
Virtual Geek

Tales from real IT system administrators world and non-production environment

CREATE NEW NSG (NETWORK SECURITY GROUP - VIRTUAL FIREWALL ACL) ON MICROSOFT AZURE

January 20, 2017 10:18AM

In my earlier blog post POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL I described how to export an NSG (Network Security Group) to a CSV file (readable in Excel) using PowerShell; that file can later be used to create a new NSG with the same rules, or edited first. An NSG is essentially a virtual firewall containing inbound and outbound rules (ACLs), much like the Windows Firewall rules under Control Panel. A new NSG is created automatically when you create a new Azure Virtual Machine.

Network Security Groups can be associated with either a VM NIC or a vNet (Virtual Network) subnet. To demonstrate, in the Visio diagram below I have two Azure Virtual Machines in the same vNet subnet, both hosting an IIS web server. I have applied one NSG to the Azure Virtual Network subnet with an inbound rule allowing only port 80 (HTTP) from everyone outside.

Next blog article MICROSOFT AZURE POWERSHELL: CREATING NEW NSG (NETWORK SECURITY GROUP)

Figure 1: Microsoft Azure, NSG, network security group, Inbound firewall rule 80 http, vnet, virtual network

In another scenario the diagram is mostly the same, but instead of attaching the NSG to the Virtual Network I have created two separate NSGs and attached them to the individual VM NICs, opening only the required ports. Here I have two VMs with different OS flavors, and each NSG needs to open only the port required for remote management: RDP 3389 on Windows and SSH 22 on Linux. Unlike the diagram above, the NSG is applied to the VM directly, so firewall ACLs can be controlled per VM. It also gives me control over which IP or network can access the VM; the same kind of rule can be created for outbound traffic as well.

It is also possible to attach a single NSG (Network Security Group) to multiple VMs, but each VM NIC or vNet subnet can have only one NSG associated with it.

Figure 2: Microsoft Azure, NSG, network security group, Open Inbound firewall rule 80 http, rdp 3389 windows, 22 ssh linux, vnet, virtual network

Whenever a virtual machine is created, one NSG is automatically created and attached to that VM. Here instead I will create the NSG manually first and associate it with a VM later. Open the Resource Group and click the +Add button.

Microsoft Azure Add new resource NSG Network Security Group in Resource group vcloud-lab.com

Search the list for Network Security Group and select it to create a new one. Many third-party firewall appliances are also available in the list.

Microsoft Azure create Add new resource manager firewall layer NSG Network Security Group in Resource group barracuda vcloud-lab.com

Give the Network Security Group a name. Once the NSG is created it will appear in the Resource Group after a refresh. At this point the NSG exists but contains no rules; click the NSG to create new rules.

Microsoft Azure newly created refresh resource Group NSG Network Security Group

There are two types of security rules we can create: Inbound and Outbound. In this lab I will create an Inbound (incoming) rule only, enabling port 3389 for Windows RDP.

Microsoft Azure NSG Network Security Group add Inbound security rules Firewall, Priority, Firewall Source destination, TCP UDP Ports

Once the rules are created and the page is refreshed, the rules will be visible in the list.

Priority: Rules are processed in priority order; the lower the number, the higher the priority. For better design Microsoft recommends leaving gaps between priorities (100, 200, 300, etc.) so new rules can be added later without editing existing ones. The priority must be in the range 100 to 4096.
Source: The computer from which you will connect to the Azure VM. * means any; you can also specify a single IP address, an IP address range, or a default tag. It defines the source IP address range whose incoming traffic will be allowed or denied by this rule.
Destination: The Azure VM. It specifies the destination IP address range for which traffic will be allowed or denied by this rule.
Service: The port number and protocol (TCP, UDP or both). It specifies the destination protocol and port range for this rule; you can choose a predefined service such as RDP or SSH, or provide a custom port range.
Action: Can be either Allow or Deny.

Microsoft Azure NSG Network Security Group add Inbound security rules Firewall, Priority, Firewall Source destination, TCP UDP Ports advanced basic, port range allow deny, service

Outbound NSG rules are created the same way; they allow or deny (block) traffic leaving the VM. The screenshot below, taken while creating a new virtual machine, shows that I can attach an existing network security group to it. If the VM has multiple network cards, you can assign one NSG per NIC.

Microsoft Azure attaching or associating existing NSG Network Security Group on virtual machine vm in Settings Configure optional features choose firewall

You can also create a Virtual Machine without any NSG defined and attach an NSG to the VM NIC later with the steps below: under the Resource Group, select the Network interface and attach the NSG under Network security group, as shown.

Microsoft Azure deploy virtual network interface, attach associate existing network security group NSG to virtual machine vm

Here is another example where the NSG is associated with a Virtual Network (vNet) subnet.

Microsoft Azure create new NSG, network security group attach, associate add it to vnet virtual network subnets
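As an added example (not code from the original post), here is the same procedure done with the Az PowerShell module: create the NSG with inbound RDP, SSH and HTTP rules, associate it with a VM NIC or with a vNet subnet, and list the effective rules as a check. The resource group, location, NIC, vNet and subnet names and the 203.0.113.0/24 admin range are assumed placeholders.

```powershell
# Added example, not the original post's code. Assumed placeholders: resource group
# 'vcloud-lab', location 'eastus', NIC 'web01-nic', vNet 'vnet01', subnet 'subnet01',
# admin range 203.0.113.0/24. Requires the Az module and Connect-AzAccount beforehand;
# the older AzureRm cmdlets differ only in the 'AzureRm' prefix.
$rg = 'vcloud-lab'; $location = 'eastus'
$adminNet = '203.0.113.0/24'   # constructed range allowed to reach management ports

# Priorities 100/200/300 leave gaps so rules can be inserted later without renumbering.
$rdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Admin' -Access Allow -Protocol Tcp `
    -Direction Inbound -Priority 100 -SourceAddressPrefix $adminNet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
$ssh = New-AzNetworkSecurityRuleConfig -Name 'Allow-SSH-Admin' -Access Allow -Protocol Tcp `
    -Direction Inbound -Priority 200 -SourceAddressPrefix $adminNet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22
# HTTP is the only port open to any source ('*'), matching the web-server diagram.
$http = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP-Any' -Access Allow -Protocol Tcp `
    -Direction Inbound -Priority 300 -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80
# No custom deny-all is needed: anything not matched falls through to the built-in
# DenyAllInBound (priority 65500). A custom '*' deny would also override the default
# AllowVnetInBound and AllowAzureLoadBalancerInBound rules, breaking LB health probes.

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg `
    -Location $location -SecurityRules $rdp, $ssh, $http

# Option A: associate with a single VM NIC (a NIC can carry only one NSG).
$nic = Get-AzNetworkInterface -Name 'web01-nic' -ResourceGroupName $rg
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Option B: associate the same NSG with a vNet subnet instead (one NSG per subnet).
$vnet   = Get-AzVirtualNetwork -Name 'vnet01' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'subnet01' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet01' `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the rules actually in effect on the NIC (custom plus the three defaults),
# in the order the platform evaluates them. The VM must be running for this call.
(Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'web01-nic' -ResourceGroupName $rg).EffectiveSecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

If the NSG is attached at both the subnet and the NIC, traffic must be allowed by both; the effective-rules output is the quickest way to see the combined result.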

This Visio shows how security rules work. The lower the priority number, the higher the precedence. In inbound security rules the Source is the computer initiating the connection and the Destination is, in most cases, the remote computer (the Azure VM). For outbound security rules the scenario is the complete opposite: the Source is the Azure VM that wants to communicate and the Destination is the remote computer (which can also be an Azure VM).

Microsoft Azure, Inbound and outbound firewall security rules, explained priority, Source and destination, allow deny

Finally, for information, there are 3 default rules in every NSG (for both Inbound and Outbound). They cannot be modified or deleted. The last rule in the list denies all traffic and has the lowest priority; above it, VMs and resources in the virtual network and Azure load balancers are allowed to connect, with higher priority than DenyAllInbound.

Microsoft windows Azure nsg, network security group, inbound and outbound default security rules cannot be modified

Useful Links
INSTALLING MICROSOFT AZURE POWERSHELL
PART 9: CREATING AND MANAGING VIRTUAL MACHINE (VM) USING MICROSOFT AZURE RESOURCE MANAGER PORTAL
POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL
MICROSOFT AZURE POWERSHELL: CLONING (COPING) OR IMPORTING EXISTING NSG (NETWORK SECURITY GROUP) FROM EXCEL


You can add an example of how to do ACLs that enable IPs from providers so they can use RDP, and deny all.
