Darryl Mitchell

@darrmitchell

Lead Engineer @ NeoCloud working in cloud-based messaging and datacenter design/implementation


Working with Azure Network Security groups

By default, when you deploy an Azure VM a Network Security Group (NSG) is created with a set of default rules that allow vNet and Internet traffic and allow RDP from any source. This is fine for throwaway VMs and immediate access for you to get things set up, but it's not ideal for long-term production use.

In most of my customer use cases we're using Azure as a hybrid datacenter solution, so site-to-site connectivity is established. This makes it easy to narrow allowed traffic down to a specific subnet.

You can use PowerShell to quickly create a rule to do this. To get a list of the NSGs in your subscription you can run this command:

Get-AzureRmNetworkSecurityGroup | select Name, ResourceGroupName

Once you have the desired NSG name and resource group you can store it in a variable:

$nsgName = Get-AzureRmNetworkSecurityGroup -Name "test-nsg" -ResourceGroupName "test-rg"

Now that you have the NSG stored in a variable, you can take a look at what rules are in effect for that NSG:

# DefaultSecurityRules holds the built-in rules; rules you add (and the portal's RDP rule) live under SecurityRules
$nsgName | select -Expand DefaultSecurityRules

One unique thing about NSGs is, from a PowerShell perspective, they function sort of like a firewall/router where you "Add/Remove" rules and then commit the new ruleset using a "Set" command.

In the next command, we're specifying the NSG variable and then adding a new rule with a priority of 100 (the lowest number allowed, so it is evaluated before every other custom rule) that allows all traffic on any port from our on-premises subnet:

$nsgName | Add-AzureRmNetworkSecurityRuleConfig `
-Name "LocalNetwork-AllowAll" `
-Description "Allows all traffic from local subnets" `
-Access Allow `
-Protocol * `
-Direction Inbound `
-Priority 100 `
-SourceAddressPrefix "10.0.0.0/24" `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange *

Now we commit that rule addition to the NSG:

$nsgName | Set-AzureRmNetworkSecurityGroup

If you don't have a Site-to-Site tunnel, you could replace the SourceAddressPrefix with the public IP your traffic originates from (e.g. the address you see when you visit ipchicken.com).

Note that this is an "allow all" rule. It is literally allowing all traffic from that subnet into the Azure VM. Don't do this with SourceAddressPrefix "0.0.0.0/0" unless you want a compromised VM.
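Since the risk here is an Allow rule whose source is wide open, it helps to have a quick way to spot such rules across the subscription. The following audit script is an added example, not code from the original post: it walks every NSG returned by Get-AzureRmNetworkSecurityGroup (the same cmdlet used above) and lists the inbound Allow rules whose source is "*", "0.0.0.0/0" or the "Internet" service tag. The SecurityRules property is where your custom rules (and the portal-created RDP rule) live; the property names used are those of the AzureRm PSNetworkSecurityGroup and PSSecurityRule objects. It assumes the AzureRm module is loaded and you are already signed in.

```powershell
# Added example (not from the original post): list inbound Allow rules that are
# open to any source, across every NSG in the current subscription.
# Assumes the AzureRm module is loaded and Login-AzureRmAccount has been run.
$anySource = @('*', '0.0.0.0/0', 'Internet')

Get-AzureRmNetworkSecurityGroup | ForEach-Object {
    $nsg = $_
    # SecurityRules = custom rules; DefaultSecurityRules = Azure's built-in rules.
    foreach ($rule in $nsg.SecurityRules) {
        # SourceAddressPrefix may be a single string or a list, so pipe it either way.
        $openSource = $rule.SourceAddressPrefix | Where-Object { $anySource -contains $_ }

        if ($rule.Direction -eq 'Inbound' -and $rule.Access -eq 'Allow' -and $openSource) {
            [pscustomobject]@{
                NSG           = $nsg.Name
                ResourceGroup = $nsg.ResourceGroupName
                Rule          = $rule.Name
                Priority      = $rule.Priority
                Protocol      = $rule.Protocol
                DestPorts     = ($rule.DestinationPortRange -join ',')
                Source        = ($rule.SourceAddressPrefix -join ',')
            }
        }
    }
} | Sort-Object NSG, Priority | Format-Table -AutoSize
```

On a freshly deployed VM this will typically surface the portal's default RDP rule (source "*", destination port 3389), which is exactly the rule the rest of this post replaces with a subnet-scoped one. Rules are printed in priority order, so you can see at a glance which open rule wins for a given NSG.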

Let's say you did want to allow ICMP traffic publicly, but you want to also disallow all other TCP/UDP traffic. You could do that by creating explicit "deny" rules for both TCP and UDP with a lower priority number (so they are evaluated first) than an "any" rule that allows any traffic (which would include ICMP). Example:

100  Block TCP
101  Block UDP
102  Allow Any
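The three-rule layout above, written out with the same Add/Set pattern used earlier in this post. This is an added example, not code from the original post, and it assumes the AzureRm module, the same placeholder NSG "test-nsg" in "test-rg", and the on-premises subnet 10.0.0.0/24. It keeps the on-premises allow-all rule at priority 100, so the deny/allow trio uses 110, 111 and 112 instead of 100, 101 and 102; without that ordering, the TCP and UDP deny rules would also cut off traffic from the site-to-site tunnel.

```powershell
# Added example (not from the original post): allow ICMP from anywhere while
# denying all other inbound TCP/UDP, keeping the on-premises subnet fully allowed.
# Assumes the AzureRm module, NSG "test-nsg" in "test-rg", and on-prem subnet 10.0.0.0/24.
$nsg = Get-AzureRmNetworkSecurityGroup -Name "test-nsg" -ResourceGroupName "test-rg"

# NSG rules are evaluated from the lowest priority number upward; first match wins.
# 100: the on-premises subnet gets everything, evaluated before the deny rules below.
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name "LocalNetwork-AllowAll" `
    -Description "Allows all traffic from local subnets" `
    -Access Allow -Protocol * -Direction Inbound -Priority 100 `
    -SourceAddressPrefix "10.0.0.0/24" -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange * | Out-Null

# 110 / 111: explicit denies for TCP and UDP from any other source.
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name "Public-DenyTcp" `
    -Description "Deny all inbound TCP from any source" `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange * | Out-Null

$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name "Public-DenyUdp" `
    -Description "Deny all inbound UDP from any source" `
    -Access Deny -Protocol Udp -Direction Inbound -Priority 111 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange * | Out-Null

# 112: allow anything that is left, which after the two denies is ICMP
# (and any other non-TCP/UDP protocol Azure forwards).
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name "Public-AllowRemaining" `
    -Description "Allow remaining inbound traffic (ICMP) from any source" `
    -Access Allow -Protocol * -Direction Inbound -Priority 112 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange * | Out-Null

# Commit the new rule set, then show it in evaluation order for a final check.
$nsg = $nsg | Set-AzureRmNetworkSecurityGroup
$nsg.SecurityRules | Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

Set-AzureRmNetworkSecurityGroup returns the updated object, so reassigning it to $nsg and printing SecurityRules sorted by Priority shows the rules exactly as Azure will evaluate them. If you later need a TCP service reachable from the Internet (HTTPS, say), it needs its own Allow rule with a priority number below 110; anything added above it is shadowed by the deny.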

