Lab7 - Understanding Features of Network Security Group - Azure

Uploaded by raj0000kaml

Cloud Computing - Azure

Lab7 – Understanding Features of Network Security Group - Azure

Network Security Group (NSG)

You can filter network traffic to and from Azure resources in an Azure
virtual network with a network security group. A network security
group contains security rules that allow or deny inbound network traffic
to, or outbound network traffic from, several types of Azure resources.
To learn about which Azure resources can be deployed into a virtual
network and have network security groups associated to them, see
Virtual network integration for Azure services. For each rule, you can
specify source and destination, port, and protocol.

This article explains network security group concepts, to help you use
them effectively. If you've never created a network security group, you
can complete a quick tutorial to get some experience creating one. If
you're familiar with network security groups and need to manage
them, see Manage a network security group. If you're having
communication problems and need to troubleshoot network security
groups, see Diagnose a virtual machine network traffic filter problem.
You can enable network security group flow logs to analyze network
traffic to and from resources that have an associated network security
group.

Security rules

A network security group contains zero, or as many rules as desired,
within Azure subscription limits. Each rule specifies the following
properties:

Page 1 of 88

Property

Explanation

Name

A unique name within the network security group.

Priority

A number between 100 and 4096. Rules are processed in priority
order, with lower numbers processed before higher numbers, because
lower numbers have higher priority. Once traffic matches a rule,
processing stops. As a result, any rules that exist with lower priorities
(higher numbers) that have the same attributes as rules with higher
priorities are not processed.

Source or destination

Any, or an individual IP address, classless inter-domain routing (CIDR)
block (10.0.0.0/24, for example), service tag, or application security
group. If you specify an address for an Azure resource, specify the
private IP address assigned to the resource. Network security groups
are processed after Azure translates a public IP address to a private IP
address for inbound traffic, and before Azure translates a private IP
address to a public IP address for outbound traffic. Learn more about
Azure IP addresses. Specifying a range, a service tag, or application
security group, enables you to create fewer security rules. The ability
to specify multiple individual IP addresses and ranges (you cannot
specify multiple service tags or application groups) in a rule is referred
to as augmented security rules. Augmented security rules can only be
created in network security groups created through the Resource
Manager deployment model. You cannot specify multiple IP addresses
and IP address ranges in network security groups created through the
classic deployment model. Learn more about Azure deployment
models.


Protocol

TCP, UDP, or Any, which includes TCP, UDP, and ICMP. You cannot
specify ICMP alone, so if you require ICMP, use Any.

Direction

Whether the rule applies to inbound, or outbound traffic.

Port range

You can specify an individual or range of ports. For example, you could
specify 80 or 10000-10005. Specifying ranges enables you to create
fewer security rules. Augmented security rules can only be created in
network security groups created through the Resource Manager
deployment model. You cannot specify multiple ports or port ranges in
the same security rule in network security groups created through the
classic deployment model.

Action

Allow or deny

Network security group security rules are evaluated by priority using
the 5-tuple information (source, source port, destination, destination
port, and protocol) to allow or deny the traffic. A flow record is created
for existing connections. Communication is allowed or denied based on
the connection state of the flow record. The flow record allows a
network security group to be stateful. If you specify an outbound
security rule to any address over port 80, for example, it's not
necessary to specify an inbound security rule for the response to the
outbound traffic. You only need to specify an inbound security rule if
communication is initiated externally. The opposite is also true. If
inbound traffic is allowed over a port, it's not necessary to specify an
outbound security rule to respond to traffic over the port. Existing
connections may not be interrupted when you remove a security rule
that enabled the flow. Traffic flows are interrupted when connections
are stopped and no traffic is flowing in either direction, for at least a
few minutes.
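The priority-ordered, first-match evaluation described above, together with the way a subnet NSG and a NIC NSG are both consulted, as an added example (not Azure's code and not part of the lab). It models only the documented behaviour: rules sorted by priority number, the first 5-tuple match wins, every attached NSG must allow the flow, and no NSG means no filtering. The stateful flow record is not modelled (only the initiating direction is evaluated). The service-tag prefixes, the client address 203.0.113.5 and the VM address 10.0.1.4 are constructed sample values; the rules themselves are the lab's AllowRDP (100) and AllowSSH (110) on top of Azure's default rules.

```python
"""Simulation of Azure NSG rule evaluation (added example, not Azure's code)."""
import ipaddress
from dataclasses import dataclass

# Constructed prefix table for the service tags used here. Real tags resolve to
# Microsoft-published lists; VirtualNetwork is set to the lab's VNet address space.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],   # platform health-probe address
    "Internet": ["0.0.0.0/0"],                   # simplification: everything
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # user rules 100-4096; Azure's default rules use 65000+
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*" (Any)
    source: str        # "*", IP, CIDR, comma-separated list, or service tag
    source_ports: str  # "*", "80", "10000-10005", or comma-separated list
    destination: str
    dest_ports: str

    def __post_init__(self):
        if not (100 <= self.priority <= 4096 or self.priority >= 65000):
            raise ValueError(f"{self.name}: priority {self.priority} outside 100-4096")


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def address_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, spec.split(","))
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p.strip(), strict=False) for p in prefixes)


def evaluate(rules, direction, src_ip, src_port, dst_ip, dst_port, protocol):
    """First matching rule in priority order decides; returns (access, rule name).
    Later rules with the same attributes are shadowed and never reached."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (address_matches(r.source, src_ip) and port_matches(r.source_ports, src_port)
                and address_matches(r.destination, dst_ip) and port_matches(r.dest_ports, dst_port)):
            return r.access, r.name
    return "Deny", "<implicit>"   # unreachable for a real NSG: DenyAll at 65500 always matches


def evaluate_flow(nsgs, direction, *flow):
    """nsgs: NSGs in the order Azure applies them (inbound: subnet then NIC;
    outbound: NIC then subnet). An empty list means no NSG, so nothing is filtered.
    Every NSG must allow the flow; the first Deny ends processing."""
    trace = []
    for rules in nsgs:
        access, name = evaluate(rules, direction, *flow)
        trace.append(name)
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace


# Azure's default rules, present in every NSG.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# The lab's NSG-AllowRDPSSH: the two user rules on top of the defaults.
NSG_ALLOW_RDP_SSH = [
    Rule("AllowRDP", 100, "Inbound", "Allow", "Tcp", "*", "*", "*", "3389"),
    Rule("AllowSSH", 110, "Inbound", "Allow", "Tcp", "*", "*", "*", "22"),
] + DEFAULT_RULES

# Hypothetical stricter NSG on one NIC (not in the lab): deny RDP from the Internet.
NIC_DENY_RDP = [Rule("DenyRDPFromInternet", 100, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "3389")] + DEFAULT_RULES


def lab_examples():
    """Constructed flows against the lab topology: VM 10.0.1.4, Internet client 203.0.113.5."""
    subnet_only = [NSG_ALLOW_RDP_SSH]                 # NSG associated with Sans-Subnet
    subnet_and_nic = [NSG_ALLOW_RDP_SSH, NIC_DENY_RDP]  # subnet NSG, then NIC NSG
    return {
        "rdp_from_internet": evaluate_flow(subnet_only, "Inbound", "203.0.113.5", 51000, "10.0.1.4", 3389, "Tcp"),
        "ssh_from_internet": evaluate_flow(subnet_only, "Inbound", "203.0.113.5", 51001, "10.0.1.4", 22, "Tcp"),
        "http_from_internet": evaluate_flow(subnet_only, "Inbound", "203.0.113.5", 51002, "10.0.1.4", 80, "Tcp"),
        "udp_3389": evaluate_flow(subnet_only, "Inbound", "203.0.113.5", 51003, "10.0.1.4", 3389, "Udp"),
        "vnet_peer_http": evaluate_flow(subnet_only, "Inbound", "10.0.1.5", 40000, "10.0.1.4", 80, "Tcp"),
        "no_nsg": evaluate_flow([], "Inbound", "203.0.113.5", 51004, "10.0.1.4", 80, "Tcp"),
        "vm_to_internet": evaluate_flow(subnet_only, "Outbound", "10.0.1.4", 40001, "93.184.216.34", 443, "Tcp"),
        "rdp_with_nic_deny": evaluate_flow(subnet_and_nic, "Inbound", "203.0.113.5", 51005, "10.0.1.4", 3389, "Tcp"),
    }


if __name__ == "__main__":
    for label, (access, trace) in lab_examples().items():
        print(f"{label:20s} {access:5s} via {' -> '.join(trace) or '(no NSG)'}")
```

The `rdp_with_nic_deny` case is the one to study: the subnet NSG allows RDP, but the NIC NSG denies it and the flow is dropped, which is why an NSG on the subnet does not override a stricter NSG on a VM's NIC. The `no_nsg` case reproduces the lab's VMs as first deployed with "NIC network security group: None", where nothing is filtered at all.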

Topology:


In the Azure portal, click “Resource Groups”.


In “Resource Groups” click “Add”.


While creating the “Resource Group”:

Type “Resource Group name” as “SansboundAzureClass”.

Select “Subscription” as “Free Trial”.

Select “Resource Group Location” as “South India”.


Click “Create” to create the new “Resource Group”.


Click “Refresh” to view the newly created “Resource Groups”.


In the Azure portal, click “Virtual networks” in the left side panel.


In “Virtual networks” click “Add”.


In “Create virtual network”:

Specify “Name” as “SANS-VNET”.

Specify “Address space” as 10.0.0.0/16.

Select “Subscription” as “Free Trial”.


In “Resource group”, open the drop-down list and select “SansboundAzureClass”.


In “Subnet”, specify the subnet name as “Sans-Subnet”.

Specify “Address range” as 10.0.1.0/24.


Click “Create”.


In “Virtual networks”, click “Refresh” to view the virtual network “SANS-VNET”.


Click “Virtual machines” in the left side panel.


In “Virtual machines” click “Add”.


In “Instance details”:

Type “Virtual machine name” as “WindowsVM-Azure”.

Select “Region” as “South India”.

Select the OS “Image” as “Windows Server 2008 R2 SP1”.

Change “VM Size” to “Standard B1s”.


In “Administrator Account”:

Type “Username” as “sansbound”.


In “Save Money”, click “Yes”.

You need to check the “Confirmation” box.


Click “Next : Disks >”.


In “Disks”, leave the defaults and click “Next : Networking>”.


In “Networking”, set “NIC network security group” to “None”.


Click “Next : Management>”.


In “Management”, set “Boot Diagnostics” to “Off”.


Click “Next : Guest config>”.


In “Guest config”, click “Next : Tags >”.


In “Tags”, click “Next : Review + Create”.


Click “Create”.


Once the virtual machine has been deployed successfully, click “Virtual machines”.


In “Virtual machines”, click “Add” to create a new virtual machine.


While creating the virtual machine:

Select “Resource Group” as “SansboundAzureClass”.

Type “Virtual machine name” as “UbuntuVM-Azure”.

Select “Region” as “South India”.

Select “Image” as “Ubuntu Server 18.04 LTS”.

Change “VM Size” to “Standard B1s”.


In “Administrator Account”, set the authentication type to “Password”.

Type “Username” as “sansbound”.


Click “Next : Disks>”.


In “Disks”, click “Next : Networking >”.


Ensure that “Virtual network” is “SANS-VNET”, “Subnet” is “Sans-Subnet”, and “Public IP” is a new IP for the Ubuntu VM.

Set “NIC network security group” to “None”.


Click “Next : Management>”.


In “Management”, click “Next : Guest config >”.


In “Guest config”, click “Next : Tags>”.


In “Tags”, click “Next : Review + Create>”.


Click “Create”.


The virtual machine has been deployed successfully.

Click “All Services” in the left side panel of the Azure portal.


In “All resources” click “Add”.


In “Azure Marketplace”, click “Networking”, then “Network Security Group”.


While creating the “Network Security Group”:

Type the “Network Security Group” name as “NSG-AllowRDPSSH”.

Select “Resource Group” as “SansboundAzureClass”.

Select “Region” as “South India”.


Click “Create”.


In “All resources”, you can see the network security group.

Click “NSG-AllowRDPSSH”.


In the “NSG-AllowRDPSSH” network security group, “Inbound security rules” contains the rules that allow user-specified traffic from the public network.

By default, it will deny all inbound traffic.


“Outbound security rules” contains the rules that allow user-specified traffic from the internal (private) Azure network to the public network for Internet access.

By default, it will deny all outbound traffic except Internet access and VNet outbound traffic.


In the “Network Security Group”, click “Inbound security rules”, then click “Add”.

I need to create rules to allow the RDP (3389) and SSH (22) ports for this network security group.


While creating the inbound security rule:

Source : Any

Source port ranges : *

Destination : Any

Destination port ranges : 3389

Protocol : TCP

Action : Allow

Priority : 100

Name : AllowRDP


Click “Add”.


You can see that the inbound security rule has been created with priority “100”. Exposing RDP to the
public Internet is not recommended, which is why the portal shows a warning on this rule.


Click “Add”.


While creating the inbound security rule:

Source : Any

Source port ranges : *

Destination : Any

Destination port ranges : 22

Protocol : TCP

Action : Allow

Priority : 110

Name : AllowSSH


Click “Add”.


You can see that inbound security rules 100 and 110 have been created.

When inbound traffic arrives from outside, it is first checked against the lowest-numbered (highest-priority)
rule, “100”; if the traffic matches that rule it is allowed. Otherwise the next priority rule is checked.


Click “Outbound security rules”.

By default, it allows Internet access (any protocol and any port) from the Azure virtual machine to the public network.


Click “Network interfaces”, then click “Associate”.


In “Associate network interface”, you can see the list of VM network interface(s) you have created.

Now I can see the Ubuntu VM and Windows VM network interfaces.

Note: if you select one network interface, the NSG (Network Security Group) is associated only with that
particular network interface at a time. If you need to apply the same NSG to other VM(s) as well, you must
click on each “Network interface” name manually. I will click on “Ubuntuvm-azure19”.


In “Network interfaces”, you can see that “UbuntuVM-Azure” has been associated successfully.


In “Network interfaces”, click “Associate”.


By default the “Windows-VM” network interface is selected, because the other network interface has
already been associated.

Click on “windowsvm-azure134”.


Now you can see that the Windows VM network interface is also associated with the “NSG-AllowRDPSSH”
network security group.


We have now seen how “Network interfaces” work in a “Network Security Group”.

Select “ubuntuvm-azure19”, click on “…”, then click “Dissociate”.


Click “Yes” to dissociate the network interface of the Ubuntu VM.


Select “windowsvm”, click on “…”, then click “Dissociate”.


Click “Yes”.


In “Network interfaces”, no network interfaces are associated with the Network Security Group (NSG) any more.


In the “Network Security Group”, click “Subnets”, then click “Associate”.


In “Associate subnet”, click on “Choose a virtual network”.


Click on “SANS-VNET”.


In “Choose a subnet”, click on “Sans-Subnet”.


Click “Ok”.


In the “Network Security Group”, the “NSG-AllowRDPSSH” network security group is now associated with
Sans-Subnet (10.0.1.0/24) of “SANS-VNET”.


In the Dashboard, click “Virtual machines”, then click on the “WindowsVM-Azure” virtual machine.


Note the public IP address of “Windows Server 2008 R2”.


Type “mstsc” on your local machine to access “Windows Server 2008 R2” remotely.

Type the public IP address of the Windows server in the Remote Desktop Connection console and click
“Connect”.


Type the username and password for Windows Server 2008 R2 that you provided in the Azure portal
while creating the virtual machine.

Click “Ok”.


Click “Yes”.


You have accessed the Windows server remotely successfully.

In Windows Server 2008 R2, I am able to access the Internet because the 10.0.1.0/24 subnet
belongs to the public network (publicly accessible).


In the Dashboard, click “Virtual machines”, then click on “UbuntuVM-Azure”.


Note the public IP address provided by Azure to access Ubuntu through SSH.


Click “Open” to connect to “Ubuntu”.


Click “Yes”.


Type the user name of the Ubuntu server, “sansbound”, and press “Enter”.


I have successfully logged into the Ubuntu VM.

In earlier labs we created the Network Security Group and allowed the required ports while
creating the virtual machine.

Today, however, we created the Network Security Group manually and understood its features, such as
associating the Network Security Group with a network interface or a subnet. If we associate the Network
Security Group with a subnet, it applies to all the VMs in the entire subnet.
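The same lab, carried out with the azure-mgmt-network SDK instead of the portal, as an added example that is not the lab's own code: it creates NSG-AllowRDPSSH with the AllowRDP (100) and AllowSSH (110) rules and then associates it either with Sans-Subnet (the lab's final state) or with a single NIC. It assumes azure-identity and azure-mgmt-network are installed, that DefaultAzureCredential can sign in, that the subscription id is in the environment variable AZURE_SUBSCRIPTION_ID, and that the resource group, VNet, subnet and VMs from the lab already exist. The optional admin_source CIDR (restricting who may reach 3389 and 22 instead of “Any”) is an assumption added here, not a lab setting; it is the change that addresses the portal's RDP warning.

```python
"""Added example (not the lab's code): the lab's NSG built with the Azure SDK.
Assumes azure-identity and azure-mgmt-network are installed and that the lab's
resource group, VNet, subnet and VMs already exist."""
import os

RESOURCE_GROUP = "SansboundAzureClass"
LOCATION = "southindia"          # the lab's “South India” region
VNET = "SANS-VNET"
SUBNET = "Sans-Subnet"
NSG_NAME = "NSG-AllowRDPSSH"


def inbound_rule(name, priority, port, source="*"):
    """One inbound Allow rule, keyed by the SDK SecurityRule model's field names.
    Priorities must stay inside Azure's 100-4096 range for user rules."""
    if not 100 <= priority <= 4096:
        raise ValueError(f"{name}: priority {priority} must be between 100 and 4096")
    return {
        "name": name, "priority": priority, "direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "source_address_prefix": source, "source_port_range": "*",
        "destination_address_prefix": "*", "destination_port_range": str(port),
    }


def lab_rules(admin_source="*"):
    """The lab's two rules (AllowRDP 100, AllowSSH 110). admin_source="*" is what
    the lab enters; a CIDR here (assumption, not in the lab) limits who can reach
    the management ports, which is what the portal's RDP warning is about."""
    return [inbound_rule("AllowRDP", 100, 3389, admin_source),
            inbound_rule("AllowSSH", 110, 22, admin_source)]


def make_client(subscription_id):
    # SDK imports live inside the functions so the pure helpers above work without the SDK.
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.network import NetworkManagementClient
    return NetworkManagementClient(DefaultAzureCredential(), subscription_id)


def create_nsg(client, admin_source="*"):
    """Portal: All resources > Add > Networking > Network Security Group, then the two rules."""
    from azure.mgmt.network.models import NetworkSecurityGroup, SecurityRule
    nsg = NetworkSecurityGroup(
        location=LOCATION,
        security_rules=[SecurityRule(**r) for r in lab_rules(admin_source)],
    )
    return client.network_security_groups.begin_create_or_update(
        RESOURCE_GROUP, NSG_NAME, nsg).result()


def associate_with_subnet(client, nsg_id):
    """Portal: NSG > Subnets > Associate. Filters every NIC in 10.0.1.0/24,
    so new VMs in the subnet are covered without a per-NIC association."""
    from azure.mgmt.network.models import NetworkSecurityGroup
    subnet = client.subnets.get(RESOURCE_GROUP, VNET, SUBNET)
    subnet.network_security_group = NetworkSecurityGroup(id=nsg_id)
    client.subnets.begin_create_or_update(RESOURCE_GROUP, VNET, SUBNET, subnet).result()


def associate_with_nic(client, nsg_id, nic_name):
    """Portal: NSG > Network interfaces > Associate. Applies to that one NIC only;
    nic_name is one of the lab's, e.g. "ubuntuvm-azure19" or "windowsvm-azure134"."""
    from azure.mgmt.network.models import NetworkSecurityGroup
    nic = client.network_interfaces.get(RESOURCE_GROUP, nic_name)
    nic.network_security_group = NetworkSecurityGroup(id=nsg_id)
    client.network_interfaces.begin_create_or_update(RESOURCE_GROUP, nic_name, nic).result()


if __name__ == "__main__":
    client = make_client(os.environ["AZURE_SUBSCRIPTION_ID"])
    nsg = create_nsg(client, os.environ.get("ADMIN_SOURCE", "*"))
    associate_with_subnet(client, nsg.id)   # the lab's final state
    print("associated", nsg.id, "with", SUBNET)
```

Run it with ADMIN_SOURCE set to your own address range to get the lab's topology without the management ports open to every source; leave it unset to reproduce the lab exactly as written.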
