Filter network traffic with a network security group using the Azure portal

You can use a network security group to filter inbound and outbound network traffic to and from Azure resources in an Azure virtual network.

Network security groups contain security rules that filter network traffic by IP address, port, and protocol. When a network security group is associated with a subnet, security rules are applied to resources deployed in that subnet.

In this tutorial, you learn how to:

• Create a network security group and security rules
• Create application security groups
• Create a virtual network and associate a network security group to a subnet
• Deploy virtual machines and associate their network interfaces to the application security groups

Prerequisites

• An Azure account with an active subscription. You can create an account for free.

Sign in to Azure

Sign in to the Azure portal.

Create a virtual network

The following procedure creates a virtual network with a resource subnet.

1. In the portal, search for and select Virtual networks.

2. On the Virtual networks page, select + Create.

3. On the Basics tab of Create virtual network, enter or select the following information:

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select Create new. Enter test-rg in Name. Select OK.
   Instance details
   Name	Enter vnet-1.
   Region	Select East US 2.

   

4. Select Next to proceed to the Security tab.

5. Select Next to proceed to the IP Addresses tab.

6. In the address space box in Subnets, select the default subnet.

7. In Edit subnet, enter or select the following information:

   Setting	Value
   Subnet details
   Subnet template	Leave the default Default.
   Name	Enter subnet-1.
   Starting address	Leave the default of 10.0.0.0.
   Subnet size	Leave the default of /24(256 addresses).

   

8. Select Save.

9. Select Review + create at the bottom of the screen, and when validation passes, select Create.

Create application security groups

An application security group (ASGs) enables you to group together servers with similar functions, such as web servers.

1. In the search box at the top of the portal, enter Application security group. Select Application security groups in the search results.

2. Select + Create.

3. On the Basics tab of Create an application security group, enter or select this information:

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Name	Enter asg-web.
   Region	Select East US 2.

4. Select Review + create.

5. Select + Create.

6. Repeat the previous steps, specifying the following values:

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Name	Enter asg-mgmt.
   Region	Select East US 2.

7. Select Review + create.

8. Select Create.

Create a network security group

A network security group (NSG) secures network traffic in your virtual network.

1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

    Note

   In the search results for Network security groups, you may see Network security groups (classic). Select Network security groups.

2. Select + Create.

3. On the Basics tab of Create network security group, enter or select this information:

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Name	Enter nsg-1.
   Location	Select East US 2.

4. Select Review + create.

5. Select Create.

Associate network security group to subnet

In this section, you associate the network security group with the subnet of the virtual network you created earlier.

1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

2. Select nsg-1.

3. Select Subnets from the Settings section of nsg-1.

4. In the Subnets page, select + Associate:

   

5. Under Associate subnet, select vnet-1 (test-rg) for Virtual network.

6. Select subnet-1 for Subnet, and then select OK.

Create security rules

1. Select Inbound security rules from the Settings section of nsg-1.

2. In Inbound security rules page, select + Add.

3. Create a security rule that allows ports 80 and 443 to the asg-web application security group. In Add inbound security rule page, enter or select the following information:

   Setting	Value
   Source	Leave the default of Any.
   Source port ranges	Leave the default of (*).
   Destination	Select Application security group.
   Destination application security groups	Select asg-web.
   Service	Leave the default of Custom.
   Destination port ranges	Enter 80,443.
   Protocol	Select TCP.
   Action	Leave the default of Allow.
   Priority	Leave the default of 100.
   Name	Enter allow-web-all.

4. Select Add.

5. Complete the previous steps with the following information:

   Setting	Value
   Source	Leave the default of Any.
   Source port ranges	Leave the default of (*).
   Destination	Select Application security group.
   Destination application security group	Select asg-mgmt.
   Service	Select RDP.
   Action	Leave the default of Allow.
   Priority	Leave the default of 110.
   Name	Enter allow-rdp-all.

6. Select Add.

    Caution

   In this article, RDP (port 3389) is exposed to the internet for the VM that is assigned to the asg-mgmt application security group.

   For production environments, instead of exposing port 3389 to the internet, it's recommended that you connect to Azure resources that you want to manage using a VPN, private network connection, or Azure Bastion.

   For more information on Azure Bastion, see What is Azure Bastion?.

Create virtual machines

Create two virtual machines (VMs) in the virtual network.

1. In the portal, search for and select Virtual machines.

2. In Virtual machines, select + Create, then Azure virtual machine.

3. In Create a virtual machine, enter or select this information in the Basics tab:

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Virtual machine name	Enter vm-1.
   Region	Select (US) East US 2.
   Availability options	Leave the default of No infrastructure redundancy required.
   Security type	Select Standard.
   Image	Select Windows Server 2022 Datacenter - x64 Gen2.
   Azure Spot instance	Leave the default of unchecked.
   Size	Select a size.
   Administrator account
   Username	Enter a username.
   Password	Enter a password.
   Confirm password	Reenter password.
   Inbound port rules
   Select inbound ports	Select None.

4. Select Next: Disks then Next: Networking.

5. In the Networking tab, enter or select the following information:

   Setting	Value
   Network interface
   Virtual network	Select vnet-1.
   Subnet	Select subnet-1 (10.0.0.0/24).
   Public IP	Leave the default of a new public IP.
   NIC network security group	Select None.

6. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

7. Select Create. The VM may take a few minutes to deploy.

8. Repeat the previous steps to create a second virtual machine named vm-2.

Associate network interfaces to an ASG

When you created the VMs, Azure created a network interface for each VM, and attached it to the VM.

Add the network interface of each VM to one of the application security groups you created previously:

1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results, then select vm-1.

2. Select Application security groups from the Networking section of vm-1.

3. Select Add application security groups, then in the Add application security groups tab, select asg-web. Finally, select Add.

   

4. Repeat the previous steps for vm-2, selecting asg-mgmt in the Add application security groups tab.

Test traffic filters

1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

2. Select vm-2.

3. On the Overview page, select the Connect button and then select Native RDP.

4. Select Download RDP file.

5. Open the downloaded rdp file and select Connect. Enter the username and password you specified when creating the VM.

6. Select OK.

7. You may receive a certificate warning during the connection process. If you receive the warning, select Yes or Continue, to continue with the connection.

   The connection succeeds, because inbound traffic from the internet to the asg-mgmt application security group is allowed through port 3389.

   The network interface for vm-2 is associated with the asg-mgmt application security group and allows the connection.

8. Open a PowerShell session on vm-2. Connect to vm-1 using the following:

   PowerShell

   mstsc /v:vm-1
   

   The RDP connection from vm-2 to vm-1 succeeds because virtual machines in the same network can communicate with each other over any port by default.

   You can't create an RDP connection to the vm-1 virtual machine from the internet. The security rule for the asg-web prevents connections to port 3389 inbound from the internet. Inbound traffic from the Internet is denied to all resources by default.

9. To install Microsoft IIS on the vm-1 virtual machine, enter the following command from a PowerShell session on the vm-1 virtual machine:

   PowerShell

   Install-WindowsFeature -name Web-Server -IncludeManagementTools
   

10. After the IIS installation is complete, disconnect from the vm-1 virtual machine, which leaves you in the vm-2 virtual machine remote desktop connection.

11. Disconnect from the vm-2 VM.

12. Search for vm-1 in the portal search box.

13. On the Overview page of vm-1, note the Public IP address for your VM. The address shown in the following example is 20.230.55.178, your address is different:

    

14. To confirm that you can access the vm-1 web server from the internet, open an internet browser on your computer and browse to http://<public-ip-address-from-previous-step>.

 

Create Web Application Firewall policies for Application Gateway

Associating a WAF policy with listeners allows for multiple sites behind a single WAF to be protected by different policies. For example, if there are five sites behind your WAF, you can have five separate WAF policies (one for each listener) to customize the exclusions, custom rules, and managed rulesets for one site without effecting the other four. If you want a single policy to apply to all sites, you can just associate the policy with the Application Gateway, rather than the individual listeners, to make it apply globally. Policies can also be applied to a path-based routing rule.

You can make as many policies as you want. Once you create a policy, it must be associated to an Application Gateway to go into effect, but it can be associated with any combination of Application Gateways and listeners.

If your Application Gateway has an associated policy, and then you associate a different policy to a listener on that Application Gateway, the listener's policy takes effect, but just for the listener(s) that they're assigned to. The Application Gateway policy still applies to all other listeners that don't have a specific policy assigned to them.

All new Web Application Firewall's WAF settings (custom rules, managed ruleset configurations, exclusions, etc.) live inside of a WAF Policy. If you have an existing WAF, these settings may still exist in your WAF config. For steps on how to move to the new WAF Policy, see Upgrade your WAF Config to a WAF Policy later in this article.

WAF policies need to be in the enabled state to inspect request traffic, log events and take action on requests. WAF policies in detection mode will log events when WAF rules are triggered but won't take any other action. Policies in prevention mode will take action on requests as well as log the event in the logs.

Create a policy

First, create a basic WAF policy with a managed Default Rule Set (DRS) using the Azure portal.

1. On the upper left side of the portal, select Create a resource. Search for WAF, select Web Application Firewall, then select Create.

2. On Create a WAF policy page, Basics tab, enter or select the following information and accept the defaults for the remaining settings:

   Setting	Value
   Policy for	Regional WAF (Application Gateway)
   Subscription	Select your subscription name
   Resource group	Select your resource group
   Policy name	Type a unique name for your WAF policy.

3. On the Association tab, select Add association, then select one of the following settings:

   Setting	Value
   Application Gateway	Select the application gateway, and then select Add.
   HTTP Listener	Select the application gateway, select the listeners, then select Add.
   Route Path	Select the application gateway, select the listener, select the routing rule, and then select Add.

    Note

   If you assign a policy to your Application Gateway (or listener) that already has a policy in place, the original policy is overwritten and replaced by the new policy.

4. Select Review + create, then select Create.

   

Configure WAF rules (optional)

When you create a WAF policy, by default it is in Detection mode. In Detection mode, WAF doesn't block any requests. Instead, the matching WAF rules are logged in the WAF logs. To see WAF in action, you can change the mode settings to Prevention. In Prevention mode, matching rules defined in the Microsoft Managed Rulesets you selected are blocked and/or logged in the WAF logs.

Managed rules

Azure-managed OWASP rules are enabled by default. To disable an individual rule within a rule group, expand the rules within that rule group, select the check box in front of the rule number, and select Disable on the tab above.

Custom rules

To create a custom rule, select Add custom rule under the Custom rules tab. This opens the custom rule configuration page. The following screenshot shows an example custom rule configured to block a request if the query string contains the text blockme.

Upgrade your WAF Config to a WAF Policy

If you have an existing WAF, you may have noticed some changes in the portal. First you need to identify what kind of Policy you've enabled on your WAF. There are three potential states:

1. No WAF Policy
2. Custom Rules only Policy
3. WAF Policy

You can tell which state your WAF is in by looking at it in the portal. If the WAF settings are visible and can be changed from within the Application Gateway view, your WAF is in state 1.

If you select Web Application Firewall and it shows you an associated policy, the WAF is in state 2 or state 3. After navigating to the policy, if it shows only custom rules, and Associated Application Gateways, then it's a Custom Rules only Policy.

If it also shows Policy Settings and Managed Rules, then it's a full Web Application Firewall policy.