Thursday, 11 July 2024

Filter network traffic with a network security group using the Azure portal

You can use a network security group to filter inbound and outbound network traffic to and from Azure resources in an Azure virtual network.

Network security groups contain security rules that filter network traffic by IP address, port, and protocol. When a network security group is associated with a subnet, security rules are applied to resources deployed in that subnet.

Diagram of resources created during tutorial.

In this tutorial, you learn how to:

  • Create a network security group and security rules
  • Create application security groups
  • Create a virtual network and associate a network security group to a subnet
  • Deploy virtual machines and associate their network interfaces to the application security groups

Prerequisites

Sign in to Azure

Sign in to the Azure portal.

Create a virtual network

The following procedure creates a virtual network with a resource subnet.

  1. In the portal, search for and select Virtual networks.

  2. On the Virtual networks page, select + Create.

  3. On the Basics tab of Create virtual network, enter or select the following information:

    Setting             Value
    Project details
    Subscription        Select your subscription.
    Resource group      Select Create new. Enter test-rg in Name. Select OK.
    Instance details
    Name                Enter vnet-1.
    Region              Select East US 2.

    Screenshot of Basics tab of Create virtual network in the Azure portal.

  4. Select Next to proceed to the Security tab.

  5. Select Next to proceed to the IP Addresses tab.

  6. In the address space box in Subnets, select the default subnet.

  7. In Edit subnet, enter or select the following information:

    Setting             Value
    Subnet details
    Subnet template     Leave the default Default.
    Name                Enter subnet-1.
    Starting address    Leave the default of 10.0.0.0.
    Subnet size         Leave the default of /24 (256 addresses).

    Screenshot of default subnet rename and configuration.

  8. Select Save.

  9. Select Review + create at the bottom of the screen, and when validation passes, select Create.

Create application security groups

An application security group (ASG) enables you to group together servers with similar functions, such as web servers, and to reference that group in security rules instead of individual IP addresses.

  1. In the search box at the top of the portal, enter Application security group. Select Application security groups in the search results.

  2. Select + Create.

  3. On the Basics tab of Create an application security group, enter or select this information:

    Setting             Value
    Project details
    Subscription        Select your subscription.
    Resource group      Select test-rg.
    Instance details
    Name                Enter asg-web.
    Region              Select East US 2.

  4. Select Review + create.

  5. Select + Create.

  6. Repeat the previous steps, specifying the following values:

    Setting             Value
    Project details
    Subscription        Select your subscription.
    Resource group      Select test-rg.
    Instance details
    Name                Enter asg-mgmt.
    Region              Select East US 2.

  7. Select Review + create.

  8. Select Create.

Create a network security group

A network security group (NSG) filters network traffic in your virtual network.

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

     Note

    In the search results for Network security groups, you may see Network security groups (classic). Select Network security groups.

  2. Select + Create.

  3. On the Basics tab of Create network security group, enter or select this information:

    Setting             Value
    Project details
    Subscription        Select your subscription.
    Resource group      Select test-rg.
    Instance details
    Name                Enter nsg-1.
    Location            Select East US 2.

  4. Select Review + create.

  5. Select Create.

Associate network security group to subnet

In this section, you associate the network security group with the subnet of the virtual network you created earlier.

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

  2. Select nsg-1.

  3. Select Subnets from the Settings section of nsg-1.

  4. In the Subnets page, select + Associate:

    Screenshot of Associate a network security group to a subnet.

  5. Under Associate subnet, select vnet-1 (test-rg) for Virtual network.

  6. Select subnet-1 for Subnet, and then select OK.

Create security rules

  1. Select Inbound security rules from the Settings section of nsg-1.

  2. In Inbound security rules page, select + Add.

  3. Create a security rule that allows ports 80 and 443 to the asg-web application security group. In Add inbound security rule page, enter or select the following information:

    Setting                                  Value
    Source                                   Leave the default of Any.
    Source port ranges                       Leave the default of (*).
    Destination                              Select Application security group.
    Destination application security groups  Select asg-web.
    Service                                  Leave the default of Custom.
    Destination port ranges                  Enter 80,443.
    Protocol                                 Select TCP.
    Action                                   Leave the default of Allow.
    Priority                                 Leave the default of 100.
    Name                                     Enter allow-web-all.

  4. Select Add.

  5. Complete the previous steps with the following information:

    Setting                                  Value
    Source                                   Leave the default of Any.
    Source port ranges                       Leave the default of (*).
    Destination                              Select Application security group.
    Destination application security group   Select asg-mgmt.
    Service                                  Select RDP.
    Action                                   Leave the default of Allow.
    Priority                                 Leave the default of 110.
    Name                                     Enter allow-rdp-all.

  6. Select Add.

     Caution

    In this article, RDP (port 3389) is exposed to the internet for the VM that is assigned to the asg-mgmt application security group.

    For production environments, instead of exposing port 3389 to the internet, it's recommended that you connect to Azure resources that you want to manage using a VPN, private network connection, or Azure Bastion.

    For more information on Azure Bastion, see What is Azure Bastion?.

Create virtual machines

Create two virtual machines (VMs) in the virtual network.

  1. In the portal, search for and select Virtual machines.

  2. In Virtual machines, select + Create, then Azure virtual machine.

  3. In Create a virtual machine, enter or select this information in the Basics tab:

    Setting                 Value
    Project details
    Subscription            Select your subscription.
    Resource group          Select test-rg.
    Instance details
    Virtual machine name    Enter vm-1.
    Region                  Select (US) East US 2.
    Availability options    Leave the default of No infrastructure redundancy required.
    Security type           Select Standard.
    Image                   Select Windows Server 2022 Datacenter - x64 Gen2.
    Azure Spot instance     Leave the default of unchecked.
    Size                    Select a size.
    Administrator account
    Username                Enter a username.
    Password                Enter a password.
    Confirm password        Reenter the password.
    Inbound port rules
    Select inbound ports    Select None.

  4. Select Next: Disks then Next: Networking.

  5. In the Networking tab, enter or select the following information:

    Setting                      Value
    Network interface
    Virtual network              Select vnet-1.
    Subnet                       Select subnet-1 (10.0.0.0/24).
    Public IP                    Leave the default of a new public IP.
    NIC network security group   Select None.

  6. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

  7. Select Create. The VM may take a few minutes to deploy.

  8. Repeat the previous steps to create a second virtual machine named vm-2.

Associate network interfaces to an ASG

When you created the VMs, Azure created a network interface for each VM, and attached it to the VM.

Add the network interface of each VM to one of the application security groups you created previously:

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results, then select vm-1.

  2. Select Application security groups from the Networking section of vm-1.

  3. Select Add application security groups, then in the Add application security groups tab, select asg-web. Finally, select Add.

    Screenshot of Configure application security groups.

  4. Repeat the previous steps for vm-2, selecting asg-mgmt in the Add application security groups tab.

Test traffic filters

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select vm-2.

  3. On the Overview page, select the Connect button and then select Native RDP.

  4. Select Download RDP file.

  5. Open the downloaded rdp file and select Connect. Enter the username and password you specified when creating the VM.

  6. Select OK.

  7. You may receive a certificate warning during the connection process. If you receive the warning, select Yes or Continue to continue with the connection.

    The connection succeeds, because inbound traffic from the internet to the asg-mgmt application security group is allowed through port 3389.

    The network interface for vm-2 is associated with the asg-mgmt application security group and allows the connection.

  8. Open a PowerShell session on vm-2. Connect to vm-1 using the following:

    PowerShell
    mstsc /v:vm-1

    The RDP connection from vm-2 to vm-1 succeeds because virtual machines in the same network can communicate with each other over any port by default.

    You can't create an RDP connection to the vm-1 virtual machine from the internet. The security rule for asg-web doesn't allow connections to port 3389 inbound from the internet, and inbound traffic from the internet is denied to all resources by default.

  9. To install Microsoft IIS on the vm-1 virtual machine, enter the following command from a PowerShell session on the vm-1 virtual machine:

    PowerShell
    Install-WindowsFeature -name Web-Server -IncludeManagementTools

  10. After the IIS installation is complete, disconnect from the vm-1 virtual machine, which leaves you in the vm-2 virtual machine remote desktop connection.

  11. Disconnect from the vm-2 VM.

  12. Search for vm-1 in the portal search box.

  13. On the Overview page of vm-1, note the Public IP address for your VM. The address shown in the following example is 20.230.55.178; your address will be different:

    Screenshot of Public IP address of a virtual machine in the Overview page.

  14. To confirm that you can access the vm-1 web server from the internet, open an internet browser on your computer and browse to http://<public-ip-address-from-previous-step>.
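The results observed in the test above follow from how an NSG evaluates inbound rules: lowest priority number first, first match wins, with Azure's default inbound rules (AllowVnetInBound at 65000, DenyAllInBound at 65500) sitting behind the tutorial's two custom rules. The following Python model is an added example, not part of the original tutorial; the NIC addresses 10.0.0.4 (vm-1) and 10.0.0.5 (vm-2), the internet source 203.0.113.10 and the simplified service-tag matching are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology matching the tutorial: subnet-1 is 10.0.0.0/24,
# vm-1's NIC is in asg-web and vm-2's NIC is in asg-mgmt (IPs are assumed).
VNET = ip_network("10.0.0.0/24")
ASG_MEMBERS = {"asg-web": {"10.0.0.4"}, "asg-mgmt": {"10.0.0.5"}}

@dataclass
class Rule:
    name: str
    priority: int
    source: str      # "Any", a service tag, an ASG name or a CIDR
    dest: str
    protocol: str    # "TCP", "UDP" or "*"
    ports: set       # destination ports, or {"*"} for any
    action: str      # "Allow" or "Deny"

def match_endpoint(selector, ip):
    """Simplified matcher for Any, VirtualNetwork/Internet tags, ASGs and CIDRs (assumption)."""
    if selector in ("Any", "*"):
        return True
    if selector == "VirtualNetwork":
        return ip_address(ip) in VNET
    if selector == "Internet":
        return ip_address(ip) not in VNET
    if selector in ASG_MEMBERS:
        return ip in ASG_MEMBERS[selector]
    return ip_address(ip) in ip_network(selector)

def evaluate(rules, src_ip, dst_ip, protocol, port):
    """NSG semantics: rules are tried in ascending priority and the first match decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and (r.ports == {"*"} or port in r.ports)
                and match_endpoint(r.source, src_ip)
                and match_endpoint(r.dest, dst_ip)):
            return r.action, r.name
    return "Deny", "no-match"  # unreachable while DenyAllInBound is present

# nsg-1 inbound rules from the tutorial plus Azure's default inbound rules
# (AllowAzureLoadBalancerInBound at 65001 is omitted for brevity).
NSG_1_INBOUND = [
    Rule("allow-web-all", 100, "Any", "asg-web", "TCP", {80, 443}, "Allow"),
    Rule("allow-rdp-all", 110, "Any", "asg-mgmt", "TCP", {3389}, "Allow"),
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", {"*"}, "Allow"),
    Rule("DenyAllInBound", 65500, "Any", "Any", "*", {"*"}, "Deny"),
]
```

Calling evaluate with the internet source against vm-1 on port 3389 returns the DenyAllInBound match, while the same source against vm-2 matches allow-rdp-all, and vm-2 to vm-1 on 3389 is allowed by AllowVnetInBound, which is exactly what the RDP tests above show.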

Create Web Application Firewall policies for Application Gateway

Associating a WAF policy with listeners allows multiple sites behind a single WAF to be protected by different policies. For example, if there are five sites behind your WAF, you can have five separate WAF policies (one for each listener) to customize the exclusions, custom rules, and managed rulesets for one site without affecting the other four. If you want a single policy to apply to all sites, you can associate the policy with the Application Gateway itself, rather than with the individual listeners, so that it applies globally. Policies can also be applied to a path-based routing rule.

You can make as many policies as you want. Once you create a policy, it must be associated to an Application Gateway to go into effect, but it can be associated with any combination of Application Gateways and listeners.

If your Application Gateway has an associated policy, and you then associate a different policy with a listener on that Application Gateway, the listener's policy takes effect, but only for the listeners it's assigned to. The Application Gateway policy still applies to all other listeners that don't have a specific policy assigned to them.

For new Web Application Firewalls, all WAF settings (custom rules, managed ruleset configurations, exclusions, and so on) live inside a WAF Policy. If you have an existing WAF, these settings may still exist in your WAF config. For steps on how to move to the new WAF Policy, see Upgrade your WAF Config to a WAF Policy later in this article.

WAF policies need to be in the enabled state to inspect request traffic, log events and take action on requests. WAF policies in detection mode will log events when WAF rules are triggered but won't take any other action. Policies in prevention mode will take action on requests as well as log the event in the logs.

Create a policy

First, create a basic WAF policy with a managed Default Rule Set (DRS) using the Azure portal.

  1. On the upper left side of the portal, select Create a resource. Search for WAF, select Web Application Firewall, then select Create.

  2. On Create a WAF policy page, Basics tab, enter or select the following information and accept the defaults for the remaining settings:

    Setting          Value
    Policy for       Regional WAF (Application Gateway)
    Subscription     Select your subscription name.
    Resource group   Select your resource group.
    Policy name      Type a unique name for your WAF policy.

  3. On the Association tab, select Add association, then select one of the following settings:

    Setting               Value
    Application Gateway   Select the application gateway, and then select Add.
    HTTP Listener         Select the application gateway, select the listeners, then select Add.
    Route Path            Select the application gateway, select the listener, select the routing rule, and then select Add.

     Note

    If you assign a policy to your Application Gateway (or listener) that already has a policy in place, the original policy is overwritten and replaced by the new policy.

  4. Select Review + create, then select Create.

    Screenshot of WAF policy basics.

Configure WAF rules (optional)

When you create a WAF policy, by default it is in Detection mode. In Detection mode, WAF doesn't block any requests. Instead, the matching WAF rules are logged in the WAF logs. To see WAF in action, you can change the mode settings to Prevention. In Prevention mode, matching rules defined in the Microsoft Managed Rulesets you selected are blocked and/or logged in the WAF logs.

Managed rules

Azure-managed OWASP rules are enabled by default. To disable an individual rule within a rule group, expand the rules within that rule group, select the check box in front of the rule number, and select Disable on the tab above.

Screenshot of Managed rules.

Custom rules

To create a custom rule, select Add custom rule under the Custom rules tab. This opens the custom rule configuration page. The following screenshot shows an example custom rule configured to block a request if the query string contains the text blockme.

Screenshot of Edit custom rule.
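The following Python model ties together the listener-versus-gateway precedence, the enabled/detection/prevention semantics, and the blockme custom rule described in the sections above. It is an added example, not Azure's own evaluation logic or code from the original article; the listener names, policy names, the single Contains operator, and the simplified verdicts are constructed assumptions, and managed rules are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class CustomRule:
    name: str
    priority: int
    match_variable: str   # request part to inspect, e.g. "QueryString"
    value: str            # matched with the "Contains" operator (the only one modelled)
    action: str = "Block"

@dataclass
class WafPolicy:
    name: str
    state: str = "Enabled"     # "Enabled" or "Disabled"
    mode: str = "Detection"    # "Detection" (log only) or "Prevention" (log and act)
    custom_rules: list = field(default_factory=list)

def effective_policy(gateway_policy, listener_policies, listener):
    """A policy bound to the listener overrides the gateway-wide policy for that listener only."""
    return listener_policies.get(listener, gateway_policy)

def inspect(policy, request):
    """Return (verdict, rule_name): a disabled policy inspects nothing, detection mode
    only logs a match, and prevention mode blocks on a matching Block rule."""
    if policy is None or policy.state != "Enabled":
        return "Pass", None
    for rule in sorted(policy.custom_rules, key=lambda r: r.priority):
        if rule.value in request.get(rule.match_variable, ""):
            if rule.action == "Block" and policy.mode == "Prevention":
                return "Blocked", rule.name
            return "Logged", rule.name   # detection mode, or a non-blocking rule
    return "Pass", None

# Constructed: the article's example rule (block when the query string contains "blockme"),
# applied gateway-wide in Detection mode, to one listener in Prevention mode,
# and to another listener through a policy that is still Disabled.
BLOCKME = CustomRule("block-blockme", 10, "QueryString", "blockme")
GATEWAY_POLICY = WafPolicy("gateway-policy", custom_rules=[BLOCKME])
LISTENER_POLICIES = {
    "listener-site3": WafPolicy("site3-policy", mode="Prevention", custom_rules=[BLOCKME]),
    "listener-site4": WafPolicy("site4-policy", state="Disabled", custom_rules=[BLOCKME]),
}

def decide(listener, query_string):
    """Resolve which policy governs the listener, then inspect the request's query string."""
    policy = effective_policy(GATEWAY_POLICY, LISTENER_POLICIES, listener)
    return inspect(policy, {"QueryString": query_string})
```

A request carrying blockme to listener-site1 is only logged (the gateway policy is in Detection mode), the same request to listener-site3 is blocked by its own Prevention-mode policy, and listener-site4 passes it untouched because a Disabled policy inspects nothing.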

Upgrade your WAF Config to a WAF Policy

If you have an existing WAF, you may have noticed some changes in the portal. First you need to identify what kind of Policy you've enabled on your WAF. There are three potential states:

  1. No WAF Policy
  2. Custom Rules only Policy
  3. WAF Policy

You can tell which state your WAF is in by looking at it in the portal. If the WAF settings are visible and can be changed from within the Application Gateway view, your WAF is in state 1.

Screenshot of WAF configuration.

If you select Web Application Firewall and it shows you an associated policy, the WAF is in state 2 or state 3. After navigating to the policy, if it shows only custom rules, and Associated Application Gateways, then it's a Custom Rules only Policy.

Screenshot of WAF custom rules.

If it also shows Policy Settings and Managed Rules, then it's a full Web Application Firewall policy.

Screenshot of WAF policy settings.