Azure Network Security Groups

This post is a summary of, and some links to, the documentation on Azure network security groups; it might be useful if you need a quick introduction to the subject.

Exposing a virtual machine to the internet
Before I get into network security groups I want to talk about the way Azure virtual machines are exposed to the internet when you use the Azure Resource Manager (ARM) deployment model. By default, when you create a new virtual machine with ARM in the new portal it gets a public IP address. That public IP is dynamic, so it can change when the machine is restarted; you can make it static if need be, for a monthly fee. The VM will not have a DNS name and you can't specify one in the create VM wizard. You can add the DNS label after the machine is created, or you can create the public IP separately with a DNS label and then point the new VM at the existing public IP when you create it. The default network security group created with the VM has a rule that allows RDP connections to the VM from any source, plus the default rules used by the Azure infrastructure, so the RDP port is reachable from the whole internet until you narrow the source of that rule down to your management addresses. You can also use load balancers, but that is a different story altogether.

What Are Network Security Groups?
Short version (based on the documentation linked below): a network security group is a list of rules that allow or deny traffic to a port or port range, applied at subnet or network interface level. Rules are evaluated in priority order (lowest number first) and the first rule that matches decides, ending with the built-in default rules that allow traffic inside the virtual network and deny all other inbound traffic. Rules also take the direction of the traffic into account, so it is not just for inbound traffic; you can also restrict outbound traffic. Applying the network security group at subnet level applies the rules to all the network cards in the subnet. Applying it at network card level applies the rules only to that network card; if a VM has multiple network cards, each one can have its own network security group. When you create your own rules take care not to block traffic to the 168.63.129.16 IP address or to port 1688; these are used by Azure internally for DHCP, DNS, Windows licensing (KMS activation) and so on. Take note when using load balancers: your load balancer is backed by a pool of NICs, and you should apply the network security group to those backend NICs (or their subnet) so that all traffic reaching them is checked against the rules, including traffic that did not pass through the load balancer.

Official documentation, very long but very informative read.

Practical Application Of Network Security Groups
Creating a DMZ is one of the important capabilities network security groups give us; that said, there are various options when creating a DMZ and it gets quite complicated. Options include using network security groups only, using vendor firewall appliances, and creating user defined routes for traffic. I'll briefly talk about the simplest option, using only network security groups. At a very simplified level, creating a DMZ for your application means separating the tiers of your application based on the traffic they receive and send, and restricting the traffic between the tiers and to the internet to the absolute minimum. In the example below the IIS front end and the SQL back end are on different subnets, and each subnet has its own network security group. All traffic from the internet and between the subnets is checked by the network security groups against their rules. The intent is that all traffic is blocked by default and you then add rules to allow specific ports. Be aware that the default AllowVnetInBound rule on every network security group allows traffic between subnets in the same virtual network, so to actually isolate the tiers each network security group needs an explicit deny-all rule with a lower priority number than that default, with your allow rules ahead of it. In the example the allowed traffic is shown by the orange lines: RDP to both subnets, HTTP to the website, and SQL traffic from the front end subnet to the back end subnet. There are no outbound rules in this example; setting up outbound rules can be a bit tricky since most applications talk to a range of addresses.
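To make the rule order concrete, here is a small Python model of the two network security groups in the DMZ above. This is an added example, not code from the original post or from Azure: it evaluates a flow against an NSG the way the platform does (the lowest priority number that matches wins, with the default rules sitting at 65000 and above) and shows why your own deny rule is what really isolates the subnets. The addresses (10.0.0.0/16 for the VNet, 10.0.1.0/24 for the front end, 10.0.2.0/24 for the back end, 198.51.100.0/24 as a management range for RDP and 203.0.113.9 as an internet client) are made-up values for the example, as are the rule names and priorities.

```python
"""Simulated NSG rule evaluation for the two-subnet DMZ described above.
Added example, not Azure code or the post author's: it models how an NSG picks
the first matching rule by priority (lowest number wins) and why an explicit
deny rule is needed to override the default AllowVnetInBound rule.
Assumed addresses: VNet 10.0.0.0/16, front end 10.0.1.0/24, back end
10.0.2.0/24, management 198.51.100.0/24, internet client 203.0.113.9."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")              # assumed VNet address space
FRONTEND = "10.0.1.0/24"                                  # assumed web tier subnet
MGMT = "198.51.100.0/24"                                  # assumed admin range for RDP
AZURE_HOST_VIP = ipaddress.ip_address("168.63.129.16")    # what the AzureLoadBalancer tag resolves to

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules, 65000 and up for Azure's defaults
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, or a tag: "Internet", "VirtualNetwork", "AzureLoadBalancer", "*"
    dest: str
    dest_port: str     # "80", "1024-65535" or "*"

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src: str
    dst: str
    dst_port: int

def _match_addr(prefix: str, addr: str) -> bool:
    if prefix == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_HOST_VIP
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":                 # simplified here to "outside the VNet"
        return ip not in VNET
    return ip in ipaddress.ip_network(prefix)

def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, flow):
    """Return (rule name, allowed) for the first rule, by priority, that matches the flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == flow.direction
                and r.protocol in ("*", flow.protocol)
                and _match_addr(r.source, flow.src)
                and _match_addr(r.dest, flow.dst)
                and _match_port(r.dest_port, flow.dst_port)):
            return r.name, r.access == "Allow"
    raise RuntimeError("no rule matched; the default DenyAllInBound is missing")

# Default inbound rules Azure puts on every NSG. They cannot be removed, only
# overridden by custom rules with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

def nsg(*custom):
    return list(custom) + DEFAULT_INBOUND

# The explicit deny at 4096 is what isolates the subnets: without it the default
# AllowVnetInBound lets any VM in the VNet reach any port. Anything the deny must
# not catch (here, load balancer health probes from 168.63.129.16) goes ahead of it.
ALLOW_LB_PROBE = Rule("AllowAzureLBProbe", 4000, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*")
DENY_ALL = Rule("DenyAllInbound", 4096, "Inbound", "Deny", "*", "*", "*", "*")

FRONTEND_NSG = nsg(
    Rule("AllowRDP", 100, "Inbound", "Allow", "Tcp", MGMT, "*", "3389"),
    Rule("AllowHTTP", 110, "Inbound", "Allow", "Tcp", "Internet", "*", "80"),
    ALLOW_LB_PROBE, DENY_ALL)

BACKEND_NSG = nsg(
    Rule("AllowRDP", 100, "Inbound", "Allow", "Tcp", MGMT, "*", "3389"),
    Rule("AllowSQLFromFrontEnd", 110, "Inbound", "Allow", "Tcp", FRONTEND, "*", "1433"),
    DENY_ALL)

if __name__ == "__main__":
    web = Flow("Inbound", "Tcp", "203.0.113.9", "10.0.1.4", 80)
    sql_from_web = Flow("Inbound", "Tcp", "10.0.1.4", "10.0.2.4", 1433)
    rdp_from_web = Flow("Inbound", "Tcp", "10.0.1.4", "10.0.2.4", 3389)
    print("HTTP from internet:          ", evaluate(FRONTEND_NSG, web))
    print("SQL from web tier:           ", evaluate(BACKEND_NSG, sql_from_web))
    print("RDP from web tier:           ", evaluate(BACKEND_NSG, rdp_from_web))
    print("RDP from web tier, no deny:  ", evaluate(nsg(*BACKEND_NSG[:2]), rdp_from_web))
```

The last line of the demo is the interesting one: with the custom deny removed, RDP from the web tier to the data tier is allowed by AllowVnetInBound even though no rule mentions it. The model only covers inbound rules because NSGs are stateful, so the SQL replies from the back end do not need a matching outbound rule; the Internet tag is simplified to "any address outside the VNet", which is close enough for this illustration but not the exact definition Azure uses.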

Azure Network Security Groups

The links to the official documentation and DMZ examples are below:

Build a Simple DMZ with NSGs

Build a DMZ to protect applications with a Firewall and NSGs

Build a DMZ to Protect Networks with a Firewall, UDR, and NSG

Francois Delport


I am a cloud and devops consultant, technology fan and previously a professional C# developer with a keen interest in system design and architecture. Currently I am involved in projects using Azure, the Microsoft stack and DevOps. I am based in Melbourne, Australia. Email: [email protected]
