Azure Beginner – Network Security Groups



hi welcome back to this as your beginner's guide now in this chapter we are going to look at network security groups so network security groups is nothing but a list of rules this is used to allow or deny traffic to your virtual machines now security is an important aspect especially when you expose your appliances to the outside world such as the internet so because of the tremendous amount of attacks which can happen from the internet all to your infrastructure you need to have the right security tools in place to protect all the resources in your cloud computing infrastructure network security groups is one such tool which can be used for your virtual machines to allow or deny traffic to and from your virtual machines so I said this is a security mechanism that's available for your VMs just to give an example so this is one of the use cases in which you can use network security groups now I did discuss that in a virtual network in a 0 by default communication is possible between subnets in that virtual network so if you have the two VMs has shown you by default the communication should be established between this VMs but there could be special use case scenarios wherein you want to isolate VMs completely this could be based on different requirements or security aspects so that VM could be stored in critical data or sensitive information hence it should be cut off from all other VMs in such a case yes you could put it in a separate virtual network altogether but if you are putting it in the same virtual network has other subnets and other virtual machines you can define something known has a network security group to block the traffic another use case scenario so let's say you have a virtual machine defined in Azure in a subnet in a virtual network now let's say that you only want to allow a certain traffic from a particular workstation so let's say you are IT admin your on this workstation which has an IP of in ninety two dot one dot 5.6 you need to RDP or more desktop protocol into your Windows VM so what you can do is that you can say create a network security group which only allows remote desktop from this IP address how is this secure this ensures that no one else has the ability to connect to your Windows machine in a zero while remote desktop apart from this workstation which has the IP of ninety two dot one dot 5.6 so these are some of the use cases in which you can use network security groups now if we are going to look at an example of network security groups but just to explain a little bit more about the groups you have two separate rules you have rules for inbound traffic so traffic which is coming into the virtual machine you then have our bond rules this is for traffic that's flowing out of the virtual machine for each of the rules you define what is the source IP and the source port number so in the prior example let's go back here our source IP is ninety two dot one dot 5.6 the port number which is the source can be any port number on the workstation so remember when you are establishing a connection with a virtual machine on the remote desktop protocol the protocol uses three the port number use is three three eight nine but that'll be on the VM on the client workstation which is ninety two dot one dot five or six any port number it's known as an FM band port number will be used for the connection next we specify what is the destination IP and the destination port number so our destination port number has we discussed in the diagram is three three eight nine and destination IP will be the IP of the virtual machine next you specify what is a protocol that is allowed what is a priority now you can have different rules defined in your security group and each of them can have a priority and the one with the most priority will overwrite all the rules which have a least number of priority and then you specify whether it's an allow or deny rule so now let's go ahead to the azure portal and see how to work with network security groups hi and welcome back now here we are your portal now for an example we are going to see how we can use network security groups to access the Internet Information Services on a Windows VM now I have already gone ahead and created one simple Windows VM I connected to the VM now the first thing I am going to do is that I am actually going to add roles and features so I'm going to install OS on this machine so that we have a working web server in which we can test network security groups so my VM let me go down and choose Repsol so I'm gonna add the web server feature and we'll go on next next and then finally do an installation so this is a very simple installation of is all the windows vm while this is happening I want to show you where you can see the network security groups so let's go back to our zero portal this is a virtual machine you can also see that while we are actually not doing the installation you can see the metric data so you can see the amount of reads and writes are now happening on the virtual machine and this is because we are actually doing some operation now on this VM let's go to networking and this is where we have aa network security groups so we have our network interface so this is the NIC card is like a virtual NIC card attached to your virtual machine we have the public IP address and the private IP address we have rules for inbound traffic and for outbound traffic now by default there are four rules already in place for you the first rule is to allow RDP so since this is a Windows instance you can RDP on four three three eight nine this is for the destination it's based on the TCP protocol the source is any means you can log in from any source IP address obviously if you want to have a better security constraint you can restrict the IP addresses from which the connection can occur the destination is any services the RDP to our particular instance and the action is allow next is to allow any inbound traffic so I did mention that within a virtual network itself communication between instances no matter which subnet they are located is possible one of the factors which accounts for this is a security rule which is in place so this default security rule ensures that all traffic which is inbound in that virtual network is allowed next we have a rule for the load balancer we have a separate chapter on the azure load balancer and you will understand that more better when we actually deep dive into how to work with as your load balancer and then finally we have the deny all inbound so if there is any other traffic type of traffic which is going to come to our virtual machine simply deny it so it is only going to allow these three types of traffic and you cannot see the priority so based on the priority the rules will be evaluated so this is a summary of how the inbound rules work let's go back to our VM so the installation is complete I'm going to close it let me just launch localhost to make sure that is is running right so is is running locally on this machine now ideally if I just take the public IP and I open it in another tab now since I have installed is on the windows VM I should be getting the eius interface over here but you can see that it is not working and you are going to get a connection timeout after a certain period of time and that's because of the network security group there is no rule saying that please allow traffic on port 80 remember that is works on port 80 for incoming HTTP requests so since the no port rule for this the traffic is being denied so we can go ahead and add an inbound port rule to allow traffic into our web server for the moment we are going to say the so much as any so any workstation so even my workstation if I access the web server on the VM I should be able to access is I'm going to put any source port range that is on my machine destination or also leave it at the moment has a need to keep it simple for the port range I'm going to make it has port 80 I just want to allow traffic on port 80 to access that HTTP request I just want to allow access on port 80 to ensure that I can access the web server I'm gonna put the action has allowed I'm going to keep the default priority I'll give a name for the rule click on add and now this security rule is being added if you just go back to our page you can see the site can't be reached so this is the default response you're going to get because there is no security rule now that the rule has been created now you can see you are getting the home page for is so the security rule which was applied immediately is now allowing traffic on port 80 so this is how effective Network security groups are remember when you go deep dive into architecture and managing infrastructure on a cloud platform I said security is really a very very important aspect and you have to look at all the security tools which are in place to help you protect your infrastructure on the cloud so I said for virtual machines this is one way of protecting the traffic which comes in bound and outbound from your ocean machine right so this marks the end of this chapter on how to work with network security groups let's move on to the next chapter in this course

1 thought on “Azure Beginner – Network Security Groups

  1. I´m doubt, what about if the machine 92.1.5.6 has a dynamic IP address how will it be possible to save this IP on my NSG?

Leave a Reply

Your email address will not be published. Required fields are marked *