Azure Networking Cookbook, Second Edition
Author: Mustafa Toroman
Published: Dec 2020
Publisher: Packt
ISBN-13: 9781800563759

Mustafa Toroman is a solution architect focused on cloud-native applications and migrating existing systems to the cloud. He is very interested in DevOps processes and cybersecurity, and he is also an Infrastructure as Code enthusiast and DevOps Institute Ambassador. Mustafa often speaks at international conferences about cloud technologies. He has been an MVP for Microsoft Azure since 2016 and a C# Corner MVP since 2020. Mustafa has also authored several books about Microsoft Azure and cloud computing, all published by Packt.
3. Network Security Groups

Network Security Groups (NSGs) are built-in tools for network control that allow us to control incoming and outgoing traffic on a network interface or at the subnet level. They contain sets of rules that allow or deny specific traffic to specific resources or subnets in Azure. An NSG can be associated with either a subnet (by applying security rules to all resources associated with the subnet) or a Network Interface Card (NIC), which is done by applying security rules to the Virtual Machine (VM) associated with the NIC.

We will cover the following recipes in this chapter:

  • Creating a new NSG in the Azure portal
  • Creating a new NSG with PowerShell
  • Creating a new allow rule in an NSG
  • Creating a new deny rule in an NSG
  • Creating a new NSG rule with PowerShell
  • Assigning an NSG to a subnet
  • Assigning an NSG to a network interface
  • Assigning an NSG to a subnet with PowerShell
  • Creating an Application Security Group (ASG...

Technical requirements

For this chapter, the following is required:

  • An Azure subscription
  • Azure PowerShell

The code samples can be found at https://github.com/PacktPublishing/Azure-Networking-Cookbook-Second-Edition/tree/master/Chapter03.

Creating a new NSG in the Azure portal

As a first step to more effectively control network traffic, we are going to create a new NSG.

Getting ready

Before you start, open your browser and go to the Azure portal, at https://portal.azure.com.

How to do it...

To create a new NSG using the Azure portal, we must follow these steps:

  1. In the Azure portal, select Create a resource and choose Network security group under Networking (or search for network security group in the search bar).
  2. The parameters we need to define for the deployment are Subscription, Resource group, Name, and Region. An example of the required parameters is shown in Figure 3.1:
    Figure 3.1: Creating a new NSG using the Azure portal

After the deployment has been validated and started (it takes a few moments to complete), the NSG is ready for use.

How it works...

The NSG deployment can be initiated during a VM deployment. This will associate the NSG to the NIC associated with the...

Creating a new NSG with PowerShell

Alternatively, we can create an NSG using PowerShell. The advantage of this approach is that we can add NSG rules in a single script, creating custom rules right after the NSG is created. This allows us to automate the deployment process and create our own default rules right after the NSG has been created.

Getting ready

Open the PowerShell console and make sure you are connected to your Azure subscription. Refer to Chapter 1, Azure Virtual Network, for a refresher on how to do this.

How to do it...

To deploy a new NSG, execute the following command:

# Create an empty NSG (it starts with only the default rules) in the Chapter 1 resource group
New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName "Packt-Networking-Script" -Location "westeurope"

How it works...

The script is using the Resource Group (RG) that was deployed in Chapter 1, Azure Virtual Network (we will use the same RG for all deployments). Otherwise, a new RG needs to be deployed prior to executing the script. The final outcome...

Creating a new allow rule in an NSG

When a new NSG is created, only the default rules are present, which allow all outbound traffic and block all inbound traffic. To change these, additional rules need to be created. First, we are going to show you how to create a new rule to allow inbound traffic.

Getting ready

Before you start, open your browser and go to the Azure portal at https://portal.azure.com. Locate the previously created NSG.

How to do it...

To create a new NSG allow rule using the Azure portal, we must follow these steps:

  1. In the NSG pane, locate the Inbound security rules option under Settings.
  2. Click on the Add button at the top of the page and wait for the new pane to open:

    Figure 3.2: Creating a new NSG allow rule using the Azure portal

  3. In the new pane, we need to provide information for the Source (location and port range), Destination (location and port range), Protocol, Action, Priority, Name, and Description fields. If you want to allow...

Creating a new deny rule in an NSG

When a new NSG is created, only the default rules are present. The default rules allow all outbound traffic and block all inbound traffic. To change this, additional rules need to be created. Now, we are going to show you how to create a new outbound rule to deny traffic.

Getting ready

Before you start, open your browser and go to the Azure portal at https://portal.azure.com. Locate the previously created NSG.

How to do it...

To create a new NSG deny rule using the Azure portal, we must follow these steps:

  1. In the NSG pane, locate the Outbound security rules option under Settings.
  2. Click on the Add button at the top of the page and wait for the new pane to open:
    Figure 3.4: Creating a new NSG deny rule using the Azure portal

  3. In the new pane, we need to provide information for Source (location and port range), Destination (location and port range), Protocol, Action, Priority, Name, and Description. If you want to deny traffic...

Creating a new NSG rule with PowerShell

Alternatively, we can create an NSG rule using PowerShell. This command can be executed right after the NSG has been created, allowing us to create and configure an NSG in a single script. This way, we can standardize deployment and have rules applied each time an NSG is created.

Getting ready

Open the PowerShell console and make sure you are connected to your Azure subscription.

How to do it...

To create a new NSG rule, execute the following command:

# Fetch the NSG created in the previous recipe
$nsg = Get-AzNetworkSecurityGroup -Name 'nsg1' -ResourceGroupName 'Packt-Networking-Script'
# Add an inbound allow rule for HTTPS from the Internet, then write the NSG back to Azure
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow_HTTPS' -Description 'Allow_HTTPS' -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443 | Set-AzNetworkSecurityGroup

How it works...

Using a script, creating an NSG rule is just a matter...
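The two PowerShell recipes above (creating the NSG, then adding a rule to it) can be collapsed into the single script that the "Creating a new NSG with PowerShell" recipe promises. The following is an added example, not code from the book or its GitHub repository: it builds an inbound allow rule and an outbound deny rule first, creates the NSG with both in one call, and then lists the custom and default rules so the resulting priority order can be checked. It assumes the resource group Packt-Networking-Script from Chapter 1 exists and that you are already connected; the NSG name nsg2 and the rule names are illustrative.

```powershell
# Added example (not from the book): create an NSG and its custom rules in one script.
# Assumes the Chapter 1 resource group exists and Connect-AzAccount has been run.
$rg       = 'Packt-Networking-Script'
$location = 'westeurope'

# 1. Build the rule objects first; New-AzNetworkSecurityGroup accepts them via -SecurityRules.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'Allow_HTTPS_Inbound' `
    -Description 'Allow HTTPS from the Internet' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443

# Lower priority numbers are evaluated first. This deny at 4000 is matched only by outbound
# traffic that no more specific allow rule caught, and it sits ahead of the built-in
# AllowInternetOutBound rule (priority 65001), which it therefore overrides.
$denyOutbound = New-AzNetworkSecurityRuleConfig -Name 'Deny_Internet_Outbound' `
    -Description 'Block outbound Internet traffic unless explicitly allowed' `
    -Access Deny -Protocol '*' -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix Internet -DestinationPortRange '*'

# 2. Create the NSG with both rules in a single call (nsg2 is an illustrative name).
$nsg = New-AzNetworkSecurityGroup -Name 'nsg2' -ResourceGroupName $rg -Location $location `
    -SecurityRules $allowHttps, $denyOutbound

# 3. Check: list the custom rules in evaluation order ...
$nsg | Get-AzNetworkSecurityRuleConfig |
    Select-Object Name, Priority, Direction, Access, Protocol, DestinationPortRange |
    Sort-Object Direction, Priority | Format-Table -AutoSize

# ... and the default rules (priority 65000 and above), which every NSG carries and which
# cannot be deleted, only overridden by a custom rule with a lower priority number.
$nsg | Get-AzNetworkSecurityRuleConfig -DefaultRules |
    Select-Object Name, Priority, Direction, Access | Format-Table -AutoSize
```

Building the rules with New-AzNetworkSecurityRuleConfig and passing them to -SecurityRules means the NSG never exists in Azure without its rules, which is the point of standardizing deployment in a script: there is no window in which the group is attached with only the defaults in place.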

Assigning an NSG to a subnet

The NSG and its rules must be assigned to a resource to have any impact. Here, you are going to see how to associate an NSG with a subnet.

Getting ready

Before you start, open your browser and go to the Azure portal at https://portal.azure.com. Locate the previously created NSG.

How to do it...

To assign an NSG to a subnet, follow these steps:

  1. In the NSG pane, locate the Subnets option under Settings.
  2. Click on the Associate button at the top of the page and wait for the new pane to open:
    Figure 3.6: Assigning an NSG to a subnet

  3. In the new pane, first select the virtual network that contains the subnet you want to associate the NSG with, and then select the subnet, as seen in Figure 3.7:
    Figure 3.7: Associating the subnet with the NSG

  4. After submitting the change, the subnet will appear in a list of associated subnets:
    Figure 3.8: A list of associated subnets

How it works...

When an NSG is associated with a...

Assigning an NSG to a network interface

Now, we are going to widen our scope and show you how to associate an NSG with a network interface.

Getting ready

Before you start, open your browser and go to the Azure portal at https://portal.azure.com. Locate the previously created NSG.

How to do it...

To assign an NSG to a network interface, follow these steps:

  1. In the NSG pane, locate the Network interfaces option under Settings.
  2. Click on the Associate button at the top of the page and wait for the new pane to open:
    Figure 3.9: Assigning the NSG to a network interface

  3. Select the NIC you want to associate the NSG with from the list of those available:
    Figure 3.10: Associating with the network interface

How it works...

When an NSG is associated with a NIC, the NSG rules apply only to that single NIC (or to the VM associated with the NIC). A NIC can be directly associated with only one NSG, but the subnet associated with the NIC can have an association...

Assigning an NSG to a subnet with PowerShell

Alternatively, we can associate an NSG using Azure PowerShell. In this recipe, we are going to show you how to associate an NSG with a subnet.

Getting ready

Open the PowerShell console and make sure you are connected to your Azure subscription.

How to do it...

To associate an NSG with a subnet, execute the following command:

# Collect the virtual network and the subnet that should receive the NSG
$vnet = Get-AzVirtualNetwork -Name 'Packt-Script' -ResourceGroupName 'Packt-Networking-Script'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name BackEnd
# Fetch the NSG and set it on the subnet configuration object
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName 'Packt-Networking-Script' -Name 'nsg1'
$subnet.NetworkSecurityGroup = $nsg
# Write the modified virtual network (and with it the subnet association) back to Azure
Set-AzVirtualNetwork -VirtualNetwork $vnet

How it works...

To assign an NSG using PowerShell, we need to collect information on the virtual network, subnet, and NSG. When all of the information is gathered, we can perform the association using the Set-AzVirtualNetwork...
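The "Assigning an NSG to a network interface" recipe shows the NIC-level association only in the portal, and this recipe shows the subnet-level one in PowerShell. The following added example (not code from the book or its repository) performs the NIC-level association in PowerShell and then reads back the rules that are actually in effect on that NIC, which is the check a practitioner wants when both a subnet NSG and a NIC NSG exist: traffic must pass both, so a deny in either one wins. It assumes the NSG nsg1 and resource group from the earlier recipes; the NIC name vm1-nic is illustrative and must be replaced with the NIC of one of your VMs.

```powershell
# Added example (not from the book): associate nsg1 with a VM's NIC, then inspect the
# effective rules on that NIC. 'vm1-nic' is an illustrative name; substitute your own NIC.
$rg  = 'Packt-Networking-Script'
$nsg = Get-AzNetworkSecurityGroup -Name 'nsg1' -ResourceGroupName $rg
$nic = Get-AzNetworkInterface -Name 'vm1-nic' -ResourceGroupName $rg

# A NIC holds at most one NSG reference; assigning here replaces any previous association.
# (Setting the property to $null and calling Set-AzNetworkInterface removes the association.)
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Check: the effective rules combine the NIC-level NSG with any NSG on the NIC's subnet.
# Azure computes this only for a running VM, so start the VM first if it is deallocated.
$effective = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name -ResourceGroupName $rg

foreach ($group in $effective) {
    # Each entry reports which NSG it came from and where that NSG is attached
    $source = if ($group.Association.Subnet) { 'subnet' } else { 'network interface' }
    "Rules from NSG $($group.NetworkSecurityGroup.Id.Split('/')[-1]) (attached at $source):"
    $group.EffectiveSecurityRules |
        Select-Object Name, Priority, Direction, Access, Protocol, DestinationPortRange |
        Sort-Object Direction, Priority | Format-Table -AutoSize
}
```

Reading the effective rules is more reliable than reading the NSG definitions one by one, because it reflects the combined evaluation Azure performs: a rule allowed at the subnet level but denied at the NIC level (or the reverse) shows up here as the deny that actually applies.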

Creating an Application Security Group (ASG)

ASGs are an extension of NSGs that let us write rules with finer control over traffic. With NSGs alone, a rule can allow or deny traffic only for a specific source, IP address, or subnet. ASGs add a further check: a rule can match traffic based on which ASG a resource belongs to, not only on where the resource sits in the network. For example, with NSGs, we can create a rule that subnet A can communicate with subnet B. If our application structure supports it and we have an associated ASG, we can place resources in application groups. With that element in place, we can create a rule that allows communication between subnet A and subnet B, but only if the resources belong to the same application.

Getting ready

Before you start, open your browser and go to the Azure portal at https://portal.azure.com.

How to do it...

To create an ASG using the Azure portal, we must follow these steps:

  1. In the Azure portal, select Create...

Associating an ASG with a VM

After creating an ASG, we must associate it with a VM. After this is done, we can create rules with the NSG and ASG for traffic control.

Getting ready

Before you start, open your browser and go to the Azure portal at https://portal.azure.com. Locate the previously created VM.

How to do it...

To associate an ASG with a VM, we must follow these steps:

  1. In the VM pane, locate the Networking settings.
  2. In the Networking settings, select the Application security groups tab, as shown in Figure 3.12:
    Figure 3.12: Associating an ASG with a VM

  3. In the Application security groups settings, select Configure the application security groups, as shown in Figure 3.13:
    Figure 3.13: Configuring ASGs

  4. In the new pane from the list of available ASGs, select the ASG that you want to associate the VM with:
    Figure 3.14: Associating an ASG with a VM

  5. After clicking Save, it takes a few seconds to apply the changes, after which the VM will be associated...

Creating rules with an NSG and an ASG

As a final step, we can use NSGs and ASGs together to create new rules with better control. This approach lets us limit incoming traffic not only by subnet but also by whether the resource is a member of the ASG.

Getting ready

Before you start, open your browser and go to the Azure portal at https://portal.azure.com. Locate the previously created NSG.

How to do it...

To create a rule using both an ASG and an NSG, we must follow these steps:

  1. In the NSG pane, find Inbound security rules. Select Add to add a new rule.
  2. For the source, select Application Security Group, and then select the ASG you want to use as the source. We also need to provide parameters for Source, Source port ranges, Destination, Destination port ranges, Protocol, Action, Priority, Name, and Description. An example is shown in Figure 3.15:
    Figure 3.15: Adding an inbound security rule

How...
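The three ASG recipes (creating an ASG, associating it with a VM, and writing an NSG rule that uses it) are shown above only in the portal. The following added example, which is not code from the book or its repository, carries the same procedure out in PowerShell so it can be scripted alongside the NSG recipes: it creates two ASGs for a web tier and an app tier, makes a VM a member of the web ASG through its NIC, and adds a rule to nsg1 whose source and destination are ASGs rather than address prefixes. It assumes nsg1 and the resource group from the earlier recipes; the names web-asg, app-asg and vm1-nic are illustrative.

```powershell
# Added example (not from the book): ASG creation, VM membership and an ASG-based NSG rule.
# 'web-asg', 'app-asg' and 'vm1-nic' are illustrative names; nsg1 and the RG are from earlier recipes.
$rg       = 'Packt-Networking-Script'
$location = 'westeurope'   # ASGs must be in the same region as the NSG that references them

# 1. ASGs are resources in their own right, created independently of any NSG.
$webAsg = New-AzApplicationSecurityGroup -Name 'web-asg' -ResourceGroupName $rg -Location $location
$appAsg = New-AzApplicationSecurityGroup -Name 'app-asg' -ResourceGroupName $rg -Location $location

# 2. Membership is recorded on the NIC's IP configuration, so a VM joins an ASG through its NIC.
#    Assigning the list directly avoids touching the other IP configuration settings.
$nic = Get-AzNetworkInterface -Name 'vm1-nic' -ResourceGroupName $rg
$nic.IpConfigurations[0].ApplicationSecurityGroups = @($webAsg)
$nic | Set-AzNetworkInterface | Out-Null

# 3. Rule: only members of web-asg may reach members of app-asg on TCP 8080.
#    The ASG parameters take the place of -SourceAddressPrefix / -DestinationAddressPrefix;
#    a rule cannot combine an address prefix and an ASG on the same side.
#    Priority 110 leaves the Allow_HTTPS rule (100) from the earlier recipe untouched.
$nsg = Get-AzNetworkSecurityGroup -Name 'nsg1' -ResourceGroupName $rg
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow_Web_To_App' `
    -Description 'Web tier to app tier only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceApplicationSecurityGroupId $webAsg.Id -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $appAsg.Id -DestinationPortRange 8080 |
    Set-AzNetworkSecurityGroup | Out-Null

# Check: the stored rule references the ASGs by resource ID, not by any IP address.
$rule = Get-AzNetworkSecurityGroup -Name 'nsg1' -ResourceGroupName $rg |
    Get-AzNetworkSecurityRuleConfig -Name 'Allow_Web_To_App'
"Source ASGs:      $($rule.SourceApplicationSecurityGroups.Id -join ', ')"
"Destination ASGs: $($rule.DestinationApplicationSecurityGroups.Id -join ', ')"
```

Because the rule is written against group membership, a VM that is later moved to another subnet, or re-addressed, keeps the same access as long as its NIC stays in the ASG; conversely, a VM that is removed from web-asg loses access to the app tier without any rule having to change.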
