So in this section we’ll be talking about network security groups. Now, we already talked about the concept of Virtual Networks and how we create these networks. Inside of them are subnets, and running on subnets are devices such as Virtual Machines that have a network interface to get onto the subnet. So you’ve got a Virtual Machine that has a network interface. The network interface connects to the subnet, and the subnet is part of an overall Virtual Network. Now, these devices that are connected to a Virtual Network communicate with each other over these Virtual Network paths. The network security group allows us to specify which type of traffic is allowed through and which type of traffic is blocked. It is basically an allow list for letting traffic pass over the network.
Now, the network security group can either be attached to the subnet or it can be attached to the network interface. So if you think of this as being a tunnel, on one side is the Virtual Machine with a network interface. On the other side of the tunnel is the subnet as a whole. You can put your network security group on either side of the tunnel. It’s still going to allow or block traffic traveling over that tunnel. So let’s take a look at this in action. We have a Virtual Machine connected to this default subnet, and the subnet has this address range. Now, if we go into the Virtual Machine, we can see the network interface. The network interface actually tells us in the summary section that there is a network security group attached to the network interface.
So in this instance it is attached to the network interface. And if we go back to the subnet, we don’t have any security group attached to the subnet. So in this instance, the NSG is on the Virtual Machine side. Let’s go to the network security group. This was created when we created the Virtual Machine: since we didn’t specify one, it created this new one for us. Going to go into it. Now, by default the network security group has a number of rules. It splits the rules into inbound rules and outbound rules. So you can look at this as being traffic coming into the Virtual Machine over that Virtual Network interface card and traffic that’s leaving the machine. Let’s have a look. I’m going to go to the inbound security rules tab here and we can look at them in a little closer detail.
So this is the default configuration. I have not added any other rules into the inbound security of this Virtual Machine. By default it allows traffic to come from another machine running on the same network: any port, any protocol over the Virtual Network is allowed to come into the machine. So by default, two Virtual Machines running on the same network are able to talk to each other. Okay, that makes sense. Also by default, if you have a load balancer running on this Virtual Network sitting in front of a virtual machine, then that load balancer is allowed to talk to the virtual machine. So again, any port, any protocol; this is the load balancer situation. All other traffic attempting to get into the virtual machine is blocked. That is the deny action. So other computers on the network are allowed, the load balancer is allowed, everything else is blocked. What this means is that if I was to attempt to RDP into this computer from my desktop here, then I should hit this rule saying deny all inbound, because I do not have the RDP port open for inbound traffic. Why don’t we go ahead and add the RDP port for inbound? So I say add, and what we want is the source. It’s going to be any for now, but ideally we want the source to be our network or our computer specifically. So I could actually limit it to only my computer if I got my IP address. So what is my IP address? I could limit the traffic that is coming in over this RDP port to my computer that is located at this address. If my ISP was to change the IP address of my computer, then this would stop working.
I can do this in a CIDR configuration, so I can say /24 and that will cover all IP addresses from 0 to 255 in this case. And what we want to do is basically allow traffic to any destination, so we don’t have a specific computer in mind. Although we could put the IP address or the public IP address of this computer, we won’t. And the question then becomes which port? The port for RDP traffic is 3389. So that is the standard port for RDP traffic to go over the network. RDP traffic is TCP, so we might as well block off UDP traffic, and we want to allow RDP traffic. Now, the priority works by the lowest number having the highest priority.
So you’ll see that the default rules are a very high number, 65,000 up to 65,500. And so we can set the priority. The default was 100; I’ll set it to 1000 and we’re going to call this RDP traffic. And so, if I was to add this rule, because we put a source IP address range, only computers on my network will be allowed to reach port 3389 on any computer that is subject to this rule. And for now, this is again on the network interface card, so it’s only that virtual machine that’s affected. I can do the same thing for Http and Https traffic. There’s another way of adding this.
This is set to advanced by default. If I say basic, then I can choose from a drop down list, let’s say Https, and you’ll see that it fills the ports in automatically. And I can call this https traffic; we’ll let that add, and similarly we can do the same thing for Http traffic. Okay, so this is Http traffic. Now, we are doing this for Windows, hence the RDP port. If we were doing Linux we would have to add the SSH port, which I believe is 22, but don’t quote me on that. So basically we’ve now allowed three traffic sources. Two of them are from any source IP address on the entire internet, and one of them is just from the limited set of addresses on my ISP’s network. Okay, so that’s the inbound traffic rules. Let’s switch over to the outbound. The outbound is basically wide open.
So this rule is saying that from this virtual machine, it is allowed to talk to any other virtual machine on the same virtual network. Allowed. And it is also allowed to talk to the internet, so that is internet traffic. So basically any computer on this network and any computer on the entire internet; all other outbound traffic is denied. But what other outbound traffic would there be besides the internet and other machines on this virtual network? Maybe if we were to do VNet peering and have other virtual networks. But otherwise the outbound rules are pretty open and the inbound rules are pretty closed. Okay, so that’s the basics of a network security group. We’re going to look at assigning this network security group to other virtual machines and even to the subnet in the next video.
2. Implement Effective NSG Rules
So I’ve created a second virtual machine using the portal, and we can see in the resource group that there are now two network security groups. So Azure creates your security group when you create VMs using the portal; it doesn’t even ask you or let you opt out of that, it will create one for you. But it is best practice to create network security groups that serve specific roles. If you have 100 virtual machines in your production environment, you definitely do not want 100 network security groups. Not only does that create extra clutter in your interface, it adds a security risk, because how are you going to keep track of 100 different network security groups and what is allowed and what is not allowed? So, best practice is to create role-specific security groups.
And by that I mean if you have servers that serve as front end servers, you might need one set of network security group rules like the RDP, Https traffic, et cetera. If you have back end servers, you might need different network security group rules, et cetera. So create network security groups that are specific to the role that the server is playing. Let’s go into network interfaces here, and we can see that this network security group, by default, is only pointing to one virtual machine.
What I want to do is connect the other network interface card that we just created. So let’s go back up to the resource group. We can see that we’ve got the virtual machines being created, and the network interfaces. So one is 773 and one is 768. We want this network interface to be connected to the other network security group, and then we’ll delete the one that Microsoft created.
Go into the network interface, actually. And we can see here that we’ve got a network security group set up. If we go down to effective security rules, we can see that they’re basically going to calculate, based on the NSG settings, what security rules there are, right? So we can see the defaults here. What we want to do is associate this device with another network security group. So I’m going to go over to network security groups here on the network interface, we’re going to say edit, and instead of this network security group we’ll switch over to the other one which we just customized. So you’ll see that I was able to switch, and when I say save it’s going to do some work to get that network interface card switched over to the new network security group. That seems to have worked. And if I go back down to effective security rules, it’ll calculate it again. This time it should tell me the RDP, Https and Http rules, because we’ve changed the network security group on this network card.
And so we can see that the active rules have been updated to have these additional rules. So now we have two VMs that are pointing to a single network security group. And now this network security group that was created for us should have no devices connected to it. So let’s go over to network interfaces. No results. Subnet says no results. So this is an orphan and we should be able to delete it. So that’s how you should be setting up your network security groups. Make one network security group for each individual role. That makes it easier for you to manage the security, because confusion is the enemy of security.
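The rule evaluation from the first section (default rules at 65000-65500, the RDP rule limited to a /24 at priority 1000, HTTPS and HTTP from anywhere, lowest priority number checked first, first match wins) and the association work from this section (one role NSG shared by two NICs, the effective rules that result, and the orphaned portal-created NSGs) are modelled together in the following Python example. It is an added example, not code from the course or from Azure: it re-implements the NSG matching logic in plain Python so the same flows the video tests by hand can be checked offline. The VNet range 10.0.0.0/16, the home network 203.0.113.0/24, the NIC and NSG names, the sample client addresses and the treatment of the Internet tag as "anything outside the VNet" are assumptions; 168.63.129.16 is Azure's load-balancer health-probe address. It also goes one step beyond the video: when an NSG sits on both sides of the "tunnel" (subnet and NIC), inbound traffic has to be allowed by the subnet NSG first and then the NIC NSG, and outbound the other way round, so a defaults-only NSG on the subnet side blocks the RDP rule you added on the NIC side.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample addressing (not from the video); 168.63.129.16 is Azure's load-balancer probe address.
VNET = ipaddress.ip_network("10.0.0.0/16")
HOME_NET = "203.0.113.0/24"          # the /24 the RDP rule is limited to
SERVICE_TAGS = {"VirtualNetwork": [VNET],
                "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")]}

@dataclass
class Rule:
    name: str
    priority: int          # lowest number is evaluated first; first match wins
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "Tcp", "Udp" or "*"
    source: str = "*"      # CIDR, service tag or "*"
    dest: str = "*"        # CIDR, service tag or "*"
    dest_port: str = "*"   # one port or "*"

def default_rules():
    """The six rules Azure places in every NSG (priorities 65000-65500)."""
    return [
        Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dest="Internet"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
    ]

@dataclass
class Nsg:
    name: str
    rules: list = field(default_factory=default_rules)

def _prefix_matches(prefix, addr):
    if prefix == "*":
        return True
    if prefix == "Internet":        # simplification: anything outside the VNet
        return addr not in VNET
    if prefix in SERVICE_TAGS:
        return any(addr in net for net in SERVICE_TAGS[prefix])
    return addr in ipaddress.ip_network(prefix, strict=False)

def evaluate(rules, src, dst, port, protocol="Tcp", direction="Inbound"):
    """Return (access, rule name) of the first matching rule in priority order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if r.dest_port != "*" and int(r.dest_port) != port:
            continue
        if _prefix_matches(r.source, src) and _prefix_matches(r.dest, dst):
            return r.access, r.name
    raise ValueError("no rule matched; the default rules are missing")

def frontend_nsg():
    """One role NSG shared by every front-end VM: RDP only from HOME_NET, HTTPS and HTTP from anywhere."""
    nsg = Nsg("nsg-frontend")
    nsg.rules += [
        Rule("RDP-traffic", 1000, "Inbound", "Allow", "Tcp", source=HOME_NET, dest_port="3389"),
        Rule("https-traffic", 1010, "Inbound", "Allow", "Tcp", dest_port="443"),
        Rule("http-traffic", 1020, "Inbound", "Allow", "Tcp", dest_port="80"),
    ]
    return nsg

def effective_access(topo, nic, src, dst, port, protocol="Tcp", direction="Inbound"):
    """Inbound traffic must pass the subnet NSG and then the NIC NSG; outbound is
    checked NIC first, then subnet. A deny on either side of the 'tunnel' wins."""
    chain = [topo["subnet_nsg"].get(topo["nic_subnet"][nic]), topo["nic_nsg"].get(nic)]
    if direction == "Outbound":
        chain.reverse()
    verdict = ("Allow", "no NSG associated")
    for nsg in chain:
        if nsg is None:
            continue
        access, rule = evaluate(nsg.rules, src, dst, port, protocol, direction)
        verdict = (access, f"{nsg.name}/{rule}")
        if access == "Deny":
            break
    return verdict

def orphan_nsgs(topo, all_nsgs):
    """NSGs attached to neither a NIC nor a subnet, i.e. the ones safe to delete."""
    used = {n.name for n in topo["nic_nsg"].values()}
    used |= {n.name for n in topo["subnet_nsg"].values() if n is not None}
    return sorted(n.name for n in all_nsgs if n.name not in used)

def build_topology():
    """Two portal-created VMs whose auto-generated, defaults-only NSGs are left behind
    once both NICs have been re-pointed at the shared front-end NSG."""
    fe = frontend_nsg()
    topo = {"nic_nsg": {"vm1-nic": fe, "vm2-nic": fe},       # NIC -> NSG
            "nic_subnet": {"vm1-nic": "default", "vm2-nic": "default"},
            "subnet_nsg": {"default": None}}                 # subnet -> NSG, none attached yet
    return topo, [fe, Nsg("vm1-nsg"), Nsg("vm2-nsg")]

if __name__ == "__main__":
    topo, nsgs = build_topology()
    print(effective_access(topo, "vm2-nic", "203.0.113.7", "10.0.0.5", 3389), orphan_nsgs(topo, nsgs))
```

Running the script reports the RDP verdict for the second VM's NIC and lists the two portal-created NSGs as orphans, matching the "No results" check in the portal. Setting `topo["subnet_nsg"]["default"]` to a defaults-only `Nsg` reproduces the subnet-side case: the same RDP flow is then denied by the subnet NSG's DenyAllInBound before the NIC NSG is ever consulted, which is why an NSG added on the subnet later needs the same role rules or the per-NIC rules stop having any effect.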