EMMANUEL

Create and Configure network security groups.

A network security group (NSG) is a virtual firewall that controls network traffic to and from resources within a cloud environment, such as a virtual network. It uses a set of access control rules to allow or deny network traffic based on criteria like source/destination IP address, port, and protocol.

NSGs are a fundamental part of cloud security and can be applied to either entire network subnets or individual virtual machine network interfaces. By applying them at the subnet level, all resources within that subnet are protected, offering a simple way to manage access for groups of resources.

Diagram description of NSG

How network security groups work

NSGs operate based on a set of security rules that define what traffic is permitted. These rules are processed in order of priority, with the lowest number having the highest priority. Once a rule matches a traffic packet, processing stops.

A rule contains the following elements:

  • Direction: Whether the rule applies to inbound (incoming) or outbound (outgoing) traffic.
  • Source/Destination: Can be a specific IP address, an IP address range (using CIDR notation), or a Service Tag that represents a group of IP prefixes for an Azure service.
  • Port range: A specific port (e.g., 80) or a range of ports (e.g., 1000-2000).
  • Protocol: Specifies the protocol to match, such as TCP, UDP, or ICMP.
  • Action: What to do with the traffic if it matches the rule, either "Allow" or "Deny".

Key NSG concepts

  • Default rules: NSGs come with a set of default rules that cannot be removed, but they can be overridden by user-created rules with a higher priority (a lower priority number).
  • Stateful filtering: NSGs are "stateful," meaning that if an outbound connection is allowed, the firewall automatically permits the return inbound traffic for that connection. You do not need a separate inbound rule for it.
  • Application security groups (ASGs): A related feature that allows you to group virtual machines by application or role, rather than by IP address. You can then use the ASG in your NSG rules, which simplifies management and helps ensure consistent security policies.
  • Flow logs: A feature that logs information about IP traffic passing through an NSG, including source/destination details and whether traffic was allowed or denied. This data is useful for monitoring and troubleshooting network traffic.

In this article, we are going to create and configure a network security group based on a scenario in which an organization requires the network traffic in the app-vnet to be tightly controlled. To do that we have to meet these requirements:

  • The frontend subnet has web servers that can be accessed from the internet. An application security group (ASG) is required for those servers. The ASG should be associated with any virtual machine interface that is part of the group. This will allow the web servers to be easily managed.
  • The backend subnet has database servers used by the frontend web servers. A network security group (NSG) is required to control this traffic. The NSG should be associated with any virtual machine interface that will be accessed by the web servers.
  • For testing, a virtual machine should be installed in the frontend subnet (VM1) and in the backend subnet (VM2). Then complete the following tasks:

  • Create a network security group.

  • Create network security group rules.

  • Associate a network security group to a subnet.

  • Create and use application security groups in network security group rules.

Architecture diagram

Create VM1 with Ubuntu server, and associate frontend as the subnet and app-vnet as the virtual network.

1. In your Azure portal, use the search box to search for Virtual machines and select it from the results.

Virtual machine search portal

2. Select + Create and then select Virtual machine.

+Create

3. Under Basics, fill in the project details by choosing your Resource group, Virtual machine name, Region, Availability option, Availability zone, Image and Size.

Project details

Contd project details

4. Under Administrator account, choose Password, then fill in the Username and Password.

Administrator account

5. Under Inbound port rules, select None.

Inbound port rules

6. Under Networking, choose app-vnet as the virtual network and frontend as the subnet, and leave the rest at the defaults.

Networking

7. Select Review + create.

Review + Create

8. After validation passes, select Create and wait for the deployment to complete.

Create

Create

Create another virtual machine VM2 with Ubuntu server, and associate backend as the subnet and app-vnet as the virtual network.

1. In your Azure portal, search for Virtual machines and select it from the results.

Virtual machine

2. Select + Create.

+ Create

3. Under Basics, fill in the project details by choosing your Resource group, Virtual machine name, Region, Availability option, Availability zone, Image and Size.

Project details

Cont. Project details

4. Under Administrator account, choose Password, then fill in the Username and Password.

Administrator account

5. Under Inbound port rules, select None.

Inbound port rules

6. Under Networking, choose app-vnet as the virtual network and backend as the subnet. Leave the rest at the defaults.

Networking

7. Select Review + create.

Review + Create

8. After validation passes, select Create and wait for the deployment to complete.

Create

Create

Verify that both VM1 and VM2 are Running, then create an application security group. Application security groups (ASGs) let you group together servers with similar functions, for example all the web servers hosting your application.

Create Application Security Group

1. In the portal, search for and select Application security groups.

Application security group

2. Select + Create.

+ Create

3. Configure the application security group:

  • Subscription: Subscription 1
  • Resource group: RG1
  • Name: app-frontend-asg
  • Region: East US

ASGs

4. Select Review + create.

Review + Create

5. Select Create.

Create

Note: You are creating the application security group in the same region as the existing virtual network.

Associate the application security group to the network interface of the VM

1. In the Azure portal, search for and select VM1.

VM1

2. In the Networking blade, select Application security groups and then select Add application security groups.

Add application security group

3. Select app-frontend-asg and then select Add.

Add app-frontend-asg

app-frontend-asg

Create and Associate the Network Security Group

Network security groups (NSGs) secure network traffic in a virtual network.

1. In the portal, search for and select Network security groups.

Network security group

2. Select + Create.

+Create

3. Configure the network security group:

  • Subscription: Subscription 1
  • Resource group: RG1
  • Name: app-vnet-nsg
  • Region: East US

Configure NSG

4. Select Review + create.

Review + Create

5. Select Create after validation passes, then wait for the deployment to complete.

Create

Associate the NSG with the app-vnet backend subnet.

NSGs can be associated with subnets and/or individual network interfaces attached to Azure virtual machines.

1. Select Go to resource or navigate to the app-vnet-nsg resource. In the Settings blade, select Subnets.

app-vnet-nsg

2. Select + Associate.

+ Associate

3. Select app-vnet (RG1) and then the backend subnet. Select OK.

Associate app-vnet/backend

Associated app-vnet nsg with backends

Create Network Security Group rules

An NSG uses security rules to filter inbound and outbound network traffic.

1. In the search box at the top of the portal, enter Network security groups and select Network security groups in the search results.

Network security group

2. Select app-vnet-nsg from the list of network security groups.

App-vnet-nsg

3. In the Settings blade, select Inbound security rules.

Inbound security rules

4. Select + Add.

+Add

5. Configure the inbound security rule and select Add.

Configure inbound security rule

Cont. configure inbound security rule
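As an added example (not code from the original article), the following Python models the rule processing described under "How network security groups work" and "Key NSG concepts" and applies it to the app-vnet-nsg built in the steps above: rules are evaluated in priority order, the first match wins, the non-removable default rules sit at priorities 65000 and above, and a small flow table stands in for stateful filtering. The article does not state which inbound rule was entered in the final step, so the custom rule (TCP 1433 from app-frontend-asg to the backend subnet), the address space 10.1.0.0/16 and the VM addresses are assumptions; the default rule names and priorities are Azure's real ones.

```python
import ipaddress
from dataclasses import dataclass

# Address book for this example (constructed, not from the article). Azure
# expands the VirtualNetwork tag to the VNet's address space; app-vnet's
# space and the subnet/NIC addresses below are assumed values.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.1.0.0/16"],           # assumed app-vnet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],   # Azure's load-balancer probe IP
}
ASG_MEMBERS = {"app-frontend-asg": {"10.1.0.4"}}  # VM1's NIC (assumed address)
BACKEND_SUBNET = "10.1.1.0/24"                    # assumed backend subnet


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for user rules; lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, service tag, ASG name or "*"
    destination: str
    dest_ports: str    # "*", "1433" or "1000-2000"


# Azure's built-in inbound rules: they cannot be deleted, only out-prioritised.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

# app-vnet-nsg as built in this article: defaults plus one custom rule. The
# article does not state the rule that was entered; TCP 1433 from the ASG to
# the backend subnet is an assumption that fits the web-to-database scenario.
APP_VNET_NSG = DEFAULT_INBOUND + [
    Rule("AllowFrontendAsgToSql", 100, "Inbound", "Allow", "Tcp", "app-frontend-asg", BACKEND_SUBNET, "1433"),
]

# Hardened variant: an explicit deny that sits above AllowVnetInBound (65000),
# so VNet hosts that are not in the ASG no longer reach the backend by default.
APP_VNET_NSG_HARDENED = APP_VNET_NSG + [
    Rule("DenyVnetToBackend", 4000, "Inbound", "Deny", "*", "VirtualNetwork", BACKEND_SUBNET, "*"),
]


def _addr_matches(spec, ip):
    """Resolve "*", an ASG name, a service tag or a CIDR against one address."""
    if spec == "*":
        return True
    if spec in ASG_MEMBERS:
        return ip in ASG_MEMBERS[spec]
    prefixes = SERVICE_TAGS.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule_name) from the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if not (_addr_matches(rule.source, src_ip)
                and _addr_matches(rule.destination, dst_ip)
                and _port_matches(rule.dest_ports, dst_port)):
            continue
        return rule.access, rule.name      # first match wins; processing stops
    raise ValueError("no rule matched; the default rules make this unreachable")


class FlowTable:
    """Minimal model of stateful filtering: a connection allowed outbound admits
    its return packets inbound without consulting the inbound rules."""

    def __init__(self):
        self._flows = set()

    def open_outbound(self, protocol, local_ip, local_port, remote_ip, remote_port):
        self._flows.add((protocol, local_ip, local_port, remote_ip, remote_port))

    def is_return_traffic(self, protocol, src_ip, src_port, dst_ip, dst_port):
        return (protocol, dst_ip, dst_port, src_ip, src_port) in self._flows


def inbound_decision(rules, flows, protocol, src_ip, src_port, dst_ip, dst_port):
    """Stateful inbound check: established return traffic first, then the rules."""
    if flows.is_return_traffic(protocol, src_ip, src_port, dst_ip, dst_port):
        return "Allow", "established"
    return evaluate(rules, "Inbound", protocol, src_ip, dst_ip, dst_port)


if __name__ == "__main__":
    for nsg_name, nsg in (("app-vnet-nsg", APP_VNET_NSG), ("hardened", APP_VNET_NSG_HARDENED)):
        for label, src in (("VM1 (in ASG)", "10.1.0.4"), ("other VNet host", "10.1.0.9"), ("internet", "203.0.113.9")):
            print(nsg_name, label, evaluate(nsg, "Inbound", "Tcp", src, "10.1.1.4", 1433))
```

Running the block prints the decision for three sources against both rule sets. The case worth checking in the real portal is the VNet host that is not in app-frontend-asg: with only an allow rule for the ASG, it still reaches the backend through the default AllowVnetInBound rule, so a deny rule for VirtualNetwork with a priority number below 65000 is needed if the backend should accept connections only from the web servers.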
