As you might know Microsoft announced Network Security Groups for Azure at TechEd Europe. This feature allows us to create multi-tier environments with frontend servers isolated from our backend. Until now the solutions for those kinds of environments haven’t been pretty, so this is a huge improvement.
How does this work? It's quite simple actually. An NSG consists of access control rules, and you can assign an NSG to either a single VM or a whole subnet. These rules are applied at the VM level, meaning rules for outbound traffic are applied when traffic leaves the VM, and rules for inbound traffic are applied before traffic enters the VM. It's actually comparable to Hyper-V port ACLs.
Currently the limits for NSGs are 100 NSGs per subscription and 200 rules per NSG. If you need more than this you can contact Microsoft support to increase the numbers. Another limit is that only a single NSG can be attached to a given VM or subnet, so make sure you plan your rules before starting.
Let's take a look at configuring this, which by the way is all done via PowerShell. In this scenario I have a frontend VM running a website, and I want to limit outbound traffic from the VM to port 1443 (SQL) on my backend subnet. First I'll have to create an NSG:
New-AzureNetworkSecurityGroup -Name "App1_NSG" -Location "North Europe" -Label "Network Security Group for App1"
After this we’ll have to add a rule to the NSG, which will contain the following information:
- NSG name: App1_NSG
- Rule name: SQL
- Type: Outbound
- Priority: 100
- Action: Allow
- SourceAddressPrefix: 192.168.11.0/25
- SourcePortRange: *
- DestinationAddressPrefix: 192.168.12.0/25
- DestinationPortRange : 1443
- Protocol: TCP
Get-AzureNetworkSecurityGroup -Name "App1_NSG" | Set-AzureNetworkSecurityRule -Name SQL -Type Outbound -Priority 100 -Action Allow -SourceAddressPrefix '192.168.11.0/25' -SourcePortRange '*' -DestinationAddressPrefix '192.168.12.0/25' -DestinationPortRange '1443' -Protocol TCP
This rule limits outbound traffic from the VM to port 1443 on my backend subnet.
Next up we’ll have to associate the NSG to our VM:
Get-AzureVM -ServiceName "App1_FrontEnd" -Name "App1" | Set-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName "App1_NSG" | Update-AzureVM
If we wanted to apply the NSG to a subnet we could use:
Get-AzureNetworkSecurityGroup -Name "App1_NSG" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName "VNetName" -SubnetName "SubnetName"
It's important to note that there are some default rules attached to an NSG.
So if I were to apply the NSG we just created, I wouldn’t be able to access my website from the internet, since the default rule DENY ALL INBOUND will block the traffic. In this case the website is listening on port 443 (HTTPS) so in order to allow traffic to it, I would need to add the following rule:
Get-AzureNetworkSecurityGroup -Name "App1_NSG" | Set-AzureNetworkSecurityRule -Name HTTPS -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '443' -Protocol TCP
Now the only traffic going in to this VM is on port 443, and the only outgoing traffic is on port 1443, which is also restricted to my backend subnet. It might be a lot of work upfront, but once you have your standard rules defined it'll be a lot easier to manage.
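To make the rule set above repeatable and reviewable, here is an added example (not from the original post) that defines both rules in a table, applies them with splatting so re-running the script converges the NSG, and then audits the resulting rules. It assumes the classic (ASM) Azure PowerShell module with a subscription already selected, and the property names read from the -Detailed output (Rules, IsDefault, Type, Action, Priority and so on) are assumed to match the cmdlet's output.

```powershell
# Added example, not the original post's code. Assumes Add-AzureAccount /
# Select-AzureSubscription have already been run with the classic Azure module.
$nsgName = "App1_NSG"

# Desired state: one entry per rule. A lower priority number is evaluated first.
# Hashtable keys match the Set-AzureNetworkSecurityRule parameter names so they can be splatted.
$rules = @(
    @{ Name = "HTTPS"; Type = "Inbound";  Priority = 100; Action = "Allow"
       SourceAddressPrefix = "INTERNET";        SourcePortRange = "*"
       DestinationAddressPrefix = "*";          DestinationPortRange = "443";  Protocol = "TCP" },
    @{ Name = "SQL";   Type = "Outbound"; Priority = 100; Action = "Allow"
       SourceAddressPrefix = "192.168.11.0/25"; SourcePortRange = "*"
       DestinationAddressPrefix = "192.168.12.0/25"; DestinationPortRange = "1443"; Protocol = "TCP" }
)

# Create the NSG only if it does not exist yet (assumption: Get-* errors on a missing NSG,
# which -ErrorAction SilentlyContinue turns into $null).
$nsg = Get-AzureNetworkSecurityGroup -Name $nsgName -ErrorAction SilentlyContinue
if (-not $nsg) {
    $nsg = New-AzureNetworkSecurityGroup -Name $nsgName -Location "North Europe" -Label "Network Security Group for App1"
}

# Set-AzureNetworkSecurityRule creates or updates the rule with that name,
# so running this loop again only changes rules that drifted from the table.
foreach ($r in $rules) {
    Get-AzureNetworkSecurityGroup -Name $nsgName | Set-AzureNetworkSecurityRule @r | Out-Null
}

# Audit: show the custom rules in evaluation order, then flag any inbound Allow rule
# open to every source on every port, which would silently undo the DENY ALL INBOUND default.
$detail = Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed
$custom = $detail.Rules | Where-Object { -not $_.IsDefault } | Sort-Object Type, Priority
$custom | Format-Table Name, Type, Priority, Action, SourceAddressPrefix, DestinationPortRange, Protocol -AutoSize

$wideOpen = $custom | Where-Object {
    $_.Type -eq "Inbound" -and $_.Action -eq "Allow" -and
    $_.SourceAddressPrefix -eq "*" -and $_.DestinationPortRange -eq "*"
}
if ($wideOpen) {
    Write-Warning ("Inbound allow-all rules found: " + (($wideOpen | ForEach-Object Name) -join ", "))
}
```

Because the NSG is still attached to the VM or subnet exactly as shown earlier, this script only manages the rule set; the association steps are unchanged.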
Some other useful cmdlets for managing this:
#NSG info, including all rules
Get-AzureNetworkSecurityGroup -Name "App1_NSG" -Detailed
#Remove a single rule from the NSG
Get-AzureNetworkSecurityGroup -Name "App1_NSG" | Remove-AzureNetworkSecurityRule -Name SQL
#Remove NSG from subnet
Get-AzureNetworkSecurityGroup -Name "App1_NSG" | Remove-AzureNetworkSecurityGroupFromSubnet -VirtualNetworkName "VNetName" -SubnetName "SubnetName"
Check out this article for more information: http://msdn.microsoft.com/en-us/library/azure/dn848316.aspx