
Implement and Manage Network Security Groups: Tim Warner

Network security groups (NSGs) control network traffic to and from Azure resources by defining security rules. NSGs can be associated with subnets and network interfaces. They evaluate rules in descending priority order to allow or deny traffic. Application security groups can simplify NSG configurations by grouping related VMs. Network Watcher tools like IP flow verify and NSG flow logs help validate and monitor NSG rules. The deck also covers consolidating NSG rules with Azure Firewall and asks about additional layer 7 protection options in Azure.


Implement and Manage Network Security Groups

Tim Warner
Principal Author Evangelist, Pluralsight

@TechTrainerTim TechTrainerTim.com
Overview
Implement application security groups (ASGs)
Create and configure network security groups (NSGs)
Validate NSG flow rules
Interpret NSG flow logs
Application Security Groups
Application Security Groups (ASGs)
Group VMs from within one VNet
Reference the ASGs in NSG rules
Can simplify your VNet traffic security
Network Security Groups
A Word About Azure Firewall Rule Precedence
Rule collection groups (RCGs) in a parent policy always take precedence over RCGs in a child policy
Highest priority RCGs are processed first
DNAT rules are processed first
Network rules are processed second
Application rules are processed third


Network Security Groups (NSGs)

OSI Layer 4 traffic filter to control ingress and egress network traffic
5-tuple security rule:
- Source & destination IP address
- Source & destination port number
- Protocol
Can be associated with:
- NIC
- Subnet
Network Security Groups (NSGs)

NSGs are stateful – defining an inbound rule does not require a matching outbound rule
Rules are evaluated in order of descending priority
- Between 100 and 4096
Service Tags

Internet
VirtualNetwork
AzureLoadBalancer
GatewayManager
AzureBackup
Azure.Sql.EastUS


Default Network Security Rules

timw.info/ydn
Our Lab Topology
Demo
Create ASG
Define NSG
Test connectivity
Validating and Monitoring NSGs
Network Watcher
IP flow verify
• Is an IP packet allowed or denied to or from an Azure VM?
NSG diagnostic
• Which NSG(s) does my Azure VM traverse as it makes an inbound or outbound connection?
Effective security rules
• Precisely which NSGs affect my Azure VM, and what is the effective access?
NSG flow logs
• How can I visualize and analyze ingress and egress through an NSG?
Traffic Analytics
• How can I gain insights from my flow logs in a visual way?
NSG Flow Logs

Collected every minute
Protocol
Direction
Decision
State
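
The Protocol, Direction, Decision and State fields listed above appear as single-letter codes in each flow tuple of a version 2 NSG flow log. The following added example, which is not from the original slides, parses such tuples and counts denied inbound flows per source address and destination port; the sample log, rule names, MAC and IP addresses are constructed.

```python
import json
from collections import Counter

# Constructed sample in the version 2 NSG flow log layout (documentation IP ranges).
SAMPLE = json.dumps({"records": [{"time": "2024-01-01T00:01:00Z", "properties": {"Version": 2, "flows": [
    {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
        "1704067201,203.0.113.7,10.0.1.4,51515,3389,T,I,D,B,,,,",
        "1704067215,203.0.113.7,10.0.1.4,51516,22,T,I,D,B,,,,",
        "1704067230,198.51.100.9,10.0.1.4,40000,3389,T,I,D,B,,,,"]}]},
    {"rule": "UserRule_Allow-Web", "flows": [{"mac": "000D3A000001", "flowTuples": [
        "1704067202,192.0.2.10,10.0.1.4,50000,443,T,I,A,B,,,,",
        "1704067240,192.0.2.10,10.0.1.4,50000,443,T,I,A,E,12,3400,10,9100"]}]},
]}}]})

# Field order of a version 2 flow tuple; the last four are packet/byte counters
# (source-to-destination, then destination-to-source) and are empty on "begin" tuples.
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "protocol", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")
CODES = {"protocol": {"T": "TCP", "U": "UDP"},
         "direction": {"I": "inbound", "O": "outbound"},
         "decision": {"A": "allow", "D": "deny"},
         "state": {"B": "begin", "C": "continuing", "E": "end"}}

def parse_tuple(raw, rule):
    parts = raw.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"not a version 2 flow tuple: {raw!r}")
    flow = dict(zip(FIELDS, parts), rule=rule)
    for key, table in CODES.items():
        flow[key] = table[flow[key]]          # expand the single-letter codes
    for key in ("ts", "src_port", "dst_port") + FIELDS[9:]:
        flow[key] = int(flow[key] or 0)       # empty counters become 0
    return flow

def iter_flows(log_text):
    """Yield one parsed flow per tuple, tagged with the NSG rule that matched it."""
    for record in json.loads(log_text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    yield parse_tuple(raw, rule_block["rule"])

def denied_inbound(log_text):
    """Count denied inbound flows per (source IP, destination port)."""
    return Counter((f["src_ip"], f["dst_port"]) for f in iter_flows(log_text)
                   if f["direction"] == "inbound" and f["decision"] == "deny")

if __name__ == "__main__":
    print(denied_inbound(SAMPLE).most_common())
```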
Log Analytics
Traffic Analytics
Visualizations

Log search

timw.info/ige
Demo
Network Watcher tools


Summary
NSGs are convenient, but they can be cumbersome to troubleshoot as NSGs and security rules multiply
You can consolidate NSG security rules with Azure Firewall network rules
“What other OSI Layer 7 protection products are available in Azure besides Azure Firewall?”
Up Next:
Implement a Web Application Firewall Deployment
