
Associating Azure Network Security Groups

In this post, I will explain how the two options for associating a network security group (NSG) work, virtual machine NIC or subnet, and I’ll recommend a method to use.


Associate with a NIC

The first way to associate an NSG is to associate it with a NIC; this is the method used when you next-next-next your way through creating a virtual machine in the Azure Portal. My choice of words might hint at my attitude to that, but more on this later.

When you associate an NSG with a virtual machine's NIC, the inbound and outbound rules allow or deny packets as they hit the NIC.

How Filtering Works with a NIC-Associated NSG [Image Credit: Aidan Finn]

Inbound rules are evaluated once traffic has already entered the subnet and is attempting to enter the virtual machine via its NIC. A deny rule drops the packet at this point; an allow rule passes the packet in, where it is inspected further by any firewall in the guest OS, such as Windows Firewall. An NSG allow only means the packet reaches the virtual machine; it does not replace the guest firewall.

Associating an NSG with a NIC is very powerful and granular but in no time at all, this approach will become a nightmare to manage. One could have one NSG for lots of virtual machines but that will quickly become unworkable as rules become specialized and difficult to troubleshoot. In reality, this approach is OK for very small deployments that will remain very small, for example, a single virtual machine.
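As an added example, not code from the original post, here is the NIC association done with the Az PowerShell module instead of the portal wizard: an NSG with a single inbound rule is created and attached to an existing NIC, and the effective rules are then read back so you can see exactly what the platform evaluates at that NIC. The resource group, region, NIC name and the admin source range (203.0.113.0/24, a documentation prefix) are assumptions for illustration.

```powershell
# Added example: associate an NSG with one VM NIC using the Az module.
# Names, region and the admin CIDR below are assumptions, not values from the post.
$rg        = 'rg-nsg-demo'
$location  = 'northeurope'
$nicName   = 'vm01-nic'
$adminCidr = '203.0.113.0/24'   # assumed management network (TEST-NET-3 documentation range)

# Allow RDP from the admin range only. Anything else inbound falls through to the
# built-in DenyAllInBound rule (priority 65500), rather than opening 3389 to any source.
$rdpFromAdmin = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' `
    -Description 'RDP from the management network only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-vm01-nic' -SecurityRules $rdpFromAdmin

# Associate: set the NIC's NetworkSecurityGroup property and write the NIC back.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Check: the effective rules are what is actually evaluated at the NIC, merging the
# default rules, this NSG and any NSG on the subnet. The VM must be running for this call.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Sort-Object Priority |
    Format-Table Name, Direction, Access, Priority, Protocol, DestinationPortRange
```

Run this once per NIC and you see the management problem the text describes: every VM gets its own NSG resource with its own rule set, and the effective-rules check has to be repeated per NIC to troubleshoot anything.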

Associate with a Subnet

The second way to deploy an NSG in Azure is to associate it with a subnet of a virtual network. This is a deployment that you must do yourself; it is not part of any default next-next-next process.

When you associate an NSG with a subnet, the rules are applied at the subnet boundary: inbound rules filter packets as they enter the subnet, and outbound rules filter packets as they leave it.

How Filtering Works with a Subnet-Associated NSG [Image Credit: Aidan Finn]

Once you have more than a few, or even just one, virtual machines, this is the preferred way to secure a virtual network at Layer 4, filtering by source and destination address, port and protocol (TCP, UDP or ICMP). If you apply good virtual network design practices, treating each subnet as a security boundary and placing similar machines in the same subnet, then this approach scales out. If you have a more complex subnet, such as one you lift-and-shift migrated from on-premises, then you can use application security groups to identify roles within a subnet and apply rules to those roles.

One caveat when both kinds of association exist: inbound traffic is checked against the subnet NSG first and then against the NIC NSG, and outbound traffic the other way round, so a packet must be allowed by both to pass. A NIC NSG left behind by a portal deployment can therefore silently drop traffic that the subnet NSG allows, which is the first thing to check when a rule "doesn't work".
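The subnet approach with roles inside the subnet, as an added example that is not from the original post: one NSG is associated with the subnet, two application security groups (ASGs) identify the web and SQL roles living in that subnet, the rules refer to the ASGs instead of IP addresses, and an existing NIC is placed into its role. The resource group, region, virtual network, subnet prefix, NIC name and the assumption that the NIC has a single, dynamically allocated IP configuration are all illustrative assumptions.

```powershell
# Added example: one NSG on the subnet, with roles inside the subnet expressed as ASGs.
# Resource names, prefixes and the region are assumptions, not values from the post.
$rg           = 'rg-nsg-demo'
$location     = 'northeurope'
$vnetName     = 'vnet-prod'
$subnetName   = 'snet-app'
$subnetPrefix = '10.10.1.0/24'

# Two roles sharing one lifted-and-shifted subnet.
$asgWeb = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-web' -Location $location
$asgSql = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-sql' -Location $location

$rules = @(
    # Internet -> web role on 443 only.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-To-Web' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asgWeb.Id -DestinationPortRange 443

    # web role -> sql role on 1433. Source is an ASG as well, so no IP lists to maintain.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-SQL-From-Web' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceApplicationSecurityGroupId $asgWeb.Id -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asgSql.Id -DestinationPortRange 1433

    # Explicit deny for everything else aimed at SQL. Without it the default
    # AllowVnetInBound rule (priority 65000) lets any VNet address reach the SQL role.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-All-To-Sql' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asgSql.Id -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-snet-app' -SecurityRules $rules

# Associate the NSG with the subnet, then commit the virtual network.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnetPrefix -NetworkSecurityGroup $nsg |
    Set-AzVirtualNetwork | Out-Null

# Put an existing NIC into the web role. ASG membership lives on the NIC's IP configuration;
# the subnet id is passed back so the configuration keeps it. Assumes one dynamic ipconfig.
$nic   = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'web01-nic'
$ipcfg = $nic.IpConfigurations[0]
$nic | Set-AzNetworkInterfaceIpConfig -Name $ipcfg.Name -SubnetId $ipcfg.Subnet.Id `
    -ApplicationSecurityGroupId $asgWeb.Id -Primary | Out-Null
$nic | Set-AzNetworkInterface | Out-Null
```

Adding a second web server is then a matter of putting its NIC into asg-web; no rule changes, and the single NSG on the subnet stays the one place to read when troubleshooting.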


Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.