Module 4 - Configure Network Security Groups Flashcards
What is a network security group?
An NSG contains a list of security rules that allow or deny inbound and outbound network traffic.
You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound and outbound network traffic to and from several types of Azure resources. For each rule, you can specify source, destination, port, and protocol.
An NSG can be associated with a subnet or a NIC.
The same NSG can be associated multiple times.
NSG and subnets:
You can create a screened subnet known as a DMZ which acts as a buffer between resources and the internet.
Use an NSG to restrict traffic flow to all machines that reside in the subnet.
Each subnet can have a maximum of one associated NSG.
NSG and NICs:
Define rules to control all traffic that flows through the NIC.
Each NIC that exists in a subnet can have one NSG associated with it.
In Azure, what are the default NSG rules?
3 default inbound rules:
AllowVNetInbound - Priority is 65000
AllowAzureLoadBalancerInbound - Priority is 6501
DenyAllInbound - Priority is 65500
3 default outbound rules:
AllowVNetOutBound - Priority is 6500
DenyAllOutBound - Priority is 65500
AllowInternetOutBound - Priority is 65001
You cannot remove the default network security rules, but you can override them by creating another rule with a higher priority.
NSG effective rules
For inbound traffic:
Azure first processes NSG rules for any associated subnets and then any associated NICs.
Inbound NSG rules for a subnet take precedence over NSG rules for NICs.
For outbound traffic:
Azure first evaluates NSG rules for any NICs and then any associated subnets.
Outbound NSG rules for a NIC take precedence over NSG rules for a subnet.
Importance of allow rules:
If you have both a subnet and a NIC with a network security group, you must define an allow rule at each level; otherwise the traffic will be denied at any level that does not have the allow rule in place.
Intra subnet traffic:
By default, Azure allows VMs in the same subnet to send traffic to each other (this is known as intra-subnet traffic). If you do not want VMs in the same subnet to communicate with each other, you have to set a rule that denies all inbound and outbound traffic. This will prevent all the VMs in the same subnet from communicating with each other.
Security rules in an NSG are processed in priority order. The lowest priority number is always processed first.
As a best practice when creating NSG rules, leave a gap of about 100 between priority numbers so that future rules can be added without having to edit the existing ones later.
Create network security group rules
Properties that need to be specified when creating the rules:
Source
Identifies how the security rule controls inbound traffic. The value specifies a specific IP address range that is allowed or denied.
It can be a resource, an IP address range, an application security group, or a default tag.
Destination:
Identifies how the security rule controls outbound traffic. The value specifies a specific IP address range that is allowed or denied.
It can be any resource, an IP address range, an application security group, or a default tag.
Service
Specifies the destination protocol and port range for the security rule. You can choose a predefined service such as RDP or SSH, or a custom port range.
Priority
Assigns the priority order number of the rule. The lowest number is processed first.
Implement application security groups
Application security groups allow you to group VMs and define network security group rules based on the application workload they belong to rather than on individual IP addresses.
Application security groups support dynamic membership, meaning VMs can be dynamically added to or removed from an ASG based on their tags.
Consider no subnets:
By organizing your VMs into application security groups, you don't need to distribute your servers across specific subnets. You can arrange your servers by application and purpose to achieve logical grouping.
Consider simplified rules:
Application security groups help eliminate the need for multiple rule sets. You can dynamically apply new rules to designated application security groups. New security rules are automatically applied to all VMs in the specified application security group.