Microsoft Azure Concepts – Network Security Groups

Network Security Groups (NSGs) are essentially traffic filters. They can be applied on the ingress path, before traffic enters a VM or subnet, or on the egress path, as traffic leaves a VM or subnet.

  • Source and destination port ranges
  • Protocol can be restricted to TCP or UDP (or left as * for both)
  • Maximum of 1 NSG per VM or subnet
  • Maximum of 100 NSGs per Azure subscription
  • Maximum of 200 rules per NSG
  • Once a Network Security Group is applied, all inbound traffic is denied by default except traffic from other virtual machines or services in the same VNET (and from the Azure load balancer)

Note: a VM can have either an endpoint ACL or an NSG applied, not both.

Azure provides three built-in tags, available from the moment you create your first Network Security Group, that can be used in place of an address prefix in a rule:

  • INTERNET – anything outside the virtual network
  • VIRTUAL_NETWORK – the virtual network itself; the default rule built on it lets anything on your VNET talk to each other
  • AZURE_LOADBALANCER – the Azure load balancer (its health probes); the default rule built on it lets the load balancer reach anything

Network Security Group rules are evaluated in priority order, lowest number first, and the first matching rule wins: rule 100 is checked before rules 101 and 102, and once a rule matches no later rule is evaluated.

So let’s walk through a few examples.

Create a Network Security Group

#New Network Security Group

New-AzureNetworkSecurityGroup -Name "VMF-NSG01" -Location "West Europe" -Label "In - VMF-VNET02 Traffic"

The above command (one of the classic, Azure Service Management, PowerShell cmdlets) creates a new Network Security Group called VMF-NSG01 in West Europe with the label "In - VMF-VNET02 Traffic" as its description.

Before we move on to creating some rules, we need to think about the Cloud Service and the Endpoints it exposes for the virtual machines on subnet VMF-VNET02.

I could remove all Endpoints from all virtual machines within my Cloud Service, which means nothing is reachable from the internet. This is great, but what if we need to expose HTTPS to the internet?

I could just add the Endpoint to the VMs. But then another Administrator can come along and expose more VMs to the internet. What can I do to get around this? The rule below is the answer.

Allow HTTPS Inbound from Internet To a VM

#Allow Inbound HTTPS from Internet to VMF-TEST02

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" `
| Set-AzureNetworkSecurityRule -Name "In - HTTPS VMF-TEST02" `
    -Action Allow -Type Inbound -Priority 301 `
    -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' `
    -DestinationAddressPrefix '10.30.2.161/32' -DestinationPortRange '443' -Protocol TCP

This rule allows anyone on the Internet to reach the virtual machine VMF-TEST02 on TCP 443. Note that the NSG filters on the VM's internal address, so the destination prefix is the VM's private IP (10.30.2.161/32), not the Cloud Service's public VIP. If any more Endpoints are added to the Cloud Service they won't work, because no rule allows them.

So that's inbound internet access locked down. What about access into the VMF-TEST02 subnet from the rest of the VNET and from our on-premises network?

Allow Citrix HDX from Any

#Allow Inbound Citrix HDX from Any

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" `
| Set-AzureNetworkSecurityRule -Name "In - Citrix HDX" `
 -Action Allow -Protocol '*' -Type Inbound -Priority 310 `
 -SourceAddressPrefix '*' -SourcePortRange '*' `
 -DestinationAddressPrefix '*' -DestinationPortRange '1494'

The above rule allows Citrix HDX traffic on port 1494 from any source to enter our subnet VMF-VNET02. Now you might be scratching your head thinking: why don't I set -SourcePortRange to 1494 as well?

The client chooses its own (ephemeral) source port, and a NAT device in the path may rewrite it again, so a connection can arrive from source port 1498 or anything else; pinning the source port to 1494 would drop it. Only the destination port is fixed, so the rule leaves the source port as '*' and matches on destination port 1494. Bear in mind that a source of '*' includes INTERNET: this rule stays off the internet only because no Cloud Service Endpoint exposes port 1494.

Allow Citrix Session Reliability from Any

#Allow Inbound Citrix Session Reliability from Any

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" `
| Set-AzureNetworkSecurityRule -Name "In - Citrix Session Reliability" `
 -Action Allow -Protocol '*' -Type Inbound -Priority 320 `
 -SourceAddressPrefix '*' -SourcePortRange '*' `
 -DestinationAddressPrefix '*' -DestinationPortRange '2598'

The above rule allows any Citrix Session Reliability traffic on Port 2598 to enter our subnet VMF-VNET02.

Excellent, but I may want to authenticate to some Active Directory Domain Controllers and change passwords in the future. Note that port 464 in the first rule below is the Kerberos password-change (kpasswd) port; Kerberos authentication itself uses port 88, which these rules do not open.

Allow Kerberos, LDAP and LDAPS

#Allow Inbound Kerberos password change (kpasswd, port 464) from Any

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" `
| Set-AzureNetworkSecurityRule -Name "In - Kerberos" `
 -Action Allow -Protocol '*' -Type Inbound -Priority 330 `
 -SourceAddressPrefix '*' -SourcePortRange '*' `
 -DestinationAddressPrefix '*' -DestinationPortRange '464'

#Allow Inbound LDAP from Any

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" `
| Set-AzureNetworkSecurityRule -Name "In - LDAP" `
 -Action Allow -Protocol '*' -Type Inbound -Priority 340 `
 -SourceAddressPrefix '*' -SourcePortRange '*' `
 -DestinationAddressPrefix '*' -DestinationPortRange '389'

#Allow Inbound LDAPS from Any

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" `
| Set-AzureNetworkSecurityRule -Name "In - LDAPS" `
 -Action Allow -Protocol '*' -Type Inbound -Priority 350 `
 -SourceAddressPrefix '*' -SourcePortRange '*' `
 -DestinationAddressPrefix '*' -DestinationPortRange '636'

Awesome, so now I can get access to my environment externally using HTTPS, and internally I can get to Citrix and the Domain Controllers, but what about my on-premises Management subnet? I want that to be able to access anything on subnet VMF-VNET02.

Allow Inbound Any from Management Subnet

#Allow Inbound Any from Management Subnet

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" `
| Set-AzureNetworkSecurityRule -Name "In - Management Subnet" `
 -Action Allow -Protocol '*' -Type Inbound -Priority 360 `
 -SourceAddressPrefix '192.168.239.0/24' -SourcePortRange '*' `
 -DestinationAddressPrefix '*' -DestinationPortRange '*'

That's great, but how do I apply the Network Security Group to a subnet?

Apply Network Security Group to a Subnet

#Apply Network Security Group to Subnet

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName "VMF-VNET" -SubnetName "VMF-VNET02"

But hold on, I need to delete a rule as I made a mistake, how do I do that?

Delete Network Security Group Rule

#Delete a Network Security Group Rule

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" | Remove-AzureNetworkSecurityRule -Name "In - LDAP"

OK I get that, but how do I see the rules applied to my Network Security Group?

View Rules Applied to Network Security Group

#Get Details of a Network Security Group

Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" -Detailed

What if I want to update a particular rule in a Network Security Group? Re-run Set-AzureNetworkSecurityRule with the existing rule's name and the full set of parameters you want; the cmdlet overwrites the rule with that name, and priorities must stay unique within the NSG.

Update Network Security Group Rule

#Update Network Security Group Rule

#Re-uses the name of the existing HDX rule, so that rule is overwritten (here narrowed from any protocol to TCP only)
Get-AzureNetworkSecurityGroup -Name "VMF-NSG01" `
| Set-AzureNetworkSecurityRule -Name "In - Citrix HDX" `
 -Action Allow -Type Inbound -Priority 310 `
 -SourceAddressPrefix '*' -SourcePortRange '*' `
 -DestinationAddressPrefix '*' -DestinationPortRange '1494' -Protocol TCP

Last of all how do I delete a Network Security Group?

Delete Network Security Group

#Delete a NSG

Remove-AzureNetworkSecurityGroup -Name "VMF-NSG01"

These rules can be represented logically in the diagram below.

Azure NSG Diagram

Final Thought

Because we have only applied Inbound Network Security Group rules, users inside their Citrix session can still launch connections to anything: the default outbound rules allow traffic to the VNET and to the Internet. If you want to lock that down, Outbound Network Security Group rules (-Type Outbound) need to be created and applied as well.
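To make the evaluation order, the built-in tags, the source-port question from the HDX rule and the outbound point above concrete, here is an added model of how an NSG decides a packet's fate. It is example code written for this page in Python rather than the PowerShell the cmdlets use, not the page's own code and not how Azure implements it. The address spaces behind the tags (10.30.0.0/16 for the VNET, the on-premises 192.168.239.0/24 local network counted as part of VIRTUAL_NETWORK, 168.63.129.16 for the Azure load balancer) and the sample client addresses are assumptions; only the rule set and the VM address 10.30.2.161 come from the page.

```python
"""Model of how a classic Azure NSG evaluates traffic: rules are tried in ascending
priority order, first match wins, and the platform's default rules (priority 65000
and up) sit behind anything you create (priority 100-4096)."""
from dataclasses import dataclass
import ipaddress

# Assumed address spaces behind the built-in tags (constructed for this example):
# the VNET's own range plus the on-premises local network reached over the gateway.
VNET_RANGES = [ipaddress.ip_network("10.30.0.0/16"),
               ipaddress.ip_network("192.168.239.0/24")]
AZURE_LB = ipaddress.ip_network("168.63.129.16/32")  # Azure platform/probe address

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str      # "Allow" or "Deny"
    src: str         # tag, CIDR or "*"
    src_port: str    # "*", "443" or "1000-2000"
    dst: str
    dst_port: str
    protocol: str    # "TCP", "UDP" or "*"

def _addr_match(prefix, ip):
    ip = ipaddress.ip_address(ip)
    in_vnet = any(ip in net for net in VNET_RANGES)
    if prefix == "*":
        return True
    if prefix == "VIRTUAL_NETWORK":
        return in_vnet
    if prefix == "AZURE_LOADBALANCER":
        return ip in AZURE_LB
    if prefix == "INTERNET":  # everything that is neither the VNET nor the platform
        return not in_vnet and ip not in AZURE_LB
    return ip in ipaddress.ip_network(prefix, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _matches(r, pkt):
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    return (_addr_match(r.src, src_ip) and _port_match(r.src_port, src_port)
            and _addr_match(r.dst, dst_ip) and _port_match(r.dst_port, dst_port)
            and r.protocol in ("*", proto))

DEFAULT_INBOUND = [
    Rule("ALLOW VNET INBOUND", 65000, "Allow", "VIRTUAL_NETWORK", "*", "VIRTUAL_NETWORK", "*", "*"),
    Rule("ALLOW AZURE LOAD BALANCER INBOUND", 65001, "Allow", "AZURE_LOADBALANCER", "*", "*", "*", "*"),
    Rule("DENY ALL INBOUND", 65500, "Deny", "*", "*", "*", "*", "*"),
]
DEFAULT_OUTBOUND = [
    Rule("ALLOW VNET OUTBOUND", 65000, "Allow", "VIRTUAL_NETWORK", "*", "VIRTUAL_NETWORK", "*", "*"),
    Rule("ALLOW INTERNET OUTBOUND", 65001, "Allow", "*", "*", "INTERNET", "*", "*"),
    Rule("DENY ALL OUTBOUND", 65500, "Deny", "*", "*", "*", "*", "*"),
]

def validate(rules):
    """Reject what the platform rejects: a priority outside 100-4096 or one used twice."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096 or r.priority in seen:
            raise ValueError(f"bad priority {r.priority} on rule {r.name!r}")
        seen.add(r.priority)
    return True

def evaluate(rules, defaults, pkt):
    """Return (action, name of the first matching rule); DENY ALL guarantees a match."""
    for r in sorted(list(rules) + list(defaults), key=lambda r: r.priority):
        if _matches(r, pkt):
            return r.action, r.name
    raise AssertionError("unreachable: the default Deny rule matches everything")

# Three of the inbound rules this page builds for VMF-NSG01 (VMF-TEST02 is 10.30.2.161).
VMF_NSG01_INBOUND = [
    Rule("In - HTTPS VMF-TEST02", 301, "Allow", "INTERNET", "*", "10.30.2.161/32", "443", "TCP"),
    Rule("In - Citrix HDX", 310, "Allow", "*", "*", "*", "1494", "*"),
    Rule("In - Management Subnet", 360, "Allow", "192.168.239.0/24", "*", "*", "*", "*"),
]
# The HDX rule with its source port pinned (the mistake the page warns against) and
# a hypothetical outbound rule of the kind the Final Thought calls for.
PINNED_HDX = Rule("In - Citrix HDX", 310, "Allow", "*", "1494", "*", "1494", "*")
DENY_INTERNET_OUT = Rule("Out - Deny Internet", 100, "Deny", "*", "*", "INTERNET", "*", "*")

def inbound(src_ip, src_port, dst_port, proto="TCP", rules=VMF_NSG01_INBOUND):
    """Verdict for constructed sample traffic arriving at VMF-TEST02."""
    return evaluate(rules, DEFAULT_INBOUND, (src_ip, src_port, "10.30.2.161", dst_port, proto))

def outbound(dst_ip, dst_port, proto="TCP", rules=()):
    """Verdict for traffic leaving VMF-TEST02 from an ephemeral port."""
    return evaluate(rules, DEFAULT_OUTBOUND, ("10.30.2.161", 51000, dst_ip, dst_port, proto))

if __name__ == "__main__":
    validate(VMF_NSG01_INBOUND)
    print(inbound("203.0.113.7", 51515, 443))      # Allow, In - HTTPS VMF-TEST02
    print(inbound("203.0.113.7", 51515, 3389))     # Deny, DENY ALL INBOUND
    print(inbound("203.0.113.7", 1498, 1494))      # Allow: a '*' source admits the Internet too
    print(inbound("203.0.113.7", 1498, 1494, rules=[PINNED_HDX]))  # Deny: source port pinned
    print(outbound("198.51.100.9", 80))            # Allow, ALLOW INTERNET OUTBOUND (no outbound rules)
```

Two results are worth dwelling on. A client arriving from source port 1498 is allowed by the page's HDX rule but denied by PINNED_HDX, which is the point made under "Allow Citrix HDX from Any"; and the same HDX rule admits an Internet source, so the inbound lock-down depends on no Endpoint existing for 1494. With no outbound rules at all, the VM can reach any Internet address, which is what the Final Thought describes; DENY_INTERNET_OUT at priority 100 reverses that while leaving VNET traffic allowed by the default rule.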
