • All VMs can access the Internet


An NSG can be applied to a subnet or even to a single VM; for this tutorial we are going to apply it to a subnet. We will use the following network scenario, where we have a subnet called AP-DMZ on which we are going to deploy a few ADFS Proxy servers.


You may be wondering what the difference is between endpoint ACLs and NSGs. The answer is simple: endpoint ACLs apply only to inbound traffic arriving through the public IP, while an NSG controls both inbound and outbound traffic.

How to create a NSG…

The first step is to connect to Windows Azure using PowerShell; if you don't remember how to do this, please check this tutorial out:

All NSG management is done through PowerShell at this point, so from now on all configuration will be done using PowerShell.

To create an NSG we just need to specify a name, a datacenter location, and a label, using the following cmdlet:

New-AzureNetworkSecurityGroup -Name <nome-do-NSG> -Location <Local-do-Azure-Datacenter> -Label "ADFS Proxy DMZ NSG"


Associating a subnet…

To list all NSGs we can run Get-AzureNetworkSecurityGroup, and we can use the pipe ("|") to associate an NSG with a specific subnet.

In the example below we associate our subnet AP-DMZ with the NSG we have just created:

Get-AzureNetworkSecurityGroup -Name <NSG-Nome> | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName <Azure-NetworkName> -SubnetName <Subnet-Nome>


After associating a default NSG with a subnet, the existing endpoints will no longer work; if you need RDP or PowerShell access, it must be allowed at the NSG level using rules.

Creating a NSG rule…

Every NSG rule has a priority, and rules are applied from lower numbers to higher numbers. A rule is made up of nine items: name, type, priority, source IP address, source port range, destination IP range, destination port range, protocol, and access.

Using the following cmdlet we allow incoming HTTPS (TCP 443) traffic from the Internet in our NSG:

Get-AzureNetworkSecurityGroup -Name AZNA-NSG-DMZ | Set-AzureNetworkSecurityRule -Name IN-Internet-HTTPS -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix "INTERNET" -SourcePortRange * -DestinationAddressPrefix "10.190.6.0/24" -DestinationPortRange 443 -Protocol TCP

Another example is listed below; in this one we allow RDP traffic from the Windows Azure/on-premises network to our AP-DMZ subnet:

Get-AzureNetworkSecurityGroup -Name AZNA-NSG-DMZ | Set-AzureNetworkSecurityRule -Name IN-LAN-RDP -Type Inbound -Priority 120 -Action Allow -SourceAddressPrefix "VIRTUAL_NETWORK" -SourcePortRange * -DestinationAddressPrefix "10.190.6.0/24" -DestinationPortRange 3389 -Protocol TCP

How to check the existent rules…

After creating all your rules you may have to maintain and document them. Using the following cmdlet we can see at a glance all the rules in place for both inbound and outbound traffic:

Get-AzureNetworkSecurityGroup -Name "AZNA-NSG-DMZ" -Detailed
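The whole procedure above (create, associate, add rules, review) as one script, added here as an illustration and not the author's original code. It uses the classic (Service Management) cmdlets shown on the page; the NSG name AZNA-NSG-DMZ, the 10.190.6.0/24 prefix and the two rules come from the page, while the location, virtual network name and the assumption that the -Detailed output exposes a Rules collection with Type, Priority, Action, SourceAddressPrefix and DestinationPortRange properties are mine.

```powershell
# Added example: build the AP-DMZ NSG end to end with the classic Azure cmdlets.
# Values from the page: NSG name, destination prefix, the two rules, subnet name.
# Assumed (replace for your environment): location and virtual network name.
$nsgName    = 'AZNA-NSG-DMZ'
$location   = 'East US'            # assumed datacenter location
$vnetName   = 'AZNA-VNET'          # assumed virtual network name
$subnetName = 'AP-DMZ'             # subnet from the page
$dmzPrefix  = '10.190.6.0/24'      # AP-DMZ address range from the page

# 1. Create the NSG only if it does not exist yet (the cmdlet errors on duplicates).
$nsg = Get-AzureNetworkSecurityGroup -Name $nsgName -ErrorAction SilentlyContinue
if (-not $nsg) {
    $nsg = New-AzureNetworkSecurityGroup -Name $nsgName -Location $location -Label 'ADFS Proxy DMZ NSG'
}

# 2. Associate it with the subnet; from this point the old endpoint ACLs no longer apply.
$nsg | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnetName -SubnetName $subnetName

# 3. Rules kept as data so their priorities can be reviewed in one place (lower number wins).
$rules = @(
    @{ Name='IN-Internet-HTTPS'; Type='Inbound'; Priority=100; Action='Allow'
       SourceAddressPrefix='INTERNET';        SourcePortRange='*'
       DestinationAddressPrefix=$dmzPrefix;   DestinationPortRange='443';  Protocol='TCP' }
    @{ Name='IN-LAN-RDP';        Type='Inbound'; Priority=120; Action='Allow'
       SourceAddressPrefix='VIRTUAL_NETWORK'; SourcePortRange='*'
       DestinationAddressPrefix=$dmzPrefix;   DestinationPortRange='3389'; Protocol='TCP' }
)
foreach ($r in $rules) {
    # Splatting maps each hashtable key onto the matching Set-AzureNetworkSecurityRule parameter.
    Get-AzureNetworkSecurityGroup -Name $nsgName | Set-AzureNetworkSecurityRule @r | Out-Null
}

# 4. Review: list inbound rules by priority and flag any Allow rule that opens a
#    management port (RDP, WinRM/PowerShell remoting, or any port) to the INTERNET tag.
$detail    = Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed   # assumes .Rules collection
$mgmtPorts = '3389', '5985', '5986', '*'
$detail.Rules |
    Where-Object { $_.Type -eq 'Inbound' } |
    Sort-Object Priority |
    ForEach-Object {
        $flag = ''
        if ($_.Action -eq 'Allow' -and $_.SourceAddressPrefix -eq 'INTERNET' -and
            $mgmtPorts -contains $_.DestinationPortRange) { $flag = '  <-- review: management port open to Internet' }
        '{0,5} {1,-20} {2,-6} {3,-16} -> {4,-6} {5}' -f $_.Priority, $_.Name, $_.Action,
            $_.SourceAddressPrefix, $_.DestinationPortRange, $flag
    }
```

With the two rules from the page the review step prints both without a flag; it only flags a rule if someone later allows RDP or WinRM from INTERNET, which is the kind of change the -Detailed listing is meant to catch.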


NSGs are a great resource for creating a DMZ and for protecting subnets in general when using Microsoft Azure.

Written by Anderson Patricio

Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson has been contributing to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at ITPROCentral.com, MSExchange.org, Techgenix.com and Anderson Patricio.org (Portuguese).
