Hello and welcome back to Cybrary's Microsoft Azure Administrator AZ-103 course. I'm your instructor, Will Carlson, and this is Episode 39: Network Security Groups.
In this episode, we're going to understand what a network security group really is and what resources it associates with here in Azure. We're also going to discuss and configure a network security group rule.
And then lastly, we're going to walk through a way that we can troubleshoot when things are not operating the way that we expect in regards to a network security group.
We're going to go right here into the portal, and the first thing I want to mention about network security groups is that they're going to be associated with subnets and network interface cards (NICs). Typically this is going to be a subnet. Most often, when you find a network security group associated with a virtual machine's NIC,
that's going to be because the virtual machine is running as a network virtual appliance. So essentially you've got a virtualized copy of firewall software or router software running on that particular virtual machine, and then you would typically associate a network security group with the NIC on that VM.
To create a network security group, we're going to come up here to Create a resource, and we're going to search for Network Security Group, and then we're going to select Create from the marketplace. We're going to go ahead and name this network security group: we're going to call this Allow RDP. We're going to leave this on our free trial subscription, we're going to associate it with our IT resource group, and then we can click Create.
And while that's creating, I want to point out another thing about network security groups, and that's that every NIC or subnet can have zero or one network security group associated. It cannot be more than one. Now, a network security group can be applied to multiple NICs or multiple subnets, but not the other way around.
That makes a little bit of sense. If we had multiple network security groups associated with a subnet, the chances for conflicts would be really high, so that's not allowed.
Now that our network security group has finished deploying, we can come up here to All services and search for Network security groups to see those that we have. This is the network security group that we just created, and if I go ahead and click on it, I can see all of the default security rules here in the security group itself.
And we can see illustrated here something that we've talked about previously in this course, and that's that all traffic between subnets within a virtual network is going to be allowed. You can also see that inbound traffic from the Azure load balancer is allowed by default, and that outbound traffic to the virtual network, to other virtual networks and to the Internet is allowed. So, by default, the virtual network is allowed in, the Azure load balancer is allowed in, and the virtual network and the Internet are allowed outbound.
So if we want to change these network security group rules, we can come over here under Settings and change the rules, either inbound or outbound. For this example, we're going to select Inbound security rules, and I'm going to select Add.
If you're familiar with configuring firewall rules, this interface should look very familiar to you. We're going to select the source, or where the traffic is coming from. Remember, this is an inbound rule, and I can set the source to an IP address, a service tag, or an application security group. We're going to go ahead and leave this as Any, and we're going to leave the source port range also set to Any.
Now, we could set the destination using very similar options to the ones we had for the source: IP address, virtual network or application security group. So if I only wanted to allow 3389 from a particular virtual network into wherever this NSG was applied, I could do so by selecting Virtual network. But we'll leave it as Any here as well.
And then I'll select my destination port, and for this case I would select 3389 for RDP. I can also come down here and give it a name that's a little more descriptive than this, and put in a description.
But one thing that's definitely worth mentioning is this priority number, and this number is relatively important because it sets the order of precedence in which these rules are applied. Network security group rules here in Azure are applied very similarly to firewall policies on your on-prem firewalls: they're applied in a top-down manner. So adding this with a priority of 100 (let's select Add here and see) is going to put this network security group rule at the top of the list. If I had put this rule down here at 66,000, it never would get hit, because the deny-all inbound rule would be triggered before our port 3389 rule ever had a chance of being evaluated.
It's also important here, when setting the priority number, to leave yourself some space in these priorities. It may seem sensible to go ahead and start our first NSG rule at priority 1 to make sure that it always gets applied. But what happens when, down the road, you need to put another rule ahead of the one that's already in position number one? Well, if we only have two rules, that's not too bad: we would move number one down to number two and put the new one at number one. But if we had a hundred rules below it, numbered 1 to 100, and we needed to put one ahead of it, we would have a lot of work to do changing the priority of all of those network security group rules.
So it's advisable to leave room, and Azure has gone ahead and done us a favor here by making 100 the lowest priority we can use, giving us 100 slots before this particular rule. It's also a good idea, for the next rule we put in line, not to make it 101; leave yourself a little bit of room. Maybe we could make this 110, maybe 125. Which number is a good one is completely up to you, but it's really advised that you leave space between the priorities in your network security group rules so that your environment has room to grow and change.
We could do the same thing here for outbound security rules as well, and the process is exactly the same.
Now we can click down to Network interfaces, and we can see what network interfaces this network security group is associated with. As this isn't the typical way this will be set up, we're going to go ahead and select Subnets down here, and to associate a subnet with this network security group I'm going to select Associate. I'm going to choose my virtual network, we're going to select the IT resource group, we're going to choose the default subnet, and we're going to select OK.
And now I've associated this new network security group with the default subnet, 10.0.0.0/24, of the IT resource group's VNet. Traffic to port 3389 is now going to be open inbound from the public Internet.
Now that we have all of our network security groups set up, allowing the traffic we want and blocking the traffic we don't, what happens when things are not working the way that we expect?
All we have to do is come down here into Effective security rules, and this tool is going to evaluate the rules that are being applied to this particular virtual machine. Now that that evaluation is completed, I can see here that the first rule in this network security group is to allow 3389 in from anywhere, from any source port. And if I come here to the aptly named RDP block, I can see that this network security group rule is blocking 3389. So I have a rule mismatch here, and that's what's going to be causing my problems. So Azure does give us some tools to be able to troubleshoot when things are not going the way that we expect with network security group rules.
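To make two of the mechanics in this episode concrete (the priority ordering from the rule-creation walkthrough, and the layered evaluation that Effective security rules reports for a VM), here is a small Python model of inbound NSG evaluation. It is an added example written for this page, not code from the course or from Azure. It assumes the behaviour documented by Azure: custom rule priorities must be between 100 and 4096 and unique within a direction; the default rules AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500) always sort after custom rules; and inbound traffic is checked against the subnet NSG first and then the NIC NSG, with a deny at either layer being final. Service tags are reduced to plain string labels, and the NSG names Allow-RDP and RDP-block, the rule names and the packets are constructed for the illustration.

```python
"""Toy model of Azure inbound NSG evaluation (added example, not Azure code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str             # "Allow" or "Deny"
    source: str = ANY       # address/CIDR label or service tag name (assumed labels)
    dest_port: str = ANY    # "3389", "1024-65535" or "*"
    protocol: str = ANY     # "Tcp", "Udp" or "*"


@dataclass(frozen=True)
class Packet:
    source: str             # e.g. "Internet", "VirtualNetwork" (constructed labels)
    dest_port: int
    protocol: str = "Tcp"


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == ANY:
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-", 1))
        return lo <= port <= hi
    return int(rule_port) == port


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.source in (ANY, pkt.source)
            and rule.protocol in (ANY, pkt.protocol)
            and _port_matches(rule.dest_port, pkt.dest_port))


# Azure's default inbound rules. They sit above the custom range (100-4096)
# and cannot be deleted, so a custom rule always sorts ahead of DenyAllInBound.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", source="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
)


class NSG:
    def __init__(self, name: str, rules: Tuple[Rule, ...] = ()):
        self.name = name
        self.rules: List[Rule] = []
        for rule in rules:
            self.add_rule(rule)

    def add_rule(self, rule: Rule) -> None:
        # Same checks the portal applies: priority 100-4096, unique per direction.
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"{rule.name}: priority must be between 100 and 4096")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"{rule.name}: priority {rule.priority} already in use")
        self.rules.append(rule)

    def next_free_priority(self, step: int = 10) -> int:
        # Leave gaps, as the lesson advises, so a later rule can slot in front.
        top = max((r.priority for r in self.rules), default=100 - step)
        return (top // step + 1) * step

    def evaluate(self, pkt: Packet) -> Rule:
        # Lowest priority number first; the first matching rule decides.
        for rule in sorted(self.rules + list(DEFAULT_INBOUND), key=lambda r: r.priority):
            if _matches(rule, pkt):
                return rule
        raise AssertionError("unreachable: DenyAllInBound matches everything")


def effective_inbound(pkt: Packet, subnet_nsg: Optional[NSG] = None,
                      nic_nsg: Optional[NSG] = None) -> Tuple[str, str]:
    """Inbound traffic crosses the subnet NSG first, then the NIC NSG.
    A Deny at either layer is final; both must allow for the packet to pass.
    With no NSG anywhere on the path, Azure allows the traffic."""
    decision = ("Allow", "no NSG on path")
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is None:
            continue
        hit = nsg.evaluate(pkt)
        decision = (hit.access, f"{nsg.name}/{hit.name}")
        if hit.access == "Deny":
            break
    return decision


if __name__ == "__main__":
    allow_rdp = NSG("Allow-RDP", (Rule("Allow-RDP-3389", 100, "Allow",
                                       dest_port="3389", protocol="Tcp"),))
    rdp_block = NSG("RDP-block", (Rule("Deny-RDP", 100, "Deny", dest_port="3389"),))
    rdp_from_internet = Packet(source="Internet", dest_port=3389)
    # Subnet NSG alone: the priority-100 rule is hit before DenyAllInBound (65500).
    print(effective_inbound(rdp_from_internet, subnet_nsg=allow_rdp))
    # Add the NIC-level "RDP block" NSG from the troubleshooting walkthrough.
    print(effective_inbound(rdp_from_internet, subnet_nsg=allow_rdp, nic_nsg=rdp_block))
    print("next free priority:", allow_rdp.next_free_priority())
```

The second print reproduces the mismatch seen in Effective security rules: the subnet NSG allows 3389 at priority 100, but the NIC-level NSG denies it, and the deny wins because each layer is evaluated independently. The model also refuses priority 1, which is why the lesson's advice to leave gaps starts counting from 100.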
In this episode, we talked about the fact that network security groups are going to be deployed on subnets or network interface cards, but typically on subnets. We also talked about the fact that a subnet or a NIC can have zero or one network security group only, and that a network security group can be applied to multiple subnets or network interface cards.
We also walked through a tool that we can use to troubleshoot when things are not going well for us with our network security group rules, and we configured an inbound security rule as well.
Coming up next, we're going to begin our discussion about peering, which is a way that we can set up communication between two totally separate virtual networks here in Azure. Thanks for joining me today, and I'm looking forward to the next episode.