Azure Network Security Groups (NSG)
SHAWN ISMAIL
My twitter is @shawnismail, my blog is at http://cloudranger.net and I work at
ARCHITECT | CONSULTANT | GENEROUS
WHAT WE WILL TALK ABOUT TODAY…
1. Overview of Azure security
2. Azure Network Security Groups (NSG)
3. Demo of NSGs in action
Cloud adaptability is strongly tied to Cloud Security
WHERE ARE WE IN THE CLOUD TODAY?
• IT is playing an increasingly important role in driving business strategy since the emergence of cloud
• Still, many CIOs hesitate to fully embrace a cloud-first approach
• Large-scale data breaches dominated headlines in 2014-2015
Cloud adaptability is strongly tied to Cloud Security
WHAT CUSTOMERS WANT FROM CLOUD PROVIDERS
• Secure our data
• Keep our data private
• Give us control
• Promote transparency
• Maintain compliance
MICROSOFT CLOUD INFRASTRUCTURE SUPPORTS 1 BILLION CUSTOMERS, 140 COUNTRIES, 10 LANGUAGES AND 24 CURRENCIES
The logical isolations: Software Defined Networking (SDN) takes the lead
AZURE NETWORK PROTECTION
• Network Isolation
• Virtual Networks
• VPN and ExpressRoute
IF YOU'RE RESISTING THE CLOUD BECAUSE OF SECURITY CONCERNS, YOU'RE RUNNING OUT OF EXCUSES
A representation of your own network in the cloud
AZURE VIRTUAL NETWORKS (VNET)
(Diagram: Virtual Network MyVNET1 containing WFE1, DC1 and SQL1; hierarchy SUBSCRIPTION > VNET > SUBNET, where a subscription holds several VNets and a VNet holds several subnets)
A representation of your own network in the cloud
AZURE VIRTUAL NETWORKS (VNET)
(Diagram: Virtual Network MyVNET1 with WFE1, DC1 and SQL1, alongside Virtual Network MyVNET2 with WFE2, DC2 and SQL2)
A representation of your own network in the cloud
AZURE VIRTUAL NETWORKS (VNET)
(Diagram: Virtual Network MyVNET1, Address Space 10.1.0.0/16; MySubnet1 10.1.0.0/24 (10.1.0.0 - 10.1.0.255) holds WFE1, DC1 and SQL1 at 10.1.0.5, 10.1.0.6 and 10.1.0.7)
A representation of your own network in the cloud
AZURE VIRTUAL NETWORKS (VNET)
(Diagram: Virtual Network MyVNET1, Address Space 10.1.0.0/16; MySubnet1 10.1.0.0/24 (10.1.0.0 - 10.1.0.255) holds WFE1, DC1 and SQL1 at 10.1.0.5, 10.1.0.6 and 10.1.0.7. Virtual Network MyVNET2, Address Space 10.2.0.0/16; MySubnet2 10.2.0.0/24 (10.2.0.0 - 10.2.0.255) holds WFE2, DC2 and SQL2 at 10.2.0.5, 10.2.0.6 and 10.2.0.7)
Multiple subnets in a VNet
AZURE VIRTUAL NETWORKS (VNET)
(Diagram: Virtual Network MyVNET1, Address Space 10.1.0.0/16. MySubnet1 10.1.1.0/24 (10.1.1.0 - 10.1.1.255) holds WFE1, DC1 and SQL1 at 10.1.1.5, 10.1.1.6 and 10.1.1.7; MySubnet2 10.1.2.0/24 (10.1.2.0 - 10.1.2.255) holds FS1 and EX1 at 10.1.2.5 and 10.1.2.6)
Azure Network Security Groups
WHAT ARE AZURE NSGS?
NSGs are used to control inbound and outbound access to subnets, VMs and network interfaces (NICs). NSGs are not Endpoint ACLs!
Each NSG contains one or more rules.
Each rule determines whether matching traffic is allowed or denied.
The allow or deny decision in each rule is based on source IP address, source port, destination IP address and destination port.
Rules have priorities.
Every NSG contains a set of default rules from the moment it is created.
Azure Network Security Groups Construct
NSG CONSTRUCT
Every NSG has a:
Name
Location
Resource Group Name
Create an NSG in PowerShell:
New-AzureNetworkSecurityGroup -Name "MySQL-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
Azure Network Security Groups Rule Construct
NSG RULE CONSTRUCT
A rule specifies the following:
Name: A unique identifier for the rule
Direction: Inbound/Outbound
Priority:
Access: Allow/Deny
Source IP Address: CIDR of the source IP or IP range
Source Port Range:
Destination IP Range: CIDR of the destination IP or IP range
Destination Port Range:
Protocol: TCP/UDP/Both
Description:
PowerShell:
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-P" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.6" -DestinationPortRange "1433" -Protocol "*" -Description "TO MySQL1 server from FE Servers"
Azure Network Security Groups Default Rules
NSG DEFAULT RULES
NSGs have default rules.
Default rules cannot be deleted.
Default rules have the lowest priority.
They are easily overridden by higher-priority rules.
Azure Network Security Groups Default Rules
NSG DEFAULT RULES
(Screenshot of the default rule list: notice the Default Tags used as source and destination)
Where to apply an NSG is based on individual requirements
WHERE CAN AN NSG BE APPLIED?
Apply/Associate an NSG to a Subnet
Apply/Associate an NSG to an individual VM
Apply/Associate an NSG to a NIC
Your organization may create a best practice that works for you
OUR SCENARIO
MyBESubnet:
1. Inbound - Allow all traffic from MyFESubnet to MyDC1
2. Inbound - Allow only traffic from MyFESubnet to MySQL1 on port 1433
3. Outbound - Deny all traffic to INTERNET
MyFESubnet:
1. Inbound - Allow all traffic from MyBESubnet
2. Inbound - Only allow INTERNET traffic on port 80 to MyWFE1
(Diagram: Virtual Network MyVNET1, Address Space 10.1.0.0/16. MyFESubnet 10.1.2.0/24 (10.1.2.0 - 10.1.2.255) holds MyWFE1 at 10.1.2.4; MyBESubnet 10.1.1.0/24 (10.1.1.0 - 10.1.1.255) holds MyDC1 at 10.1.1.4 and MySQL1 at 10.1.1.5)
Thank You!
Organizers, Sponsors and You for making this possible.
More Slides At Slideshare.Net/shawnismail
More Free Azure Videos At CloudRanger.net
More Professional Help At 2toLead.com
Message Me On LinkedIn or Email shawn@2toLead.com
Appendix
Add-AzureAccount
Get-AzureSubscription
Switch-AzureMode AzureResourceManager
# Create NSG
New-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
$nsgroup = Get-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2"
# Allow
# Note: this first rule opens RDP from any Internet address to the whole subnet; in production, narrow -SourceAddressPrefix to your admin range.
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyBESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "Allow all RDP traffic to MyBESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyDC1-MyFESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.4" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyFESubnet to MyDC1"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-MyFESubnet-P1433" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.5" -DestinationPortRange "1433" -Protocol "*" -Description "Allow traffic from MyFESubnet on port 1433 to MySQL1"
# Deny (lower priority than the allows above, but higher than the default AllowVnetInBound rule, which would otherwise admit everything from MyFESubnet)
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyFESubnet-MyBESubnet" -Direction Inbound -Priority 2000 -Access Deny -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Deny all other inbound traffic from MyFESubnet to MyBESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET" -Direction Outbound -Priority 2001 -Access Deny -SourceAddressPrefix "10.1.1.0/24" -SourcePortRange "*" -DestinationAddressPrefix "INTERNET" -DestinationPortRange "*" -Protocol "*" -Description "Deny all outbound traffic to the Internet"
# Commit all created rules to the Network Security Group
Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup
# Remove
# Remove-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2"
# Remove-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET"
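As an added worked example (not code from the deck), the Python script below replays the MyBESubnet-NSG rule set from the appendix above, together with the NSG default rules, through the priority-ordered, first-match evaluation the rule-construct and default-rules slides describe, and shows why the explicit Deny at priority 2000 is needed. The MyVNET1 address space used to resolve the VIRTUAL_NETWORK and INTERNET tags is taken from the scenario slide, the tag resolution is a simplification, and the sample flows are constructed.

```python
"""Replay MyBESubnet-NSG through priority-ordered, first-match NSG evaluation (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: MyVNET1 address space from the scenario slide; used to resolve the tags below.
VNET_RANGES = [ipaddress.ip_network("10.1.0.0/16")]
AZURE_LB_PROBE = "168.63.129.16"  # Azure load-balancer health-probe source address


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "Inbound" or "Outbound"
    priority: int    # lower number is evaluated first; default rules sit at 65000 and above
    access: str      # "Allow" or "Deny"
    src: str         # CIDR, single IP, "*" or a tag (VIRTUAL_NETWORK, INTERNET, AZURE_LOADBALANCER)
    src_port: str    # "*", a single port such as "1433", or an inclusive range such as "1024-65535"
    dst: str
    dst_port: str
    protocol: str    # "Tcp", "Udp" or "*"


def addr_matches(prefix: str, ip: str) -> bool:
    """Resolve an address prefix or a default tag against one concrete IP."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET_RANGES)
    if prefix == "*":
        return True
    if prefix == "VIRTUAL_NETWORK":
        return in_vnet
    if prefix == "INTERNET":
        return not in_vnet  # simplification: anything outside the VNet counts as INTERNET
    if prefix == "AZURE_LOADBALANCER":
        return ip == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(prefix, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """'*' matches everything; otherwise a single port or an inclusive 'lo-hi' range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def default_rules() -> List[Rule]:
    """Rules every NSG is created with: they cannot be deleted, only out-prioritised."""
    return [
        Rule("AllowVnetInBound", "Inbound", 65000, "Allow", "VIRTUAL_NETWORK", "*", "VIRTUAL_NETWORK", "*", "*"),
        Rule("AllowAzureLoadBalancerInBound", "Inbound", 65001, "Allow", "AZURE_LOADBALANCER", "*", "*", "*", "*"),
        Rule("DenyAllInBound", "Inbound", 65500, "Deny", "*", "*", "*", "*", "*"),
        Rule("AllowVnetOutBound", "Outbound", 65000, "Allow", "VIRTUAL_NETWORK", "*", "VIRTUAL_NETWORK", "*", "*"),
        Rule("AllowInternetOutBound", "Outbound", 65001, "Allow", "*", "*", "INTERNET", "*", "*"),
        Rule("DenyAllOutBound", "Outbound", 65500, "Deny", "*", "*", "*", "*", "*"),
    ]


# The MyBESubnet-NSG rules exactly as the appendix script creates them.
MYBESUBNET_NSG = [
    Rule("TO-MyBESubnet-INTERNET-P3389", "Inbound", 1000, "Allow", "INTERNET", "*", "10.1.1.0/24", "3389", "Tcp"),
    Rule("TO-MyDC1-MyFESubnet-PALL", "Inbound", 1001, "Allow", "10.1.2.0/24", "*", "10.1.1.4", "*", "*"),
    Rule("TO-MySQL1-MyFESubnet-P1433", "Inbound", 1002, "Allow", "10.1.2.0/24", "*", "10.1.1.5", "1433", "*"),
    Rule("FROM-MyFESubnet-MyBESubnet", "Inbound", 2000, "Deny", "10.1.2.0/24", "*", "10.1.1.0/24", "*", "*"),
    Rule("FROM-MyBESubnet-INTERNET", "Outbound", 2001, "Deny", "10.1.1.0/24", "*", "INTERNET", "*", "*"),
]


def evaluate(rules: List[Rule], direction: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int, protocol: str) -> Tuple[str, str]:
    """Walk the rules in ascending priority; the first match decides. Returns (access, rule name)."""
    for r in sorted(rules + default_rules(), key=lambda rule: rule.priority):
        if r.direction != direction:
            continue
        if (r.protocol == "*" or r.protocol.lower() == protocol.lower()) \
                and addr_matches(r.src, src_ip) and port_matches(r.src_port, src_port) \
                and addr_matches(r.dst, dst_ip) and port_matches(r.dst_port, dst_port):
            return r.access, r.name
    raise RuntimeError("unreachable: a DenyAll default rule always matches")


def without(rules: List[Rule], name: str) -> List[Rule]:
    """The same rule set minus one rule, to see what the defaults would do on their own."""
    return [r for r in rules if r.name != name]


if __name__ == "__main__":
    flows = [  # constructed sample flows: (direction, src_ip, src_port, dst_ip, dst_port, protocol)
        ("Inbound", "10.1.2.4", 50000, "10.1.1.5", 1433, "Tcp"),      # MyWFE1 -> MySQL1:1433
        ("Inbound", "10.1.2.4", 50001, "10.1.1.5", 80, "Tcp"),        # MyWFE1 -> MySQL1:80
        ("Inbound", "10.1.1.5", 50002, "10.1.1.4", 389, "Tcp"),       # MySQL1 -> MyDC1 inside MyBESubnet
        ("Inbound", "203.0.113.10", 50003, "10.1.1.5", 1433, "Tcp"),  # Internet -> MySQL1:1433
        ("Outbound", "10.1.1.5", 50004, "198.51.100.7", 443, "Tcp"),  # MySQL1 -> Internet
    ]
    for flow in flows:
        print(flow, "->", evaluate(MYBESUBNET_NSG, *flow))
    # Why the explicit Deny at priority 2000 matters: without it, AllowVnetInBound lets MyWFE1 reach MySQL1:80.
    print("without the Deny:", evaluate(without(MYBESUBNET_NSG, "FROM-MyFESubnet-MyBESubnet"),
                                        "Inbound", "10.1.2.4", 50001, "10.1.1.5", 80, "Tcp"))
```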
Appendix A
Add-AzureAccount
Get-AzureSubscription
Switch-AzureMode AzureResourceManager
# Create NSG
New-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
$nsgroup = Get-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"
# Allow
# Note: the first rule opens RDP from any Internet address to the whole subnet; in production, narrow -SourceAddressPrefix to your admin range.
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "Allow all RDP traffic to MyFESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-MyBESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.1.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyBESubnet to MyFESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyWFE1-INTERNET-P80" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.4" -DestinationPortRange "80" -Protocol "*" -Description "Allow port 80 traffic to MyWFE1"
# Commit all created rules to the Network Security Group
Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup
# Remove
# Remove-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"
Appendix B
Run on server A to listen on a port (the demo uses 1433, the SQL port from the scenario):
$Listener = [System.Net.Sockets.TcpListener]1433
$Listener.Start()
$Listener.AcceptTcpClient()   # blocks until a client connects; call $Listener.Stop() when done
Run on server B to connect a client to server A:
(New-Object Net.Sockets.TcpClient).Connect("SERVER-A-IP", 1433)   # replace SERVER-A-IP with the listener's address

Contenu connexe

Tendances

Microsoft Azure Active Directory
Microsoft Azure Active DirectoryMicrosoft Azure Active Directory
Microsoft Azure Active Directory
David J Rosenthal
 

Tendances (20)

Microsoft Azure
Microsoft AzureMicrosoft Azure
Microsoft Azure
 
Microsoft Azure Active Directory
Microsoft Azure Active DirectoryMicrosoft Azure Active Directory
Microsoft Azure Active Directory
 
Azure vnet
Azure vnetAzure vnet
Azure vnet
 
Microsoft Azure - Introduction to microsoft's public cloud
Microsoft Azure - Introduction to microsoft's public cloudMicrosoft Azure - Introduction to microsoft's public cloud
Microsoft Azure - Introduction to microsoft's public cloud
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security Fundamentals
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
 
Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900
 
Windows Azure Virtual Machines
Windows Azure Virtual MachinesWindows Azure Virtual Machines
Windows Azure Virtual Machines
 
Introduction to Azure
Introduction to AzureIntroduction to Azure
Introduction to Azure
 
Azure SQL Database
Azure SQL Database Azure SQL Database
Azure SQL Database
 
Microsoft Azure Overview Class 1
Microsoft Azure Overview Class 1Microsoft Azure Overview Class 1
Microsoft Azure Overview Class 1
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
 
Az 104 session 2 implement and manage azure webapps and container
Az 104 session 2 implement and manage azure webapps and containerAz 104 session 2 implement and manage azure webapps and container
Az 104 session 2 implement and manage azure webapps and container
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
 
Amazon Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (VPC)Amazon Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (VPC)
 
Azure 101
Azure 101Azure 101
Azure 101
 
Azure Express Route
Azure Express RouteAzure Express Route
Azure Express Route
 
Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure
Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft AzureAdvanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure
Advanced Load Balancer/Traffic Manager and App Gateway for Microsoft Azure
 
Benefits Of Building Private Cloud
Benefits Of Building Private CloudBenefits Of Building Private Cloud
Benefits Of Building Private Cloud
 
Azure privatelink
Azure privatelinkAzure privatelink
Azure privatelink
 

Similaire à Azure Network Security Groups (NSG)

Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersConfiguring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
phosika sithisane
 

Similaire à Azure Network Security Groups (NSG) (20)

Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingOpenstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud Networking
 
5 cisco open_stack
5 cisco open_stack5 cisco open_stack
5 cisco open_stack
 
Private cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austinPrivate cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austin
 
TechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnectTechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnect
 
Self service it with v realizeautomation and nsx
Self service it with v realizeautomation and nsxSelf service it with v realizeautomation and nsx
Self service it with v realizeautomation and nsx
 
TechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSecTechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSec
 
Secure SDN
Secure SDNSecure SDN
Secure SDN
 
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
VMworld 2014: VMware NSX and vCloud Automation Center Integration Technical D...
VMworld 2014: VMware NSX and vCloud Automation Center Integration Technical D...VMworld 2014: VMware NSX and vCloud Automation Center Integration Technical D...
VMworld 2014: VMware NSX and vCloud Automation Center Integration Technical D...
 
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud BoundariesGDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routersConfiguring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
Configuring cisco site to site ip sec vpn with dynamic ip endpoint cisco routers
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
 
Azure Networking: Innovative Features and Multi-VNet Topologies
Azure Networking: Innovative Features and Multi-VNet TopologiesAzure Networking: Innovative Features and Multi-VNet Topologies
Azure Networking: Innovative Features and Multi-VNet Topologies
 
Bangalore OpenMSA DevDay - September 19, 2018
Bangalore OpenMSA DevDay - September 19, 2018Bangalore OpenMSA DevDay - September 19, 2018
Bangalore OpenMSA DevDay - September 19, 2018
 
BAUG Meetup #1 2022: Публикация ресурсов в Интернет в Microsoft Azure. Обзор ...
BAUG Meetup #1 2022: Публикация ресурсов в Интернет в Microsoft Azure. Обзор ...BAUG Meetup #1 2022: Публикация ресурсов в Интернет в Microsoft Azure. Обзор ...
BAUG Meetup #1 2022: Публикация ресурсов в Интернет в Microsoft Azure. Обзор ...
 
Five Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud ArchitectureFive Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud Architecture
 
Introduction to CloudStack Networking
Introduction to CloudStack NetworkingIntroduction to CloudStack Networking
Introduction to CloudStack Networking
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network Evolution
 

Plus de Shawn Ismail

Plus de Shawn Ismail (18)

Lesson 2- Part 2 - Implementing and managing virtual networks with Azure Powe...
Lesson 2- Part 2 - Implementing and managing virtual networks with Azure Powe...Lesson 2- Part 2 - Implementing and managing virtual networks with Azure Powe...
Lesson 2- Part 2 - Implementing and managing virtual networks with Azure Powe...
 
Exam 70-533 Module 2 -Lesson 2 (Part 1) Implementing and managing virtual net...
Exam 70-533 Module 2 -Lesson 2 (Part 1) Implementing and managing virtual net...Exam 70-533 Module 2 -Lesson 2 (Part 1) Implementing and managing virtual net...
Exam 70-533 Module 2 -Lesson 2 (Part 1) Implementing and managing virtual net...
 
Exam 70-533 Module 2-Lesson 1 - Overview of Azure networking
Exam 70-533 Module 2-Lesson 1 - Overview of Azure networkingExam 70-533 Module 2-Lesson 1 - Overview of Azure networking
Exam 70-533 Module 2-Lesson 1 - Overview of Azure networking
 
Exam 70-533 Module 1-Lesson 6 - Overview of Azure deployment models
Exam 70-533 Module 1-Lesson 6 - Overview of Azure deployment modelsExam 70-533 Module 1-Lesson 6 - Overview of Azure deployment models
Exam 70-533 Module 1-Lesson 6 - Overview of Azure deployment models
 
Exam 70-533 Module 1-Lesson 5 - Managing Azure with Azure CLI
Exam 70-533 Module 1-Lesson 5 - Managing Azure with Azure CLI Exam 70-533 Module 1-Lesson 5 - Managing Azure with Azure CLI
Exam 70-533 Module 1-Lesson 5 - Managing Azure with Azure CLI
 
Exam 70-533 Module 1-Lesson 4 - Managing Azure with Windows PowerShell
Exam 70-533 Module 1-Lesson 4 - Managing Azure with Windows PowerShellExam 70-533 Module 1-Lesson 4 - Managing Azure with Windows PowerShell
Exam 70-533 Module 1-Lesson 4 - Managing Azure with Windows PowerShell
 
Exam 70-533 Module 1-Lesson 3 - Managing Azure with the Azure portal
Exam 70-533 Module 1-Lesson 3 - Managing Azure with the Azure portalExam 70-533 Module 1-Lesson 3 - Managing Azure with the Azure portal
Exam 70-533 Module 1-Lesson 3 - Managing Azure with the Azure portal
 
Exam 70-533 Module 1-Lesson 2 - Overview of Azure
Exam 70-533 Module 1-Lesson 2 - Overview of AzureExam 70-533 Module 1-Lesson 2 - Overview of Azure
Exam 70-533 Module 1-Lesson 2 - Overview of Azure
 
Exam 70-533 Module 1-Lesson 1 - Cloud technology overview
Exam 70-533 Module 1-Lesson 1 - Cloud technology overviewExam 70-533 Module 1-Lesson 1 - Cloud technology overview
Exam 70-533 Module 1-Lesson 1 - Cloud technology overview
 
Exam 70-533 Module 0-Lesson 2 - Overview of Exam 70-533
Exam 70-533 Module 0-Lesson 2 - Overview of Exam 70-533Exam 70-533 Module 0-Lesson 2 - Overview of Exam 70-533
Exam 70-533 Module 0-Lesson 2 - Overview of Exam 70-533
 
Exam 70-533 Module 0-Lesson 1 - About this course
Exam 70-533 Module 0-Lesson 1 - About this courseExam 70-533 Module 0-Lesson 1 - About this course
Exam 70-533 Module 0-Lesson 1 - About this course
 
48. Azure Active Directory - Part 1
48. Azure Active Directory - Part 148. Azure Active Directory - Part 1
48. Azure Active Directory - Part 1
 
Session 44 - Azure SQL Database - Part 1 - Introduction
Session 44 - Azure SQL Database - Part 1 - IntroductionSession 44 - Azure SQL Database - Part 1 - Introduction
Session 44 - Azure SQL Database - Part 1 - Introduction
 
Session 39 azure storage - part 2 - blob storage and security
Session 39   azure storage - part 2 - blob storage and securitySession 39   azure storage - part 2 - blob storage and security
Session 39 azure storage - part 2 - blob storage and security
 
Microsoft Azure Training - [13] Azure Virtual Networks-Part 7-VNet-to-VNet Co...
Microsoft Azure Training - [13] Azure Virtual Networks-Part 7-VNet-to-VNet Co...Microsoft Azure Training - [13] Azure Virtual Networks-Part 7-VNet-to-VNet Co...
Microsoft Azure Training - [13] Azure Virtual Networks-Part 7-VNet-to-VNet Co...
 
Microsoft Azure Training - [11]Azure Virtual Networks -Part 5 -Cross-premises...
Microsoft Azure Training - [11]Azure Virtual Networks -Part 5 -Cross-premises...Microsoft Azure Training - [11]Azure Virtual Networks -Part 5 -Cross-premises...
Microsoft Azure Training - [11]Azure Virtual Networks -Part 5 -Cross-premises...
 
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...
Microsoft Azure Training - [3] Azure Accounts, Subscriptions and Admin Roles ...
 
Microsoft Azure Training - [2] Introduction to the Cloud (Exam 70-533)
Microsoft Azure Training - [2] Introduction to the Cloud (Exam 70-533)Microsoft Azure Training - [2] Introduction to the Cloud (Exam 70-533)
Microsoft Azure Training - [2] Introduction to the Cloud (Exam 70-533)
 

Dernier

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Dernier (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Azure Network Security Groups (NSG)

  • 1.
  • 2. SHAWN ISMAIL My twitter is @shawnismail, my blog is at http://cloudranger.net and I work at ARCHITECT | CONSULTANT | GENEROUS
  • 3. WHAT WE WILL TALK ABOUT TODAY… 1.Overview of Azure security 2.Azure Network Security Groups (NSG) 3.Demo of NSGs in action
  • 4. Cloud adaptability is strongly tied to Cloud Security IN CLOUD WHERE WE ARE TODAY? • IT is playing an increasingly important role in driving business strategy since the emergence of cloud • Still many CIOs hesitate to fully embrace cloud-first approach • Large-scale data breaches dominated headlines in 2014- 2015
  • 5. Cloud adaptability is strongly tied to Cloud Security WHAT CUSTOMERS WANT FROM CLOUD PROVIDERS • Secure our data • Keep our data private • Give us control • Promote transparency • Maintain compliance MICROSOFTCLOUDINFRASTRUCTURE SUPPORTS1BILLIONCUSTOMERS, 140 COUNTRIES, 10LANGUAGESAND24 CURRENCIES
  • 6. The logical isolations; Software Defined Networking (SDN) takes a lead AZURE NETWORK PROTECTION • Network Isolation • Virtual Networks • VPN and Express Route IFYOU’RERESISTING THECLOUD BECAUSEOFSECURITY CONCERNS, YOU’RERUNNING OUTOFEXCUSES
  • 7. A representation of your own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 SUBSCRIPTION VNET SUBNET SUBNET VNET VNET
  • 8. A representation of your own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Virtual Network (MyVNET2) WFE2 DC2 SQL2
  • 9. A representation of your own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Address Space: 10.1.0.0/16 MySubnet1: 10.1.0.0/24 (10.1.0.0 - 10.1.0.255) 10.1.0.5 10.1.0.6 10.1.0.7
  • 10. A representation of your own network in the cloud AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Address Space: 10.1.0.0/16 MySubnet1: 10.1.0.0/24 (10.1.0.0 - 10.1.0.255) 10.1.0.5 10.1.0.6 10.1.0.7 Virtual Network (MyVNET2) WFE2 DC2 SQL2 Address Space: 10.2.0.0/16 MySubnet2: 10.2.0.0/24 (10.2.0.0 - 10.2.0.255) 10.2.0.5 10.2.0.6 10.2.0.7
  • 11. Multiple subnets in a VNet AZURE VIRTUAL NETWORKS (VNET) Virtual Network (MyVNET1) WFE1 DC1 SQL1 Address Space: 10.1.0.0/16 MySubnet1: 10.1.1.0/24 (10.1.1.0 - 10.1.1.255)10.1.1.5 10.1.1.6 10.1.1.7 FS1 EX1 MySubnet2: 10.1.2.0/24 (10.1.2.0 - 10.1.2.255) 10.1.2.5 10.1.2.6
  • 12. Azure Network Security Groups WHAT ARE AZURE NSGS? NSGs are used to control inbound and outbound access to Subnets, VMs and network interfaces (NICs). NSGs are not Endpoint ACLs! Each NSG contains one or more rules Each rule determines if a traffic is Approved or Denied Approval and Denial in each rule is based on source IP address, source port, destination IP address, and destination port Rules have priorities There are some Default rules in each NSG when they are created
  • 13. Azure Network Security Groups Construct NSG CONSTRUCT Every NSG has a: Name Location Resource Group Name Create NSG in PowerShell: New-AzureNetworkSecurityGroup -Name “MySQL-NSG" -Location "East US 2" -ResourceGroupName “MyRGEast2"
  • 14. Azure Network Security Groups Rule Construct NSG RULE CONSTRUCT A rule specifies the following: Name: A unique identifier for the rule Direction: Inbound/Outbound Priority: Access: Allow/Deny Source IP Address: CIDR of source IP or IP range Source Port Range: Destination IP Range: CIDR of the destination IP or IP Range Destination Port Range: Protocol: TCP/UPP/Both Description: PowerShell: Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-P“ -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.6" - DestinationPortRange “1433" -Protocol "*" -Description “TO MySQL1 server from FE Servers"
  • 15. Azure Network Security Groups Default Rules NSG DEFAULT RULES NSGs have default rules Default rules cannot be deleted Default rules have the lowest priority Can be easily overwritten by higher priority rules
  • 16. Azure Network Security Groups Default Rules NSG DEFAULT RULES Notice the Default Tags
  • 17. Where to apply an NSG is based on individual requirements WHERE CAN AN NSG BE APPLIED? Apply/Associate NSG to a Subnet Apply/Associate NSG to an individual VM Apply/Associate NSG to a NIC Your organization may create a best practice that works for you
  • 18. OUR SCENARIO MyBESubnet: 1. Inbound- Allow all traffic from MyFESubnet to MyDC1 2. Inbound - Allow only traffic from MyFESubnet to MySQL1 on Port 1433 3. Outbound - Deny all traffic to INTERNET Virtual Network (MyVNET1) MyWFE1 MyDC1 MySQL1 Address Space: 10.1.0.0/16 MyFESubnet: 10.1.2.0/24 (10.1.2.0 - 10.1.2.255) 10.1.1.4 MyBESubnet: 10.1.1.0/24 (10.1.1.0 - 10.1.1.255) 10.1.2.4 10.1.1.5 MyFESubnet: 1. Inbound - Allow all traffic from MyBESubnet 2. Inbound - Only allow INTERNET traffic on port 80 to MyWFE1
  • 19. Thank You! Organizers, Sponsors and You for making this possible. More Slides At Slideshare.Net/shawnismail More Free Azure Videos At CloudRanger.net More Professional Help At 2toLead.com Message Me On LinkedIn or Email shawn@2toLead.com ARCHITECT | CONSULTANT | GENEROUS My twitter is @shawnismail, my blog is at http://cloudranger.net, and I work at
  • 20. ARCHITECT | CONSULTANT | GENEROUS Appendix
    Add-AzureAccount
    Get-AzureSubscription
    Switch-AzureMode AzureResourceManager
    # Create NSG
    New-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
    $nsgroup = Get-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2"
    # Allow
    Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyBESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "Allow all RDP traffic to MyBESubnet"
    Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyDC1-MyFESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.4" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyFESubnet to MyDC1"
    Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-MyFESubnet-P1433" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.5" -DestinationPortRange "1433" -Protocol "*" -Description "Allow traffic from MyFESubnet on port 1433 to MySQL1"
    # Deny
    Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyFESubnet-MyBESubnet" -Direction Inbound -Priority 2000 -Access Deny -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Deny all other inbound traffic from MyFESubnet to MyBESubnet"
    Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET" -Direction Outbound -Priority 2001 -Access Deny -SourceAddressPrefix "10.1.1.0/24" -SourcePortRange "*" -DestinationAddressPrefix "INTERNET" -DestinationPortRange "*" -Protocol "*" -Description "Deny all Outbound traffic to the Internet"
    # Attach all created rules to Network Security Group
    Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup
    # Remove
    # Remove-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2"
    # Remove-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET"
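As an added example that is not part of the deck, the MyBESubnet-NSG rules above replayed through a small Python evaluator that mirrors how Azure walks rules in priority order and falls back to the built-in default rules; it assumes the VIRTUAL_NETWORK and INTERNET tags simply mean inside or outside 10.1.0.0/16, and leaves the AzureLoadBalancer default rule out.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

VNET = ip_network("10.1.0.0/16")  # MyVNET1 address space from the deck
# One NSG rule; fields mirror the Add-AzureNetworkSecurityRuleConfig parameters.
Rule = namedtuple("Rule", "name direction priority access src src_port dst dst_port protocol")

def _addr_ok(prefix, addr):
    """src/dst match: '*', a CIDR or single IP, or a VIRTUAL_NETWORK / INTERNET tag."""
    ip = ip_address(addr)
    if prefix == "*":
        return True
    if prefix == "VIRTUAL_NETWORK":
        return ip in VNET
    if prefix == "INTERNET":  # simplified assumption: any address outside the VNet
        return ip not in VNET
    return ip in ip_network(prefix, strict=False)

def _port_ok(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")  # "1433" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)

# Azure's built-in default rules (priority 65000+, cannot be deleted); AzureLoadBalancer one omitted.
DEFAULTS = [
    Rule("AllowVnetInBound", "Inbound", 65000, "Allow", "VIRTUAL_NETWORK", "*", "VIRTUAL_NETWORK", "*", "*"),
    Rule("DenyAllInBound", "Inbound", 65500, "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", "Outbound", 65000, "Allow", "VIRTUAL_NETWORK", "*", "VIRTUAL_NETWORK", "*", "*"),
    Rule("AllowInternetOutBound", "Outbound", 65001, "Allow", "*", "*", "INTERNET", "*", "*"),
    Rule("DenyAllOutBound", "Outbound", 65500, "Deny", "*", "*", "*", "*", "*"),
]

def evaluate(rules, direction, src, sport, dst, dport, proto="Tcp"):
    """Lowest priority number wins: the first matching rule decides the flow."""
    for r in sorted(list(rules) + DEFAULTS, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", proto)
                and _addr_ok(r.src, src) and _port_ok(r.src_port, sport)
                and _addr_ok(r.dst, dst) and _port_ok(r.dst_port, dport)):
            return r.access, r.name
    return "Deny", "implicit"

# The MyBESubnet-NSG rules created in the deck's appendix.
BE_NSG = [
    Rule("TO-MyBESubnet-INTERNET-P3389", "Inbound", 1000, "Allow", "INTERNET", "*", "10.1.1.0/24", "3389", "Tcp"),
    Rule("TO-MyDC1-MyFESubnet-PALL", "Inbound", 1001, "Allow", "10.1.2.0/24", "*", "10.1.1.4", "*", "*"),
    Rule("TO-MySQL1-MyFESubnet-P1433", "Inbound", 1002, "Allow", "10.1.2.0/24", "*", "10.1.1.5", "1433", "*"),
    Rule("FROM-MyFESubnet-MyBESubnet", "Inbound", 2000, "Deny", "10.1.2.0/24", "*", "10.1.1.0/24", "*", "*"),
    Rule("FROM-MyBESubnet-INTERNET", "Outbound", 2001, "Deny", "10.1.1.0/24", "*", "INTERNET", "*", "*"),
]
```

Running flows through it shows why the explicit priority-2000 deny is needed: without it the default AllowVnetInBound rule admits any traffic from MyFESubnet to the back-end subnet, and the same walk shows that the priority-1000 rule admits RDP from any Internet address to the whole of 10.1.1.0/24.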
  • 21. ARCHITECT | CONSULTANT | GENEROUS Appendix A
    Add-AzureAccount
    Get-AzureSubscription
    Switch-AzureMode AzureResourceManager
    # Create NSG
    New-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
    $nsgroup = Get-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"
    # Allow
    Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "Allow all RDP traffic to MyFESubnet"
    Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-MyBESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.1.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyBESubnet to MyFESubnet"
    Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyWFE1-INTERNET-P80" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.4" -DestinationPortRange "80" -Protocol "*" -Description "Allow port 80 traffic to MyWFE1"
    # Attach all created rules to Network Security Group
    Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup
    # Remove
    # Remove-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"
  • 22. ARCHITECT | CONSULTANT | GENEROUS Appendix B
    Run on server A to listen on a port:
      $Listener = [System.Net.Sockets.TcpListener]1433
      $Listener.Start()
      $Listener.AcceptTcpClient()   # blocks until a client connects
    Run on server B to connect a client to server A:
      (New-Object Net.Sockets.TcpClient).Connect("SERVERAIP", 1433)   # SERVERAIP = IP of the listening server A