Shawn Ismail, profile picture
Uploaded byShawn Ismail
PPTX, PDF5,551 views

Azure Network Security Groups (NSG)

The document covers an overview of Azure security, specifically focusing on Azure Network Security Groups (NSGs) and their configuration for managing inbound and outbound traffic in virtual networks. It details the importance of cloud security, customer expectations from cloud providers, and provides examples and PowerShell commands to create and manage NSGs effectively. Key points include the construction of NSGs, default rules, and best practices for applying NSGs to subnets, virtual machines, and network interfaces.

Embed presentation

Downloaded 411 times
SHAWN ISMAIL My twitter is @shawnismail, my blog is at http://cloudranger.net and I work at ARCHITECT | CONSULTANT | GENEROUS
WHAT WE WILL TALK ABOUT TODAY… 1.Overview of Azure security 2.Azure Network Security Groups (NSG) 3.Demo of NSGs in action
Cloud adaptability is strongly tied to Cloud Security IN CLOUD WHERE WE ARE TODAY? • IT is playing an increasingly important role in driving business strategy since the emergence of cloud • Still many CIOs hesitate to fully embrace cloud-first approach • Large-scale data breaches dominated headlines in 2014- 2015
Cloud adaptability is strongly tied to Cloud Security WHAT CUSTOMERS WANT FROM CLOUD PROVIDERS • Secure our data • Keep our data private • Give us control • Promote transparency • Maintain compliance MICROSOFTCLOUDINFRASTRUCTURE SUPPORTS1BILLIONCUSTOMERS, 140 COUNTRIES, 10LANGUAGESAND24 CURRENCIES
The logical isolations; Software Defined Networking (SDN) takes a lead AZURE NETWORK PROTECTION • Network Isolation • Virtual Networks • VPN and Express Route IFYOU’RERESISTING THECLOUD BECAUSEOFSECURITY CONCERNS, YOU’RERUNNING OUTOFEXCUSES
A representation of your own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 SUBSCRIPTION VNET SUBNET SUBNET VNET VNET
A representation of your own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Virtual Network (MyVNET2) WFE2 DC2 SQL2
A representation of your own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Address Space: 10.1.0.0/16 MySubnet1: 10.1.0.0/24 (10.1.0.0 - 10.1.0.255) 10.1.0.5 10.1.0.6 10.1.0.7
A representation of your own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Address Space: 10.1.0.0/16 MySubnet1: 10.1.0.0/24 (10.1.0.0 - 10.1.0.255) 10.1.0.5 10.1.0.6 10.1.0.7 Virtual Network (MyVNET2) WFE2 DC2 SQL2 Address Space: 10.2.0.0/16 MySubnet2: 10.2.0.0/24 (10.2.0.0 - 10.2.0.255) 10.2.0.5 10.2.0.6 10.2.0.7
Multiple subnets in a VNet AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Address Space: 10.1.0.0/16 MySubnet1: 10.1.1.0/24 (10.1.1.0 - 10.1.1.255)10.1.1.5 10.1.1.6 10.1.1.7 FS1 EX1 MySubnet2: 10.1.2.0/24 (10.1.2.0 - 10.1.2.255) 10.1.2.5 10.1.2.6
Azure Network Security Groups WHAT ARE AZURE NSGS? NSGs are used to control inbound and outbound access to Subnets, VMs and network interfaces (NICs). NSGs are not Endpoint ACLs! Each NSG contains one or more rules Each rule determines if a traffic is Approved or Denied Approval and Denial in each rule is based on source IP address, source port, destination IP address, and destination port Rules have priorities There are some Default rules in each NSG when they are created
Azure Network Security Groups Construct NSG CONSTRUCT Every NSG has a: Name Location Resource Group Name Create NSG in PowerShell: New-AzureNetworkSecurityGroup -Name “MySQL-NSG" -Location "East US 2" -ResourceGroupName “MyRGEast2"
Azure Network Security Groups Rule Construct NSG RULE CONSTRUCT A rule specifies the following: Name: A unique identifier for the rule Direction: Inbound/Outbound Priority: Access: Allow/Deny Source IP Address: CIDR of source IP or IP range Source Port Range: Destination IP Range: CIDR of the destination IP or IP Range Destination Port Range: Protocol: TCP/UPP/Both Description: PowerShell: Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-P“ -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.6" - DestinationPortRange “1433" -Protocol "*" -Description “TO MySQL1 server from FE Servers"
Azure Network Security Groups Default Rules NSG DEFAULT RULES NSGs have default rules Default rules cannot be deleted Default rules have the lowest priority Can be easily overwritten by higher priority rules
Azure Network Security Groups Default Rules NSG DEFAULT RULES Notice the Default Tags
Where to apply an NSG is based on individual requirements WHERE CAN AN NSG BE APPLIED? Apply/Associate NSG to a Subnet Apply/Associate NSG to an individual VM Apply/Associate NSG to a NIC Your organization may create a best practice that works for you
OUR SCENARIO MyBESubnet: 1. Inbound- Allow all traffic from MyFESubnet to MyDC1 2. Inbound - Allow only traffic from MyFESubnet to MySQL1 on Port 1433 3. Outbound - Deny all traffic to INTERNET Virtual Network (MyVNET1) MyWFE1 MyDC1 MySQL1 Address Space: 10.1.0.0/16 MyFESubnet: 10.1.2.0/24 (10.1.2.0 - 10.1.2.255) 10.1.1.4 MyBESubnet: 10.1.1.0/24 (10.1.1.0 - 10.1.1.255) 10.1.2.4 10.1.1.5 MyFESubnet: 1. Inbound - Allow all traffic from MyBESubnet 2. Inbound - Only allow INTERNET traffic on port 80 to MyWFE1
Thank You! Organizers, SponsorsandYouformakingthispossible. MoreSlidesAt Slideshare.Net/shawnismail MoreFreeAzureVideosAt CloudRanger.net MoreProfessionalHelpAt 2toLead.com Message Me On LinkedIn or Email shawn@2toLead.com ARCHITECT | CONSULTANT | GENEROUS My twitter is @shawnismail, my blog is at http://cloudranger.net, and I work at
ARCHITECT | CONSULTANT | GENEROUS Appendix Add-AzureAccount Get-AzureSubscription Switch-AzureMode AzureResourceManager # Create NSG New-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2" $nsgroup = Get-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2" # Allow Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyBESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "All all RDP traffic to MyBESubnet" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyDC1-MyFESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.4" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyFESubnet to MyDC1" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-MyFESubnet-P1433" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.5" -DestinationPortRange "1433" -Protocol "*" -Description "Allow traffic from MyFESubnet on port 1433 to MySQL1" # Deny Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyFESubnet-MyBESubnet" -Direction Inbound -Priority 2000 -Access Deny -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Deny all inbound traffic from MyBESubnet" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET" -Direction Outbound -Priority 2001 -Access Deny -SourceAddressPrefix "10.1.1.0/24" -SourcePortRange "*" -DestinationAddressPrefix "INTERNET" -DestinationPortRange "*" -Protocol "*" -Description "Deny all Outbound traffic to the Internet" # Attach all created rules to Network Security Group Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup # Remove # Remove-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2" # Remove-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET"
ARCHITECT | CONSULTANT | GENEROUS Appendix A Add-AzureAccount Get-AzureSubscription Switch-AzureMode AzureResourceManager # Ceate NSG New-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2" $nsgroup = Get-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2" # Allow Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "All all RDP traffic to MyFESubnet" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-MyBESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.1.0/24" - SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyBESubnet to MyFESubnet" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyWFE1-INETRNET-P80" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" - DestinationAddressPrefix "10.1.2.4" -DestinationPortRange "80" -Protocol "*" -Description "Allow port 80 traffic to MyWFE1" # Attach all created rules to Network Security Group Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup # Remove # Remove-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"
ARCHITECT | CONSULTANT | GENEROUS Appendix B Run to listen to a port on a server A: $Listener = [System.Net.Sockets.TcpListener]1433 $Listener.Start() $Listener.AcceptTcpClient() Run on Server B to connect client to server A: (new-object Net.Sockets.TcpClient).Connect(“SERVERBIP", 1433)

More Related Content

PDF
Understanding Azure Networking Services
byInCycleSoftware
 
PPTX
PPT Azure Firewall vs 3rd Party NVA Comparison v1.0.pptx
byFadhilMuhammad80
 
PPTX
A Deepdive into Azure Networking
byKarim Vaes
 
PPTX
Azure WAF
byCheah Eng Soon
 
PDF
Azure Service Endpoints vs. Private Links
byMatthias Güntert
 
PPTX
Let's Talk About: Azure Networking
byPedro Sousa
 
PPTX
Microsoft Azure Networking Basics
bySai Kishore Naidu
 
PDF
Az 104 session 6 azure networking part2
byAzureEzy1
 
Understanding Azure Networking Services
byInCycleSoftware
 
PPT Azure Firewall vs 3rd Party NVA Comparison v1.0.pptx
byFadhilMuhammad80
 
A Deepdive into Azure Networking
byKarim Vaes
 
Azure WAF
byCheah Eng Soon
 
Azure Service Endpoints vs. Private Links
byMatthias Güntert
 
Let's Talk About: Azure Networking
byPedro Sousa
 
Microsoft Azure Networking Basics
bySai Kishore Naidu
 
Az 104 session 6 azure networking part2
byAzureEzy1
 

What's hot

PPTX
Azure Networking (1).pptx
byRazith2
 
PPTX
Microsoft Azure Technical Overview
bygjuljo
 
PPTX
Introduction to Microsoft Azure
byKasun Kodagoda
 
PPTX
Azure vnet
byzekeLabs Technologies
 
PDF
Microsoft Azure Fundamentals
byAdwait Ullal
 
PDF
Microsoft Azure Active Directory
byDavid J Rosenthal
 
PDF
Az 104 session 5: Azure networking
byAzureEzy1
 
PDF
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
byEdureka!
 
PDF
Azure Site Recovery - BC/DR - Migrations & assessments in 60 minutes!
byJohan Biere
 
PDF
Azure Security Overview
byDavid J Rosenthal
 
PPTX
Azure Identity and access management
byDinusha Kumarasiri
 
PDF
Introduction to Azure
byRobert Crane
 
PDF
Microsoft Azure Overview
byDavid J Rosenthal
 
PDF
Introduction to Microsoft Azure Cloud
byDinesh Kumar Wickramasinghe
 
PDF
Az 104 session 3 azure compute
byAzureEzy1
 
PPTX
AZ-900T01 Microsoft Azure Fundamentals-01.pptx
bysayyedghazali
 
PDF
Azure 101
byKorry Lavoie
 
PDF
Microsoft Azure Security Overview
byAlert Logic
 
PPTX
Introduction to Microsoft Azure
byGuy Barrette
 
PDF
AZ-900 Azure Fundamentals.pdf
byssuser5813861
 
Azure Networking (1).pptx
byRazith2
 
Microsoft Azure Technical Overview
bygjuljo
 
Introduction to Microsoft Azure
byKasun Kodagoda
 
Azure vnet
byzekeLabs Technologies
 
Microsoft Azure Fundamentals
byAdwait Ullal
 
Microsoft Azure Active Directory
byDavid J Rosenthal
 
Az 104 session 5: Azure networking
byAzureEzy1
 
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
byEdureka!
 
Azure Site Recovery - BC/DR - Migrations & assessments in 60 minutes!
byJohan Biere
 
Azure Security Overview
byDavid J Rosenthal
 
Azure Identity and access management
byDinusha Kumarasiri
 
Introduction to Azure
byRobert Crane
 
Microsoft Azure Overview
byDavid J Rosenthal
 
Introduction to Microsoft Azure Cloud
byDinesh Kumar Wickramasinghe
 
Az 104 session 3 azure compute
byAzureEzy1
 
AZ-900T01 Microsoft Azure Fundamentals-01.pptx
bysayyedghazali
 
Azure 101
byKorry Lavoie
 
Microsoft Azure Security Overview
byAlert Logic
 
Introduction to Microsoft Azure
byGuy Barrette
 
AZ-900 Azure Fundamentals.pdf
byssuser5813861
 

Similar to Azure Network Security Groups (NSG)

PPTX
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptx
byjayshuklatrainer
 
PPTX
Network security group by Bhawna vishwakarma
byHeartless24
 
PPTX
CCI2018 - Azure Network - Security Best Practices
bywalk2talk srl
 
PPTX
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
byThuan Ng
 
PPTX
Trust No-One Architecture For Services And Data
byAidan Finn
 
PPTX
Securing your cloud perimeter with azure network security brk3185
byjtaylor707
 
PDF
Global Azure Bootcamp 2018 - Azure Network Security
byScott Hoag
 
PPTX
Securely Publishing Azure Services
byBizTalk360
 
PDF
AZ900-AzureFundamentals-part-11.pdf
byssuser2dbaee
 
PDF
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
byPriyanka Aash
 
PDF
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
byPriyanka Aash
 
PDF
Securing Azure Sql Server
byMitesh Chauhan
 
PDF
Networking deep dive
byJeroen Niesen
 
PPTX
ciplaasfqewfefewtwegndkvndsgjbsdz-dfafd.pptx
bykreshenka
 
PPTX
Segmentation on azure platform
byRachata Watthanawong
 
PPTX
AzureSecurity - Day2 - Azure Network Security
by2nd Sight Lab
 
PDF
An Azure Primer for the AWS Solution Architect - DevOps West 2020
byDerek Ashmore
 
PDF
Experts Live Norway - Azure Infrastructure Security
byTom Janetscheck
 
PPTX
CCI2019 - Architecting and Implementing Azure Networking
bywalk2talk srl
 
DOCX
AZ500 Secure Networking. and how things are implemented
bybharat4704
 
A_Z-_104_T0_0_A-EN_U-Power_Point_04.pptx
byjayshuklatrainer
 
Network security group by Bhawna vishwakarma
byHeartless24
 
CCI2018 - Azure Network - Security Best Practices
bywalk2talk srl
 
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
byThuan Ng
 
Trust No-One Architecture For Services And Data
byAidan Finn
 
Securing your cloud perimeter with azure network security brk3185
byjtaylor707
 
Global Azure Bootcamp 2018 - Azure Network Security
byScott Hoag
 
Securely Publishing Azure Services
byBizTalk360
 
AZ900-AzureFundamentals-part-11.pdf
byssuser2dbaee
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
byPriyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
byPriyanka Aash
 
Securing Azure Sql Server
byMitesh Chauhan
 
Networking deep dive
byJeroen Niesen
 
ciplaasfqewfefewtwegndkvndsgjbsdz-dfafd.pptx
bykreshenka
 
Segmentation on azure platform
byRachata Watthanawong
 
AzureSecurity - Day2 - Azure Network Security
by2nd Sight Lab
 
An Azure Primer for the AWS Solution Architect - DevOps West 2020
byDerek Ashmore
 
Experts Live Norway - Azure Infrastructure Security
byTom Janetscheck
 
CCI2019 - Architecting and Implementing Azure Networking
bywalk2talk srl
 
AZ500 Secure Networking. and how things are implemented
bybharat4704
 

More from Shawn Ismail

PPTX
Lesson 2- Part 2 - Implementing and managing virtual networks with Azure Powe...
byShawn Ismail
 
PPTX
Exam 70-533 Module 2 -Lesson 2 (Part 1) Implementing and managing virtual net...
byShawn Ismail
 
PPTX
Exam 70-533 Module 2-Lesson 1 - Overview of Azure networking
byShawn Ismail
 
PPTX
Exam 70-533 Module 1-Lesson 6 - Overview of Azure deployment models
byShawn Ismail
 
PPTX
Exam 70-533 Module 1-Lesson 5 - Managing Azure with Azure CLI
byShawn Ismail
 
PPTX
Exam 70-533 Module 1-Lesson 4 - Managing Azure with Windows PowerShell
byShawn Ismail
 
PPTX
Exam 70-533 Module 1-Lesson 3 - Managing Azure with the Azure portal
byShawn Ismail
 
PPTX
Exam 70-533 Module 1-Lesson 2 - Overview of Azure
byShawn Ismail
 
PPTX
Exam 70-533 Module 1-Lesson 1 - Cloud technology overview
byShawn Ismail
 
PPTX
Exam 70-533 Module 0-Lesson 2 - Overview of Exam 70-533
byShawn Ismail
 
PPTX
Exam 70-533 Module 0-Lesson 1 - About this course
byShawn Ismail
 
PPTX
48. Azure Active Directory - Part 1
byShawn Ismail
 
PPTX
Session 44 - Azure SQL Database - Part 1 - Introduction
byShawn Ismail
 
PPTX
Session 39 azure storage - part 2 - blob storage and security
byShawn Ismail
 
PPTX
Microsoft Azure Training - [13] Azure Virtual Networks-Part 7-VNet-to-VNet Co...
byShawn Ismail
 
PPTX
Microsoft Azure Training - [11]Azure Virtual Networks -Part 5 -Cross-premises...
byShawn Ismail
 
PPTX
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...
byShawn Ismail
 
PPTX
Microsoft Azure Training - [2] Introduction to the Cloud (Exam 70-533)
byShawn Ismail
 
Lesson 2- Part 2 - Implementing and managing virtual networks with Azure Powe...
byShawn Ismail
 
Exam 70-533 Module 2 -Lesson 2 (Part 1) Implementing and managing virtual net...
byShawn Ismail
 
Exam 70-533 Module 2-Lesson 1 - Overview of Azure networking
byShawn Ismail
 
Exam 70-533 Module 1-Lesson 6 - Overview of Azure deployment models
byShawn Ismail
 
Exam 70-533 Module 1-Lesson 5 - Managing Azure with Azure CLI
byShawn Ismail
 
Exam 70-533 Module 1-Lesson 4 - Managing Azure with Windows PowerShell
byShawn Ismail
 
Exam 70-533 Module 1-Lesson 3 - Managing Azure with the Azure portal
byShawn Ismail
 
Exam 70-533 Module 1-Lesson 2 - Overview of Azure
byShawn Ismail
 
Exam 70-533 Module 1-Lesson 1 - Cloud technology overview
byShawn Ismail
 
Exam 70-533 Module 0-Lesson 2 - Overview of Exam 70-533
byShawn Ismail
 
Exam 70-533 Module 0-Lesson 1 - About this course
byShawn Ismail
 
48. Azure Active Directory - Part 1
byShawn Ismail
 
Session 44 - Azure SQL Database - Part 1 - Introduction
byShawn Ismail
 
Session 39 azure storage - part 2 - blob storage and security
byShawn Ismail
 
Microsoft Azure Training - [13] Azure Virtual Networks-Part 7-VNet-to-VNet Co...
byShawn Ismail
 
Microsoft Azure Training - [11]Azure Virtual Networks -Part 5 -Cross-premises...
byShawn Ismail
 
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...
byShawn Ismail
 
Microsoft Azure Training - [2] Introduction to the Cloud (Exam 70-533)
byShawn Ismail
 

Recently uploaded

PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PPTX
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 

Azure Network Security Groups (NSG)

  • 2.
    SHAWN ISMAIL My twitter is@shawnismail, my blog is at http://cloudranger.net and I work at ARCHITECT | CONSULTANT | GENEROUS
  • 3.
    WHAT WE WILLTALK ABOUT TODAY… 1.Overview of Azure security 2.Azure Network Security Groups (NSG) 3.Demo of NSGs in action
  • 4.
    Cloud adaptability isstrongly tied to Cloud Security IN CLOUD WHERE WE ARE TODAY? • IT is playing an increasingly important role in driving business strategy since the emergence of cloud • Still many CIOs hesitate to fully embrace cloud-first approach • Large-scale data breaches dominated headlines in 2014- 2015
  • 5.
    Cloud adaptability isstrongly tied to Cloud Security WHAT CUSTOMERS WANT FROM CLOUD PROVIDERS • Secure our data • Keep our data private • Give us control • Promote transparency • Maintain compliance MICROSOFTCLOUDINFRASTRUCTURE SUPPORTS1BILLIONCUSTOMERS, 140 COUNTRIES, 10LANGUAGESAND24 CURRENCIES
  • 6.
    The logical isolations;Software Defined Networking (SDN) takes a lead AZURE NETWORK PROTECTION • Network Isolation • Virtual Networks • VPN and Express Route IFYOU’RERESISTING THECLOUD BECAUSEOFSECURITY CONCERNS, YOU’RERUNNING OUTOFEXCUSES
  • 7.
    A representation ofyour own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 SUBSCRIPTION VNET SUBNET SUBNET VNET VNET
  • 8.
    A representation ofyour own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Virtual Network (MyVNET2) WFE2 DC2 SQL2
  • 9.
    A representation ofyour own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Address Space: 10.1.0.0/16 MySubnet1: 10.1.0.0/24 (10.1.0.0 - 10.1.0.255) 10.1.0.5 10.1.0.6 10.1.0.7
  • 10.
    A representation ofyour own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Address Space: 10.1.0.0/16 MySubnet1: 10.1.0.0/24 (10.1.0.0 - 10.1.0.255) 10.1.0.5 10.1.0.6 10.1.0.7 Virtual Network (MyVNET2) WFE2 DC2 SQL2 Address Space: 10.2.0.0/16 MySubnet2: 10.2.0.0/24 (10.2.0.0 - 10.2.0.255) 10.2.0.5 10.2.0.6 10.2.0.7
  • 11.
    Multiple subnets ina VNet AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Address Space: 10.1.0.0/16 MySubnet1: 10.1.1.0/24 (10.1.1.0 - 10.1.1.255)10.1.1.5 10.1.1.6 10.1.1.7 FS1 EX1 MySubnet2: 10.1.2.0/24 (10.1.2.0 - 10.1.2.255) 10.1.2.5 10.1.2.6
  • 12.
    Azure Network SecurityGroups WHAT ARE AZURE NSGS? NSGs are used to control inbound and outbound access to Subnets, VMs and network interfaces (NICs). NSGs are not Endpoint ACLs! Each NSG contains one or more rules Each rule determines if a traffic is Approved or Denied Approval and Denial in each rule is based on source IP address, source port, destination IP address, and destination port Rules have priorities There are some Default rules in each NSG when they are created
  • 13.
    Azure Network SecurityGroups Construct NSG CONSTRUCT Every NSG has a: Name Location Resource Group Name Create NSG in PowerShell: New-AzureNetworkSecurityGroup -Name “MySQL-NSG" -Location "East US 2" -ResourceGroupName “MyRGEast2"
  • 14.
    Azure Network SecurityGroups Rule Construct NSG RULE CONSTRUCT A rule specifies the following: Name: A unique identifier for the rule Direction: Inbound/Outbound Priority: Access: Allow/Deny Source IP Address: CIDR of source IP or IP range Source Port Range: Destination IP Range: CIDR of the destination IP or IP Range Destination Port Range: Protocol: TCP/UPP/Both Description: PowerShell: Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-P“ -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.6" - DestinationPortRange “1433" -Protocol "*" -Description “TO MySQL1 server from FE Servers"
  • 15.
    Azure Network SecurityGroups Default Rules NSG DEFAULT RULES NSGs have default rules Default rules cannot be deleted Default rules have the lowest priority Can be easily overwritten by higher priority rules
  • 16.
    Azure Network SecurityGroups Default Rules NSG DEFAULT RULES Notice the Default Tags
  • 17.
    Where to applyan NSG is based on individual requirements WHERE CAN AN NSG BE APPLIED? Apply/Associate NSG to a Subnet Apply/Associate NSG to an individual VM Apply/Associate NSG to a NIC Your organization may create a best practice that works for you
  • 18.
    OUR SCENARIO MyBESubnet: 1. Inbound-Allow all traffic from MyFESubnet to MyDC1 2. Inbound - Allow only traffic from MyFESubnet to MySQL1 on Port 1433 3. Outbound - Deny all traffic to INTERNET Virtual Network (MyVNET1) MyWFE1 MyDC1 MySQL1 Address Space: 10.1.0.0/16 MyFESubnet: 10.1.2.0/24 (10.1.2.0 - 10.1.2.255) 10.1.1.4 MyBESubnet: 10.1.1.0/24 (10.1.1.0 - 10.1.1.255) 10.1.2.4 10.1.1.5 MyFESubnet: 1. Inbound - Allow all traffic from MyBESubnet 2. Inbound - Only allow INTERNET traffic on port 80 to MyWFE1
  • 19.
    Thank You! Organizers, SponsorsandYouformakingthispossible. MoreSlidesAtSlideshare.Net/shawnismail MoreFreeAzureVideosAt CloudRanger.net MoreProfessionalHelpAt 2toLead.com Message Me On LinkedIn or Email shawn@2toLead.com ARCHITECT | CONSULTANT | GENEROUS My twitter is @shawnismail, my blog is at http://cloudranger.net, and I work at
  • 20.
    ARCHITECT | CONSULTANT| GENEROUS Appendix Add-AzureAccount Get-AzureSubscription Switch-AzureMode AzureResourceManager # Create NSG New-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2" $nsgroup = Get-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2" # Allow Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyBESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "All all RDP traffic to MyBESubnet" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyDC1-MyFESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.4" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyFESubnet to MyDC1" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-MyFESubnet-P1433" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.5" -DestinationPortRange "1433" -Protocol "*" -Description "Allow traffic from MyFESubnet on port 1433 to MySQL1" # Deny Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyFESubnet-MyBESubnet" -Direction Inbound -Priority 2000 -Access Deny -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Deny all inbound traffic from MyBESubnet" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET" -Direction Outbound -Priority 2001 -Access Deny -SourceAddressPrefix "10.1.1.0/24" -SourcePortRange "*" -DestinationAddressPrefix "INTERNET" -DestinationPortRange "*" -Protocol "*" -Description "Deny all Outbound traffic to the Internet" # Attach all created rules to Network Security Group Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup # Remove # Remove-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2" # Remove-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET"
  • 21.
    ARCHITECT | CONSULTANT| GENEROUS Appendix A Add-AzureAccount Get-AzureSubscription Switch-AzureMode AzureResourceManager # Ceate NSG New-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2" $nsgroup = Get-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2" # Allow Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "All all RDP traffic to MyFESubnet" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-MyBESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.1.0/24" - SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyBESubnet to MyFESubnet" Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyWFE1-INETRNET-P80" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" - DestinationAddressPrefix "10.1.2.4" -DestinationPortRange "80" -Protocol "*" -Description "Allow port 80 traffic to MyWFE1" # Attach all created rules to Network Security Group Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup # Remove # Remove-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"
  • 22.
    ARCHITECT | CONSULTANT| GENEROUS Appendix B Run to listen to a port on a server A: $Listener = [System.Net.Sockets.TcpListener]1433 $Listener.Start() $Listener.AcceptTcpClient() Run on Server B to connect client to server A: (new-object Net.Sockets.TcpClient).Connect(“SERVERBIP", 1433)