Network Security Groups on Azure
Network Security Groups (NSGs) let you segment a virtual network (VNet). The feature also lets you control what enters and leaves a virtual machine connected to the VNet, which makes it possible to build DMZ (demilitarized zone) scenarios.
It is common in a local network to have the front-end servers (IIS, ...) placed in a DMZ and the database or other servers in the internal network. This allows, for example, securing an application's data by giving access only to a web server... Usually this server contains no data itself.
Several aspects are to be considered when setting up a Network Security Group:
- A rule is defined by a 5-tuple of parameters (source and destination IP address, source and destination port, protocol).
- The configured rules are stateful. If a rule allows inbound traffic on a port (443, 80), it is not necessary to configure an outbound rule for the return traffic on the same port.
- Network Security Groups contain default rules that allow connections within the virtual network and outbound to the Internet. User rules take priority over these default rules.
- Each rule has a priority expressed as a numeric value. The rule with the smaller value has the higher priority and is evaluated first.
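Added example (not part of the original article) that models the 5-tuple matching and priority order just described, using the walkthrough's two rules (deny everything at 4096, allow RDP on 3389) together with Azure's built-in default inbound rules; the 10.0.0.0/16 VNet range and the priority 100 for the RDP rule are assumptions. It shows that the user deny rule at 4096 also shadows the default AllowVnetInBound rule at 65000, so traffic from inside the VNet is blocked unless a user rule allows it.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    source: str     # CIDR, "*" or the service tag "VirtualNetwork"
    dest_port: str  # "*", a single port "3389" or a range "80-443"
    protocol: str   # "Tcp", "Udp" or "*"
    action: str     # "Allow" or "Deny"

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space (assumption)

def _source_matches(rule_source, src_ip):
    if rule_source == "*":
        return True
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "VirtualNetwork":
        return ip in VNET
    return ip in ipaddress.ip_network(rule_source)

def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, dest_port, protocol):
    """First match wins, in ascending priority order; returns (action, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (_source_matches(r.source, src_ip) and _port_matches(r.dest_port, dest_port)
                and r.protocol in ("*", protocol)):
            return r.action, r.name
    return "Deny", "implicit"  # not reached while DenyAllInBound is present

# Azure's built-in default inbound rules (the AzureLoadBalancer rule is left out here)
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# The two rules from the walkthrough; priority 100 for the RDP rule is an assumption
USER_INBOUND = [
    Rule("Default Rules", 4096, "*", "*", "*", "Deny"),
    Rule("Allow-RDP", 100, "*", "3389", "Tcp", "Allow"),
]

def decide(src_ip, dest_port, protocol="Tcp", user_rules=USER_INBOUND):
    return evaluate(user_rules + DEFAULT_INBOUND, src_ip, dest_port, protocol)
```

Statefulness is not modelled here: as the text notes, the return traffic of an allowed inbound connection needs no outbound rule.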
Implementation of Network Security Groups
In the Azure console, click More services, then Network security groups.
Click the Add button and enter the name you want. Select the existing resource group and then click Create.
The network security group resource is successfully created.
Next, click on the inbound security rules to define what to allow. Click OK to validate the configuration.
Click Add, then enter Default Rules as the name. Type 4096 in the Priority field. Enter * in Port range and then select Deny as the Action.
The rule is now created correctly.
Repeat the same operation to create a rule that allows port 3389 (RDP).
The rules have been created.
In the properties of the security group, click Subnets and then click Associate.
Select the virtual network and the subnet.