This hands-on lab gives an Azure administrator an understanding of how to establish basic network security controls within a Microsoft Azure virtual network. You will learn how to set up Application Security Groups to manage security based on the applications used in your environment. Then you will create a firewall, and create and configure a route table that controls routes in and out of your virtual network. Finally you will configure rules on your firewall to allow specific subnets to reach specific domain names over HTTPS and to allow your internal networks to perform DNS lookups for name resolution over UDP port 53.
Understand the scenario
You're an Azure administrator assigned to improve the security of an application hosted in Azure. You need to limit the ability to connect using SSH to any virtual machine in the frontend subnet of the application. You need to provision a firewall and force traffic from both the frontend and backend subnets to use the firewall. You will reconfigure an existing inbound security rule to filter the destination to only the backend subnet using a new application security group. Then you will configure the firewall with an application rule that allows traffic only to Azure Pipelines and a network rule that allows DNS queries.
Configure an application security group:
Azure Application Security Groups (ASGs) enable you to configure network security as an extension of an application's structure. ASGs allow you to logically group VMs and define your network's security policies based on the VM groupings (i.e., associated applications).
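The following Bicep file is an added example (not part of the lab or of any Microsoft sample) of the ASG step described in the scenario: an ASG that represents the backend tier, an NSG rule whose destination is that ASG instead of an address prefix, and a backend NIC that joins the ASG. It assumes a VNet named vnet-app with a subnet named backend already exists in the resource group; the resource names, the admin source range and the API version are placeholders chosen for this illustration.

```bicep
// Added example, not the lab's own files. Assumes a resource group that already
// holds the VNet 'vnet-app' with a 'backend' subnet. Resource names, the admin
// source range and the API version are placeholders chosen for illustration.
param location string = resourceGroup().location
param adminSourcePrefix string = '203.0.113.0/24' // constructed: the admin jump network

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'vnet-app'
  resource backendSubnet 'subnets' existing = { name: 'backend' }
}

// 1. The ASG stands for "backend tier"; rules refer to it instead of to IP ranges,
//    so the rule keeps working when backend VMs are added, moved or re-addressed.
resource asgBackend 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'asg-backend'
  location: location
}

// 2. The inbound rule. With a destination of '*' this rule would admit SSH to every
//    VM behind the NSG, frontend included. With an ASG destination (and no
//    destinationAddressPrefix; the two are mutually exclusive) only NICs that are
//    members of asg-backend match. Everything else falls through to the built-in
//    DenyAllInBound rule at priority 65500.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-SSH-From-Admin-To-Backend'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: adminSourcePrefix
          sourcePortRange: '*'
          destinationPortRange: '22'
          destinationApplicationSecurityGroups: [ { id: asgBackend.id } ]
        }
      }
    ]
  }
}

// 3. ASG membership is a property of the NIC, not of the subnet: a backend VM is
//    "in" the ASG because its NIC lists it. The NSG is attached to the same NIC
//    here so that the rule above is what governs traffic to this VM.
resource nicBackend 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-backend-vm1'
  location: location
  properties: {
    networkSecurityGroup: { id: nsg.id }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: vnet::backendSubnet.id }
          privateIPAllocationMethod: 'Dynamic'
          applicationSecurityGroups: [ { id: asgBackend.id } ]
        }
      }
    ]
  }
}
```

Two checks are worth making after deployment: confirm that no other rule on the NSG still carries a destination of '*' on port 22 (an older, lower-numbered rule would win), and confirm that every NIC you expect to be reachable over SSH actually lists the ASG, because a VM whose NIC is in the backend subnet but not in the ASG is not matched by this rule. ASG and NSG must live in the same region, and all NICs in one ASG must belong to the same virtual network.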
Create a firewall and route table:
The Azure Firewall service protects your Azure Virtual Network resources. It is a stateful firewall with built-in high availability and unrestricted cloud scalability. In this lesson, you will create a firewall and a route table that forces ingress and egress traffic through the firewall. A route table is a set of rules, called routes, that defines how packets are routed through your network. Route tables are associated with subnets, and each packet leaving a subnet is directed to its next hop according to that subnet's route table. For this task, you will create a route table and associate it with the frontend and backend subnets of your virtual network.
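The Bicep below is an added example (not the lab's own deployment files) of the firewall and route-table step: an Azure Firewall in its dedicated subnet, a route table whose default route points at the firewall's private IP, and the association of that table with the frontend and backend subnets. It assumes the VNet vnet-app already contains the subnets AzureFirewallSubnet, frontend and backend, and that a firewall policy named fwpol-hub (the object that will hold the rules) already exists in the same resource group; resource names, address prefixes and the API version are placeholders.

```bicep
// Added example, not the lab's own deployment files. Assumes the VNet 'vnet-app'
// already contains the subnets 'AzureFirewallSubnet', 'frontend' and 'backend',
// and that a firewall policy 'fwpol-hub' holding the rules exists in the same
// resource group. Names, prefixes and the API version are placeholders.
param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'vnet-app'
  resource fwSubnet 'subnets' existing = { name: 'AzureFirewallSubnet' }
}
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'fwpol-hub'
}

// A firewall deployed into a VNet needs a Standard SKU, statically allocated public IP.
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-fw-hub'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'fw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: vnet::fwSubnet.id }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
  }
}

// The route table: one default route (0.0.0.0/0) whose next hop is the firewall's
// private address, so every packet leaving an associated subnet is handed to the
// firewall. Disabling BGP propagation stops routes learned later from a gateway
// from quietly creating a path around it.
resource rtViaFirewall 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-via-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

// Associate the table with the two workload subnets. A subnet PUT replaces the
// subnet's whole property bag, so the prefix (and any NSG already attached to the
// subnet) must be restated here or that setting is dropped.
var routedSubnets = [
  { name: 'frontend', prefix: '10.0.1.0/24' } // constructed prefixes
  { name: 'backend', prefix: '10.0.2.0/24' }
]
@batchSize(1) // writes to subnets of one VNet must not run in parallel
resource routedSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = [for s in routedSubnets: {
  parent: vnet
  name: s.name
  properties: {
    addressPrefix: s.prefix
    routeTable: { id: rtViaFirewall.id }
  }
}]
```

Never associate this table with AzureFirewallSubnet itself: the firewall's own subnet must keep a direct path to the Internet, and a default route pointing back at the firewall creates a loop. After deployment, the effective routes of a backend VM's NIC should show 0.0.0.0/0 with next hop type VirtualAppliance and the firewall's private IP; if they still show the system route with next hop Internet, the association did not take.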
Configure the firewall:
Implementing thoughtful rules on your firewalls is a security best practice that minimizes risk and exposure. In this lesson, you will get hands-on experience building firewall rules that explicitly allow specific IP addresses (or subnets) to access specific ports (services). You will create an application rule that allows connectivity from the IP subnet that hosts your Azure Pipelines (DevOps) agents to two FQDNs over HTTPS. Then you will create a network rule that permits your internal network to access DNS over UDP port 53. These are just two examples of the kind of traffic you would consider explicitly permitting from within your network.
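The two rules are shown below as an added Bicep example (not the lab's own files), expressed as a Firewall Policy rule collection group, the rule model Azure now recommends, rather than as classic rule collections configured directly on the firewall. It assumes the firewall references a policy of this name; the subnet prefixes, the two FQDNs and the API version are constructed placeholders, since the lab text does not name them.

```bicep
// Added example, not the lab's own files. The firewall is assumed to reference
// the policy created here. Prefixes, FQDNs and the API version are placeholders.
param location string = resourceGroup().location
param pipelinesSubnetPrefix string = '10.0.3.0/24' // constructed: where the pipeline agents run
param internalPrefix string = '10.0.0.0/16'        // constructed: the whole VNet may query DNS
param pipelinesFqdns array = [ 'dev.azure.com', '*.dev.azure.com' ] // placeholder FQDNs

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-hub'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Alert' // log matches against Microsoft's threat-intel feed, don't block yet
  }
}

// Network rules are evaluated before application rules in a policy, regardless of
// the collection priorities, so DNS is decided first and HTTPS to FQDNs second.
// Anything that matches no rule is dropped by the firewall's implicit deny.
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 100
    ruleCollections: [
      {
        // Application rule: only the pipelines subnet, only these FQDNs, only HTTPS.
        // For HTTPS the FQDN is matched on the TLS SNI, so the rule constrains the
        // hostname the client asks for, not the content of the encrypted session.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-azure-pipelines'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'pipelines-https'
            sourceAddresses: [ pipelinesSubnetPrefix ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: pipelinesFqdns
          }
        ]
      }
      {
        // Network rule: internal ranges may resolve names over UDP 53 and nothing else.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-dns'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'dns-udp-53'
            ipProtocols: [ 'UDP' ]
            sourceAddresses: [ internalPrefix ]
            destinationAddresses: [ '*' ]
            destinationPorts: [ '53' ]
          }
        ]
      }
    ]
  }
}
```

One collection holds rules of a single type, which is why the application rule and the network rule sit in separate collections. The application rule depends on the firewall being able to resolve the target FQDNs itself, so if you later point the VNet's DNS at a private resolver, give the policy the same DNS servers in its dnsSettings; otherwise the FQDN rule and the clients may resolve the name differently and traffic that should match will be dropped.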
Lab Summary Conclusion:
In this hands-on virtual lab, you will learn how to create and manage application security groups, firewalls, and route tables. These are foundational to securing your Microsoft Azure virtual network. The skills you learn in this lesson will help you become a Network Engineer or Security Architect for Azure environments.
Other Challenges in this series
- GUIDED CHALLENGE: Configure a Network Security Group in a Virtual Network
- GUIDED CHALLENGE: Configure Route Tables in a Virtual Network