Network Security Group

https://www.greatminditacademy.com/

Azure Network Security groups

  • Azure Network Security Groups (NSGs) filter network traffic to and from Azure resources
  • An NSG contains security rules that allow or deny inbound traffic and outbound traffic

  • Every NSG has security rules. Each security rule has the following properties:
    • Name
    • Priority: a number between 100 and 4096 (lower numbers are evaluated first)
    • Source: an individual IP, Any, or a CIDR range for the source
    • Destination: an individual IP, Any, or a CIDR range for the destination
    • Protocol: TCP, UDP, ICMP or Any
    • Direction: Inbound or Outbound
    • Port Range: the port(s) the rule applies to
    • Action: Allow or Deny
  • Let's create a network security group in Azure:
    • Create a resource group
    • Create an NSG






  • The NSG we create already contains some security rules, referred to as default security rules
  • These default security rules:
    • allow all outbound traffic (from an Azure resource to anywhere)
    • allow all inbound traffic within the virtual network (between Azure resources in a VNet)
    • allow all communication from the Azure load balancer to Azure resources in a VNet
LAB Practice: Create a network security group which
  • allows ping and HTTP (TCP port 80) communication from anywhere
  • allows TCP port 3306 from 100.120.200.220
  • denies TCP port 3306 from anywhere


Next steps?
  • Why leave space in the numbering of rules
  • NSGs can be applied to subnets as well
  • Consider one enterprise architecture and design NSGs for it
  • Why leave gaps between security rule priorities?
  • Security rules in an NSG have priorities from 100 to 4096.
  • Generally it is good practice to leave some numbers unused between security rules. The reason is to accommodate changes in the future: a new rule can be inserted between two existing ones without renumbering them
  • Consider this NSG:


  • An NSG can be applied to a subnet as well.
  • Let's try to create the network, subnets and NSGs for the architecture shown below




Now let's try to create an NSG rule for the Application Gateway subnet
  • so that only ports 443 and 80 are allowed from the internet


Now let's apply this NSG to the Application Gateway subnet









Now let's try to create an NSG for the Management subnet which
  • allows port 3389 from anywhere (ideally this would be your organization's network range)




  • If the NSG associated with the NIC and the NSG associated with the subnet contradict each other (one says allow and the other says deny), deny always wins: inbound traffic has to be allowed by both NSGs to reach the resource
  • Let's look at this scenario




  • Create an NSG rule for subnet3 that
    • allows all connections from the subnet1 CIDR range
    • denies all connections from the subnet2 CIDR range
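To make the rule-evaluation behaviour concrete (priority order, gaps between priorities, the default rules, and "deny wins" when a subnet NSG and a NIC NSG disagree), here is a small simulator of inbound NSG evaluation. It is an added example written for this page, not Azure code; the VirtualNetwork and AzureLoadBalancer service tags are modelled as constructed address ranges, and the subnet CIDRs are assumed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 100..4096 for user rules; the lowest number is evaluated first
    source: str      # "Any", a single IP, or a CIDR range
    port: str        # "Any" or a single port number
    protocol: str    # "Tcp", "Udp", "Icmp" or "Any"
    action: str      # "Allow" or "Deny"

# Azure's default inbound rules; the VirtualNetwork tag is modelled here as a constructed 10/8 range.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "10.0.0.0/8", "Any", "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "168.63.129.16", "Any", "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "Any", "Any", "Any", "Deny"),
]

def _matches(rule, src_ip, port, proto):
    src_ok = rule.source == "Any" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(
        rule.source, strict=False)
    port_ok = rule.port == "Any" or int(rule.port) == port
    proto_ok = rule.protocol == "Any" or rule.protocol == proto
    return src_ok and port_ok and proto_ok

def evaluate(rules, src_ip, port, proto):
    """Walk user + default rules in ascending priority; the first match decides."""
    if any(not 100 <= r.priority <= 4096 for r in rules):
        raise ValueError("user rule priorities must lie within 100-4096")
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, src_ip, port, proto):
            return rule.action, rule.name
    return "Deny", "implicit"  # DenyAllInBound matches everything, so never reached

def effective(subnet_nsg, nic_nsg, src_ip, port, proto):
    """Inbound traffic is checked by the subnet NSG, then the NIC NSG: both must allow."""
    for rules in (subnet_nsg, nic_nsg):
        action, name = evaluate(rules, src_ip, port, proto)
        if action == "Deny":
            return "Deny", name
    return "Allow", None

# The lab NSG from this post, with gaps left between priorities for future rules.
LAB_NSG = [
    Rule("AllowHTTP", 100, "Any", "80", "Tcp", "Allow"),
    Rule("AllowPing", 110, "Any", "Any", "Icmp", "Allow"),
    Rule("AllowMySQLFromAdmin", 200, "100.120.200.220", "3306", "Tcp", "Allow"),
    Rule("DenyMySQL", 210, "Any", "3306", "Tcp", "Deny"),
]
```

Because the allow for 100.120.200.220 sits at priority 200 and the deny-all for 3306 at 210, the admin host gets through while everyone else is denied; swapping those two priorities would silently lock the admin out.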
