Network Security Group

In this lab you will get an overview of network security groups (NSG) and learn how to do the following:

  • Log in to the Azure CLI

  • Create an NSG

  • Create rules within an NSG

Step 1 - Logging In

Microsoft Azure is a cloud computing service offered and operated by Microsoft that can be used to host your data and applications in the cloud.

In this lab environment the credentials have already been created and exported as the environment variables $username and $password, so logging in to the Azure CLI is a single command. From the CLI you can create and manage your Azure resources. Run this command to log in to the Azure account:

az login -u $username -p $password

After you log in, you should get a block of JSON with details about your sign-in. Note that passing -p on the command line leaves the password in your shell history and in the process list, and that this username/password form of az login does not work for accounts that require multi-factor authentication; outside a disposable lab, prefer the interactive az login or a service principal.

You can view the Azure account username with this command:

echo $username

You can view the Azure account password with this command:

echo $password

Step 2 - Getting Set Up

In any connected application (which is pretty much all applications nowadays), we do not want resources to be accessed by just anyone or anything. We need to compartmentalize resources and block certain types of traffic from reaching a resource. For example, if we have web services that are reachable from the internet, the backend databases on a separate virtual network should not be reachable from the internet as well. Network security groups are one way to prevent this kind of exposure.

In this lab we will create a network security group on a virtual network and configure policies so it blocks certain types of traffic.

First we need a resource group to hold the NSG and the VM it will protect. In this lab the group's name is stored in the variable $resource, and it was created with this command:

az group create --name $resource --location eastus

Let's also create a virtual machine in the resource group. Besides the VM itself, az vm create generates a NIC, a public IP, and an NSG named MyVMNSG with an allow rule for SSH on port 22 (newer CLI versions reject the retired UbuntuLTS image alias; Ubuntu2204 is the current replacement):

az vm create --name 'MyVM' \
    --image UbuntuLTS \
    --location eastus \
    --resource-group $resource \
    --admin-username azureuser \
    --generate-ssh-keys \
    --public-ip-sku Basic

Step 3 - Creating an NSG and Rule

Next let's create a network security group in the resource group $resource:

az network nsg create \
    --resource-group $resource \
    --name MyNsg

Suppose we want to deny all TCP traffic and make sure no other rule can override that. NSG rules are evaluated in ascending priority order and the first match wins: custom priorities run from 100 (evaluated first, so the highest precedence) to 4096 (evaluated last), and no two rules in one NSG can share a priority. Every NSG also carries built-in default rules at priorities 65000 to 65500 (for inbound traffic: allow the virtual network, allow the Azure load balancer, then deny everything else), which every custom rule precedes. Ordering rules this way lets us combine broad policies with narrow exceptions: give the exception a lower number than the policy it carves out of (for example, "deny that whole department at 200, but allow Joe at 100").

A rule created with only --access and --protocol takes the defaults for everything else: direction Inbound, source and destination '*', all ports. So the rule below denies all inbound TCP, SSH on port 22 included, to whatever the NSG is attached to, which is why a rule like this is normally paired with a higher-precedence exception. Note also that these rules can Deny or Allow access:

az network nsg rule create \
    --resource-group $resource \
    --nsg-name MyNsg \
    --name MyRule \
    --priority 100 \
    --access Deny \
    --protocol Tcp

To remove the rule, use the delete command:

az network nsg rule delete \
    --resource-group $resource \
    --nsg-name MyNsg \
    --name MyRule

Step 4 - Creating Specific Rules

There are many options for filtering traffic in a rule. Here are the main arguments that can be provided to the rule create command (--direction defaults to Inbound, and the address and port arguments default to '*'):

az network nsg rule create --name
                           --nsg-name
                           --priority
                           --resource-group
                           [--access {Allow, Deny}]
                           [--description]
                           [--destination-address-prefixes]
                           [--destination-asgs]
                           [--destination-port-ranges]
                           [--direction {Inbound, Outbound}]
                           [--protocol {*, Ah, Esp, Icmp, Tcp, Udp}]
                           [--source-address-prefixes]
                           [--source-asgs]
                           [--source-port-ranges]
                           [--subscription]

Here we deny inbound TCP from a specific source range, again at the highest precedence, priority 100. Note that --destination-port-ranges takes a space-separated list, so 60 6060 matches exactly two ports (write 60-6060 for a range), and that --source-port-ranges 80 matches only packets whose source port is 80; clients normally connect from ephemeral source ports, so a rule meant to block that network from reaching the VM would use '*' for the source port:

az network nsg rule create \
    --resource-group $resource \
    --nsg-name MyNsg \
    --name MyRule \
    --priority 100 \
    --source-address-prefixes 204.120.28.0/26 \
    --source-port-ranges 80 \
    --destination-address-prefixes '*' \
    --destination-port-ranges 60 6060 \
    --access Deny \
    --protocol Tcp

This covered the fundamentals of creating a network security group and its rules in a resource group. Keep in mind that an NSG filters nothing on its own: it takes effect only once it is associated with a subnet (az network vnet subnet update) or with a VM's network interface (az network nic update), and a VM created with az vm create already has an auto-generated NSG on its NIC that such an association replaces.
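The following script is an added example, not part of the original lab: it finishes the setup the lab leaves open by creating the deny-all rule together with a higher-precedence exception, attaching the NSG to the lab VM's NIC, and reading back the rules in evaluation order. It assumes the lab's $resource variable, the VM MyVM and the NSG MyNsg; the management network 203.0.113.0/24 (the TEST-NET-3 documentation range) and the RUN_NSG_LAB guard variable are placeholders introduced here so the file can be sourced without touching Azure.

```shell
#!/usr/bin/env bash
# Added example (not from the original lab): deny-all rule plus exception,
# NSG association with the VM's NIC, and read-back of the effective rules.
# Assumed: $resource (lab resource group), VM "MyVM", NSG "MyNsg";
# 203.0.113.0/24 is a placeholder management network and RUN_NSG_LAB an
# invented guard flag so that sourcing this file does not call az.
set -eu

# Custom rule priorities must be integers in 100..4096; a lower number wins.
check_priority() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 100 ] && [ "$1" -le 4096 ]
}

# Create a rule, rejecting an invalid priority locally before az is called.
nsg_rule() {
  # usage: nsg_rule RG NSG NAME PRIORITY DIRECTION ACCESS PROTOCOL SRC_PREFIX DST_PORT...
  local rg=$1 nsg=$2 name=$3 prio=$4 dir=$5 access=$6 proto=$7 src=$8
  shift 8
  check_priority "$prio" || { echo "nsg_rule: priority '$prio' not in 100-4096" >&2; return 1; }
  az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" --name "$name" \
    --priority "$prio" --direction "$dir" --access "$access" --protocol "$proto" \
    --source-address-prefixes "$src" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges "$@" \
    --output none
}

# An NSG filters nothing until it is associated with a subnet or a NIC.
# Associating it with the NIC replaces the NSG that az vm create attached.
attach_nsg_to_vm_nic() {
  # usage: attach_nsg_to_vm_nic RG VM NSG  (prints the NIC name)
  local rg=$1 vm=$2 nsg=$3 nic_id nic_name
  nic_id=$(az vm nic list --resource-group "$rg" --vm-name "$vm" --query '[0].id' --output tsv)
  nic_name=${nic_id##*/}
  az network nic update --resource-group "$rg" --name "$nic_name" \
    --network-security-group "$nsg" --output none
  echo "$nic_name"
}

# List the custom rules in the order the platform evaluates them
# (ascending priority, first match wins).
show_rules() {
  # usage: show_rules RG NSG
  az network nsg rule list --resource-group "$1" --nsg-name "$2" \
    --query 'sort_by(@, &priority)[].{priority:priority, name:name, direction:direction, access:access, protocol:protocol, destPort:destinationPortRange}' \
    --output table
}

if [ "${RUN_NSG_LAB:-0}" = 1 ]; then
  # Broad policy: deny all inbound TCP at 200 ...
  nsg_rule "$resource" MyNsg DenyAllTcpIn 200 Inbound Deny Tcp '*' '*'
  # ... and a narrow exception that wins because 100 is evaluated before 200.
  nsg_rule "$resource" MyNsg AllowSshFromMgmt 100 Inbound Allow Tcp 203.0.113.0/24 22
  nic=$(attach_nsg_to_vm_nic "$resource" MyVM MyNsg)
  show_rules "$resource" MyNsg
  # Effective rules also show the default 65000-65500 rules every NSG carries.
  az network nic list-effective-nsg --resource-group "$resource" --name "$nic" --output table
fi
```

Run it with RUN_NSG_LAB=1 after logging in; without the flag it only defines the functions, so the priority check can be exercised offline. Keeping the exception's priority below the deny rule's is the whole point: swap the two numbers and SSH from the management network is blocked, because the deny rule would then be the first match.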