Microsoft Azure: Network Security Groups (NSG)
Presented By: Shawn Ismail
SHAWN ISMAIL
My twitter is @shawnismail, my blog is at http://cloudranger.net and I work at
ARCHITECT | CONSULTANT | GENEROUS
WHAT WE WILL TALK ABOUT TODAY…
1. Overview of Azure security
2. Azure Network Security Groups (NSG)
3. Demo of NSGs in action
Cloud adaptability is strongly tied to Cloud Security
IN CLOUD WHERE WE ARE TODAY?
[Bullet text mostly not recoverable from the extraction; legible fragments: "IT is playing a …", "… hesitate to fully embrace …", "2014/2015".]
WHAT CUSTOMERS WANT FROM CLOUD PROVIDERS
[Bullet text not recoverable from the extraction.]
MICROSOFT CLOUD INFRASTRUCTURE SUPPORTS 1 BILLION CUSTOMERS, 140 COUNTRIES, 10 LANGUAGES AND 24 CURRENCIES
The logical isolations; Software Defined Networking (SDN) takes a lead
AZURE NETWORK PROTECTION
[Bullet text not recoverable from the extraction.]
IF YOU’RE RESISTING THE CLOUD BECAUSE OF SECURITY CONCERNS, YOU’RE RUNNING OUT OF EXCUSES
A representation of your own network in the cloud
AZURE VIRTUAL NETWORKS (VNET)
[Diagram: a Subscription holds one or more VNets; each VNet holds one or more Subnets.]
Virtual Network (MyVNET1): WFE1, DC1, SQL1
Virtual Network (MyVNET2): WFE2, DC2, SQL2

Virtual Network (MyVNET1), Address Space: 10.1.0.0/16
  MySubnet1: 10.1.0.0/24 (10.1.0.0 - 10.1.0.255): WFE1, DC1, SQL1 at 10.1.0.5, 10.1.0.6, 10.1.0.7
Virtual Network (MyVNET2), Address Space: 10.2.0.0/16
  MySubnet2: 10.2.0.0/24 (10.2.0.0 - 10.2.0.255): WFE2, DC2, SQL2 at 10.2.0.5, 10.2.0.6, 10.2.0.7

Multiple subnets in a VNet
AZURE VIRTUAL NETWORKS (VNET)
Virtual Network (MyVNET1), Address Space: 10.1.0.0/16
  MySubnet1: 10.1.1.0/24 (10.1.1.0 - 10.1.1.255): WFE1, DC1, SQL1 at 10.1.1.5, 10.1.1.6, 10.1.1.7
  MySubnet2: 10.1.2.0/24 (10.1.2.0 - 10.1.2.255): FS1, EX1 at 10.1.2.5, 10.1.2.6
Azure Network Security Groups
WHAT ARE AZURE NSGS?
• NSGs are used to control inbound and outbound …
• … rule is based on source IP address, …
[Remaining bullet text not recoverable from the extraction.]
Azure Network Security Groups Construct
NSG CONSTRUCT
[Bullet text not recoverable from the extraction.]
PowerShell: New-AzureNetworkSecurityGroup -Name "MySQL-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
Azure Network Security Groups Rule Construct
NSG RULE CONSTRUCT
[Bullet text not recoverable from the extraction; legible fragment: "Priority".]
Fields of a rule, as used in the command below: Name, Direction, Priority, Access, SourceAddressPrefix, SourcePortRange, DestinationAddressPrefix, DestinationPortRange, Protocol, Description.
PowerShell: Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-P" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.6" -DestinationPortRange "1433" -Protocol "*" -Description "TO MySQL1 server from FE Servers"
Azure Network Security Groups Default Rules
NSG DEFAULT RULES
[Default rule table not recoverable from the extraction.]
Notice the Default Tags
Where to apply an NSG is based on individual requirements
WHERE CAN AN NSG BE APPLIED?
[Bullet text not recoverable from the extraction.]
Your organization may create a best practice that works for you
OUR SCENARIO
Virtual Network (MyVNET1), Address Space: 10.1.0.0/16
  MyFESubnet: 10.1.2.0/24 (10.1.2.0 - 10.1.2.255): MyWFE1 (10.1.2.4)
  MyBESubnet: 10.1.1.0/24 (10.1.1.0 - 10.1.1.255): MyDC1 (10.1.1.4), MySQL1 (10.1.1.5)
MyBESubnet:
1. Inbound - Allow all traffic from MyFESubnet to MyDC1
2. Inbound - Allow only traffic from MyFESubnet to MySQL1 on Port 1433
3. Outbound - Deny all traffic to INTERNET
MyFESubnet:
1. Inbound - Allow all traffic from MyBESubnet
2. Inbound - Only allow INTERNET traffic on port 80 to MyWFE1
Thank You! Organizers, Sponsors and You for making this possible.
More Slides At Slideshare.Net/shawnismail
More Free Azure Videos At CloudRanger.net
More Professional Help At 2toLead.com
Message Me On LinkedIn or Email [email protected]
Appendix
Add-AzureAccount
Get-AzureSubscription
Switch-AzureMode AzureResourceManager

# Create NSG
New-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
$nsgroup = Get-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2"

# Allow
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyBESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "Allow all RDP traffic to MyBESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyDC1-MyFESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.4" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyFESubnet to MyDC1"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MySQL1-MyFESubnet-P1433" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.5" -DestinationPortRange "1433" -Protocol "*" -Description "Allow traffic from MyFESubnet on port 1433 to MySQL1"

# Deny
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyFESubnet-MyBESubnet" -Direction Inbound -Priority 2000 -Access Deny -SourceAddressPrefix "10.1.2.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Deny all other inbound traffic from MyFESubnet to MyBESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET" -Direction Outbound -Priority 2001 -Access Deny -SourceAddressPrefix "10.1.1.0/24" -SourcePortRange "*" -DestinationAddressPrefix "INTERNET" -DestinationPortRange "*" -Protocol "*" -Description "Deny all Outbound traffic to the Internet"

# Attach all created rules to Network Security Group
Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup

# Remove
# Remove-AzureNetworkSecurityGroup -Name "MyBESubnet-NSG" -ResourceGroupName "MyRGEast2"
# Remove-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "FROM-MyBESubnet-INTERNET"
Appendix A
Add-AzureAccount
Get-AzureSubscription
Switch-AzureMode AzureResourceManager

# Create NSG
New-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -Location "East US 2" -ResourceGroupName "MyRGEast2"
$nsgroup = Get-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"

# Allow
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-INTERNET-P3389" -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "3389" -Protocol "Tcp" -Description "Allow all RDP traffic to MyFESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyFESubnet-MyBESubnet-PALL" -Direction Inbound -Priority 1001 -Access Allow -SourceAddressPrefix "10.1.1.0/24" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.0/24" -DestinationPortRange "*" -Protocol "*" -Description "Allow all traffic from MyBESubnet to MyFESubnet"
Add-AzureNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgroup -Name "TO-MyWFE1-INTERNET-P80" -Direction Inbound -Priority 1002 -Access Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" -DestinationAddressPrefix "10.1.2.4" -DestinationPortRange "80" -Protocol "*" -Description "Allow port 80 traffic to MyWFE1"

# Attach all created rules to Network Security Group
Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $nsgroup

# Remove
# Remove-AzureNetworkSecurityGroup -Name "MyFESubnet-NSG" -ResourceGroupName "MyRGEast2"
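To check that the two Appendix rule sets actually implement the scenario (and to show how priority ordering and the default rules interact), here is a small rule evaluator added to this write-up. It is not part of the deck and not Azure's own packet-classification engine: it merges the custom rules with the six default rules, sorts by priority and returns the first match. The rule lists are transcribed from the Appendix (MyBESubnet-NSG) and Appendix A (MyFESubnet-NSG) scripts. Assumptions of this example: the INTERNET tag is simplified to "any address outside 10.1.0.0/16", AZURE_LOADBALANCER to the probe source 168.63.129.16, and the sample flows are constructed, with public addresses taken from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# MyVNET1 address space from the slides. The VIRTUAL_NETWORK and INTERNET
# default tags are resolved against it (assumption of this example:
# INTERNET = any address outside the VNet).
VNET_SPACE = ipaddress.ip_network("10.1.0.0/16")
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure LB health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str  # "Inbound" or "Outbound"
    priority: int   # lower number is evaluated first; the first match wins
    access: str     # "Allow" or "Deny"
    src: str        # CIDR, single address, "*" or a default tag
    dst: str
    dport: str      # single destination port or "*"
    protocol: str   # "Tcp", "Udp" or "*"


# The six default rules every NSG carries. They cannot be deleted; a custom
# rule takes precedence only by using a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", "Inbound", 65000, "Allow", "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "*", "*"),
    Rule("AllowAzureLoadBalancerInBound", "Inbound", 65001, "Allow", "AZURE_LOADBALANCER", "*", "*", "*"),
    Rule("DenyAllInBound", "Inbound", 65500, "Deny", "*", "*", "*", "*"),
    Rule("AllowVNetOutBound", "Outbound", 65000, "Allow", "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "*", "*"),
    Rule("AllowInternetOutBound", "Outbound", 65001, "Allow", "*", "INTERNET", "*", "*"),
    Rule("DenyAllOutBound", "Outbound", 65500, "Deny", "*", "*", "*", "*"),
]

# Rule sets transcribed from the Appendix (MyBESubnet-NSG) and Appendix A (MyFESubnet-NSG) scripts.
MYBESUBNET_NSG = [
    Rule("TO-MyBESubnet-INTERNET-P3389", "Inbound", 1000, "Allow", "INTERNET", "10.1.1.0/24", "3389", "Tcp"),
    Rule("TO-MyDC1-MyFESubnet-PALL", "Inbound", 1001, "Allow", "10.1.2.0/24", "10.1.1.4", "*", "*"),
    Rule("TO-MySQL1-MyFESubnet-P1433", "Inbound", 1002, "Allow", "10.1.2.0/24", "10.1.1.5", "1433", "*"),
    Rule("FROM-MyFESubnet-MyBESubnet", "Inbound", 2000, "Deny", "10.1.2.0/24", "10.1.1.0/24", "*", "*"),
    Rule("FROM-MyBESubnet-INTERNET", "Outbound", 2001, "Deny", "10.1.1.0/24", "INTERNET", "*", "*"),
]
MYFESUBNET_NSG = [
    Rule("TO-MyFESubnet-INTERNET-P3389", "Inbound", 1000, "Allow", "INTERNET", "10.1.2.0/24", "3389", "Tcp"),
    Rule("TO-MyFESubnet-MyBESubnet-PALL", "Inbound", 1001, "Allow", "10.1.1.0/24", "10.1.2.0/24", "*", "*"),
    Rule("TO-MyWFE1-INTERNET-P80", "Inbound", 1002, "Allow", "INTERNET", "10.1.2.4", "80", "*"),  # deck spells it INETRNET
]


def _addr_match(prefix: str, ip: str) -> bool:
    """Does a rule's address field (CIDR, single IP, '*' or default tag) cover ip?"""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    tag = prefix.upper()
    if tag == "INTERNET":
        return addr not in VNET_SPACE
    if tag == "VIRTUAL_NETWORK":
        return addr in VNET_SPACE
    if tag == "AZURE_LOADBALANCER":
        return addr == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(prefix, strict=False)


def evaluate(custom_rules, direction, src, dst, dport, protocol="Tcp"):
    """Return (access, rule_name) of the first rule in priority order that matches
    the flow; custom and default rules are merged, as Azure does for an NSG."""
    ordered = sorted((r for r in custom_rules + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if (_addr_match(r.src, src) and _addr_match(r.dst, dst)
                and (r.dport == "*" or int(r.dport) == dport)
                and (r.protocol == "*" or r.protocol.lower() == protocol.lower())):
            return r.access, r.name
    raise RuntimeError("unreachable: a DenyAll default rule matches every flow")


if __name__ == "__main__":
    # Constructed sample flows; public addresses are from the documentation ranges.
    flows = [
        (MYBESUBNET_NSG, "Inbound", "10.1.2.4", "10.1.1.5", 1433, "Tcp"),      # FE -> MySQL1 (requirement 2)
        (MYBESUBNET_NSG, "Inbound", "10.1.2.4", "10.1.1.5", 80, "Tcp"),        # FE -> MySQL1, other port
        (MYBESUBNET_NSG, "Inbound", "10.1.1.4", "10.1.1.5", 1433, "Tcp"),      # MyDC1 -> MySQL1, same subnet
        (MYBESUBNET_NSG, "Inbound", "203.0.113.10", "10.1.1.5", 3389, "Tcp"),  # Internet -> MySQL1 RDP
        (MYBESUBNET_NSG, "Outbound", "10.1.1.4", "198.51.100.7", 443, "Tcp"),  # MyDC1 -> Internet (req. 3)
        (MYFESUBNET_NSG, "Inbound", "203.0.113.10", "10.1.2.4", 80, "Tcp"),    # Internet -> MyWFE1 web
        (MYFESUBNET_NSG, "Inbound", "203.0.113.10", "10.1.2.4", 443, "Tcp"),   # Internet -> MyWFE1 HTTPS
    ]
    for nsg, direction, src, dst, port, proto in flows:
        access, rule = evaluate(nsg, direction, src, dst, port, proto)
        print(f"{direction:8} {src:>13} -> {dst}:{port:<4} {proto}  {access:5} by {rule}")
```

Two results are worth noticing when reviewing the scripts against the scenario. First, the rule at priority 1000 in each script allows RDP from INTERNET to the whole subnet, which none of the scenario requirements asked for; a flow from a public address to MySQL1 on 3389 comes back Allow. Second, "allow only traffic from MyFESubnet to MySQL1 on port 1433" holds against the front-end subnet and the Internet, but a flow from MyDC1 (or any other VNet address) to MySQL1 on 1433 is still allowed by the default AllowVNetInBound rule at 65000, because the explicit Deny at 2000 only covers sources in 10.1.2.0/24. Restricting that would need a Deny rule with a priority number below 65000 and a broader source.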
Appendix B
Run to listen on a port on server A:
$Listener = [System.Net.Sockets.TcpListener]1433
$Listener.Start()
$Listener.AcceptTcpClient()
Run on server B to connect a client to server A (use server A's address):
(New-Object Net.Sockets.TcpClient).Connect("SERVERAIP", 1433)