cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Network Security Groups

Greg Zygadlo
Brass Contributor

‎May 19 2019 08:27 AM - last edited on ‎May 24 2021 02:35 PM by

‎May 19 2019 08:27 AM - last edited on ‎May 24 2021 02:35 PM by

Network Security Groups

After looking at Azure Security Center recommendations that not all my VM's have NSG's and probably a policy I need to create requiring it.  On the ones that do created there are three rules that are automatically created.

 

The first one which is basically a allow all rule, and not sure if I missing something, but when looking at that rule you would never get to the deny rule.  The reason I'm saying this is because when you look at the source/destination of the Virtual network its 0.0.0.0/0 which is basically any.

 

While Azure does come with a default set of service tags, all that does it put the source/destination in for you by using that tag.  If you never want to get to these rules, then you really need to put rules ahead of them if traffic needs to be restricted.

 

The other issue I have with NSG's that its like the old firewall days where its Source (IP), Destination (IP) and Ports, compared to most of your NGFW's, that have become Application based especially for those applications that use multiple ports/dynamic ports.

 

While I'm not an expert on this, this is just some of my 2 cents on it.

1,765 Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by Greg Zygadlo (Brass Contributor)
Hannes_LG

‎May 20 2019 12:45 PM

‎May 20 2019 12:45 PM

Solution

Re: Network Security Groups

Hi,

take a look at my blog post:
http://cloudblogger.at/2019/05/11/azure-loadbalancer-acl-rules/

The last rule will affect, when you have a public IP (VM, LB,..)
If you want to drop any traffic to the IP, you have to define a separate drop rule with the priority 4096 but keep in mind, when you drop ANY you cannot create a loadbalancer because the health checks will also be dropped.

If the azure NSGs doesn't fit your requirements you can use an Azure Firewall or a third party application like CheckPoint, Cisco ASA,...

Regards,
Hannes
0 Likes
Reply
Greg Zygadlo

‎May 20 2019 05:20 PM

‎May 20 2019 05:20 PM

Re: Network Security Groups

@Hannes_LG

 

That was a good blog post. 

 

I currently am using a NGFW inside of Azure, but because I don't have security groups applied to ever VM, it gives me a recommendation about it.

0 Likes
Reply
Hannes_LG

‎May 20 2019 11:20 PM

‎May 20 2019 11:20 PM

Re: Network Security Groups

Hi,

my recommendation to NSGs is, always bound to a subnet and only in special situations to a VM nic.

Regards,
Hannes
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Greg Zygadlo (Brass Contributor)
Hannes_LG

‎May 20 2019 12:45 PM

‎May 20 2019 12:45 PM

Solution

Re: Network Security Groups

Hi,

take a look at my blog post:
http://cloudblogger.at/2019/05/11/azure-loadbalancer-acl-rules/

The last rule will affect, when you have a public IP (VM, LB,..)
If you want to drop any traffic to the IP, you have to define a separate drop rule with the priority 4096 but keep in mind, when you drop ANY you cannot create a loadbalancer because the health checks will also be dropped.

If the azure NSGs doesn't fit your requirements you can use an Azure Firewall or a third party application like CheckPoint, Cisco ASA,...

Regards,
Hannes

View solution in original post

0 Likes
Reply