By default, Azure does not provide any network traffic isolation between the subnets in a VNET. This creates a unique challenge for IT network and security professionals who have multiple subnets in Azure and would like to provide segmentation within the VNET, an architecture that is common in on-premises networks, both physical and virtual, for mitigating various security concerns. Azure NSGs (Network Security Groups) provide such virtual network segmentation without any additional virtual appliances.
You will learn:
1. Azure VM traffic isolation
2. Azure VNET traffic isolation
3. Azure network segmentation through traffic isolation
4. Isolated network security zones
1. Azure Network Security Groups (NSG)
2. SHAWN ISMAIL
ARCHITECT | CONSULTANT | GENEROUS
My twitter is @shawnismail, my blog is at http://cloudranger.net and I work at
3. WHAT WE WILL TALK ABOUT TODAY…
1. Overview of Azure security
2. Azure Network Security Groups (NSG)
3. Demo of NSGs in action
4. Cloud adaptability is strongly tied to Cloud Security
IN CLOUD WHERE WE ARE TODAY?
• IT is playing an increasingly important role in driving business strategy since the emergence of cloud
• Still many CIOs hesitate to fully embrace a cloud-first approach
• Large-scale data breaches dominated headlines in 2014-2015
5. Cloud adaptability is strongly tied to Cloud Security
WHAT CUSTOMERS WANT FROM CLOUD PROVIDERS
• Secure our data
• Keep our data private
• Give us control
• Promote transparency
• Maintain compliance
MICROSOFT CLOUD INFRASTRUCTURE SUPPORTS 1 BILLION CUSTOMERS, 140 COUNTRIES, 10 LANGUAGES AND 24 CURRENCIES
6. The logical isolations; Software Defined Networking (SDN) takes a lead
AZURE NETWORK PROTECTION
• Network Isolation
• Virtual Networks
• VPN and Express Route
IF YOU’RE RESISTING THE CLOUD BECAUSE OF SECURITY CONCERNS, YOU’RE RUNNING OUT OF EXCUSES
7. A representation of your own network in the cloud
AZURE VIRTUAL NETWORKS (VNET)
[Diagram: a Subscription contains VNETs, and each VNET contains Subnets. Virtual Network (MyVNET1) holds the VMs WFE1, DC1 and SQL1.]
8. A representation of your own network in the cloud
AZURE VIRTUAL NETWORKS (VNET)
[Diagram: Virtual Network (MyVNET1) with WFE1, DC1 and SQL1; Virtual Network (MyVNET2) with WFE2, DC2 and SQL2.]
9. A representation of your own network in the cloud
AZURE VIRTUAL NETWORKS (VNET)
[Diagram: Virtual Network (MyVNET1), Address Space: 10.1.0.0/16; MySubnet1: 10.1.0.0/24 (10.1.0.0 - 10.1.0.255); WFE1, DC1 and SQL1 at 10.1.0.5, 10.1.0.6 and 10.1.0.7.]
10. A representation of your own network in the cloud
AZURE VIRTUAL NETWORKS (VNET)
[Diagram: as slide 9, plus Virtual Network (MyVNET2), Address Space: 10.2.0.0/16; MySubnet2: 10.2.0.0/24 (10.2.0.0 - 10.2.0.255); WFE2, DC2 and SQL2 at 10.2.0.5, 10.2.0.6 and 10.2.0.7.]
12. Azure Network Security Groups
WHAT ARE AZURE NSGS?
NSGs are used to control inbound and outbound access to Subnets, VMs and network interfaces (NICs). NSGs are not Endpoint ACLs!
Each NSG contains one or more rules
Each rule determines whether matching traffic is allowed or denied
Allow or deny in each rule is based on source IP address, source port, destination IP address, and destination port
Rules have priorities
There are some default rules in each NSG when it is created
13. Azure Network Security Groups Construct
NSG CONSTRUCT
Every NSG has a:
Name
Location
Resource Group Name
Create NSG in PowerShell:
New-AzureNetworkSecurityGroup -Name "MySQL-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
14. Azure Network Security Groups Rule Construct
NSG RULE CONSTRUCT
A rule specifies the following:
Name: A unique identifier for the rule
Direction: Inbound/Outbound
Priority:
Access: Allow/Deny
Source IP Address: CIDR of source IP or IP range
Source Port Range:
Destination IP Range: CIDR of the destination IP or IP Range
Destination Port Range:
Protocol: TCP/UDP/Both
Description:
PowerShell:
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-P" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.6" -DestinationPortRange "1433" -Protocol "*" -Description "TO MySQL1 server from FE Servers"
15. Azure Network Security Groups Default Rules
NSG DEFAULT RULES
NSGs have default rules
Default rules cannot be deleted
Default rules have the lowest priority
Default rules can be overridden by higher-priority (lower-numbered) rules
17. Where to apply an NSG is based on individual requirements
WHERE CAN AN NSG BE APPLIED?
Apply/Associate NSG to a Subnet
Apply/Associate NSG to an individual VM
Apply/Associate NSG to a NIC
Your organization may create a best practice that works for you
18. OUR SCENARIO
Virtual Network (MyVNET1), Address Space: 10.1.0.0/16
MyFESubnet: 10.1.2.0/24 (10.1.2.0 - 10.1.2.255), hosting MyWFE1 (10.1.2.4)
MyBESubnet: 10.1.1.0/24 (10.1.1.0 - 10.1.1.255), hosting MyDC1 and MySQL1 (10.1.1.4 and 10.1.1.5 in the diagram)
MyBESubnet:
1. Inbound - Allow all traffic from MyFESubnet to MyDC1
2. Inbound - Allow only traffic from MyFESubnet to MySQL1 on Port 1433
3. Outbound - Deny all traffic to INTERNET
MyFESubnet:
1. Inbound - Allow all traffic from MyBESubnet
2. Inbound - Only allow INTERNET traffic on port 80 to MyWFE1
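Whether the MyBESubnet requirements above actually hold depends on the rule semantics from slides 12 and 15: rules are evaluated in priority order, the first match decides, and the non-deletable default rules catch everything else. The Python simulator below is an added example, not code from the deck. It models NSG evaluation as Azure documents it, with the default rules at priorities 65000-65500 (AllowAzureLoadBalancerInBound is left out because the toy has no load-balancer tag), treats the Internet tag as "anything outside 10.1.0.0/16", and assumes MyDC1 = 10.1.1.4 and MySQL1 = 10.1.1.5 from the diagram. The rule names, the sample flows and the 203.0.113.10 address are constructed for the example. Its point is the trap in requirement 2: "only port 1433 to MySQL1" needs an explicit Deny after the Allow, because the default AllowVnetInBound rule otherwise admits every other port from any host in the VNet.

```python
import ipaddress
from dataclasses import dataclass

# MyVNET1 address space from slide 18.
VNET = ipaddress.ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; user rules 100-4096, defaults 65000-65500
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    src: str           # CIDR, "*", or the tags "VirtualNetwork" / "Internet"
    sport: str         # single port, "lo-hi" range, or "*"
    dst: str
    dport: str
    protocol: str      # "Tcp", "Udp" or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    protocol: str


def _match_addr(prefix: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET
    if prefix == "Internet":
        return addr not in VNET      # simplification for this toy: anything outside the VNet
    return addr in ipaddress.ip_network(prefix, strict=False)


def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, flow):
    """First matching rule in ascending priority order decides; returns (access, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == flow.direction
                and (r.protocol == "*" or r.protocol.lower() == flow.protocol.lower())
                and _match_addr(r.src, flow.src) and _match_port(r.sport, flow.sport)
                and _match_addr(r.dst, flow.dst) and _match_port(r.dport, flow.dport)):
            return r.access, r.name
    raise RuntimeError("unreachable: the default Deny-all rules match every flow")


# Built-in default rules: cannot be deleted, only overridden by lower-numbered rules.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "*", "VirtualNetwork", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "*", "VirtualNetwork", "*", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# Literal translation of the three MyBESubnet requirements (assumed: MyDC1 10.1.1.4, MySQL1 10.1.1.5).
SCENARIO_RULES = [
    Rule("TO-MyDC1-FE-ALL", 1000, "Inbound", "Allow", "10.1.2.0/24", "*", "10.1.1.4", "*", "*"),
    Rule("TO-MySQL1-FE-P1433", 1001, "Inbound", "Allow", "10.1.2.0/24", "*", "10.1.1.5", "1433", "Tcp"),
    Rule("TO-INTERNET-DENY", 1000, "Outbound", "Deny", "*", "*", "Internet", "*", "*"),
]

# What "only port 1433" really needs: a deny that sits below the allow but above AllowVnetInBound.
LOCKDOWN_RULE = Rule("DENY-MySQL1-VNET-ALL", 1002, "Inbound", "Deny", "VirtualNetwork", "*", "10.1.1.5", "*", "*")

# Constructed sample flows (203.0.113.10 stands in for an Internet host).
FLOWS = {
    "FE->DC1 ldap": Flow("Inbound", "10.1.2.4", 50000, "10.1.1.4", 389, "Tcp"),
    "FE->SQL1 1433": Flow("Inbound", "10.1.2.4", 50001, "10.1.1.5", 1433, "Tcp"),
    "FE->SQL1 80": Flow("Inbound", "10.1.2.4", 50002, "10.1.1.5", 80, "Tcp"),
    "Internet->SQL1 1433": Flow("Inbound", "203.0.113.10", 40000, "10.1.1.5", 1433, "Tcp"),
    "SQL1->Internet 443": Flow("Outbound", "10.1.1.5", 50003, "203.0.113.10", 443, "Tcp"),
    "SQL1->WFE1 80": Flow("Outbound", "10.1.1.5", 50004, "10.1.2.4", 80, "Tcp"),
}


def check_scenario(user_rules):
    """Evaluate every sample flow against the user rules plus the defaults."""
    rules = list(user_rules) + DEFAULT_RULES
    return {label: evaluate(rules, flow) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for title, rules in (("as written", SCENARIO_RULES),
                         ("with explicit deny", SCENARIO_RULES + [LOCKDOWN_RULE])):
        print(f"--- {title} ---")
        for label, (access, name) in check_scenario(rules).items():
            print(f"{label:22} {access:5} by {name}")
```

Run it directly and compare the two tables: with the rules "as written", FE->SQL1 on port 80 is allowed by AllowVnetInBound; only the added deny rule produces the behaviour requirement 2 describes. The same evaluation order applies when an NSG is associated to a subnet, a VM or a NIC (slide 17), and a subnet-level deny also affects traffic between VMs inside that subnet.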
19. Thank You!
Organizers, Sponsors and You for making this possible.
More Slides At Slideshare.Net/shawnismail
More Free Azure Videos At CloudRanger.net
More Professional Help At 2toLead.com
Message Me On LinkedIn or Email shawn@2toLead.com
21. Appendix A
Add-AzureAccount
Get-AzureSubscription
Switch-AzureMode AzureResourceManager
# Create NSG
New-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
$nsgroup = Get-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"
# Allow rules (lower priority number is evaluated first)
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "Allow all RDP traffic to MyFESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-MyBESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.1.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyBESubnet to MyFESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyWFE1-INTERNET-P80" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.4" -DestinationPortRange "80" -Protocol "*" -Description "Allow port 80 traffic to MyWFE1"
# Attach all created rules to the Network Security Group
Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup
# Remove
# Remove-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"
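The first rule in Appendix A allows RDP (3389) from INTERNET to the whole MyFESubnet range, which is exactly the kind of exposure worth catching before an NSG goes live. The Python audit below is an added example, not part of the deck: the three rule dictionaries mirror the parameters of the Add-AzureNetworkSecurityRuleConfig calls above, while the management-port list and the INTERNET_SOURCES set are this example's own assumptions about what counts as risky. (The cmdlets in the appendix belong to the old Azure PowerShell module in AzureResourceManager mode; the current Az module equivalents are New-AzNetworkSecurityGroup, Add-AzNetworkSecurityRuleConfig and Set-AzNetworkSecurityGroup.)

```python
# Ports a reviewer normally expects to be reachable only from trusted ranges (assumed list).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
# Source prefixes that mean "the whole Internet" (assumed; "INTERNET" is the tag used in Appendix A).
INTERNET_SOURCES = {"INTERNET", "Internet", "*", "0.0.0.0/0"}


def _port_spec_covers(spec, port):
    """True if a DestinationPortRange value ("*", "3389" or "80-443") includes the port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def audit(rules):
    """Return (rule name, reason) for each inbound Allow rule exposing a management port to the Internet."""
    findings = []
    for r in rules:
        if r["Access"] != "Allow" or r["Direction"] != "Inbound":
            continue
        if r["SourceAddressPrefix"] not in INTERNET_SOURCES:
            continue
        exposed = [f"{port}/{svc}" for port, svc in MANAGEMENT_PORTS.items()
                   if _port_spec_covers(r["DestinationPortRange"], port)]
        if exposed:
            findings.append((r["Name"],
                             f"Internet source allowed to {', '.join(exposed)} on {r['DestinationAddressPrefix']}"))
    return findings


# The three rules from Appendix A, as the cmdlet parameters they were created with.
APPENDIX_A_RULES = [
    {"Name": "TO-MyFESubnet-INTERNET-P3389", "Direction": "Inbound", "Priority": 1000, "Access": "Allow",
     "SourceAddressPrefix": "INTERNET", "SourcePortRange": "*",
     "DestinationAddressPrefix": "10.1.2.0/24", "DestinationPortRange": "3389", "Protocol": "Tcp"},
    {"Name": "TO-MyFESubnet-MyBESubnet-PALL", "Direction": "Inbound", "Priority": 1001, "Access": "Allow",
     "SourceAddressPrefix": "10.1.1.0/24", "SourcePortRange": "*",
     "DestinationAddressPrefix": "10.1.2.0/24", "DestinationPortRange": "*", "Protocol": "*"},
    {"Name": "TO-MyWFE1-INTERNET-P80", "Direction": "Inbound", "Priority": 1002, "Access": "Allow",
     "SourceAddressPrefix": "INTERNET", "SourcePortRange": "*",
     "DestinationAddressPrefix": "10.1.2.4", "DestinationPortRange": "80", "Protocol": "*"},
]


if __name__ == "__main__":
    for name, reason in audit(APPENDIX_A_RULES):
        print(f"{name}: {reason}")
```

The port-80 rule passes because it is scoped to a single host and a non-management port; the RDP rule is reported because it combines an Internet source, a management port and a 256-address destination. Tightening it means replacing "INTERNET" with the address range of the administrators' network, or removing it in favour of a jump host inside the VNet.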
22. Appendix B
Run on server A to listen on a port:
$Listener = [System.Net.Sockets.TcpListener]1433
$Listener.Start()
$Listener.AcceptTcpClient()   # blocks until a client connects, then returns the TcpClient
$Listener.Stop()
Run on server B to connect a client to server A:
(New-Object Net.Sockets.TcpClient).Connect("<server A IP>", 1433)   # replace the placeholder with server A's address