SOLVED

Network Security Groups

Greg Zygadlo
Occasional Contributor

After looking at Azure Security Center recommendations, I see that not all my VMs have NSGs, and there is probably a policy I need to create requiring it. On the ones that do, there are three rules that are automatically created.

The first one is basically an allow-all rule, and I'm not sure if I'm missing something, but when looking at that rule you would never get to the deny rule. The reason I'm saying this is because when you look at the source/destination of the Virtual network, it's 0.0.0.0/0, which is basically any.

While Azure does come with a default set of service tags, all that does is put the source/destination in for you by using that tag. If you never want to get to these rules, then you really need to put rules ahead of them if traffic needs to be restricted.

The other issue I have with NSGs is that it's like the old firewall days where it's Source (IP), Destination (IP) and Ports, compared to most of your NGFWs, which have become application based, especially for those applications that use multiple ports/dynamic ports.

While I'm not an expert on this, this is just some of my 2 cents on it.

3 Replies
Solution
Hi,

take a look at my blog post:
http://cloudblogger.at/2019/05/11/azure-loadbalancer-acl-rules/

The last rule will take effect when you have a public IP (VM, LB, ...).
If you want to drop any traffic to the IP, you have to define a separate drop rule with the priority 4096, but keep in mind: when you drop ANY you cannot create a load balancer, because the health checks will also be dropped.

If Azure NSGs don't fit your requirements, you can use an Azure Firewall or a third-party application like CheckPoint, Cisco ASA, ...

Regards,
Hannes
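
Added example, not part of the reply above or the linked blog post: a simplified Python model of inbound NSG evaluation (first match by ascending priority number, source address only) showing how a deny-any rule at priority 4096 shadows all three default rules, including the one that admits load balancer health probes, and how an allow rule placed ahead of it keeps the probes working. The custom rule names, the 10.0.0.0/16 VNet range and the sample client addresses are assumptions.

```python
import ipaddress

# Service tags reduced to constructed sample prefixes for this simulation.
TAGS = {
    "*": ["0.0.0.0/0"],
    "VirtualNetwork": ["10.0.0.0/16"],          # assumed VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # source address of health probes
}

# Default inbound rules present in every NSG: (priority, name, source, action).
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "Allow"),
    (65500, "DenyAllInBound", "*", "Deny"),
]

# Custom rule sets (hypothetical names). User priorities range from 100 to 4096.
DENY_ANY = [(4096, "DenyAnyInbound", "*", "Deny")]
DENY_ANY_KEEP_PROBE = [
    (4095, "AllowLbProbe", "AzureLoadBalancer", "Allow"),
    (4096, "DenyAnyInbound", "*", "Deny"),
]


def evaluate(rules, src_ip):
    """Return (name, action) of the first rule matching src_ip.

    Rules are checked in ascending priority number and evaluation stops at
    the first match, so custom rules (100-4096) always win over the defaults.
    Ports, protocol and destination are ignored in this model.
    """
    addr = ipaddress.ip_address(src_ip)
    for _priority, name, source, action in sorted(rules + DEFAULT_INBOUND):
        prefixes = TAGS.get(source, [source])
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return name, action
    raise ValueError("unreachable: DenyAllInBound matches every source")


if __name__ == "__main__":
    sources = {"health probe": "168.63.129.16", "VNet peer": "10.0.0.5",
               "internet": "203.0.113.10"}  # constructed sample sources
    for label, rules in [("defaults only", []), ("deny-any @4096", DENY_ANY),
                         ("probe allow @4095 + deny-any", DENY_ANY_KEEP_PROBE)]:
        for who, ip in sources.items():
            print(f"{label:30} {who:13} -> {evaluate(rules, ip)}")
```
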

@Hannes_LG

That was a good blog post.

I currently am using a NGFW inside of Azure, but because I don't have security groups applied to every VM, it gives me a recommendation about it.

Hi,

My recommendation for NSGs is: always bind them to a subnet, and only in special situations to a VM NIC.

Regards,
Hannes