DEV Community

Timothy Pulliam

Azure Network Security Groups

What Are NSGs?

In the age of cloud computing, security has become a top priority for organizations that rely on the cloud to store, process, and transmit data. Azure, Microsoft's cloud computing platform, offers a variety of security features to ensure the confidentiality, integrity, and availability of your data. One such feature is Azure Network Security Groups (NSGs).
Azure NSGs are a tool for implementing network security policies in your virtual networks. They allow you to define inbound and outbound traffic rules that govern the flow of traffic to and from your virtual machines (VMs). By applying NSGs to your VMs and subnets, you can create a secure network environment that minimizes the risk of unauthorized access, data breaches, and other security threats.
Here are some key features and benefits of Azure NSGs:

  1. Traffic filtering: NSGs enable you to define rules that allow or deny traffic based on criteria such as IP addresses, protocols, and ports. You can also create rules that prioritize traffic or limit the amount of traffic allowed.
  2. Network segmentation: By applying NSGs to subnets and VMs, you can segment your network into smaller, more manageable units. This makes it easier to monitor and control network traffic and reduces the risk of lateral movement by attackers.
  3. Integration with other Azure services: NSGs can be used in conjunction with other Azure security services, such as Azure Firewall and Azure Application Gateway, to create a comprehensive security solution.
  4. Logging and monitoring: NSGs provide logging and monitoring capabilities that enable you to track and analyze network traffic. This helps you detect and respond to security incidents and comply with regulatory requirements.
  5. Easy to use: NSGs can be configured using Azure Portal, Azure CLI, Azure PowerShell, or Azure REST API. This flexibility makes it easy to integrate NSGs into your existing workflows and automate security policies.

Azure CLI Example

Here are the Azure CLI commands for creating an Azure Network Security Group. Every `az network nsg rule create` call needs the resource group as well as the NSG name, and the direction is given explicitly, because a rule created without `--direction` defaults to Inbound (an "allow all" rule created that way would open every inbound port rather than every outbound one):

  1. Create a resource group (if one doesn't already exist):

az group create --name myResourceGroup --location eastus

  2. Create a network security group:

az network nsg create --name myNetworkSecurityGroup --resource-group myResourceGroup --location eastus

  3. Create an inbound security rule:

az network nsg rule create --name allow-http --nsg-name myNetworkSecurityGroup --resource-group myResourceGroup --priority 100 \
--direction Inbound --source-address-prefix "*" --source-port-range "*" --destination-address-prefix "*" --destination-port-range 80 \
--access allow --protocol Tcp --description "Allow HTTP traffic"

  4. Create another inbound security rule:

az network nsg rule create --name allow-https --nsg-name myNetworkSecurityGroup --resource-group myResourceGroup --priority 110 \
--direction Inbound --source-address-prefix "*" --source-port-range "*" --destination-address-prefix "*" --destination-port-range 443 \
--access allow --protocol Tcp --description "Allow HTTPS traffic"

  5. Create an outbound security rule:

az network nsg rule create --name allow-all --nsg-name myNetworkSecurityGroup --resource-group myResourceGroup --priority 100 \
--direction Outbound --source-address-prefix "*" --source-port-range "*" --destination-address-prefix "*" --destination-port-range "*" \
--access allow --protocol "*" --description "Allow all outbound traffic"

These Azure CLI commands create an Azure Network Security Group resource called myNetworkSecurityGroup, along with three security rules: allow-http, allow-https, and allow-all. You can modify the parameters of these commands to suit your specific security requirements.
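To make the rule semantics concrete, here is an added example (not from the original post) that models how Azure evaluates a flow against an NSG: rules are checked in ascending priority order, the first match decides, and Azure's built-in default rules at priorities 65000 and above are evaluated after the custom ones. The three custom rules are the ones created above; address-prefix matching is simplified to comparing a service-tag name (an assumption of this model, since real NSGs also match CIDR ranges).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first; the first match wins
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # source prefix: "*" or a service tag such as "Internet"
    dest: str        # destination prefix, same convention
    dest_port: str   # single port "80", range "80-90", or "*"

# Azure's default rules, present on every NSG and evaluated after custom rules.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# The three custom rules created by the CLI commands above.
POST_RULES = [
    Rule("allow-http", 100, "Inbound", "Allow", "Tcp", "*", "*", "80"),
    Rule("allow-https", 110, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    Rule("allow-all", 100, "Outbound", "Allow", "*", "*", "*", "*"),
]

def port_matches(rule_ports: str, port: int) -> bool:
    if rule_ports == "*":
        return True
    lo, _, hi = rule_ports.partition("-")
    return int(lo) <= port <= int(hi or lo)

def prefix_matches(rule_prefix: str, flow_tag: str) -> bool:
    # Simplification (assumption of this model): a prefix is "*" or a service tag
    # compared by name; real NSGs also expand CIDR ranges and tag address lists.
    return rule_prefix in ("*", flow_tag)

def evaluate(rules, direction, protocol, src, dst, port):
    """Name and access of the first matching rule, custom rules and defaults combined."""
    for r in sorted([*rules, *DEFAULT_RULES], key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and prefix_matches(r.source, src) and prefix_matches(r.dest, dst)
                and port_matches(r.dest_port, port)):
            return r.name, r.access
    raise AssertionError("unreachable: the DenyAll* defaults match every flow")
```

With these rules, TCP/80 and TCP/443 from the Internet hit allow-http and allow-https, while TCP/22 from the Internet falls through to DenyAllInBound; TCP/22 from another VM in the virtual network is still permitted by AllowVnetInBound, so the network segmentation described above needs an explicit Deny rule with a priority below 65000.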

Terraform Example

Here's an example Terraform code for creating an Azure Network Security Group:

# Configure the Azure provider
provider "azurerm" {
  features {}
}

# Create a new resource group
resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "eastus"
}

# Create a new network security group
resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Define inbound security rules
  security_rule {
    name                       = "allow-http"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "allow-https"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Define outbound security rules
  security_rule {
    name                       = "allow-all"
    priority                   = 100
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

This Terraform code creates a new Azure Network Security Group resource called example-nsg and associates it with a new resource group called example-rg. The security_rule blocks define inbound and outbound traffic rules, allowing HTTP and HTTPS traffic inbound, and all traffic outbound. You can modify these rules to suit your specific security requirements.
Here are the Terraform commands to run the code:

  1. terraform init: This command initializes the working directory and downloads any necessary providers or modules.
  2. terraform plan: This command creates an execution plan that shows what actions Terraform will take when you apply the configuration. It also shows any errors or warnings that need to be addressed before applying the configuration.
  3. terraform apply: This command applies the configuration and creates the Azure Network Security Group resource.
  4. terraform destroy: This command destroys the created resources, including the Azure Network Security Group resource.

To run these commands, navigate to the directory containing the Terraform code in your terminal or command prompt, and run the commands in order. You'll need to authenticate with your Azure account credentials during the terraform init and terraform apply commands.

Summary

In summary, Azure Network Security Groups are a powerful tool for implementing network security policies in your virtual networks. By defining traffic rules and applying them to your VMs and subnets, you can create a secure network environment that minimizes the risk of security breaches and data loss. With their integration with other Azure security services and easy-to-use configuration options, NSGs are a valuable addition to any organization's cloud security toolkit.
