Connectivity is the boon and bane of today's networking world. You obviously need connectivity to access and use remote resources, but at the same time, it is this connectivity that opens the possibility for hacking and other unscrupulous behavior.
So, can you forego the benefits of networking to protect your company's assets from unauthorized users? A definite "no," simply because network connectivity is the cornerstone of a digital world. Also, foregoing the benefits of a service to curb its downside is not really a good idea.
A better way would be to protect your network in such a way that unauthorized users can’t enter it. You can lay down stringent rules and regulations with regard to network access, so it is not misused by anyone for devious purposes.
Azure makes it easy to create and enforce such rules through its Network Security Group (NSG).
What is Azure NSG?
An NSG is the main tool you need to enforce network traffic rules at the networking level. It is used in particular to control traffic to one or more virtual machines, subnets, network adapters, and role instances in your virtual network.
It contains access rules that determine whether a request to the network is accepted or denied. Most rules are based on the direction of the traffic, the protocol, the port and address of the source, and the port and address of the destination. In other words, it's your one-stop shop for access control lists.
In some ways, you can think of an Azure NSG as a simple form of distributed firewall that you create and apply within the Azure network fabric. You can create a rule for a virtual machine or a subnet, depending on the needs of your business, and Azure will apply them to all the associated resources.
You can create inbound and outbound traffic rules for both NIC and subnets, and Azure will apply them accordingly.
This might get you wondering about the difference between an NSG associated with a subnet and one associated with a NIC. In the case of a subnet, traffic that doesn't meet the rules is stopped before it even enters the subnet. In the case of a NIC, however, the packets are stopped at the NIC even if the subnet's NSG allowed them. That's a subtle yet important difference you should know.
If that's confusing, all it means is that you can create a single NSG for all machines on a subnet. In fact, this is the option Microsoft recommends for each security tier, as it makes designing and troubleshooting much easier. You also have the choice of creating an NSG for a single NIC, if that's what your business and networking warrant, even though Microsoft doesn't recommend it.
Now that you have a fair idea of what Azure NSGs are, let's take a closer look at their rules.
Azure NSG rules
You can create pretty much any kind of rule you want, but they all should follow the same pattern, i.e., they should have the properties discussed below.
Name
This is the name of the rule, and it should be unique within the same region. It must start with a letter or number and end with a letter, number, or underscore, and it can be at most 80 characters long.
In general, it's a good idea to adopt a naming convention that makes it easy to identify what each rule does.
Protocol
You can use TCP, UDP, or the wildcard "*". The wildcard is very broad, so use it only when needed.
Note that "*" accepts ICMP for internal traffic only, because by default any traffic entering the Azure virtual network passes through a load balancer that filters ICMP traffic. That is why you can use the ICMP protocol for internal traffic only.
Region
This is the Azure region where the NSG was created. It is an important parameter because you can only associate an NSG with resources in the same region; you can't use resources from another region with your NSG.
Also, the number of NSGs you can have per region depends on the resources you use. For example, you get a default of only 20 DNS servers for every virtual network, with a maximum of 100. The Azure documentation gives extensive information on the limits for every region and resource.
On top of that, there's a soft limit of 100 NSGs per subscription and a limit of 200 rules per NSG.
Source and destination address prefix
This is the single IP address, network address, or a predefined tag that the system will check, to see if it matches with any of your rules. In the case of source, it's the resource transmitting the traffic while in the case of destination, it's the resource that is receiving the traffic.
There are three predefined tags you can use to specify common sources of traffic. They are the Internet, virtual network, and the Azure load balancer. Internet includes all the traffic that's coming from sources that are outside your own network. Virtual network is any address located within the subnets of your virtual network while Azure load balancer is the traffic used to test the availability of load balancer virtual machines.
Direction
You'll have to specify whether this is an inbound or outbound traffic rule. There are three default inbound traffic rules in an Azure NSG:
- The probes used to test the availability of Azure load balancers have unrestricted access within your network.
- All external traffic, typically traffic coming from the Internet, is blocked by default.
- All kinds of traffic within the same virtual network are allowed, including ICMP traffic.
If you don't want these defaults, you can override them with custom rules.
Priority
You can set a number between 100 and 4,096 to build a granular set of rules. The system checks rules in order of priority and stops at the first match; it does not evaluate the remaining rules. For example, if traffic matches a rule with priority 104, the other rules are not checked at all. So make sure you assign the right priority, especially where one rule overlaps with or depends on another.
Source and destination port range
You can specify a range for your source and destination ports. Choose a single port number from 1 to 65535, or use * for all ports.
In general, use *, unless you know the specific port number your client program uses. The next best option is to use a range, to make sure you're not blocking important traffic and to avoid multiple rules for the same task.
Remember, you can't group multiple ports or a range using commas.
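To make the first-match semantics and the three default inbound rules concrete, here is a small rule evaluator. It is an added example, not part of the original article or of Azure's own code; it assumes a constructed virtual network of 10.0.0.0/16, expands the AzureLoadBalancer tag to Azure's documented probe source address 168.63.129.16, and uses the names and priorities Azure assigns to its default inbound rules.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab values (assumptions, not from the article): our virtual network's
# address space and Azure's documented load-balancer probe source address.
VNET = ipaddress.ip_network("10.0.0.0/16")
LB_PROBE = ipaddress.ip_network("168.63.129.16/32")

@dataclass
class Rule:
    name: str
    priority: int    # 100-4096 for custom rules; the lowest number is checked first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # IP, CIDR, "*" or one of the three tags
    dest: str
    dport: str       # single port, "lo-hi" range or "*" (no comma-separated lists)

# Azure's three default inbound rules, at the priorities Azure assigns them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

def addr_matches(prefix: str, ip: str) -> bool:
    """Expand the article's three tags; anything else is an IP or CIDR prefix."""
    addr = ipaddress.ip_address(ip)
    tags = {"*": True, "VirtualNetwork": addr in VNET, "AzureLoadBalancer": addr in LB_PROBE,
            "Internet": addr not in VNET and addr not in LB_PROBE}
    if prefix in tags:
        return tags[prefix]
    return addr in ipaddress.ip_network(prefix, strict=False)

def port_matches(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")          # "443", "8000-8080" or "*"
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def evaluate_inbound(custom, proto, src_ip, dst_ip, dport):
    """First match in ascending priority is final; no later rule is consulted."""
    for r in sorted(custom + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != proto:
            continue
        if addr_matches(r.source, src_ip) and addr_matches(r.dest, dst_ip) \
                and port_matches(r.dport, dport):
            return r.access, r.name
    return "Deny", "no-match"  # unreachable while DenyAllInBound is present
```

Put a broad deny at priority 100 and an allow for TCP 443 at 110, and the allow is never reached; swap the two priorities and the same packet is accepted.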
Now that you're familiar with the rules, let's see how you can create one.
How to create an NSG
Here are step-by-step instructions for creating an Azure NSG.
- Go to the Azure Resource Manager (ARM) portal and navigate to Network Security Groups.
- Click on the Add button to create a new group.
- Give a name that's descriptive and easy to identify for you. Remember, this name has to be unique as well. Also, choose the subscription that it will belong to.
- Select a resource group that the NSG will belong to. You can also create a new one if there are no associated resource groups, but they have to be within the same region.
- Once these details are entered, Azure creates the NSG for you.
- Next, choose this NSG and navigate to its properties.
- Choose if you want to add inbound or outbound security rules.
- Click the "Add" button to enter your custom security rules.
- Give each rule a name, protocol, port, and any other information that you think is pertinent. Most importantly, give it the right priority.
- If you plan to create multiple rules, it's a good idea to leave some space, so you can enter related rules later. For example, add rules in increments of 10, such as 10, 20, 30, and so on. This way, you can introduce rules at 11, 12, or 13 if you have to in the future.
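The same NSG can be defined as an ARM template resource instead of being clicked together in the portal. The builder below is an added example, not the article's or Microsoft's code; it enforces the name, protocol, priority and port constraints the article lists (the characters allowed inside a name are my assumption), assigns priorities in steps of 10 starting at 100 so related rules can be slotted in later, and rejects two rules that share a priority in the same direction, which Azure does not accept.

```python
import re

# Constraints from the article: name starts with a letter or digit, ends with a
# letter, digit or underscore and is at most 80 characters (which characters may
# appear in between is an assumption); priority 100-4096; no comma-separated ports.
NAME_RE = re.compile(r"^[A-Za-z0-9]([\w.-]*[A-Za-z0-9_])?$")
PORT_RE = re.compile(r"^(\*|\d+(-\d+)?)$")
PROTOCOLS = {"Tcp", "Udp", "*"}

def validate_rule(spec: dict) -> None:
    """Raise ValueError on the first property that Azure would reject."""
    if not (len(spec["name"]) <= 80 and NAME_RE.match(spec["name"])):
        raise ValueError(f"bad rule name: {spec['name']!r}")
    if spec["protocol"] not in PROTOCOLS:
        raise ValueError(f"protocol must be Tcp, Udp or *: {spec['protocol']!r}")
    if not 100 <= spec["priority"] <= 4096:
        raise ValueError(f"priority out of range 100-4096: {spec['priority']}")
    for key in ("sourcePortRange", "destinationPortRange"):
        if not PORT_RE.match(spec[key]):
            raise ValueError(f"{key} must be a port, lo-hi range or *: {spec[key]!r}")

def build_nsg(nsg_name: str, location: str, rules: list, start: int = 100, step: int = 10) -> dict:
    """Return an ARM resource for the NSG. Rules without an explicit priority get
    start, start+step, ... so related rules can be inserted between them later."""
    out, used = [], {}
    next_free = start
    for spec in rules:
        spec = dict(spec)
        spec.setdefault("sourcePortRange", "*")
        spec.setdefault("direction", "Inbound")
        if "priority" not in spec:
            spec["priority"], next_free = next_free, next_free + step
        validate_rule(spec)
        key = (spec["direction"], spec["priority"])
        if key in used:  # Azure rejects two rules with the same priority and direction
            raise ValueError(f"priority {spec['priority']} already used by {used[key]}")
        used[key] = spec["name"]
        props = {k: v for k, v in spec.items() if k != "name"}
        out.append({"name": spec["name"], "properties": props})
    return {"type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2020-11-01", "name": nsg_name, "location": location,
            "properties": {"securityRules": out}}
```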
Azure NSGs are a great way to protect your network without compromising your access to resources. They give you the option to set your own rules, provided those rules follow some established standards.
The best part is these rules are easy to create and you have complete control over them to modify or even delete when needed.
Are you up to trying this?