Scenario
In this exercise, I had to ensure that the network traffic within the app-vnet
was securely controlled. The task required configuring network security policies and using application security groups (ASGs) and network security groups (NSGs) to secure both the frontend and backend subnets. Below are the key requirements I worked on:
- Frontend Subnet: This subnet hosted the web servers, and it required an Application Security Group (ASG) to manage access.
- Backend Subnet: This subnet hosted the database servers and required an NSG to control traffic coming from the frontend.
- Virtual Machines: VM1 was deployed in the frontend subnet, and VM2 in the backend subnet. I had to configure the necessary network security to ensure both VMs were properly secured.
Skilling Tasks
- ✅ Create a network security group
- ✅ Create network security group rules
- ✅ Associate a network security group to a subnet
- ✅ Create and use application security groups in network security group rules
Exercise Instructions
Step 1: Create the Network Infrastructure for the Exercise
Since this exercise required virtual networks and subnets, I followed the instructions from Lab 01 to deploy those resources using an Azure Resource Manager (ARM) template. Here's what I did:
1️⃣ Sign in to the Azure Portal: I accessed the Azure Portal and searched for Virtual Machines.
2️⃣ Deploy Virtual Machines using ARM Template:
- I used a custom deployment to upload the template and parameters files from a GitHub repository.
- I ran the PowerShell script to deploy the virtual machines in the app-vnet and hub-vnet. These machines (VM1 and VM2) were created to test network security and connectivity.
3️⃣ Verify the Virtual Machines: I made sure both VM1 and VM2 were running by checking the Virtual Machines section of the portal.
Step 2: Create the Application Security Group (ASG)
Next, I created an Application Security Group (ASG) to easily manage the web servers in the frontend subnet. Here’s the process:
1️⃣ Create the Application Security Group:
- In the Azure portal, I searched for Application Security Groups.
- I clicked + Create and provided the following information for the ASG:
Property | Value |
---|---|
Subscription | Select your subscription |
Resource Group | RG1 |
Name | app-frontend-asg |
Region | East US |
I clicked Review + Create and then Create to deploy the ASG.
2️⃣ Associate the ASG to VM1:
- I selected VM1 in the Azure portal and navigated to the Networking blade.
- I selected Application Security Groups and clicked Add Application Security Group.
- I chose the app-frontend-asg and clicked Add.
Step 3: Create and Associate the Network Security Group (NSG)
To manage network security for the backend subnet, I created a Network Security Group (NSG) and associated it with the appropriate subnet. Here's how:
1️⃣ Create the NSG:
- In the Azure portal, I searched for Network Security Groups and clicked + Create.
- I provided the following details for the app-vnet-nsg:
Property | Value |
---|---|
Subscription | Select your subscription |
Resource Group | RG1 |
Name | app-vnet-nsg |
Region | East US |
I clicked Review + Create and then Create to deploy the NSG.
2️⃣ Associate NSG with Backend Subnet:
- After creating the NSG, I navigated to the app-vnet-nsg resource.
- In the Settings blade, I selected Subnets and clicked + Associate.
- I selected the app-vnet and Backend Subnet, then clicked OK.
Step 4: Create Network Security Group Rules
Next, I created an inbound rule intended to allow SSH traffic from the frontend (web server) to the backend (database server). Note how the rule is entered below: the Source is Any and the Destination is the app-frontend-asg, and the NSG it lives in is associated with the backend subnet. Here's how I did it:
1️⃣ Add Inbound Security Rule:
- In the app-vnet-nsg settings, I selected Inbound security rules and clicked + Add to create a new rule.
- I filled out the details as follows:
Property | Value |
---|---|
Source | Any |
Source port ranges | * |
Destination | Application Security Group |
Destination ASG | app-frontend-asg |
Service | SSH |
Action | Allow |
Priority | 100 |
Name | AllowSSH |
I clicked Add to create the rule.
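To see what the rule from Step 4 actually permits once it is evaluated alongside the NSG's built-in default rules, here is a small model of Azure's inbound NSG evaluation. It is an added example, not part of the lab or the post: it reproduces the documented semantics (rules processed in ascending priority, first match wins, platform defaults AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001 and DenyAllInBound 65500, and an ASG in a rule matching only when the NIC on that side of the flow is a member). The address ranges, NIC names, ASG memberships and the `AllowSSHFromFrontend`/`DenyVnetInBound` rule names are constructed for illustration, and the VirtualNetwork tag is simplified to the VNet's own address space (it also covers peered networks and on-premises ranges reachable through a gateway).

```python
"""Model of Azure NSG inbound rule evaluation (added example; not lab code).

Azure semantics reproduced here: rules are processed in ascending priority,
the first match wins, and every NSG ends with the platform default rules
AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and
DenyAllInBound (65500). A source or destination set to an application
security group matches only when the NIC on that side of the flow is a member.
Addresses, NIC names and ASG memberships below are constructed, not taken
from the lab.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

VNET = "10.1.0.0/16"             # assumed address space of app-vnet
BACKEND_SUBNET = "10.1.1.0/24"   # assumed; app-vnet-nsg is associated here
AZURE_LB_PROBE_IP = "168.63.129.16"  # the AzureLoadBalancer service tag

# Constructed NIC inventory: NIC name -> (private IP, ASG memberships).
NICS = {
    "vm1-nic": ("10.1.0.4", {"app-frontend-asg"}),  # VM1, frontend, in the ASG
    "vm2-nic": ("10.1.1.4", set()),                 # VM2, backend
    "vm3-nic": ("10.1.0.5", set()),                 # frontend host outside the ASG
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, "*", "VirtualNetwork", "AzureLoadBalancer" or "asg:<name>"
    destination: str  # same forms as source
    dest_port: str    # "22", "1024-65535" or "*"


def _match_endpoint(spec: str, ip: str, nic: Optional[str]) -> bool:
    """Does one side of a flow (IP plus its NIC, if known) match a rule field?"""
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        return nic is not None and spec[4:] in NICS[nic][1]
    if spec == "VirtualNetwork":  # simplified: the VNet's own address space only
        return ip_address(ip) in ip_network(VNET)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return ip_address(ip) in ip_network(spec, strict=False)


def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: Sequence[Rule], src_ip: str, dst_nic: str, dst_port: int,
             protocol: str = "Tcp") -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    dst_ip, _ = NICS[dst_nic]
    # The NSG is associated with the backend subnet, so it only ever filters
    # traffic arriving at backend NICs; a rule whose Destination is
    # app-frontend-asg cannot match anything this NSG sees.
    if ip_address(dst_ip) not in ip_network(BACKEND_SUBNET):
        raise ValueError(f"{dst_nic} is not in the subnet this NSG is associated with")
    src_nic = next((n for n, (ip, _) in NICS.items() if ip == src_ip), None)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if not _match_endpoint(rule.source, src_ip, src_nic):
            continue
        if not _match_endpoint(rule.destination, dst_ip, dst_nic):
            continue
        if not _match_port(rule.dest_port, dst_port):
            continue
        return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

# The AllowSSH rule exactly as entered in Step 4: Source Any, Destination the ASG.
LAB_RULES = DEFAULT_INBOUND + [
    Rule("AllowSSH", 100, "Allow", "Tcp", "*", "asg:app-frontend-asg", "22"),
]

# A rule set (assumed names) that really limits backend SSH to the frontend web
# servers: the ASG becomes the Source, the backend range the Destination, and an
# explicit Deny sits above the 65000 default so other VNet hosts no longer pass.
HARDENED_RULES = DEFAULT_INBOUND + [
    Rule("AllowSSHFromFrontend", 100, "Allow", "Tcp", "asg:app-frontend-asg", BACKEND_SUBNET, "22"),
    Rule("DenyVnetInBound", 4000, "Deny", "*", "VirtualNetwork", "*", "*"),
]

if __name__ == "__main__":
    flows = [("VM1 -> VM2 ssh", "10.1.0.4", 22), ("VM3 -> VM2 ssh", "10.1.0.5", 22),
             ("VM1 -> VM2 mysql", "10.1.0.4", 3306), ("Internet -> VM2 ssh", "198.51.100.23", 22)]
    for label, src, port in flows:
        print(f"{label:20} lab: {evaluate(LAB_RULES, src, 'vm2-nic', port)}"
              f"   hardened: {evaluate(HARDENED_RULES, src, 'vm2-nic', port)}")
```

Running it shows that with the lab rule set VM1's SSH to VM2 is allowed by the default AllowVnetInBound rule, not by AllowSSH, and that any other host in the VNet gets the same answer; with the hardened set only NICs in app-frontend-asg reach port 22 on the backend, while the load balancer health probe is still admitted by the 65001 default because the deny at 4000 only covers VirtualNetwork sources.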
Key Learnings
Here are the key takeaways from this exercise:
1️⃣ Application Security Groups (ASGs)
ASGs let you group the network interfaces of VMs that share a role, so NSG rules can refer to the group by name instead of by IP address, and membership changes as VMs are added or removed without editing the rules. In this exercise, I used an ASG to group the frontend web servers and referenced it from a network security rule.
2️⃣ Network Security Groups (NSGs)
NSGs filter traffic to and from Azure resources with priority-ordered allow and deny rules, evaluated lowest priority number first, with the first match winning. I created an NSG and applied it to the backend subnet to control traffic between the frontend and backend servers.
3️⃣ Security Rules
Security rules belong to the NSG; an ASG has no rules of its own and is used as the Source or Destination of an NSG rule. In this case, I created an inbound rule allowing SSH to the app-frontend-asg from any source. Because app-vnet-nsg is associated with the backend subnet, that rule is only evaluated for traffic arriving at backend NICs, none of which are in the ASG, so frontend-to-backend SSH is in fact admitted by the default AllowVnetInBound rule (priority 65000), which also admits every other host in the virtual network. A rule that restricts backend SSH to the web servers would use the ASG as the Source and the backend address range as the Destination, paired with a Deny rule above 65000 for the rest of the virtual network.
4️⃣ Subnet Association
An NSG can be associated with a subnet or with an individual network interface attached to an Azure virtual machine; an ASG is attached only to network interfaces. Both levels of filtering apply when a subnet NSG and a NIC NSG are present, which allows precise control over traffic flow.
Conclusion
In this exercise, I successfully created and configured Network Security Groups (NSGs) and Application Security Groups (ASGs) in Azure. I also associated NSGs with subnets to control traffic between my frontend and backend resources. By creating these security groups and configuring security rules, I enhanced the network security of my virtual network, ensuring that traffic is properly filtered and controlled.
🔐 Stay tuned for more as I continue exploring Azure's networking and security features!