Module 4bc - Security and Network Security - Network Security Groups Flashcards

1
Q

What are Network Security Groups (NSGs)?

A

A mechanism for filtering traffic between the individual Resources within an AVN. Think of them as internal firewalls, inside the Network Layer.

  • Can contain multiple inbound and outbound security rules for filtering traffic to and from Resources
  • Can filter by destination IP, port and protocol
2
Q

What fields are available in an NSG Rule?

A
  • Name
  • Priority
  • Source or Destination
  • Protocol: TCP/UDP/Any
  • Direction: ingress/egress
  • Port Range: either a single port or range of ports
  • Action: ALLOW/DENY
3
Q

Every VM on Azure is associated with at least one network security group (T/F)

A

True

4
Q

What does the default NSG rule ‘default-allow-ssh’ do?

A

Allows inbound connections over port 22 (the SSH port). SSH (Secure Shell) is the protocol used on Linux to let admins access the system remotely.

5
Q

What’s the default NSG rule for Linux VMs?

You must also allow inbound on port 80 (HTTP) (T/F)?

A

default_allow_ssh

Allow network access only on port 22 (SSH Secure Shell). It enables admins to access the system.

True

6
Q

When creating multiple VMs that serve the same purpose, it’s best to create a new NSG for each VM. This way you can customize inbound/outbound traffic per VM (T/F)?

A

False

It’s best to assign them all to a single, standalone NSG, then create a single inbound rule and a single outbound rule for that NSG.

That way you control network access to multiple VMs under a single, centralized set of rules.

7
Q

How is INBOUND traffic evaluated when a SubNet and a Network Interface each have an NSG applied?

A

Both NSGs are evaluated independently. The SUBNET NSG evaluates traffic first, the one applied to the NETWORK INTERFACE evaluates second.

In other words, if it isn’t even allowed at the Network Layer destination, don’t let it past the Perimeter Layer at all (Defense in Depth).

8
Q

How is OUTBOUND traffic evaluated when a SubNet and a Network Interface each have an NSG applied?

A

Outbound traffic is first evaluated by the NSG applied to the NETWORK INTERFACE, then by the NSG applied to the SUBNET.

9
Q

What determines the order in which an NSG Rule is processed and how?

A

Rules are processed in priority order, with LOWER numbers processed FIRST. The priority range is 100-4096, so a rule set to priority 100 is processed before a rule set to priority 1000.

10
Q

For an NSG Rule Source or Destination, what values can be set?

A

Can be any of the following:

  • single IP address or an IP Range
  • CIDR block (ex. 10.0.0.0/24)
  • service tag
  • app security group
11
Q

When are NSGs processed for *Outbound* traffic and what IP address translation occurs?

A

For Outbound Traffic, NSGs are processed BEFORE Azure translates a private IP address to a public IP address.

Azure first checks whether egress is even allowed to leave the outer layer (the network interface). If it is, it then checks the inner layer (the SubNet). If that passes too, Azure translates the private IP to the public one and lets the traffic through.

12
Q

When are NSGs processed for Inbound traffic and what IP address translation occurs?

A

For Inbound Traffic, NSGs are processed AFTER Azure translates a public IP address to a private IP address.

Naturally: how would Azure know which NSGs to apply if it didn’t yet know the destination SubNet?
