Azure Network Security

Azure Network Security primarily involves the use of Network Security Groups (NSGs), which consist of rules that govern inbound and outbound traffic to and from Azure resources within a Virtual Network (VNet).

1. Network Security Groups (NSGs)

NSGs can be applied at different levels, including:

  • Subnet Level: Applies security rules to all resources within the subnet.
  • VM Level: Applies security rules to a specific virtual machine.

Security Rule Properties

Each security rule in an NSG includes the following properties:

  • Name: A unique identifier for the rule within the NSG.
  • Priority: Security rules are processed in order of priority, with lower numbers having higher precedence.
  • Source/Destination: Defines where the traffic originates or is destined to, which can include:
    • IP addresses
    • CIDR blocks
    • Service tags
    • Application Security Groups
  • Protocol: Specifies the protocol (TCP, UDP, etc.) for the traffic.
  • Port Range: Defines individual ports or a range of ports that the rule applies to.
  • Action: Specifies whether to allow or deny the traffic.

2. Service Tags

Service tags simplify the creation of NSG rules by representing groups of IP address prefixes for Azure services. Microsoft maintains the prefixes behind each tag and updates them as the service's addresses change, so you don't need to manage those IP addresses manually.

Examples of Service Tags

  • Storage: Represents the IP address space for Azure Storage services.
  • SQL: Covers Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure SQL Data Warehouse.
  • Azure Cosmos DB: Covers address prefixes for Azure Cosmos Database services.
  • Azure Key Vault: Represents the address prefixes for Azure Key Vault services.
  • Event Hub: Covers address prefixes for Azure Event Hub services.

3. Default Rules

When you create an NSG, several default rules are established automatically. These include:

Inbound Security Rules

  • AllowVNetInbound: Allows traffic from any resources within the VNet.
  • AllowAzureLoadBalancerInbound: Permits traffic originating from Azure Load Balancer to virtual machines in the NSG.
  • DenyAllInbound: Denies all inbound traffic not already allowed by the two rules above.

Outbound Security Rules

  • AllowVNetOutbound: Allows outbound traffic from resources within the VNet to other resources within the VNet.
  • AllowInternetOutbound: Permits outbound traffic to the Internet from the VNet.
  • DenyAllOutbound: Denies all outbound traffic not already allowed by the two rules above.
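As an added example (not from the original page) of how the rule properties in section 1 and the default rules above combine, here is a small Python evaluator that applies first-match-by-priority semantics to a constructed rule set. The service-tag prefixes, the VNet address space 10.0.0.0/16 and the custom rule names are assumptions; the default-rule priorities 65000, 65001 and 65500 are Azure's fixed values, which this page does not list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for Azure service tags (the real prefix lists are maintained by Microsoft).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],         # assumption: the VNet address space is 10.0.0.0/16
    "AzureLoadBalancer": ["168.63.129.16/32"], # Azure's load-balancer/health-probe source address
    "Internet": ["0.0.0.0/0"],                 # simplified to "any address" for this evaluator
}

@dataclass
class Rule:
    name: str
    priority: int    # lower number = higher precedence
    direction: str   # "Inbound" or "Outbound"
    source: str      # IP address, CIDR block or service tag
    destination: str
    protocol: str    # "Tcp", "Udp" or "*"
    dest_port: str   # "22", "1000-2000" or "*"
    action: str      # "Allow" or "Deny"

# Azure's default rules; the priority numbers 65000/65001/65500 are Azure's, not from this page.
DEFAULT_RULES = [
    Rule("AllowVNetInbound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInbound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInbound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
    Rule("AllowVNetOutbound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowInternetOutbound", 65001, "Outbound", "*", "Internet", "*", "*", "Allow"),
    Rule("DenyAllOutbound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
]

def addr_matches(spec, addr):
    if spec == "*":
        return True
    return any(ip_address(addr) in ip_network(p, strict=False) for p in SERVICE_TAGS.get(spec, [spec]))

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(custom_rules, direction, src, dst, protocol, port):
    """Return (action, rule name) of the first matching rule in priority order; processing stops there."""
    for r in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and addr_matches(r.source, src) and addr_matches(r.destination, dst)
                and port_matches(r.dest_port, port)):
            return r.action, r.name
    return "Deny", "(no matching rule)"  # unreachable while the default Deny rules are present

# Constructed rule set: expose HTTPS to the Internet, and block SSH from one VNet subnet that
# AllowVNetInbound would otherwise permit (the Deny wins because 110 < 65000).
RULES = [
    Rule("AllowHttpsInbound", 100, "Inbound", "Internet", "*", "Tcp", "443", "Allow"),
    Rule("DenySshFromDmz", 110, "Inbound", "10.0.2.0/24", "*", "Tcp", "22", "Deny"),
]
```

Running `evaluate(RULES, "Inbound", "203.0.113.5", "10.0.1.4", "Tcp", 22)` shows that SSH from the Internet falls through to DenyAllInbound, while the same port from 10.0.3.9 is allowed by AllowVNetInbound.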

4. Application Security Groups (ASGs)

ASGs let you express network security policy in terms of an application's architecture. You group VMs into an ASG and write security rules whose source or destination is the group, so every VM in the group is covered without listing its IP address in the rule. This simplifies the management of security rules and reduces the chance that a VM is left uncovered when it is added or re-addressed.

5. Configuring an NSG at Subnet and VM Level

Here’s a step-by-step guide to creating and associating an NSG with a subnet in Azure:

Step 1: Create a Network Security Group

  1. Click on the Create a resource button in the Azure portal.
  2. Search for Network Security Group and select it.
  3. Click on the Create button.

Step 2: Fill in NSG Details

  1. On the NSG creation page, select the appropriate Resource Group.
  2. Enter a Name for the NSG.
  3. Select the desired Region.
  4. Click on Review + create to validate your inputs.

Step 3: Associate the NSG with a Subnet

  1. After the NSG is created, navigate to the NSG resource.
  2. Click on Subnets in the left pane.
  3. Click on Add association.

Step 4: Select Virtual Network and Subnet

  1. Choose the Virtual Network and Subnet you want to associate with the NSG.
  2. Click on the OK button to confirm the association.

Step 5: Review Configuration

  • Your NSG is now successfully associated with the selected subnet, and you can proceed to configure security rules as necessary.