When people first start using Azure, they normally do something silly, like accidentally exposing a virtual machine fully to the Internet. Then they find out about Network Security Groups (NSGs), which act as a basic firewall to block ports, but NSGs do so much more!

An obvious use for NSGs is to create a DMZ consisting of a subnet. This subnet contains all of your Internet-exposed virtual machines, and the NSG blocks all unnecessary ports both to and from your internal network. While this is a wonderful use of an NSG, you do need to bear in mind that an NSG only checks the 5-tuple of source and destination IP addresses, source and destination ports, and the protocol used, so it isn't a full-fledged firewall.
However, most people do not use them on their internal networks, where they truly belong.
Segregating devices on a network has long been a best practice, but simply placing VMs on a different subnet or VNet doesn't really secure anything, because traffic between those subnets is still allowed by default. To be truly secure, you need to use NSGs to block any unwanted traffic between servers and users. After all, allowing any user to attempt an RDP request into a server isn't very secure, although handy for technicians (Microsoft recommends the use of jump boxes for technicians to use). One handy feature of NSGs is that you can apply the same one to multiple subnets, so once you have completed the hard work of figuring out which ports are needed, it is a simple matter to apply it to as many subnets as needed.
It is also important to remember that, by default, all virtual machines in Azure can access the Internet via Azure, and one of the only ways to prevent this is to implement an NSG denying Internet access at the subnet level.
Application Security Groups (ASGs) can be used in NSGs, which provides an easy way to group servers together. As a virtual machine can have 20 ASGs assigned, it is easy to see how you can use them to make NSG rules a lot easier.
NSG Flow Logs are a new feature that creates a log entry for each flow that travels through an NSG. The log entry consists of the 5-tuple of source and destination IP addresses, source and destination ports, and the protocol used, along with the rule that matched and whether the flow was allowed or denied, so you can go into a lot of detail. These logs are saved to a normal storage account, which you can view using a workspace or any tool that can read them. Having even a simple default NSG on every subnet will allow NSG flow logs to be saved, which you can then import into any capable SIEM system.
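As an added example (not code from the original post), here is a small Python reader for the version 1 NSG flow log JSON layout described above (records, then per-rule flows, then comma-separated flowTuples), used to triage denied inbound flows per source IP and destination port. The log records, IP addresses and NSG name are constructed sample data.

```python
import json
from collections import Counter
from typing import Iterator, NamedTuple


class FlowTuple(NamedTuple):
    rule: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str   # "T" = TCP, "U" = UDP
    direction: str  # "I" = inbound, "O" = outbound
    decision: str   # "A" = allowed, "D" = denied


def iter_flow_tuples(flow_log_json: str) -> Iterator[FlowTuple]:
    """Walk records -> properties.flows -> flows -> flowTuples (version 1 layout)."""
    for record in json.loads(flow_log_json)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic_flows in rule_block["flows"]:
                for line in nic_flows["flowTuples"]:
                    f = line.split(",")
                    # Version 2 appends state/packet/byte fields; the first 8 are common to both
                    yield FlowTuple(rule_block["rule"], f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7])


def denied_inbound_by_source(flow_log_json: str) -> Counter:
    """Count denied inbound flows per (source IP, destination port), a quick SIEM-style view."""
    counts: Counter = Counter()
    for t in iter_flow_tuples(flow_log_json):
        if t.direction == "I" and t.decision == "D":
            counts[(t.src_ip, t.dst_port)] += 1
    return counts


# Constructed sample log: one record, three rule blocks, documentation-range IPs.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2019-01-01T00:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<placeholder>/.../NETWORKSECURITYGROUPS/EXAMPLE-NSG",
    "properties": {"Version": 1, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1546300800,203.0.113.5,10.0.0.4,51000,3389,T,I,D",
            "1546300801,203.0.113.5,10.0.0.4,51001,3389,T,I,D",
            "1546300802,203.0.113.5,10.0.0.4,51002,22,T,I,D"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1546300803,198.51.100.7,10.0.0.4,40000,443,T,I,A"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1546300804,10.0.0.4,192.0.2.9,44426,443,T,O,A"]}]}]}}]})

if __name__ == "__main__":
    for (src, port), n in denied_inbound_by_source(SAMPLE_LOG).most_common():
        print(f"{src} -> port {port}: {n} denied inbound flows")
```

Pointing the same reader at the hourly PT1H.json blobs in the flow log storage account gives the per-subnet picture the post describes, without waiting for a SIEM import.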
As you can see, NSGs are a vital tool that every organization should utilize: they give you a deep view into the traffic flowing in your network and prevent any unwanted traffic from flowing.
To learn more, view our courses on Azure Networking.
About The Author:
Jonathan started in the electronics field and moved into the IT field after relocating to the U.S. He has worked as an IT generalist for the past 20 years. Jonathan has earned several certifications including: CISSP, MCSA: Windows 2012 R2, MCSE: Cloud Platform and Infrastructure 2017, Microsoft Azure, and Cisco CCNA.
Currently, Jonathan works as a Windows Server and Azure Infrastructure Engineer for New Signature, a cloud-first, full-service Microsoft solution provider and Microsoft Gold Partner. He is also a Microsoft P-CSA (Cloud Solution Architect), which provides advanced notification and testing of new Azure changes. Jonathan uses his experience in Windows, security, databases, and other systems to help clients with their move to the cloud, and to help them understand the changes involved in this process.
Jonathan's past positions include working for the state of South Carolina Department of Social Services in the Security Department, working as an IT manager for Southland Log Homes, and working as a Senior Windows Administrator for QualServ Corp.