Time
8 hours 33 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:00
Hello, Cybrarians. Welcome to this lesson on Network Security Groups.
00:05
This lesson is part of a module of the AZ-500 Microsoft Azure Security Technologies course.
00:12
For simplicity, I'll be referring to it by the abbreviation NSG going forward.
00:19
Now, I've got to tell you something. I'm really excited about this lesson and the rest of the lessons in this module.
00:25
And I'll tell you why.
00:27
Everything that we've discussed and demonstrated about virtual networks so far was just laying the groundwork.
00:34
From this lesson on, we actually start discussing network security technologies in Azure. So I'm excited about that.
00:43
Quick information on what we'll be covering in this lesson.
00:47
We'll start out by looking at some NSG core concepts. We'll then look at NSG rules and how they are applied,
00:54
and we'll be discussing the concept of priority numbers and effective rules.
00:59
Then I will conclude with a demonstration of creating an NSG and associating it. Let's get into this.
01:06
So, first of all, what is an NSG?
01:10
It is a stateful packet filter that we can use to filter the network traffic to and from Azure resources in an Azure virtual network.
01:19
Now, note that I did not say firewall. Note the wording that I used here: packet filter.
01:26
This is because the NSG does not do any deep packet inspection like a next-generation firewall does. All it does is filter packets based on what we configure in the NSG.
01:38
What we configure in the NSG are security rules that allow or deny inbound or outbound network traffic.
01:47
Now, for each rule, we can specify source and destination IP,
01:52
source and destination ports, and protocol. And finally, where do we associate or assign an NSG? We can associate it with a subnet in an Azure virtual network, or even directly to a VM network interface.
02:07
We mentioned earlier that an NSG contains security rules. Now, each rule in an NSG has a priority number,
02:15
and the importance of that is that it determines the order of evaluation. The way it works is that a lower priority number is evaluated first. So, for example, if I have a deny rule with a priority number of 2000
02:31
and an allow rule for the same traffic with a priority number of 3000, the traffic will be denied, as the rule at 2000 will be evaluated first.
02:43
When we create an NSG, it comes with certain default rules that we cannot delete or modify.
02:50
However, we can override those rules by specifying a rule with a lower priority number. So, for example, what you're looking at on the screen are the default rules, and they usually range from 65,000 to 65,500. We cannot change or modify those; however, we can place other rules above them.
03:10
When we're looking at how rules are evaluated, it is important to recognize the order that applies, especially if we have rules both at the network interface level and at the subnet level.
03:23
For outbound traffic, Azure processes the rules in the NSG associated to the network interface first,
03:32
and then the rules associated to the subnet afterwards.
03:38
For inbound traffic, Azure processes the rules in the NSG associated to the subnet first,
03:45
and then the rules in the NSG associated to the network interface after.
03:51
If we ever get to a point where we're confused as to what rules are applied,
03:55
there is a nice option in Azure that we can find under the networking section of a virtual machine called effective security rules. You can see that in the diagram on the lower side of the screen,
04:06
and using the effective rules, we can verify which rules are applied to a network interface.
04:15
So now, to the demonstration.
04:16
The tasks that I'll be completing: first, I'll create an NSG.
04:23
I'll then add an inbound rule to the NSG to block RDP.
04:28
I'll attach the NSG to the network interface of my virtual machine.
04:32
And I'll verify that the rule configured in the NSG applies. So in the first task I'll create a new NSG. Here is a visual representation of what I'll be doing.
04:43
I currently have the setup that you're seeing on your screen, and I'll create a new NSG resource.
04:49
I'm back in the Azure portal. I'll go ahead and click on Create a resource, and I'll type network security,
04:57
and I can see Network security group. I'll click on that option and I'll click on Create.
05:03
I'll put this in the same resource group, which is network-rg.
05:08
I'll give it a name of winvm-nsg,
05:14
and I'll leave that in UK South. It needs to be in the same location as the resource that we are applying it to.
05:19
I'll then click Review and create,
05:23
and I'll click on Create. That should only take a few seconds and I shall have my network security group created.
05:30
So here we go. The NSG is fully created. So what I'll do first is, I'll go and review it so we can look at the default rules that we talked about.
05:38
If I go to the inbound security rules, you can see the rules with priority numbers 65,000 to 65,500,
05:45
and you can see that anything is allowed within the virtual network and anything from the Azure load balancer is allowed inbound.
05:53
Nothing is allowed from the Internet inbound by default. If I click on outbound security rules, you can see that anything is allowed within the virtual network and anything is allowed outbound to the Internet. So maybe that's something we want to modify to prevent data exfiltration.
06:10
In the next task, I'll be adding an inbound rule to the NSG to block RDP. Here is a visual representation of what I'll be doing.
06:18
So back in the Azure portal, I'll go ahead and click Inbound security rules.
06:24
I'll click on Add to add a new inbound rule. Now for the source, I'll select a service tag. A service tag is a list of IP addresses that is managed by Microsoft, so instead of always having to manage our own list, you can see that there is a list for different services. I'll go ahead and select Internet.
06:43
Now for the source port, I'll leave that as a star,
06:45
for the destination, I'll go ahead and leave that as any,
06:48
and for the destination port I'll specify port 3389, which is the port for RDP. For the protocol I'll select TCP, which is the protocol for RDP, and for the action I'll set that as Deny,
07:02
and I'll give that a priority of 100,
07:06
and for the name I'll say block
07:10
RDP,
07:12
and I'll go ahead and click on Add.
07:14
Now that's successfully added to the rules, so we can move on to the next task.
07:17
So in the next task I'll be assigning the NSG that I just created to the network interface of my Windows VM.
07:26
Here is a visual representation of what I'll be doing. I have the rule already created in the NSG, and I'll assign it to the network interface. So I'm back in the Azure portal.
07:39
So what I can do is I can either click on network interfaces or subnets to associate the network security group here.
07:46
What I'll do is I'll go to my virtual machines,
07:48
I'll select my Windows virtual machine, and I'll go on to Networking.
07:53
Now under Networking, I have my network interface. I'll click on the network interface and I have Network security group.
08:00
I'll click on Network security group, and I'll click on Edit.
08:03
I'll click on the option to specify a network security group, and I can see the security group that I created earlier here. So I'll select that
08:11
and I'll click on Save.
08:13
So now that has successfully associated the network security group with my network interface.
08:20
So in the next task I'll verify that my NSG is working as expected by attempting to connect to my Windows VM using RDP. Here is a visual representation of what I'll be doing.
08:33
From the Internet, I'll attempt to connect using RDP to the public IP of my VM. Now, if you remember from the last lesson, this worked successfully, but with the newly applied NSG, I expect the communication to be blocked by the NSG. So that's what I expect to happen. So let's go ahead and verify that.
08:54
So back in the Azure portal, I'll go to virtual machines. I'll select my Windows virtual machine.
09:01
I'll copy the IP address of my Windows virtual machine, and I'll go and open the Microsoft Remote Desktop client.
09:09
Here is the Remote Desktop client. I'll go ahead and paste the IP address in, and I'll click on Connect,
09:18
and there we go.
09:18
Here are some supplemental links for further study on the topics covered in this lesson. Here is a summary of what we covered:
09:26
We started out by looking at some NSG core concepts.
09:30
We then discussed NSG rules and how they are applied, especially the concept around priority numbers and the scope of the subnet and the network interface,
09:39
and finally, I demonstrated the creation and association of an NSG to a VM's network interface.
09:48
This brings me to the end of this video. Thanks very much for watching, and I'll see you in the next lesson.
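As an added example that is not part of the lesson, here is a small Python model of the evaluation described above: within one NSG the first matching rule by ascending priority wins, the three default inbound rules (65000, 65001, 65500) act as the backstop, and for inbound traffic the subnet NSG is evaluated before the NIC NSG. The rule names, the "block-rdp" rule and the reduction of traffic to a source tag, destination port and protocol are my own simplifications.

```python
# Added example: a model of Azure NSG inbound evaluation (not the lesson's own code).
# Assumptions: traffic is described by source service tag, destination port and protocol;
# rule names are constructed to mirror the rules shown in the lesson.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    source: str        # service tag: "Internet", "VirtualNetwork", "AzureLoadBalancer" or "*"
    dest_port: str     # "*" or a port number as a string
    protocol: str      # "TCP", "UDP" or "*"
    action: str        # "Allow" or "Deny"

# Default inbound rules every NSG is created with (priority 65000-65500, not editable).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

def matches(rule: Rule, source: str, port: int, protocol: str) -> bool:
    return (rule.source in ("*", source)
            and rule.dest_port in ("*", str(port))
            and rule.protocol in ("*", protocol))

def evaluate_nsg(rules, source, port, protocol) -> tuple:
    """First matching rule by ascending priority decides; defaults always catch the rest."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if matches(rule, source, port, protocol):
            return rule.action, rule.name
    return "Deny", "implicit"   # unreachable while the default rules are present

def effective_inbound(subnet_nsg, nic_nsg, source, port, protocol) -> tuple:
    """Inbound: the subnet NSG is evaluated first, then the NIC NSG; both must allow.
    None means no NSG is attached at that scope, so that scope is skipped."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is None:
            continue
        action, name = evaluate_nsg(nsg, source, port, protocol)
        if action == "Deny":
            return action, name
    return "Allow", "all-scopes"

# Constructed sample: the lesson's deny rule (Internet -> TCP/3389, priority 100) on the NIC NSG.
WINVM_NSG = [Rule("block-rdp", 100, "Internet", "3389", "TCP", "Deny")]

if __name__ == "__main__":
    print(effective_inbound(None, WINVM_NSG, "Internet", 3389, "TCP"))        # ('Deny', 'block-rdp')
    print(effective_inbound(None, WINVM_NSG, "VirtualNetwork", 3389, "TCP"))  # ('Allow', 'all-scopes')
```

The `effective_inbound` result is what the portal's effective security rules view lets you confirm for a network interface; reversing the scope order would give the outbound case.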

AZ-500: Microsoft Azure Security Technologies

In the AZ-500 Microsoft Azure Security Technologies training, students will learn the skills that are needed to pass the AZ-500 certification exam. All exam topics are covered as well as exam preparation strategies and hands-on practice.

Instructed By

David Okeyode
Cloud Security Architect
Instructor