Azure Network Security Groups

Last Updated : 16 May, 2024

Network Security Groups (NSG) play a crucial role in securing the virtual environment within Azure. Azure provides various services to help users secure their applications and the infrastructure that users create.

Table of Content

  • What is Azure?
  • What are Azure Networks?
  • Traditional Server Management
  • Problem in Traditional Server Management
  • Network Security Groups As A Solution
  • How Do Azure Network Security Groups Work?
  • Azure Network Security Rules
  • Default Security Rules
  • Augmented Security Group Rules
  • Service Tags In Azure Networks
  • What Are Application Security Groups?
  • How Azure Network Security Groups Filter Network Traffic?
  • Best Practices For Implementing NSG in Azure
  • How to Create NSG in Azure Portal? A Step-By-Step Guide
  • Video Demonstration of Azure Network Security Groups with Virtual Machine
  • Association of Network Security Groups
  • Virtual Network And Subnet Design
  • Azure Platform Considerations
  • Conclusion
  • Azure Network Security Groups - FAQs


What is Azure?

Azure is the leading cloud computing platform provided by Microsoft. It offers a wide range of services and solutions for users to build, deploy, and manage applications on a pay-as-you-use model. To know more about Microsoft Azure, refer to this article: Azure Tutorials.

What are Azure Networks?

Azure networks are virtual networks that allow users to connect their organizational resources and services. Everything related to Azure networks is monitored and maintained by Azure, so users only have to create their virtual networks, subnets, IP addresses, network interfaces, and other network components.

Traditional Server Management

Consider a scenario where we have five servers: three dedicated to handling web application traffic, one managing business logic, and an additional server hosting our database. As per our organization's architectural decision, we segment these servers into subnets. For instance, one subnet is designated for microservices and web application traffic, while another subnet is dedicated to handling our data-tier applications. These subnets must reside within a virtual network.

Problem in Traditional Server Management

Without additional configuration, if we create an infrastructure in this manner, all incoming traffic from the internet would be allowed to reach all these servers, and inter-server communication would also be unrestricted. Consequently, every component could communicate with every other component, a situation we want to avoid. It's imperative that internet traffic doesn't reach our database, and not all services should have unrestricted communication with one another. This is where NSG comes into play.

Network Security Groups As A Solution

By placing a Network Security Group on the first subnet, we can permit traffic from the internet to reach our web-tier services. Simultaneously, by implementing an NSG on the second subnet, we can prevent internet traffic while still allowing communication from our internal services.

How Do Azure Network Security Groups Work?

An NSG is a tool for applying rules that manage traffic to virtual networks. Within an NSG, an inbound rule refers to incoming traffic requests, while an outbound rule relates to outgoing traffic requests. These rules align with our organizational policy, dictating the permissions for both incoming and outgoing access.

After the creation of NSG, there are default security rules that we can't change, but we can override those rules with custom rules. By default, NSG allows inbound and outbound traffic from the same virtual network.

Azure Network Security Rules

Azure network security rules give custom control over inbound and outbound traffic to Azure services. Network security groups hold customized rules that specify which protocols, IP addresses and ports are allowed to reach those services. The following are some of the key points:

  • Traffic Control: Network Security Groups let you define rules that allow or deny traffic based on specific criteria, giving control over network communication.
  • Port-Level Security: The rules defined in network security groups restrict traffic based on TCP/UDP ports, preventing unauthorized access to sensitive services or applications.
  • IP Filtering: Network security groups support application-level filtering by allowing or blocking traffic based on application protocols, enhancing security for cloud-based applications.

Default Security Rules

Azure provides default security rules for both inbound and outbound traffic in each network security group that we create:

Default Inbound Security Rules

Priority | Name | Source | Source Port Ranges | Destination | Destination Port Ranges | Protocol | Action
100 | AllowVnetInBound | VirtualNetwork | * | VirtualNetwork | * | * | Allow
200 | AllowAzureLoadBalancerInBound | AzureLoadBalancer | * | Any | * | * | Allow
65000 | DenyAllInBound | Any | * | Any | * | * | Deny

Default Outbound Security Rules

Priority | Name | Source | Source Port Ranges | Destination | Destination Port Ranges | Protocol | Action
100 | AllowVnetOutBound | VirtualNetwork | * | VirtualNetwork | * | * | Allow
65000 | DenyAllOutBound | Any | * | Any | * | * | Deny

Augmented Security Group Rules

Augmented security rules in Azure network security groups simplify the definition of larger and more complex network security policies. These rules let you combine multiple ports and multiple explicit IP addresses and ranges into a single rule, improving clarity and ease of understanding. Using service tags or application security groups with augmented rules simplifies the maintenance of security rule definitions and keeps the management of network security policies efficient.

Service Tags In Azure Networks

Service tags in Azure networks simplify management by grouping commonly used Azure services with predefined IP address ranges. These tags let administrators define network security rules for Azure services easily, reducing complexity and enhancing security. Associating security rules with service tags helps administrators ensure consistent and secure network access for Azure services across their environment.

What Are Application Security Groups?

Application Security Groups in Azure simplify network security by managing groups of virtual machines based on application tiers or roles. These groups let administrators define network security rules based on application-level constructs rather than individual IP addresses. Associating Azure network security groups with network security rules allows dynamic and scalable policies that adapt to changes in the Azure environment.

How Azure Network Security Groups Filter Network Traffic?

Azure Network Security Groups filter network traffic by allowing or denying communication based on defined rules, offering a crucial layer of security for Azure resources. The following aspects describe how Azure network security groups filter traffic:

  • Rule Based Routing: NSGs are configured with inbound and outbound security rules that decide whether traffic to Azure services is allowed or denied, based on criteria such as source and destination, IP address, port ranges and protocols.
  • Traffic Prioritization: NSGs prioritize the rules based on their order of precedence, with higher priority rules taking precedence over lower priority ones.

Inbound Traffic Control

  • Inbound rules control the incoming traffic to the services, allowing administrators to specify which incoming connections should be permitted or blocked.
  • Inbound traffic is the data coming into the network, or into a specific resource within a network, from external sources. It often requires security measures such as firewalls and network security groups to control access and protect against incoming threats.

Outbound Traffic

It represents the data leaving the network for the outside or for specific resources within a network. We have to restrict the data flowing outside so that it does not reach unauthorized users or unsecured networks. Outbound traffic is typically subject to filtering and monitoring to ensure security, compliance and efficient resource utilization.

Intra-Subnet Traffic

It is the communication between resources within the same subnet or virtual network. It is often considered trusted traffic, but it still requires monitoring and security measures to prevent unauthorized access or security breaches.
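The rule matching described in this section, together with the multi-port and multi-prefix augmented rules covered earlier, can be modelled in a short script. This is an added example, not code from the article or from Azure: Azure processes rules in ascending priority number and stops at the first match, while the subnet range, rule names, priorities and the SQL port 1433 are constructed. Destination addresses are left out because each rule list stands for the NSG on a single subnet.

```python
"""Added example: a small model of NSG rule matching (not Azure's own code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_SUBNET = "10.0.1.0/24"   # constructed range for the web-tier subnet


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number = evaluated first
    name: str
    sources: tuple     # CIDR prefixes, or "*" for any source
    dest_ports: tuple  # "443", "8000-8080", or "*" for any port
    protocol: str      # "Tcp", "Udp" or "*"
    access: str        # "Allow" or "Deny"


def _in_prefixes(prefixes, addr):
    return any(p == "*" or ip_address(addr) in ip_network(p) for p in prefixes)


def _port_in(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)


def evaluate(rules, src_ip, dest_port, protocol):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _in_prefixes(rule.sources, src_ip)
                and any(_port_in(s, dest_port) for s in rule.dest_ports)):
            return rule.access, rule.name   # first match wins, later rules are ignored
    return "Deny", "no-match"               # model fallback when nothing matches


# Inbound rules for the NSG on the web-tier subnet. The first two are augmented
# rules: several prefixes, or several ports and a port range, in a single rule.
WEB_NSG = [
    Rule(100, "DenyBlockedRanges", ("198.51.100.0/24", "203.0.113.0/24"), ("*",), "*", "Deny"),
    Rule(200, "AllowWebIn", ("*",), ("80", "443", "8000-8080"), "Tcp", "Allow"),
    Rule(4096, "DenyAllIn", ("*",), ("*",), "*", "Deny"),
]

# Inbound rules for the NSG on the data-tier subnet: only the web tier reaches SQL.
DATA_NSG = [
    Rule(100, "AllowWebTierSql", (WEB_SUBNET,), ("1433",), "Tcp", "Allow"),
    Rule(4096, "DenyAllIn", ("*",), ("*",), "*", "Deny"),
]

if __name__ == "__main__":
    print(evaluate(WEB_NSG, "192.0.2.10", 443, "Tcp"))     # internet client to web tier
    print(evaluate(WEB_NSG, "198.51.100.7", 443, "Tcp"))   # blocked range, same port
    print(evaluate(DATA_NSG, "10.0.1.5", 1433, "Tcp"))     # web tier to database
    print(evaluate(DATA_NSG, "192.0.2.10", 1433, "Tcp"))   # internet client to database
```

The second call shows why ordering matters: the request also matches AllowWebIn, but the deny rule at priority 100 is reached first.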

Best Practices For Implementing NSG in Azure

  • Plan and design network topology and network security rules before the creation of a virtual network.
  • Use descriptive tag names for NSG and security rules.
  • Deny all traffic, then allow the necessary traffic for the network.
  • Review and audit the network.
  • Test the network before deploying.

How to Create NSG in Azure Portal? A Step-By-Step Guide

Step 1: First, sign in to your Microsoft Azure Portal. Search for "Network Security Group" and click on the matching result.

Click on Network Security Group

Step 2: Now, click on "Create," fill in the details in the Azure Portal, and click on "Review + Create." Finally, click on "Create."

Creating Network Security Group

Step 3: After successful creation of the NSG, click on "Go to resource".

Successful creation of NSGs

Step 4: To associate this NSG with a subnet or interface, click on "Subnets" in the left menu under the Settings section.

  • Now, click on the "Associate" button and select a virtual network where you want to associate this NSG and click on OK.
Configuring the Associate Subnets

Let's See How the NSG Works When Accessing a Virtual Machine (VM)

Step 5: Sign in to your Microsoft Azure Portal. Search for "Virtual Machine" and click on the matching result.

Searching Virtual Machine
  • Click on "Create" and select "Azure Virtual Machine".
Creating Virtual Machine

Step 6: Enter and choose the configuration for your VM. Pick the 'Subscription' and 'Resource group' for your VM. Provide a unique name for your VM and select the 'Region' where you want to host it.

  • Choose the number of 'availability zones' for your VM. The crucial step is the Image selection; in this case, we are using a 'Windows' image, but you can select any you prefer.
  • Now, pick a 'Size' based on your requirements. Enter a username and password for your VM. These credentials will allow you to access your VM from anywhere. For the inbound port rule, select 'RDP'. Finally, click on "Review+create."

Configuring the Virtual Machine

Step 7: After configuring the Virtual Machine resources, review the configuration once and click on Create to confirm creation of the Virtual Machine.

Reviewing the VM

  • Take a moment to check your VM configuration, then click on "Create."
Creating the VM

Step 8: After creating the VM successfully, click on "Go to resource."

Go to Resource Interface
  • Click on "Connect" and then select "Download RDP file."
Connect the VM


Once you have selected Connect for the VM, download the RDP file by clicking on "Download RDP file".

Download the RDP file

Step 9: Click on the file you downloaded and provide the necessary permissions. Enter your VM password and click OK.

Login the VM with Credentials
  • Congratulations! Now, in just a few seconds, you can access your VM.

Accessing the VM from Windows

Step 10: Go to the "Network Settings" of your VM and delete the Inbound rule that we made. After that, try connecting to your VM again.

  • You will encounter an error message stating that you don't have access. This happens because the NSG is restricting access.
Error Generation for Remote Access
  • To regain access, we need to set up an inbound rule again. Navigate to "network settings," click on "Create port rule," then choose "inbound port rule."
  • Set the "Destination port ranges" to 3389, select the TCP protocol, and click on "add."
Inbound Security Rules

Congratulations! Now, in just a few seconds, you can access your VM.
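The inbound rule recreated in Step 10 sets only the destination port and protocol, so it is worth checking which sources it admits. The following added example (not part of the original article) scans a rule list for inbound rules that leave RDP or SSH reachable from any source, taking priority order into account. The sample rules are constructed, their field names follow the JSON printed by `az network nsg rule list`, and destination addresses are not considered.

```python
"""Added example: find inbound NSG rules that leave RDP or SSH open to any source."""

MGMT_PORTS = {3389: "RDP", 22: "SSH"}
OPEN_SOURCES = {"*", "0.0.0.0/0", "Internet"}

# Constructed sample, trimmed to the fields this check reads. Field names
# follow the JSON printed by `az network nsg rule list`.
SAMPLE_RULES = [
    {"name": "AllowRdpAny", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "sourceAddressPrefixes": [], "destinationPortRange": "3389",
     "destinationPortRanges": []},
    {"name": "AllowSshAdmin", "priority": 310, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "AllowWeb", "priority": 320, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "sourceAddressPrefixes": [], "destinationPortRange": None,
     "destinationPortRanges": ["80", "443"]},
    {"name": "AllowWideRange", "priority": 330, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
     "sourceAddressPrefixes": [], "destinationPortRange": "20-25",
     "destinationPortRanges": []},
]


def _covers(spec, port):
    """True if a port spec ('*', '3389' or '20-25') includes the port."""
    lo, _, hi = (spec or "").partition("-")
    hi = hi or lo
    return spec == "*" or (lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi))


def _values(rule, single, plural):
    """A rule carries either the singular field or the plural list."""
    return rule.get(plural) or [rule.get(single)]


def exposed_management_ports(rules):
    """Return [(service, rule name, priority)] for ports any source can reach."""
    findings = []
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for port, service in MGMT_PORTS.items():
        for rule in inbound:
            sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
            ports = _values(rule, "destinationPortRange", "destinationPortRanges")
            if (rule["protocol"].lower() in ("*", "tcp")
                    and any(s in OPEN_SOURCES for s in sources)
                    and any(_covers(p, port) for p in ports)):
                # The first any-source rule covering the port decides the outcome.
                if rule["access"] == "Allow":
                    findings.append((service, rule["name"], rule["priority"]))
                break
    return findings


if __name__ == "__main__":
    for service, name, priority in exposed_management_ports(SAMPLE_RULES):
        print(f"{service} reachable from any source via rule {name} (priority {priority})")
```

A rule scoped to a known address range, such as AllowSshAdmin in the sample, is not reported; only rules whose source is any address are.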

Video Demonstration of Azure Network Security Groups with Virtual Machine

This video shows how we use Azure Network Security Groups with Azure Virtual Machine. It demonstrates the process of connecting to the VM. When we delete our inbound rule, we are unable to connect to our VM. However, after creating an inbound rule specified during VM creation, we regain access to our VM.

Association of Network Security Groups

  • Granular control: Assigning network security groups to subnets or individual interfaces provides granular control over traffic flow within the Azure environment.
  • Security Segmentation: It provides segmentation of resources based on their security requirements. It allows administrators to define specific security policies for different parts of the network.
  • Effective Security Enforcement: Associating NSGs with resources lets administrators enforce security policies such as allowing or denying traffic based on source or destination IP addresses, port ranges and protocols.

Virtual Network And Subnet Design

  • Isolation And Segmentation: Virtual network design involves creating isolated network environments to segment resources logically. It ensures better security, performance and management.
  • Scalability and Performance: Proper subnet design within virtual networks provides efficient resource allocation and scalability to optimize performance and minimize latency.
  • Connectivity and Accessibility: Designing virtual networks and subnets involves planning for VPC connections, Azure ExpressRoute or peering relationships. It ensures seamless communication between resources while maintaining security and compliance.

Azure Platform Considerations

The following are the considerations for deploying applications on the Azure platform:

  • Scalability: Azure provides scalable services like Azure App Service and Azure Kubernetes Service (AKS) so that applications can handle varying workloads.
  • Integration: Azure provides seamless integration with other Azure services and third-party tools, supporting easy development, deployment and management of applications.
  • Monitoring and Analytics: Azure Monitor and Azure Log Analytics help you gain insights into application performance, troubleshoot issues and optimize resource utilization.

Conclusion

In this article, we have observed the practical use of NSG by making changes in Virtual Machine configuration. Additionally, we discussed Traditional Server Management at the beginning and how to overcome its problem with NSG. We also covered best practices for implementing NSG and the steps to create an NSG in the Azure portal.


sushant_bagul