So you want to know how to improve your IaaS corporate security without having to dish out extra £££ on the BYOL firewall services available from the Azure Marketplace?
Business Requirement: Please provide extra security for our Virtual Machines we have hosted in the Microsoft Cloud.
Resolution: I am going to implement an extra level of security using a Microsoft capability that was introduced around 2014 at TechEd Europe called Network Security Groups or NSGs.
Short Summary on NSGs
- An NSG contains access control rules that allow or deny traffic based on direction, protocol, source address and port, and destination address and port.
- An NSG has a name and is associated with one or more virtual machines, role instances, network adapters or subnets in a virtual network.
- The rules in an NSG are processed in order of priority.
- A VM or a subnet can have only one NSG applied to it.
- Rules applied at the subnet level are enforced on every individual machine in that subnet, so a deny-all rule on the subnet means the machines can no longer communicate with each other either.
Azure ACLs VS NSGs
So you already know about Access Control Lists in Azure, so why use NSGs? ACLs can only be associated with the public port endpoint of a virtual machine instance, whereas NSGs, as mentioned earlier, can be associated with one or more virtual machines, role instances, network adapters or subnets in a virtual network. NSGs therefore offer more granularity, flexibility and capability than the more primitive Azure ACLs.
The scenario is a front-end tier (DMZ), a middle tier and a back-end tier, each with its own subnet. Using NSGs we can create an outbound rule that allows traffic from the DMZ to the internet and deny internet-bound traffic from the other tiers. We then allow traffic from the front-end tier to the middle tier but not to the back-end tier, allow traffic between the back-end and middle tiers in both directions, and deny traffic from the back-end tier to the front end. I’ll create a diagram to support this in due course.
- NSG associations to subnets are not applied at the edge of the subnet. The rules are applied to every VM inside the subnet, so beware when blocking virtual network traffic.
I found a useful video on NSGs that explains the basics.
My preferred practice is to create an NSG per environment (e.g. per resource group). So if you have Prod, PreProd and UAT, create an NSG for each environment. I would also create a single NSG for the DMZ layer. That way you can allow traffic within each environment, or define rules within the environment from one subnet to the next. If you want to manage traffic from the DMZ layer to PreProd or Prod, you define those rules in the DMZ NSG towards the corresponding environment.
An NSG is a subscription-level resource and can be associated with one or more VMs in regional vNETs. Each Azure subscription can have 100 NSGs, and each NSG can contain up to 200 rules, which can be either inbound or outbound. You can apply an NSG to a VM or to a subnet within a vNET.
- 100 NSGs per Azure subscription
- One VM / subnet can only be associated with one NSG
- One NSG can contain up to 200 rules
- A rule has the following characteristics:
  - Type: Inbound/Outbound
  - Priority: integer between 100 and 4096
  - Source IP Address: CIDR of source IP range
  - Source Port Range: range between 0 and 65000
  - Destination IP Range: CIDR of destination IP range
  - Destination Port Range: integer or range between 0 and 65000
  - Protocol: TCP, UDP or * for both
  - Access: Allow/Deny
- Rules are processed in order of priority: a rule with a lower priority number is processed before rules with higher priority numbers.
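The three-tier scenario and the priority-ordered evaluation described in the rule list can be checked offline before anything is deployed. The Python model below is an added example, not code from the original post or from Microsoft. The address plan (10.0.0.0/16 with one /24 per tier), the rule names and the flows exercised are constructed for illustration; the rules at priorities 65000 to 65500 mirror the defaults Azure places in every NSG, and the Internet tag is approximated as any address outside the VNet. It goes a little beyond the post in one respect: a flow is checked twice, against the source subnet's outbound rules and the destination subnet's inbound rules, which is how subnet-level NSGs are applied, and `with_deny_all` shows the subnet-wide deny-all caveat from the post blocking VM-to-VM traffic inside the same subnet.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "Inbound" or "Outbound"
    priority: int    # lower number is evaluated first (custom rules use 100-4096)
    src: str         # CIDR, or a tag: "*", "VirtualNetwork", "Internet"
    src_port: str    # "*", a single port such as "80", or a range "1024-65535"
    dst: str
    dst_port: str
    protocol: str    # "Tcp", "Udp" or "*" for both
    access: str      # "Allow" or "Deny"

def rule(name, direction, priority, src, dst, dst_port, access, proto="*"):
    """Shorthand constructor; every rule below uses '*' as the source port."""
    return Rule(name, direction, priority, src, "*", dst, dst_port, proto, access)

# Constructed address plan (not from the post): one subnet per tier in one VNet.
VNET = ipaddress.ip_network("10.0.0.0/16")
DMZ, MIDDLE, BACKEND = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"

# Default rules Azure places in every NSG at priorities 65000-65500; custom
# rules always win because they carry lower priority numbers.
DEFAULTS = [
    rule("AllowVnetInBound", "Inbound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    rule("DenyAllInBound", "Inbound", 65500, "*", "*", "*", "Deny"),
    rule("AllowVnetOutBound", "Outbound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    rule("AllowInternetOutBound", "Outbound", 65001, "*", "Internet", "*", "Allow"),
    rule("DenyAllOutBound", "Outbound", 65500, "*", "*", "*", "Deny"),
]

# One NSG per tier subnet, encoding the three-tier scenario from the post.
NSGS = {
    DMZ: [
        rule("web-in", "Inbound", 100, "Internet", "*", "80", "Allow", "Tcp"),
        rule("to-middle", "Outbound", 100, "*", MIDDLE, "*", "Allow"),
        rule("no-backend", "Outbound", 110, "*", BACKEND, "*", "Deny"),
        rule("to-internet", "Outbound", 200, "*", "Internet", "*", "Allow"),
    ],
    MIDDLE: [
        rule("from-dmz", "Inbound", 100, DMZ, "*", "*", "Allow"),
        rule("from-backend", "Inbound", 110, BACKEND, "*", "*", "Allow"),
        rule("to-backend", "Outbound", 100, "*", BACKEND, "*", "Allow"),
        rule("no-internet", "Outbound", 200, "*", "Internet", "*", "Deny"),
    ],
    BACKEND: [
        rule("from-middle", "Inbound", 100, MIDDLE, "*", "*", "Allow"),
        rule("no-dmz-in", "Inbound", 110, DMZ, "*", "*", "Deny"),
        rule("to-middle", "Outbound", 100, "*", MIDDLE, "*", "Allow"),
        rule("no-dmz-out", "Outbound", 110, "*", DMZ, "*", "Deny"),
        rule("no-internet", "Outbound", 200, "*", "Internet", "*", "Deny"),
    ],
}

def addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":  # approximation: any address outside the VNet
        return ip not in VNET
    return ip in ipaddress.ip_network(spec)

def port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def first_match(rules, direction, src, sport, dst, dport, proto):
    """The matching rule with the lowest priority number decides; no match means Deny."""
    for r in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol.lower() in ("*", proto.lower())
                and addr_match(r.src, src) and port_match(r.src_port, sport)
                and addr_match(r.dst, dst) and port_match(r.dst_port, dport)):
            return r.access, r.name
    return "Deny", "implicit"

def flow_allowed(src, sport, dst, dport, proto="Tcp", nsgs=NSGS):
    """A flow must pass the source subnet's Outbound rules and the destination
    subnet's Inbound rules; addresses outside the VNet have no NSG of their own.
    Returns (allowed, [(access, rule_name), ...]) for each side that had an NSG."""
    verdicts = []
    for ip, direction in ((src, "Outbound"), (dst, "Inbound")):
        rules = next((v for k, v in nsgs.items()
                      if ipaddress.ip_address(ip) in ipaddress.ip_network(k)), None)
        if rules is not None:
            verdicts.append(first_match(rules, direction, src, sport, dst, dport, proto))
    return all(access == "Allow" for access, _ in verdicts), verdicts

def with_deny_all(nsgs, subnet, priority=4096):
    """A subnet-level deny-all is enforced on every VM in that subnet, so it also
    blocks VM-to-VM traffic inside the subnet (the caveat the post warns about)."""
    locked = dict(nsgs)
    locked[subnet] = nsgs[subnet] + [rule("deny-all", "Inbound", priority, "*", "*", "*", "Deny")]
    return locked
```

Calling `flow_allowed("10.0.1.4", 50000, "10.0.3.4", 1433)` shows both sides denying the DMZ-to-back-end flow (`no-backend` outbound and `no-dmz-in` inbound), which is the defence-in-depth you get from writing the rule in both NSGs rather than relying on one. Comparing `flow_allowed("10.0.2.4", 50000, "10.0.2.5", 443)` before and after `with_deny_all(NSGS, MIDDLE)` makes the subnet deny-all caveat concrete: the default `AllowVnetInBound` at 65000 no longer wins once a custom deny sits at 4096.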
NSG Cmdlet Example

```powershell
################ IMPLEMENTING NSGS IN AZURE ################
$locName = "northeurope"
$rgName = "NEURVNETRG"
$vnet1name = 'MyVNetNE'
$vnet1SubnetName = 'NE-DMZ'

Switch-AzureMode AzureResourceManager

# Create a security rule allowing access from the Internet to port 3389.
$rule1 = New-AzureNetworkSecurityRuleConfig -Name nsg-dmz -Description "Allow RDP" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389

# Create a security rule allowing access from the Internet to port 80.
$rule2 = New-AzureNetworkSecurityRuleConfig -Name web-rule -Description "Allow HTTP" -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80

# Add the rules created above to a new NSG named NSG-DMZ
$nsg = New-AzureNetworkSecurityGroup -ResourceGroupName $rgName -Location $locName -Name "NSG-DMZ" -SecurityRules $rule1,$rule2

# Associate the NSG created above with the NE-DMZ subnet
$vnet = Get-AzureVirtualNetwork -ResourceGroupName $rgName -Name $vnet1name
Set-AzureVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $vnet1SubnetName -AddressPrefix 10.193.128.32/28 -NetworkSecurityGroup $nsg

# Save the new VNet settings to Azure
Set-AzureVirtualNetwork -VirtualNetwork $vnet

# Get details of the network security group along with its rules
Get-AzureNetworkSecurityGroup -ResourceGroupName $rgName | fl *
```