3-azure-networking-architecting-implementing-m3-slides

The document discusses the management of traffic flow in virtual networks using Network Security Groups (NSGs) and virtual appliances. It explains how NSGs can be configured with rules based on a 5-tuple model to control communication between virtual machines, subnets, and the internet. Additionally, it covers the use of User Defined Routes (UDR) for customized routing and the deployment of virtual appliances from the Azure Marketplace.
Network Security Groups and Virtual Appliances

John Savill
TECHNICAL ARCHITECT
@ntfaqguy www.savilltech.com
Module Overview
- Controlling traffic flow
- Using network security groups
- Using network appliances
Traffic Flow in a Virtual Network

By default, a VM in a virtual network can communicate with:
- Every other VM in every subnet in the same virtual network
- Anything on the Internet (outbound)
- Anything connected via a VPN or ExpressRoute
Traffic Flow in a Virtual Network

This may not always be desired:
- In a multi-tiered application, you may want only neighbouring tiers to communicate
- You may want only certain VMs to talk to the Internet (DMZ)
- You may want to restrict the types of traffic
Network Security Groups

- Enable rules to be created, then assigned to a network security group
- Network security groups are applied to subnets or VMs
- When applied to a subnet it is still enforced at the vmNIC; it is not an "Edge" device
NSG Rules

- Rules are based on a 5-tuple and have a priority and an action (allow or deny)
  - Source IP address (can be a range using CIDR format)
  - Source port
  - Destination IP address (can be a range using CIDR format)
  - Destination port
  - Protocol (TCP, UDP, or *)
- CIDR is used to define source/destination

NSG Rules

- Three special identifiers
  - VIRTUAL_NETWORK: identifies traffic within the virtual network address space
  - AZURE_LOADBALANCER: the Azure infrastructure load balancer
  - INTERNET: IP address space external to the virtual network
Network Security Groups Example

[Diagram: the Internet connecting to an Azure Virtual Network containing Frontend, Midtier and Backend subnets, each with its own NSG; "Allow" is marked between neighbouring subnets (Frontend/Midtier and Midtier/Backend) and "Deny" on the remaining path.]
Network Security Group Example

- Rules are combined in a network security group
- Based on the priority, flexible configurations are possible
- A lower priority number means a higher priority

| Description | Priority | Source Address | Source Port | Destination Address | Destination Port | Action |
|---|---|---|---|---|---|---|
| Inbound 443 | 1005 | * | * | * | 443 | Allow |
| ILB | 1010 | AZURE_LOADBALANCER | * | * | 10000 | Allow |
| Within Subnet (repeated for each subnet) | 1015 | <CIDR of subnet> | * | <CIDR of subnet> | * | Allow |
| Inbound RDP | 2005 | VIRTUAL_NETWORK | * | * | 3389 | Allow |
| Deny all Vnet traffic | 3005 | VIRTUAL_NETWORK | * | VIRTUAL_NETWORK | * | Deny |
| Deny all inbound | 4000 | * | * | * | * | Deny |

Demo
- Creating NSGs
- Applying NSGs with portal and PowerShell
- Default NSG when creating a VM with Public IP

Do not be overly restrictive with NSGs!
Multi-NIC VMs

- By default a VM has a single vmNIC
- Depending on the size of the VM, multiple NICs may be allowed
- NICs must be added at time of provisioning
- Cannot mix single NIC and multi NIC VMs in the same availability set
- vmNICs can be in the same or different subnets
- This is really designed for virtual appliances
Customized Routing in a Virtual Network

- User Defined Routes (UDR)
- Enables modification of the default routing of packets
- Example: adding a firewall/IDS appliance that all traffic should flow through

Customized Routing in a Virtual Network

- A virtual appliance could be added with multiple vmNICs, with a NIC in each subnet, and that IP becomes the default route for each subnet instead of the Azure default
- A route is created for an address prefix and next hop IP, added to a route table, then applied to a subnet
- Also possible to just define a next hop that points to a VM and Azure will handle the routing
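As an added example (not from the slide deck), the following Python models the route lookup a subnet's route table performs once UDRs are added: longest prefix match, and for equal prefixes a user-defined route wins over the Azure system route. The 10.0.0.0/16 network, the 10.0.2.0/24 Midtier prefix and the appliance address 10.0.3.4 are constructed values; the next hop type names are Azure's.

```python
# Added example (not from the slide deck): longest-prefix-match route lookup
# with Azure's tie-break (a user-defined route beats a system route for the
# same prefix), showing how a UDR sends a subnet's traffic to an appliance.
# Address ranges and the appliance IP are constructed for illustration.
from ipaddress import ip_address, ip_network

# System routes Azure creates for an assumed 10.0.0.0/16 virtual network
SYSTEM_ROUTES = [
    ("10.0.0.0/16", "VirtualNetwork", None, "system"),
    ("0.0.0.0/0", "Internet", None, "system"),
]

def lookup(routes, dest):
    # Pick the most specific matching route; on equal prefix length prefer the UDR
    ip = ip_address(dest)
    best = None
    for prefix, hop_type, hop_ip, origin in routes:
        net = ip_network(prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, origin == "user")
        if best is None or key > best[0]:
            best = (key, hop_type, hop_ip)
    return None if best is None else (best[1], best[2])

# Route table for the Frontend subnet: send Internet-bound traffic and
# traffic for the Midtier subnet through a firewall appliance at 10.0.3.4
APPLIANCE_IP = "10.0.3.4"
FRONTEND_UDR = SYSTEM_ROUTES + [
    ("0.0.0.0/0", "VirtualAppliance", APPLIANCE_IP, "user"),
    ("10.0.2.0/24", "VirtualAppliance", APPLIANCE_IP, "user"),
]
```

Note that traffic to other parts of the VNet (e.g. 10.0.1.5) still follows the more specific 10.0.0.0/16 system route, so each prefix that must pass the appliance needs its own UDR.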
Virtual Appliances

- Available in the Azure Marketplace
- Licensing can be based on:
  - Bring your own license
  - Hourly billing
- Essentially a VM with pre-configured software and configuration to perform a certain set of functionality
Summary
- Controlling traffic flow
- Using network security groups
- Using network appliances

Next Up: Enabling External Access with Load Balancers and Public IPs
