In my earlier blog POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL I wrote on how to export an NSG (Network Security Group) to a CSV/Excel file using PowerShell, which can later be used to create a new NSG with the same rules, or edited first and then imported. An NSG is nothing but a virtual firewall: a set of inbound and outbound rules (ACLs) applied to network traffic, much like the Windows Firewall rules under Control Panel. By default the portal creates a new NSG automatically when you create a new Azure virtual machine.
An NSG can be associated with either a VM NIC or a vNet (virtual network) subnet. To demonstrate, in the Visio diagram below I have two Azure virtual machines in the same vNet subnet, both hosting an IIS web server, and one NSG applied to the subnet with a single inbound rule allowing only port 80 (HTTP) from anyone outside.
Next blog article MICROSOFT AZURE POWERSHELL: CREATING NEW NSG (NETWORK SECURITY GROUP)
In the second scenario the diagram is mostly the same, but instead of attaching the NSG to the virtual network subnet I have created two separate NSGs and attached them to the individual VM NICs, each opening only the ports that VM requires. Here the two VMs run different OS flavors, so each NSG opens only the port needed for remote management: RDP 3389 on Windows and SSH 22 on Linux. Unlike the diagram above, the NSG is applied to the VM directly, so the firewall ACLs are controlled per VM. The rule's source also controls which IP or network is allowed to reach the VM, and the same kind of rule can be created in the outbound direction.
A single NSG can be attached to multiple VM NICs (or multiple subnets), but each NIC and each subnet can carry only one NSG. A NIC and the subnet it sits in can each have their own NSG; in that case inbound traffic must be allowed by both (the subnet NSG is evaluated first, then the NIC NSG), and for outbound traffic the order is reversed.
When a virtual machine is created through the portal, an NSG is created automatically and attached to it. Here instead I will create the NSG manually first and associate it with the VM later. Open the resource group and click the +Add button.
Search the list for Network security group and select it to create a new one. Many third-party firewall appliances are also available in the same list.
Give the Network Security Group a name. Once the NSG is created it appears in the resource group after a refresh. At this point the NSG exists but has no custom rules in it. Click the NSG to create new rules.
There are two types of security rules, inbound and outbound. In this lab I create only an inbound (incoming) rule, allowing TCP port 3389 for Windows RDP.
Once the rules are created and the page is refreshed, the rules appear in the list.
Priority: Rules are processed in priority order; the lower the number, the higher the priority, and processing stops at the first rule that matches the traffic. For a cleaner design Microsoft recommends leaving gaps between rule priorities (100, 200, 300, etc.) so new rules can be inserted later without editing existing ones. Custom rule priorities must be in the range 100 to 4096.
Source: The address the connection comes from, i.e. the computer from which you will connect to the Azure VM. * means any; you can also specify a single IP address, a CIDR range, or a default (service) tag such as Internet, VirtualNetwork, or AzureLoadBalancer. Incoming traffic from the matching source address range is allowed or denied by this rule.
Destination: The address the traffic is going to, which for an inbound rule is the Azure VM. It specifies the destination IP address range for which this rule allows or denies traffic.
Service: The protocol (TCP, UDP, or both) and the destination port range for this rule. You can choose a predefined service, such as RDP or SSH, or provide a custom port range.
Action: Can be either Allow or Deny.
An outbound NSG rule is created the same way; it allows or denies (blocks) traffic leaving the VM. The screenshot below, taken while creating a new virtual machine, shows that an existing network security group can be attached to the VM at creation time. If the VM has multiple network cards, you can assign one NSG per NIC.
You can also create a virtual machine without an NSG and attach one to the VM NIC later with the steps below: in the resource group, select the network interface and attach the NSG under Network security group, as shown.
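As an added example, not code from the original post, here is the same procedure (create an NSG with one management rule, then associate it with a VM NIC) for the two-NSG scenario above, written with the Az PowerShell module (`New-AzNetworkSecurityRuleConfig`, `New-AzNetworkSecurityGroup`, `Get-AzNetworkInterface`, `Set-AzNetworkInterface`). The resource group name `RG-Lab`, region `eastus`, NIC names `vm-win-nic` and `vm-linux-nic`, and the admin range `203.0.113.0/24` are assumptions for the example; the source is restricted to that range rather than `*` so RDP and SSH are not exposed to the whole Internet.

```powershell
# Added example (not from the original post): build the two per-NIC NSGs
# from the blog's second scenario with the Az PowerShell module.
# Assumptions: resource group "RG-Lab", region "eastus", NICs named
# "vm-win-nic" and "vm-linux-nic" already exist, and the admin workstation
# connects from the hypothetical range 203.0.113.0/24.
# Requires: Install-Module Az; Connect-AzAccount (run once beforehand).

$rg       = 'RG-Lab'
$location = 'eastus'
$adminNet = '203.0.113.0/24'   # only this range may reach the management ports

# Inbound rule: RDP to the Windows VM, allowed only from the admin range.
# Priority 100 leaves room (200, 300, ...) for rules added later.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' `
    -Description 'RDP from the admin workstation range only' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $adminNet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

# Inbound rule: SSH to the Linux VM, same source restriction.
$sshRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-SSH-From-Admin' `
    -Description 'SSH from the admin workstation range only' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $adminNet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22

# One NSG per OS flavour. Anything not matched by a custom rule falls
# through to the built-in DenyAllInBound rule (priority 65500).
$winNsg = New-AzNetworkSecurityGroup -Name 'NSG-Win-Mgmt' -ResourceGroupName $rg `
    -Location $location -SecurityRules $rdpRule
$linNsg = New-AzNetworkSecurityGroup -Name 'NSG-Linux-Mgmt' -ResourceGroupName $rg `
    -Location $location -SecurityRules $sshRule

# Associate each NSG with its VM's NIC (the portal's "Network interface >
# Network security group" step). A NIC can hold only one NSG, so this
# replaces whatever NSG the NIC had before.
$pairs = @(
    @{ Nic = 'vm-win-nic';   Nsg = $winNsg },
    @{ Nic = 'vm-linux-nic'; Nsg = $linNsg }
)
foreach ($pair in $pairs) {
    $nic = Get-AzNetworkInterface -Name $pair.Nic -ResourceGroupName $rg
    $nic.NetworkSecurityGroup = $pair.Nsg
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}

# Verify: list the custom rules of each NSG, highest precedence first.
foreach ($nsg in @($winNsg, $linNsg)) {
    "== $($nsg.Name)"
    Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
        Sort-Object Priority |
        Format-Table Priority, Name, Direction, Access, Protocol,
                     SourceAddressPrefix, DestinationPortRange -AutoSize
}
```

The source restriction is the part that matters for security: an RDP or SSH rule with source `*` is reachable by every Internet scanner, whereas a rule scoped to the admin range denies everything else by falling through to the default deny rule.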
Here is another example, where the NSG is associated with a virtual network (vNet) subnet instead of a NIC.
This Visio shows how security rules are evaluated. The lower the priority number, the higher the precedence. In inbound security rules the Source is the computer that initiates the connection and the Destination is the remote computer (in most cases the Azure VM); in outbound security rules the roles are reversed: the Source is the Azure VM that wants to communicate and the Destination is the remote computer (which can also be another Azure VM).
Finally, for information: every NSG has three default rules in each direction (inbound and outbound). They cannot be modified or deleted, but a custom rule with a lower priority number overrides them. The last rule in each list, DenyAllInBound / DenyAllOutBound (priority 65500), denies all traffic. Above it, with higher precedence, the inbound defaults allow traffic from VMs and resources in the virtual network (AllowVnetInBound, 65000) and from the Azure load balancer (AllowAzureLoadBalancerInBound, 65001); the outbound defaults allow traffic to the virtual network (AllowVnetOutBound, 65000) and to the Internet (AllowInternetOutBound, 65001). Note that AllowVnetInBound means every VM in the vNet can reach every other VM on any port unless you add an explicit deny.
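As an added example, not code from the original post, the following Az PowerShell script covers the subnet scenario and the default rules discussed above: it creates the subnet NSG from the first diagram (HTTP allowed from the Internet), adds an explicit deny that overrides the built-in AllowVnetInBound for traffic between VMs in the subnet, associates the NSG with the subnet (`Set-AzVirtualNetworkSubnetConfig` / `Set-AzVirtualNetwork`), reads the read-only default rules back, and uses `Get-AzEffectiveNetworkSecurityGroup` to show what a NIC actually enforces once subnet and NIC NSGs are merged. The resource group `RG-Lab`, vNet `vnet-lab`, subnet `web` and NIC `vm-web1-nic` are assumed names.

```powershell
# Added example (not from the original post): subnet-level NSG, an override
# of the default AllowVnetInBound rule, and verification of effective rules.
# Assumptions: resource group "RG-Lab", region "eastus", VNet "vnet-lab" with
# an existing subnet "web", and a NIC "vm-web1-nic" of a running VM in it.
# Requires: Install-Module Az; Connect-AzAccount (run once beforehand).

$rg       = 'RG-Lab'
$location = 'eastus'

# Read the subnet first so the deny rule can be scoped to its own prefix.
$vnet      = Get-AzVirtualNetwork -Name 'vnet-lab' -ResourceGroupName $rg
$subnet    = Get-AzVirtualNetworkSubnetConfig -Name 'web' -VirtualNetwork $vnet
$webPrefix = $subnet.AddressPrefix[0]    # e.g. 10.0.1.0/24 (whatever the subnet uses)

# Scenario 1 from the post: HTTP from the Internet to the web servers.
$httpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP-Internet' `
    -Description 'Public web traffic' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80

# Override the built-in AllowVnetInBound (65000): evaluation stops at the
# first match, so a Deny at 4000 (still inside the 100-4096 custom range)
# wins and blocks east-west traffic between the web VMs on every port.
# It is scoped to the subnet prefix rather than the VirtualNetwork tag
# because that tag also covers the Azure host/probe address (168.63.129.16),
# which must stay reachable for the platform and load-balancer probes.
$denyLateral = New-AzNetworkSecurityRuleConfig -Name 'Deny-Web-Lateral' `
    -Description 'No VM-to-VM traffic inside the web subnet' `
    -Direction Inbound -Access Deny -Protocol '*' -Priority 4000 `
    -SourceAddressPrefix $webPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix $webPrefix -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -Name 'NSG-Web' -ResourceGroupName $rg `
    -Location $location -SecurityRules $httpRule, $denyLateral

# Associate the NSG with the subnet (one NSG per subnet) and save the VNet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'web' `
    -AddressPrefix $webPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# The three default rules per direction are read-only; read them back.
$nsg = Get-AzNetworkSecurityGroup -Name 'NSG-Web' -ResourceGroupName $rg
"== Default rules of $($nsg.Name)"
$nsg.DefaultSecurityRules |
    Sort-Object Direction, Priority |
    Format-Table Priority, Name, Direction, Access,
                 SourceAddressPrefix, DestinationAddressPrefix -AutoSize

# Effective rules for a NIC merge the subnet NSG with any NIC-level NSG;
# inbound traffic has to be allowed by both. The VM must be running.
"== Effective rules on vm-web1-nic"
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'vm-web1-nic' -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Sort-Object Direction, Priority |
    Format-Table Priority, Name, Direction, Access, Protocol,
                 SourceAddressPrefix, DestinationPortRange -AutoSize
```

The effective-rules query is the check worth keeping: when a NIC NSG and a subnet NSG disagree, the portal view of either NSG alone does not tell you what traffic actually gets through, but the effective list does.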
Useful Links
INSTALLING MICROSOFT AZURE POWERSHELL
PART 9: CREATING AND MANAGING VIRTUAL MACHINE (VM) USING MICROSOFT AZURE RESOURCE MANAGER PORTAL
POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL
MICROSOFT AZURE POWERSHELL: CLONING (COPING) OR IMPORTING EXISTING NSG (NETWORK SECURITY GROUP) FROM EXCEL