gzygadlo
Brass Contributor
May 19, 2019
Solved

Network Security Groups

After looking at Azure Security Center recommendations, I see that not all my VMs have NSGs, and there is probably a policy I need to create requiring it. On the ones that do have them, there are three rules that are automatically created.

The first one is basically an allow-all rule, and I'm not sure if I'm missing something, but when looking at that rule you would never get to the deny rule. The reason I'm saying this is that when you look at the source/destination of the Virtual network, it's 0.0.0.0/0, which is basically any.

While Azure does come with a default set of service tags, all that does is put the source/destination in for you by using that tag. If you never want to get to these rules, then you really need to put rules ahead of them if traffic needs to be restricted.

The other issue I have with NSGs is that it's like the old firewall days, where it's Source (IP), Destination (IP) and Ports, compared to most of your NGFWs, which have become application based, especially for those applications that use multiple ports/dynamic ports.

While I'm not an expert on this, this is just my 2 cents on it.

3 Replies

  • Hannes_LG
    Brass Contributor
    Hi,

    take a look at my blog post:
    http://cloudblogger.at/2019/05/11/azure-loadbalancer-acl-rules/

    The last rule will take effect when you have a public IP (VM, LB, ...).
    If you want to drop any traffic to the IP, you have to define a separate drop rule with priority 4096, but keep in mind that when you drop ANY you cannot create a load balancer, because the health checks will also be dropped.

    If the Azure NSGs don't fit your requirements, you can use an Azure Firewall or a third-party application like CheckPoint, Cisco ASA, ...

    Regards,
    Hannes
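Both the original post (the default allow rules sit at priorities 65000/65001, so anything you want restricted inside the VNet needs a rule ahead of them) and the reply above (a catch-all drop at 4096 also drops the load balancer health checks) come down to how an NSG picks the first matching rule in priority order. The simulator below is an added example, not code from this thread, from the linked blog post, or from Microsoft. It assumes a VNet address space of 10.0.0.0/16 as the expansion of the VirtualNetwork tag (the real tag also covers peered and gateway-connected address spaces), uses 168.63.129.16 as the Azure health-probe source (a documented platform address, not taken from the thread), and ignores protocol, source ports and application security groups to keep the model small.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed service-tag expansion. Assumption: the VNet address space is
# 10.0.0.0/16. 168.63.129.16 is the documented Azure platform health-probe
# source; neither value comes from the thread.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first
    access: str            # "Allow" or "Deny"
    source: str            # service tag, CIDR, or "*"
    destination: str
    dest_port: str         # "*", "22", or a range like "80-443"


def _addr_matches(spec: str, ip: str) -> bool:
    """Expand a service tag (or take a literal CIDR) and test membership."""
    prefixes = SERVICE_TAGS.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """First matching rule in priority order wins; returns (access, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_addr_matches(rule.source, src_ip)
                and _addr_matches(rule.destination, dst_ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule.access, rule.name
    # Every NSG carries DenyAllInBound at 65500, so a real rule set never
    # reaches this line; it only keeps the function total.
    return "Deny", "<no rule matched>"


# The three inbound rules Azure creates in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Restricting intra-VNet SSH: rules must sit above 65000 to be reached.
# 10.0.0.0/24 is a constructed "management" subnet.
RESTRICT_VNET_SSH = [
    Rule("AllowSshFromMgmt", 100, "Allow", "10.0.0.0/24", "VirtualNetwork", "22"),
    Rule("DenySshFromVnet", 200, "Deny", "VirtualNetwork", "VirtualNetwork", "22"),
]

# A catch-all drop at 4096 outranks AllowAzureLoadBalancerInBound (65001)...
DROP_ALL_4096 = Rule("DenyAllCustom", 4096, "Deny", "*", "*", "*")
# ...so health probes survive only if an explicit allow sits above the drop.
ALLOW_PROBES_4000 = Rule("AllowLbProbes", 4000, "Allow", "AzureLoadBalancer", "*", "*")


def default_rules_demo():
    return {
        "internet_ssh": evaluate(DEFAULT_INBOUND, "203.0.113.5", "10.0.1.4", 22),
        "vnet_ssh": evaluate(DEFAULT_INBOUND, "10.0.2.7", "10.0.1.4", 22),
        "probe": evaluate(DEFAULT_INBOUND, "168.63.129.16", "10.0.1.4", 80),
    }


def restricted_vnet_demo():
    rules = DEFAULT_INBOUND + RESTRICT_VNET_SSH
    return {
        "mgmt_ssh": evaluate(rules, "10.0.0.10", "10.0.1.4", 22),
        "app_ssh": evaluate(rules, "10.0.2.7", "10.0.1.4", 22),
        "app_http": evaluate(rules, "10.0.2.7", "10.0.1.4", 80),
    }


def drop_all_demo():
    probe = ("168.63.129.16", "10.0.1.4", 80)
    return {
        "probe_with_drop": evaluate(DEFAULT_INBOUND + [DROP_ALL_4096], *probe),
        "probe_with_allow_above": evaluate(
            DEFAULT_INBOUND + [DROP_ALL_4096, ALLOW_PROBES_4000], *probe),
    }


if __name__ == "__main__":
    for demo in (default_rules_demo, restricted_vnet_demo, drop_all_demo):
        print(demo.__name__, demo())
```

Running it shows the default set denying Internet-sourced SSH but allowing anything VNet-to-VNet, the two low-numbered rules carving SSH out of that allow, and the 4096 drop silently killing the probe traffic until a more specific allow is placed ahead of it. When checking a real NSG, compare the effective rule list (not just the rules you wrote) against the probe source and any peered address spaces the VirtualNetwork tag pulls in.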
    • gzygadlo
      Brass Contributor

      Hannes_LG


      That was a good blog post. 


      I am currently using a NGFW inside of Azure, but because I don't have security groups applied to every VM, it gives me a recommendation about it.

      • Hannes_LG
        Brass Contributor
        Hi,

        my recommendation for NSGs is: always bind them to a subnet, and only in special situations to a VM NIC.

        Regards,
        Hannes
