This chapter focuses on securing access to virtual networks. You will learn how to create security rules and associate a Network Security Group (NSG) with a subnet or network interface. You will also learn how to effectively evaluate security rules and try a hands-on deployment on Azure Firewall and Azure Bastion. These are key skills to have as an Azure administrator and ensure you have good experience securing a network and deploying network security components.
In this chapter, we will cover the following main topics:
To follow along with the hands-on lessons, you will need access to the following:
When it comes to deploying resources on virtual networks within Azure, it is recommended to only allow the required traffic from a security point of view. One of the free solutions on the Azure platform to use for traffic filtering is called NSGs. NSG rules are evaluated by priority using the following five-tuple information:
Based on the preceding configuration, the NSG rule can be configured to either block or allow traffic.
Important Note
NSGs can be assigned on a subnet or at a network interface card level.
Let's look at how to create an NSG via the Azure portal and associate it with an existing subnet, using the following steps:
Now that we have successfully created our NSG, we are going to assign it to all resources on the subnet level for a specific virtual network (VNet). To do this, let's navigate to the newly created NSG overview page in Azure. This can be found under the All resources section.
In this demonstration, we covered what the purpose of NSGs is and how to create a new NSG via the Azure portal and assign it to an existing subnet.
In the next section, are going to have a look at how to configure NSG rules.
Now that we have associated the NSG with its default rules with a subnet, we need to create a new NSG rule that will deny Remote Desktop Protocol (RDP) traffic from the internet to the entire VNet. In order to do this, we need to do the following:
This concludes the demonstration of how to configure NSG rules. We also confirmed that our newly created rules are working as expected. We encourage students to further read up on NSGs by using the following links:
Next, we are going to look at how to evaluate effective NSG rules.
When you create an NSG, there are some default inbound and outbound security rules created for you automatically. The default rules are low-priority rules. You can also add custom rules to them. You can create inbound and outbound security rules. NSG rules follow priority, with the lowest rule number taking preference over the next rule.
The following is a screenshot of NSG inbound rules that show two RDP rules – one to allow RDP and one to deny RDP. The RDP rule with the lowest priority takes preference, meaning that the allow RDP rule will take effect before the deny RDP rule:
If there are too many NSG rules to manually review or multiple NSGs associated with a resource and you are unsure of which rules are taking preference, it is a good idea to use a built-in tool in Azure called Network Watcher to check the flow of traffic by using the IP flow verify blade of the tool. More information can be found here: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview.
In this section, we had a look at NSG rules to understand how rules take preference and which advanced troubleshooting tools we can use in Azure to verify the flow of traffic.
Let's have a look at Azure Firewall and the different SKUs available and what functionality they have.
When it comes to networking in Azure, NSGs are considered a basic-level firewall. However, sometimes a solution is required that has more granular control over traffic, or a smarter firewall is required; this is where Azure Firewall shines.
Azure Firewall has three main policies that can be configured:
The following diagram shows how rules in Azure Firewall are processed based on rule type:
It is important to understand rule processing within Azure Firewall, especially in troubleshooting scenarios.
Tip
Network rules are processed before application rules.
There are two SKUs for Azure Firewall:
The Azure Firewall Premium SKU offers the same features as the standard SKU and Premium features, such as TLS inspection and IDPS protection, to prevent the spread of malware and viruses across a network.
Note
Azure Firewall Manager can be used to centrally manage Azure firewalls across multiple subscriptions.
Traditionally, there were two main ways to connect to VMs in the cloud. The first was to assign a static public IP address and connect to them via the Remote Desktop Protocol (RDP) or secure shell (SSH), but this was later replaced by removing the public IP address and using a virtual private network (VPN) to securely connect to the server via the RDP or SSH. The Azure Bastion service enables you to connect to a VM by using your browser and the Azure portal instead of using technologies such as VPN. Bastion is a platform-as-a-service (PaaS) that you provision inside the VNet in Azure, which provides secure connectivity on management ports such as the RDP and SSH. Here are some key benefits of using Azure Bastion:
The following is a diagram that shows how Azure Bastion works:
Now that we have a better understanding of Azure Firewall and Azure Bastion, let's learn how to do the following via PowerShell:
To achieve the preceding objectives, follow these steps:
Connect-AzAccount
The screenshot shows the output of the command:
Select-AzSubscription -SubscriptionId "your-subscription-id"
New-AzResourceGroup -Name Test-FW-RG -Location "East US"
The screenshot shows the successful creation of the new RG:
$publicip = New-AzPublicIpAddress -ResourceGroupName Test-FW-RG -Location "East US" -Name Bastion-pip -AllocationMethod static -Sku standard
The public IP address for Bastion is shown in the following screenshot:
New-AzBastion -ResourceGroupName Test-FW-RG -Name Bastion-01 -PublicIpAddress $publicip -VirtualNetwork $testVnet
The following screenshot shows the newly created Bastion service:
#Create the NIC
$wsn = Get-AzVirtualNetworkSubnetConfig -Name VMSubnet -VirtualNetwork $testvnet
$NIC01 = New-AzNetworkInterface -Name VM01 -ResourceGroupName Test-FW-RG -Location "East us" -Subnet $wsn
#Define the virtual machine
$VirtualMachine = New-AzVMConfig -VMName VM01 -VMSize "Standard_DS2"
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName VM01 -ProvisionVMAgent -EnableAutoUpdate
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC01.Id
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2019-Datacenter' -Version latest
#Create the virtual machine
New-AzVM -ResourceGroupName Test-FW-RG -Location "East US" -VM $VirtualMachine -Verbose
In this section of code, we have created the VM along with a password, as shown in the following screenshot. This information needs to be stored for use later:
# Get a Public IP for the firewall
$FWpip = New-AzPublicIpAddress -Name "fw-pip" -ResourceGroupName Test-FW-RG `
-Location "East US" -AllocationMethod Static -Sku Standard
# Create the firewall
$Azfw = New-AzFirewall -Name Test-FW01 -ResourceGroupName Test-FW-RG -Location "East US" -VirtualNetwork $testVnet -PublicIpAddress $FWpip
#Save the firewall private IP address for future use
$AzfwPrivateIP = $Azfw.IpConfigurations.privateipaddress
$AzfwPrivateIP
The following screenshot displays the newly deployed firewall:
$routeTableDG = New-AzRouteTable `
-Name Firewall-rt-table `
-ResourceGroupName Test-FW-RG `
-location "East US" `
-DisableBgpRoutePropagation
#Create a route
Add-AzRouteConfig `
-Name "DG-Route" `
-RouteTable $routeTableDG `
-AddressPrefix 0.0.0.0/0 `
-NextHopType "VirtualAppliance" `
-NextHopIpAddress $AzfwPrivateIP `
| Set-AzRouteTable
#Associate the route table to the subnet
Set-AzVirtualNetworkSubnetConfig `
-VirtualNetwork $testVnet `
-Name VMSubnet `
-AddressPrefix 10.0.2.0/24 `
-RouteTable $routeTableDG | Set-AzVirtualNetwork
In this section of code, we have created a new route table with a route named DG-Route and associated it with the subnet.
The following screenshot displays the newly created route table:
$AppRule1 = New-AzFirewallApplicationRule -Name Allow-Google -SourceAddress 10.0.2.0/24 `
-Protocol http, https -TargetFqdn www.google.com
$AppRuleCollection = New-AzFirewallApplicationRuleCollection -Name App-Coll01 `
-Priority 200 -ActionType Allow -Rule $AppRule1
$Azfw.ApplicationRuleCollections.Add($AppRuleCollection)
Set-AzFirewall -AzureFirewall $Azfw
In this section of code we have created a new Azure Firewall application rule to allow outbound access to Google.
The following screenshot displays the newly created Azure Firewall application rule:
$NetRule1 = New-AzFirewallNetworkRule -Name "Allow-DNS" -Protocol UDP -SourceAddress 10.0.2.0/24 `
-DestinationAddress 8.8.8.8 -DestinationPort 53
$NetRuleCollection = New-AzFirewallNetworkRuleCollection -Name RCNet01 -Priority 200 `
-Rule $NetRule1 -ActionType "Allow"
$Azfw.NetworkRuleCollections.Add($NetRuleCollection)
Set-AzFirewall -AzureFirewall $Azfw
In this section of code, we have created an Azure Firewall application rule to allow outbound access to Google's DNS server, which is 8.8.8.8 for DNS resolution, as shown in the following screenshot:
$NIC01.DnsSettings.DnsServers.Add("8.8.8.8")
$NIC01 | Set-AzNetworkInterface
Now that we have completed all the required configurations, let's test and confirm the VM and firewall rules:
nslookup www.google.com
nslookup www.microsoft.com
Both commands should return answers, as the DNS queries are allowed through the firewall:
Invoke-WebRequest -Uri https://www.google.com
The preceding command will request the www.google.com website via the PowerShell command-line interface (CLI):
Invoke-WebRequest -Uri https://www.microsoft.com
The screenshot confirms that we cannot resolve www.microsoft.com based on the Azure Firewall configuration rules, which is the expected behavior:
To summarize this demo section, we have learned how to configure Azure Bastion along with an Azure firewall to allow DNS requests to 8.8.8.8 and only allow www.google.com from a browsing perspective and block all other sites.
We encourage you to further read up on Azure Bastion and Azure Firewall by using the following links:
If you want to remove the resources created in this section to avoid further costs, you can run the following command in PowerShell:
Connect-AzAccount Remove-AzResourceGroup -Name Test-FW-RG
The preceding PowerShell commands will remove the RG we created earlier along with all resources within it to ensure there will be no unforeseen costs incurred by the resources for this chapter.
This will help you save additional costs.
In this chapter, we discussed what NSGs are and how to use them to create new rules, as well as how to associate them with a subnet. We also discussed how to evaluate NSG rules based on priority. Lastly, we covered Azure Firewall and Azure Bastion, what they do, and how to configure them via a hands-on demo.
After reading this chapter, you should now know how to secure VNets via an NSG and secure resources by using Azure Bastion and Azure Firewall. In the next chapter, we'll cover how to configure load balancing by using Azure Application Gateway and internal and external load balancers, and how to troubleshoot load balancing.
3.146.206.243