At TechEd Europe 2014, Microsoft announced the General Availability of Network Security Groups (NSGs), which add a security feature to Azure’s Virtual Networking capability. Network Security Groups provide Access Control on Azure Virtual Networks, a feature that is very compelling from a security point of view and one that Enterprise customers have been waiting for.

What are Network Security Groups and how to use them?

Network Security Groups allow us to control ingress and egress traffic on our Azure VNET using rules we define. Applied to a subnet, an NSG provides segmentation within the VNET; applied to a VM, it provides Access Control for that VM.

What’s the difference between Network Security Groups and Azure endpoint-based ACLs? Endpoint-based ACLs apply only to a VM’s public port endpoints. An NSG can be applied to one or more VMs and controls all ingress and egress traffic on those VMs. In addition, an NSG can be associated with a subnet, where it applies to all VMs in that subnet.

NSG Features and Constraints

NSG features and constraints are as follows:

  • 100 NSGs per Azure subscription
  • One VM / Subnet can only be associated with One NSG
  • One NSG can contain up to 200 Rules
  • A Rule has the following characteristics:
    • Name
    • Type: Inbound/Outbound
    • Priority: Integer between 100 and 4096
    • Source IP Address: CIDR of Source IP Range
    • Source Port Range: Range between 0 and 65000
    • Destination IP Range: CIDR of Destination IP Range
    • Destination Port Range: Integer or Range between 0 and 65000
    • Protocol: TCP, UDP or use * for Both
    • Access: Allow/Deny
    • Rules are processed in order of priority: a rule with a lower priority number is processed before rules with higher priority numbers, and the first rule that matches the traffic is applied.

Security Zone Model

Designing isolated Security Zones within an Enterprise network is an effective strategy for reducing many types of risk, and this applies in Azure as well. Securing our Azure environment is a joint effort with Microsoft as our Cloud Vendor, and the On-Premises knowledge we have of building Security Zone models can be applied to our Azure environment.

As a demonstration I will pick the simplest Security Zone model and apply it to my test Azure environment to get some idea of how NSGs work. I will create a 3-layer Security Zone model for the test environment. This simple model is for demo purposes only and might not be suitable for your Enterprise environment.

  • Internet = Attack Vectors / Un-trusted
  • Front-End = DMZ
  • App / Mid-Tier = Trusted Zone
  • DB / Back-end = Restricted Zone

Based on the Security Zone model above, I created my test Azure VNET:

Azure VNET: SEVNET
Address Space: 10.0.0.0/20
Subnets:
Azure-DMZ – 10.0.2.0/25
Azure-App – 10.0.0.0/25
Azure-DB – 10.0.1.0/25

Multi Site Connectivity to: EUVNET (172.16.0.0/16) and USVNET (192.168.0.0/20).

The diagram below illustrates the scenario above:

[Diagram: Security Zone 1]

Lock ‘Em Down

Having decided on our simple Security Zone model, it’s time to lock the zones down and secure them.

The diagram below illustrates how the traffic flow will be configured:

[Diagram: Security Zone 2]

At a high level, the traffic flow is as follows:

  • Allow Internet ingress and egress on DMZ
  • Allow DMZ – App ingress and egress
  • Allow App – DB ingress and egress
  • Deny DMZ-DB ingress and egress
  • Deny App-Internet ingress and egress
  • Deny DB-Internet ingress and egress
  • Deny EUVNET-DB on SEVNET ingress and egress
  • Deny USVNET-DB on SEVNET ingress and egress

The section below shows what the Azure NSG rules tables look like.

NSG Rules Table

Azure DMZ NSG Rules Table

| Name | Source IP | Source Port | Destination IP | Destination Port | Protocol | Type | Action | Priority |
|---|---|---|---|---|---|---|---|---|
| RDPInternet-DMZ | * | 63389 | 10.0.2.0/25 | 63389 | TCP | Inbound | Allow | 347 |
| Internet-DMZSSL | * | 443 | 10.0.2.0/25 | 443 | TCP | Inbound | Allow | 348 |
| Internet-DMZDRS | * | 49443 | 10.0.2.0/25 | 49443 | TCP | Inbound | Allow | 349 |
| USVNET-DMZ | 192.168.0.0/20 | * | 10.0.2.0/25 | * | * | Inbound | Allow | 400 |
| EUVNET-DMZ | 172.16.0.0/16 | * | 10.0.2.0/25 | * | * | Inbound | Allow | 401 |
| DMZ-App | 10.0.2.0/25 | * | 10.0.0.0/25 | * | * | Outbound | Allow | 500 |
| DMZ-DB | 10.0.2.0/25 | * | 10.0.1.0/25 | * | * | Outbound | Deny | 600 |
| Allow VNET Inbound | Virtual_Network | * | Virtual_Network | * | * | Inbound | Allow | 65000 |
| Allow Azure Internal Load Balancer Inbound | Azure_LoadBalancer | * | * | * | * | Inbound | Allow | 65001 |
| Deny All Inbound | * | * | * | * | * | Inbound | Deny | 65500 |
| Allow VNET Outbound | Virtual_Network | * | Virtual_Network | * | * | Outbound | Allow | 65000 |
| Allow Internet Outbound | * | * | INTERNET | * | * | Outbound | Allow | 65001 |
| Deny All Outbound | * | * | * | * | * | Outbound | Deny | 65500 |

Azure App NSG Rules Table

| Name | Source IP | Source Port | Destination IP | Destination Port | Protocol | Type | Action | Priority |
|---|---|---|---|---|---|---|---|---|
| DMZ-App | 10.0.2.0/25 | * | 10.0.0.0/25 | * | * | Inbound | Allow | 348 |
| USVNET-App | 192.168.0.0/20 | * | 10.0.0.0/25 | * | * | Inbound | Allow | 400 |
| EUVNET-App | 172.16.0.0/16 | * | 10.0.0.0/25 | * | * | Inbound | Allow | 401 |
| App-DMZ | 10.0.0.0/25 | * | 10.0.2.0/25 | * | * | Outbound | Allow | 500 |
| App-DB | 10.0.0.0/25 | * | 10.0.1.0/25 | * | * | Outbound | Allow | 600 |
| App-Internet | 10.0.0.0/25 | * | INTERNET | * | * | Outbound | Deny | 601 |
| Allow VNET Inbound | Virtual_Network | * | Virtual_Network | * | * | Inbound | Allow | 65000 |
| Allow Azure Internal Load Balancer Inbound | Azure_LoadBalancer | * | * | * | * | Inbound | Allow | 65001 |
| Deny All Inbound | * | * | * | * | * | Inbound | Deny | 65500 |
| Allow VNET Outbound | Virtual_Network | * | Virtual_Network | * | * | Outbound | Allow | 65000 |
| Allow Internet Outbound | * | * | INTERNET | * | * | Outbound | Allow | 65001 |
| Deny All Outbound | * | * | * | * | * | Outbound | Deny | 65500 |

Azure DB NSG Rules Table

| Name | Source IP | Source Port | Destination IP | Destination Port | Protocol | Type | Action | Priority |
|---|---|---|---|---|---|---|---|---|
| App-DB | 10.0.0.0/25 | * | 10.0.1.0/25 | * | * | Inbound | Allow | 348 |
| USVNET-App | 192.168.0.0/20 | * | 10.0.1.0/25 | * | * | Inbound | Deny | 400 |
| EUVNET-App | 172.16.0.0/16 | * | 10.0.1.0/25 | * | * | Inbound | Deny | 401 |
| DB-DMZ | 10.0.1.0/25 | * | 10.0.2.0/25 | * | * | Outbound | Deny | 500 |
| DB-App | 10.0.1.0/25 | * | 10.0.0.0/25 | * | * | Outbound | Allow | 600 |
| DB-Internet | 10.0.0.0/25 | * | INTERNET | * | * | Outbound | Deny | 601 |
| Allow VNET Inbound | Virtual_Network | * | Virtual_Network | * | * | Inbound | Allow | 65000 |
| Allow Azure Internal Load Balancer Inbound | Azure_LoadBalancer | * | * | * | * | Inbound | Allow | 65001 |
| Deny All Inbound | * | * | * | * | * | Inbound | Deny | 65500 |
| Allow VNET Outbound | Virtual_Network | * | Virtual_Network | * | * | Outbound | Allow | 65000 |
| Allow Internet Outbound | * | * | INTERNET | * | * | Outbound | Allow | 65001 |
| Deny All Outbound | * | * | * | * | * | Outbound | Deny | 65500 |

The tables above give some idea of how to plan our Azure NSGs in order to establish our Security Zones.
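The priority rule from the constraints section is what makes these tables work: the DMZ-DB Deny at 600 is reached before the default Allow VNET Outbound at 65000. The PowerShell below is an added example, not code from the original post, that evaluates a flow against the DMZ table's outbound rules in priority order and returns the first match; it assumes the Virtual_Network tag expands to SEVNET's address space 10.0.0.0/20 and uses a constructed DMZ host 10.0.2.10 as the source.

```powershell
# Added example, not from the original post: evaluate a flow against NSG rules in
# priority order (lowest number first) and return the first rule that matches.
# Assumption: the Virtual_Network tag is expanded to SEVNET's space 10.0.0.0/20.
function ConvertTo-IpNumber([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}
function Test-CidrMatch([string]$Cidr, [string]$Ip) {
    if ($Cidr -eq '*') { return $true }
    $net, $bits = $Cidr -split '/'
    $block = [long][math]::Pow(2, 32 - [int]$bits)   # addresses per prefix block
    return [math]::Floor((ConvertTo-IpNumber $Ip) / $block) -eq [math]::Floor((ConvertTo-IpNumber $net) / $block)
}
function Test-PortMatch([string]$Range, [int]$Port) {
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2]) }
    return ($Port -eq [int]$Range)
}
function Resolve-NsgAccess {
    param($Rules, [string]$Type, [string]$SrcIp, [int]$SrcPort, [string]$DstIp, [int]$DstPort, [string]$Proto)
    $tags = @{ 'Virtual_Network' = '10.0.0.0/20' }   # assumption, see above
    foreach ($r in ($Rules | Where-Object { $_.Type -eq $Type } | Sort-Object Priority)) {
        $src = if ($tags.ContainsKey($r.Source)) { $tags[$r.Source] } else { $r.Source }
        $dst = if ($tags.ContainsKey($r.Destination)) { $tags[$r.Destination] } else { $r.Destination }
        if (($r.Protocol -ne '*') -and ($r.Protocol -ne $Proto)) { continue }
        if (-not ((Test-CidrMatch $src $SrcIp) -and (Test-CidrMatch $dst $DstIp))) { continue }
        if (-not ((Test-PortMatch $r.SourcePort $SrcPort) -and (Test-PortMatch $r.DestinationPort $DstPort))) { continue }
        return $r   # first match wins; higher-numbered rules are never consulted
    }
    return $null
}
# Outbound rules of the DMZ table, including the two Azure defaults that matter here
$dmzOutbound = @(
    [pscustomobject]@{ Name='DMZ-App';             Source='10.0.2.0/25';     SourcePort='*'; Destination='10.0.0.0/25';     DestinationPort='*'; Protocol='*'; Type='Outbound'; Action='Allow'; Priority=500 }
    [pscustomobject]@{ Name='DMZ-DB';              Source='10.0.2.0/25';     SourcePort='*'; Destination='10.0.1.0/25';     DestinationPort='*'; Protocol='*'; Type='Outbound'; Action='Deny';  Priority=600 }
    [pscustomobject]@{ Name='Allow VNET Outbound'; Source='Virtual_Network'; SourcePort='*'; Destination='Virtual_Network'; DestinationPort='*'; Protocol='*'; Type='Outbound'; Action='Allow'; Priority=65000 }
    [pscustomobject]@{ Name='Deny All Outbound';   Source='*';               SourcePort='*'; Destination='*';               DestinationPort='*'; Protocol='*'; Type='Outbound'; Action='Deny';  Priority=65500 }
)
# A DMZ host talking SQL to the DB subnet is stopped by DMZ-DB (600) before the
# default VNET allow (65000) is reached; the same host reaching the App subnet is allowed.
foreach ($dst in '10.0.1.10', '10.0.0.10') {
    $hit = Resolve-NsgAccess $dmzOutbound 'Outbound' '10.0.2.10' 50000 $dst 1433 'TCP'
    '{0}:1433 -> {1} ({2}, priority {3})' -f $dst, $hit.Action, $hit.Name, $hit.Priority
}
```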

Get Started using NSGs!

At the time this post was written, NSGs are exposed only through PowerShell and the REST API. To use PowerShell, we need version 0.8.10 of the Azure PowerShell module.

The commands are as follows:

  • Get-AzureNetworkSecurityGroup
  • Get-AzureNetworkSecurityGroupConfig
  • Get-AzureNetworkSecurityGroupForSubnet
  • New-AzureNetworkSecurityGroup
  • Remove-AzureNetworkSecurityGroup
  • Remove-AzureNetworkSecurityGroupConfig
  • Remove-AzureNetworkSecurityGroupFromSubnet
  • Remove-AzureNetworkSecurityRule
  • Set-AzureNetworkSecurityGroupConfig
  • Set-AzureNetworkSecurityGroupToSubnet
  • Set-AzureNetworkSecurityRule

Here are some examples:
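As an added example (not the post's own script), the following builds the Azure DMZ NSG rules table from this post with the cmdlets listed above, attaches it to the Azure-DMZ subnet of SEVNET and reads the result back; the group name, label and the 'Southeast Asia' region are assumptions, and the subscription is assumed to be selected already.

```powershell
# Added example, not the post's own script: builds the "Azure DMZ NSG" table from this
# post with the classic cmdlets listed above (Azure PowerShell 0.8.10 or later).
# Assumptions: the subscription is already selected, the region is 'Southeast Asia',
# and the VNET/subnet are SEVNET / Azure-DMZ as in the test environment above.
$nsgName  = 'Azure-DMZ-NSG'
$location = 'Southeast Asia'   # assumption: use the region your VNET lives in

# Custom rules only; the 65000/65001/65500 defaults are created by Azure itself.
# Source ports are copied from the table as written. A client normally connects
# from an ephemeral source port, so '*' is the usual value for inbound rules from
# the Internet; pinning the source port means ordinary clients will not match.
$rules = @(
    @{ Name='RDPInternet-DMZ'; Type='Inbound';  Priority=347; Action='Allow'; Src='*';              SrcPort='63389'; Dst='10.0.2.0/25'; DstPort='63389'; Proto='TCP' }
    @{ Name='Internet-DMZSSL'; Type='Inbound';  Priority=348; Action='Allow'; Src='*';              SrcPort='443';   Dst='10.0.2.0/25'; DstPort='443';   Proto='TCP' }
    @{ Name='Internet-DMZDRS'; Type='Inbound';  Priority=349; Action='Allow'; Src='*';              SrcPort='49443'; Dst='10.0.2.0/25'; DstPort='49443'; Proto='TCP' }
    @{ Name='USVNET-DMZ';      Type='Inbound';  Priority=400; Action='Allow'; Src='192.168.0.0/20'; SrcPort='*';     Dst='10.0.2.0/25'; DstPort='*';     Proto='*'   }
    @{ Name='EUVNET-DMZ';      Type='Inbound';  Priority=401; Action='Allow'; Src='172.16.0.0/16';  SrcPort='*';     Dst='10.0.2.0/25'; DstPort='*';     Proto='*'   }
    @{ Name='DMZ-App';         Type='Outbound'; Priority=500; Action='Allow'; Src='10.0.2.0/25';    SrcPort='*';     Dst='10.0.0.0/25'; DstPort='*';     Proto='*'   }
    @{ Name='DMZ-DB';          Type='Outbound'; Priority=600; Action='Deny';  Src='10.0.2.0/25';    SrcPort='*';     Dst='10.0.1.0/25'; DstPort='*';     Proto='*'   }
)

# Create the group only if it does not exist yet.
if (-not (Get-AzureNetworkSecurityGroup -Name $nsgName -ErrorAction SilentlyContinue)) {
    New-AzureNetworkSecurityGroup -Name $nsgName -Location $location -Label 'DMZ zone NSG' | Out-Null
}

# Set-AzureNetworkSecurityRule adds or updates a rule by name, so re-running is safe.
foreach ($r in $rules) {
    $params = @{
        Name = $r.Name; Type = $r.Type; Priority = $r.Priority; Action = $r.Action
        SourceAddressPrefix = $r.Src; SourcePortRange = $r.SrcPort
        DestinationAddressPrefix = $r.Dst; DestinationPortRange = $r.DstPort; Protocol = $r.Proto
    }
    Get-AzureNetworkSecurityGroup -Name $nsgName | Set-AzureNetworkSecurityRule @params | Out-Null
}

# One NSG per subnet: attach it, then read the full rule set back (defaults included)
# and check the priority order before relying on it.
Get-AzureNetworkSecurityGroup -Name $nsgName |
    Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName 'SEVNET' -SubnetName 'Azure-DMZ' | Out-Null
Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed
```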

Personally, I will be recommending Azure NSGs for every Azure Production deployment I perform in the future!

Leave a comment below or contact us if you have any questions regarding Azure especially in more complex Enterprise scenarios.

www.wasita.net

Category:
Architecture, Azure Infrastructure, Cloud Infrastructure, Security, Strategy, Technology

20 Comments

  1. Perfect, I’ll be using this tomorrow to replace my 2 cloud service and ACL based DMZ

    • This is a great start trying to get acclimated to NSG configuration parameters. Could we expand on this to include load balancers and all the commands to create the outline environment?

      • Hi Mike,

        You can create your Load Balancers subnet for example: 10.0.3.0/25. And then you can create NSG Load Balancers subnet for example and then you can configure your rules there.
        Hope it gives some ideas

  2. Excellent, however one thing I’m unsure on, if you can assist, is: do you need to put in Inbound and Outbound rules manually? Will it co-match the rules, thereby negating the need to put in loads of inbound and outbound rules?

    • Hi James,

      What you can do to minimize mundane manual tasks creating NSG rules is using PowerShell to automate.

      Simple example:
      I created App1 NSG with all the rules. Now I want to create App2 NSG with the same rules. I can use the same script and change the Get-AzureNetworkSecurityGroup -Name "App1"; instead of "App1" I will use $Name.

      Then I can do Import-CSV style or $name = Read-Host -Prompt 'NSG Name:'

      Hope it gives some ideas

  3. I’m getting really confused with my rules… I have two subnets, call them web and office.
    web -office only SQL and AD ports
    Office to Web open fine…
    in the WEB NSG I have Outbound
    WEB SQL Allow 10.1.1.0/25 1443 10.1.10.0/25 1443 TCP Allow 341
    WEB_Office Deny 10.1.1.0/25 * 10.1.10.0./25 * TCP DENY 600
    and the normal rules

    I haven’t created an Office NSG yet, therefore it should be allowing all?

    which does deny all except ping, however it doesn’t allow SQL through either?

    Any thoughts?

    • @James : Defining outbound NSG rule is a bit tricky. So by default it will allow outbound to :
      1. Internet
      2. Comm to other subnets within your VPC

      My suggestion will be: Take a top to bottom approach ; inbound to outbound approach.
      Define what’s your strategy first and define your inbound rules first before creating your outbound. If you can secure your subnets using inbound only, even better. Usually I will block all outbound Internet connection except the DMZ and use all inbound rules before using outbound rules.

      I won’t be able to help with your NSG in detail, but ping uses ICMP, not TCP.

  4. This is great, but have a few questions.
    1. Could this setup be PCI compliant?
    2. Can this be done between VNETs or does it have to be all in 1 VNET?
    3. So you can do egress filtering on traffic to the Internet?
    4. Can this be done at a machine level, not network level?
    THANKS!!!

    • Scott, here we go:

      1) It depends on what “PCI compliant” actually means in this context. This is a fairly wide area so it would be good if you have a specific area you are referring to.
      2) At the moment NSGs are bound to a single VNet.
      3) Yes. The default INTERNET tag can be used to filter traffic to / from non-VNet sources.
      4) Yes. You can apply an NSG at a Machine or Subnet level – call Get-AzureVM first and pipe to Set-AzureNetworkSecurityGroupConfig to apply to a VM (see the usage samples here on the announcement post).

  5. We observed a strange behaviour: Ping to a server in a subnet with an NSG only allowing HTTPS (443) as incoming traffic is not possible. That is ok and correct. When then adding a rule that allows any incoming traffic (source address * and source port * and protocol *) Ping is possible. When removing the “any incoming traffic” rule ping remains possible. Any idea why? And any idea how to create a rule for ping?

    • It can take a little while for the NSG to propagate to the hosts in the subnet so it might be worth waiting for a while and then checking again. I’d recommend you check the default rules for a new subnet by using the Get-AzureNetworkSecurityGroup Cmdlet and pass it the -Detailed Flag (see example at bottom of the page linked to). Then run the same for your modified NSG and see what differences there are. You can then remove any rules that shouldn’t be there.

      • Thanks for your answer. I’m confused: after removing the complete NSG from the subnet, pinging is still possible (when there was an “allow all” rule before), but after rebooting the server pinging stopped.

  6. I understand that NSG allows for basic access control lists but what is your recommendation if you want to have packet inspection (ie a real firewall)?

  7. Hi Andreas

    Fantastic blog… 🙂

    I am trying to replicate using:
    #Create a Network Security Group
    New-AzureNetworkSecurityGroup -Name "PER_NSG" -Location "West Europe" -Label "Perimeter NSG H3QA1 Net"
    #Add, Update Rules to a NSG
    Get-AzureNetworkSecurityGroup -Name "PER_NSG" | Set-AzureNetworkSecurityRule -Name HTTPInternet-DMZ -Type Inbound -Priority 347 -Action Allow -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '10.4.2.0/24' -DestinationPortRange '80' -Protocol TCP
    Get-AzureNetworkSecurityGroup -Name "PER_NSG" | Set-AzureNetworkSecurityRule -Name HTTPSInternet-DMZ -Type Inbound -Priority 349 -Action Allow -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '10.4.2.0/24' -DestinationPortRange '443' -Protocol TCP
    Get-AzureNetworkSecurityGroup -Name "PER_NSG" | Set-AzureNetworkSecurityRule -Name RDPInternet-DMZ -Type Inbound -Priority 345 -Action Allow -SourceAddressPrefix '*' -SourcePortRange '62970' -DestinationAddressPrefix '10.4.2.0/24' -DestinationPortRange '62970' -Protocol TCP
    Get-AzureNetworkSecurityGroup -Name "PER_NSG" | Set-AzureNetworkSecurityRule -Name RDP2Internet-DMZ -Type Inbound -Priority 344 -Action Allow -SourceAddressPrefix '*' -SourcePortRange '59887' -DestinationAddressPrefix '10.4.2.0/24' -DestinationPortRange '59887' -Protocol TCP
    #Associate a NSG to a subnet
    Get-AzureNetworkSecurityGroup -Name "PER_NSG" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName 'H3QA1' -SubnetName 'A-H2PE01'

    but…after running the script

    1. Cannot telnet to port 80 or 443
    2. RDP to my VM stops

    when I:
    #Remove a NSG from the subnet
    Get-AzureNetworkSecurityGroup -Name "PER_NSG" | Remove-AzureNetworkSecurityGroupFromSubnet -VirtualNetworkName 'H3QA1' -SubnetName 'A-H2PE01'

    I can RDP to my VM’s

    Can you help?

  8. Ah! Fixed. Silly me, the RDP port number is 3389!

  9. I am using Azure backup services for my servers in Azure. And I have applied an NSG to the subnet where my VMs are deployed and blocked the INTERNET.

    But the Azure backup extension needs access to Azure datacenter IPs for a successful backup. I have downloaded the IPs from this link

    http://www.microsoft.com/en-us

    Microsoft recommends creating a rule in the NSG to allow access to all the IPs from the server.

    I am using this rule: Get-AzureNetworkSecurityGroup -Name "AZURE_BACKUP" | Set-AzureNetworkSecurityRule -Name "Allow internet" -Type Outbound -Priority 347 -Action Allow -SourceAddressPrefix '10.0.0.0/29' -SourcePortRange '*' -DestinationAddressPrefix '??????' -DestinationPortRange '*' -Protocol '*'

    But the problem is that I don’t want to run this command hundreds of times, as there are hundreds of IPs. I want to run this command once and have it fetch all the IPs from the XML file and allow access to those IPs.

    Is it possible?

    • Ronit, theoretically you could script the creation of the rules based on an input CSV, however you should be aware that there is a limit of 200 rules per NSG and you can only associate 1 NSG with a subnet, VM or NIC at once. There’s no easy solution to your situation using NSGs if you are blanket blocking all ports bound for the Internet. VPN and / or ExpressRoute would provide alternative routes to public Azure endpoints but they may not play a part in your environment. As NSGs are relatively new hopefully we’ll see some ability to allow traffic to Azure IPs using a Tag. In the meantime perhaps you want to look at standing up a virtual firewall appliance and using UDR and IP Forwarding to force traffic via that and utilise it to achieve what you are today with NSGs.

  10. Nice post. Thanks for sharing this informative post.
