This week I had an opportunity to implement Network Security Groups(NSG) in Microsoft Azure for a customer and thought I’d share the experience. For those that are unaware NGS’s are rule sets that can be applied to subnets and machines in Azure IAAS tenants, these groups act as access lists and are applied to the traffic entering and leaving the subnet/machine.
This allows for the separation of subnets and clients within the same vNet, NSG’s contain default rules that allow for traffic to flow back and forth within the vNet as well as outbound only to the internet.
The default rules included in the group have a low priority (a high number) assigned, this allows for custom rules to be created and used to block them if so desired. Whilst you can only have 1 NSG assigned to a subnet or machine each group can have 200 rules, which should be enough, I’d hate to be creating that many!
Like most firewall/acl rules you need to specify the direction of the traffic, the source, destination, port and whether it’s for TCP/UDP or both (you can not create rules for ICMP traffic) The source/destination can be either a specific IP address, a subnet, Internet, Virtual_Network (including your Azure IP networks and any onpremise connected via VPN) or Azure_LoadBalancer (to allow health checks if using Azure load balancing)
Firstly you need to create a group with a name and assign it to the correct Azure region, in addition you can assign it a label:
New-AzureNetworkSecurityGroup -Name “GroupName_NSG” -Location “North Europe” -Label “NSG Security Group”
Then you need to assign it to the network or machine, in this example we’re assigning it to a subnet:
Get-AzureNetworkSecurityGroup -Name “GroupName_NSG” | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName ‘my-vNet’ -SubnetName ‘Subnet_Name’
After the group has been created and assigned you can add your rules
Get-AzureNetworkSecurityGroup -Name “GroupName_NSG” | Set-AzureNetworkSecurityRule -Name “Allow_Inbound_internet_HTTPS” -Type Inbound -Priority 150 -Action Allow -SourceAddressPrefix ‘Internet’ -SourcePortRange ‘*’ -DestinationAddressPrefix ‘10.1.2.3’ -DestinationPortRange ‘443’ -Protocol TCP
Get-AzureNetworkSecurityGroup -Name “GroupName_NSG” | Set-AzureNetworkSecurityRule -Name “Deny_Outbound_internet” -Type Outbound -Priority 300 -Action Deny -SourceAddressPrefix ‘10.1.2.0/24’ -SourcePortRange ‘*’ -DestinationAddressPrefix ‘Internet’ -DestinationPortRange ‘*’ -Protocol *
TIP! – I found that the type variable was case sensitive and needed to be exactly Inbound or Outbound
TIP! – It is possible to use NSG’s assigned to subnets to block traffic between machines on the same subnet, be careful with your use of subnet masks!