Hyacienth Ugochukwu

How To Control The Network Traffic To And From The Web Application

This is a continuation of my previous post.

Here, we will cover:

  • Creating an NSG
  • Creating NSG rules
  • Associating an NSG to a subnet
  • Creating and using Application Security Groups in NSG rules.

What is an NSG? In Azure, a Network Security Group (NSG) controls network traffic in a virtual network (VNet) using rules that allow or deny access. NSGs are a key component of Azure's security fabric.
An NSG rule is a security rule that controls network traffic to and from Azure resources. NSG rules can allow or deny traffic based on conditions such as:

  • Source and destination: The IP addresses of the source and destination
  • Ports: The source and destination ports, or port ranges, of the traffic
  • Protocols: The protocol used for the network traffic

Here are some other things to know about NSG rules: 

  • Priority: Each rule in an NSG collection must have a unique priority number between 100 and 4096. The lower the number, the higher the priority. 
  • Direction: Rules can be set to apply to either inbound or outbound traffic. 
  • Action: Rules can be set to "Allow" or "Deny". 
  • Logging: Logging can be enabled for an NSG to collect information about which rules are applied to virtual machines, and how often each rule is applied. 
  • Default rules: NSGs contain default rules that can't be deleted, but can be overridden by user-created rules.

First, we will create an Application Security Group
An application security group (ASG) enables you to group servers with similar functions, such as web servers.

  1. In the search box at the top of the portal, enter Application security group. Select Application security groups in the search results.
  2. Select + Create.

On the Basics tab of Create an Application Security Group, enter the information listed below:

| Property | Value |
| --- | --- |
| Subscription | Select your subscription |
| Resource group | YOUR RESOURCE GROUP |
| Name | app-backend-asg |
| Region | East US |

  3. Select Review + Create and then select Create.

Note: You are creating the application security group in the same region as the existing virtual network.

Then you Create and Associate the Network Security Group
A network security group (NSG) secures network traffic in your virtual network. NSGs contain a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated with subnets and/or individual network interfaces attached to Azure Virtual Machines (VM).

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.
  2. Select + Create.

On the Basics tab of Create Network Security Group, enter the information as listed below:

| Property | Value |
| --- | --- |
| Subscription | Select your subscription |
| Resource group | YOUR RESOURCE GROUP |
| Name | app-vnet-nsg |
| Region | East US |

  3. Select Review + Create and then select Create.

In this section, you associate the network security group with the subnet of the virtual network you created earlier.

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.
  2. Select app-vnet-nsg from the list of network security groups.
  3. Select Subnets from the Settings section of app-vnet-nsg.
  4. In the Subnets page, select + Associate.
  5. Under Associate subnet, select app-vnet (RG1) for Virtual network, select Backend for Subnet, and then select OK.

Time to Create Network Security Group Rules
A network security group (NSG) secures network traffic in your virtual network.

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.
  2. Select app-vnet-nsg from the list of network security groups.
  3. Select Inbound security rules from the Settings section of app-vnet-nsg.
  4. Select + Add.
  5. On the Add inbound security rule page, enter the information as listed below:

| Property | Value |
| --- | --- |
| Source | Any |
| Source port ranges | * |
| Destination | Application security group |
| Destination application security group | app-backend-asg |
| Service | SSH |
| Action | Allow |
| Priority | 100 |
| Name | AllowSSH |
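
The same application security group, network security group, subnet association and AllowSSH rule can be built with Az PowerShell instead of the portal. This is an added example, not code from the original post; it assumes Cloud Shell with the Az module, that RG1, app-vnet and its Backend subnet already exist, and it defines the rule before creating the NSG rather than adding it afterwards.

```powershell
# Added example: Az PowerShell equivalent of the portal steps above.
# Assumption: RG1, app-vnet and the Backend subnet already exist (names from the page).
$RGName   = "RG1"
$Location = "eastus"   # East US

# 1. Application security group for the backend servers.
$asg = New-AzApplicationSecurityGroup -ResourceGroupName $RGName `
    -Name "app-backend-asg" -Location $Location

# 2. Inbound rule. The portal's "Service: SSH" corresponds to TCP port 22.
#    Source "*" mirrors the page's "Any"; a management CIDR here narrows exposure.
$sshRule = New-AzNetworkSecurityRuleConfig -Name "AllowSSH" `
    -Direction Inbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationApplicationSecurityGroupId $asg.Id -DestinationPortRange 22

# 3. Network security group carrying that rule.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName `
    -Name "app-vnet-nsg" -Location $Location -SecurityRules $sshRule

# 4. Associate the NSG with the Backend subnet and commit the change to the VNet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $RGName -Name "app-vnet"
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Backend"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Backend" `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg |
    Set-AzVirtualNetwork | Out-Null
```

Because the rule's destination is the application security group, it only matches traffic to network interfaces that are members of app-backend-asg.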

Next is to deploy an ARM template using Cloud Shell to create the VMs needed for this exercise

  1. In the Azure portal, open the Azure Cloud Shell by selecting the icon in the top right of the Azure Portal.
  2. If prompted to select either Bash or PowerShell, select PowerShell.

Note: If this is the first time you are starting Cloud Shell and you are presented with the You have no storage mounted message, select the subscription you are using in this lab, and select Create storage.

  3. Deploy the following ARM template using Cloud Shell to create the VMs needed for this exercise:

# Deploy the lab's ARM template into the existing resource group
$RGName = "RG1"

New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/main/Instructions/Labs/azuredeploy.json

  4. To verify that both the VM1 and VM2 virtual machines are running, navigate to the RG1 resource group and select VM1.
  5. Validate that the status of the virtual machine is Running.
  6. Repeat the previous step for VM2.

Finally, Associate the application security group to the network interface of the VM
When you created the VMs, Azure created a network interface for each VM and attached it to the VM.

Add the application security group you created previously to the network interface of VM2.

  1. In the Azure portal, navigate to the RG1 resource group and select VM2.
  2. Navigate to the Networking tab of the VM, and select + Add application security groups from the Application security groups section.
  3. Select app-backend-asg from the list of application security groups.
  4. Select Add.
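
To confirm the finished configuration, the settings can be read back from Cloud Shell. This is an added example, not part of the original post; it assumes the page's names (RG1, app-vnet-nsg, app-backend-asg, VM1, VM2), and the output column names TargetsAsg and AnySource are labels chosen here.

```powershell
# Added example: read back the NSG, its rules and ASG membership built on this page.
$RGName = "RG1"
$asg = Get-AzApplicationSecurityGroup -ResourceGroupName $RGName -Name "app-backend-asg"
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $RGName -Name "app-vnet-nsg"

# Subnets the NSG is associated with (the ID should end in /subnets/Backend).
$nsg.Subnets | ForEach-Object { "NSG applies to subnet: $($_.Id)" }

# Inbound allow rules, lowest priority number (evaluated first) at the top.
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" } |
    Sort-Object Priority |
    ForEach-Object {
        $rule = $_
        # Source values that mean "any address": *, the Internet tag, 0.0.0.0/0.
        $open = @($rule.SourceAddressPrefix |
            Where-Object { $_ -in "*", "Internet", "0.0.0.0/0" })
        [pscustomobject]@{
            Name       = $rule.Name
            Priority   = $rule.Priority
            Ports      = $rule.DestinationPortRange -join ","
            TargetsAsg = @($rule.DestinationApplicationSecurityGroups.Id) -contains $asg.Id
            AnySource  = $open.Count -gt 0
        }
    } | Format-Table

# ASG membership per VM: after the last step only VM2 should be a member.
foreach ($vmName in "VM1", "VM2") {
    $vm     = Get-AzVM -ResourceGroupName $RGName -Name $vmName
    $nic    = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    $member = @($nic.IpConfigurations.ApplicationSecurityGroups.Id) -contains $asg.Id
    "{0}: member of app-backend-asg = {1}" -f $vmName, $member
}
```

With the page's settings, AllowSSH shows AnySource as True, so SSH to VM2 is accepted from any source address that can reach it.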
