Secure Azure Infra – 3:Securing Azure Networking

To support the migration, Contoso have configured a single virtual network and subnet in Azure. At the moment, the virtual machines and subnet are completely unprotected from a network point of view; there is no access list or firewall capability in place and the VMs are fully accessible on every port from the Internet.

In this section, we are going to implement Network Security Groups (NSGs) to allow only TCP port 80 into our virtual machines – NSGs are a feature native to Azure that allows a user to lock down network access to a virtual machine or subnet from certain IP addresses and ports.

1) In the Azure portal, navigate to the ‘Contoso-IaaS’ resource group. Click ‘Add’ and then search for ‘Network Security Group’ from the marketplace. Choose Network Security Group and then click ‘Create’.

2) Name the NSG Contoso-NSG and make sure the correct resource group is selected.

3) Once the NSG has been created, navigate to it in the portal.

4) You should see a list of default rules that have been applied to the NSG, as shown in Figure 12. These rules allow access from other virtual networks, access to the Internet, as well as denying all other traffic.

Default NSG Rules

Figure 12: Default NSG Rules

5) We need to add a rule allowing HTTP through the NSG. Click on ‘Inbound Security Rules’ on the menu, followed by ‘Add’.

6) Fill in the details as follows:

Destination Port Ranges: 80 Name: Allow-HTTP Protocol: TCP

Leave all other values at their defaults. Your rule should look the same as shown in Figure 13. Click OK.

Contoso NSG Rule

Figure 13: Contoso-NSG Rule

7) The next step is to apply this rule to the environment. There are two methods for applying an NSG – directly to a virtual machine, or to the entire subnet. In this scenario, we’ll apply the NSG to our virtual machines individually – generally, it is recommended to apply an NSG to a subnet, however we are going to apply it to our VMs as the next lab requires this.

8) Click on ‘Network Interfaces’ from the menu.

9) Click ‘Associate’. Select ‘VM1-nic’ and click OK. Repeat the process for VM2-nic, VM3-nic and VM4-nic.

10) Now that the NSG has been applied, let’s make sure we can still access our website. From the Azure portal, click on the ‘VM1-PIP’ resource within the ‘Contoso-IaaS’ resource group. Copy the IP address and then attempt to browse to it. You should still have access to the website.

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise system in the cloud.He is also a Certified Microsoft Azure.Eng Soon also have strong technical skills and analytic skill. As a developer, Besides the development task, he also involved in Project Management, Consulting, and Marketing. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive. He also took part as speaker in many nationwide technical events, such as Conference, Meetup and Workshop. Currently, looking for opportunity in Cyber Security which include Cloud Security and Application Security.

View all posts by engsoon →

Leave a Reply

Your email address will not be published. Required fields are marked *