Configuring Azure Network Security Groups with PowerShell

One of my first activities in my new role here at Insight has been to help one of our customers set up an Azure environment for a Business Intelligence project, with a couple of network security requirements, including the configuration of Azure Network Security Groups (NSGs), which can be used to control the traffic between Virtual Machines. In this post we will focus only on this part of the request, showing how to create a simple test scenario to simulate the use of Azure NSGs.

Scenario

Create a Virtual Network on Azure with two subnets, and enable only the specified traffic between the two subnets. In our example we will allow FTP traffic and deny all other traffic.

Configuration

1. Create an Azure Virtual Network and two subnets. This step is very easy and can be done using the Azure portal (both the old and the new portal are fine for this purpose). For a tutorial you can visit this page: http://azure.microsoft.com/en-us/documentation/articles/create-virtual-network/

   The result of the VNET creation is shown below. We have a Virtual Network called netacl. The VNET contains two subnets:
   - Subnet-1 – 10.0.0.0/24
   - Subnet-2 – 10.0.1.0/24

2. Create two virtual machines, each placed in a specific subnet:
   a. francedacl1 – 10.0.0.4 (Subnet-1)
   b. francedacl2 – 10.0.1.4 (Subnet-2)

3. Enable a network security group at subnet level, to limit the allowed traffic between the two subnets. The security group will be called sg1. In our case we are using the SG at subnet level, but you could also apply it to individual VMs. This step can be accomplished using PowerShell; below are the cmdlets I used for the configuration.

    Add-AzureAccount

    Set-AzureSubscription -SubscriptionName "my subscription"
    Select-AzureSubscription -SubscriptionName "my subscription"
    Get-AzureSubscription

    $vnetname = "netacl"
    $subnetname = "Subnet-1"

    #francedacl1 10.0.0.4 in subnet "Subnet-1"
    #francedacl2 10.0.1.4 in subnet "Subnet-2"

    #Create a new security group
    New-AzureNetworkSecurityGroup -Name "sg1" -Location "West Europe"

    #Associate the SG with Subnet-1 (the Outbound rules below filter traffic leaving this subnet)
    Get-AzureNetworkSecurityGroup -Name "sg1" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnetname -SubnetName $subnetname

    #Allow FTP (control channel, TCP/21) from Subnet-1 to Subnet-2
    Get-AzureNetworkSecurityGroup -Name "sg1" | Set-AzureNetworkSecurityRule -Name "Allow FTP" -Type Outbound -Priority 100 -Action Allow -SourceAddressPrefix '10.0.0.0/24' -SourcePortRange '*' -DestinationAddressPrefix '10.0.1.0/24' -DestinationPortRange '21' -Protocol TCP

    #Deny all other traffic from Subnet-1 to Subnet-2 (the lower priority number is evaluated first, so the Allow above wins for TCP/21)
    Get-AzureNetworkSecurityGroup -Name "sg1" | Set-AzureNetworkSecurityRule -Name "Disable all other traffic" -Type Outbound -Priority 200 -Action Deny -SourceAddressPrefix '10.0.0.0/24' -SourcePortRange '*' -DestinationAddressPrefix '10.0.1.0/24' -DestinationPortRange '*' -Protocol '*'

    #Get info on the SG, including its rules
    Get-AzureNetworkSecurityGroup -Name "sg1" -Detailed

Test the configuration

To test the configuration we can simply try to access the FTP port (success) and try to access another port, e.g. RDP (failure).

In case you need to delete the security group you can use the commands below:

    #remove the subnet association first, then the group itself
    Remove-AzureNetworkSecurityGroupFromSubnet -Name "sg1" -VirtualNetworkName "netacl" -SubnetName "Subnet-1"
    Remove-AzureNetworkSecurityGroup "sg1" -Force

Considerations

NSGs are a great enhancement that can assist in the design of a secure network configuration, e.g. a DMZ. I recommend visiting the official Microsoft documentation to get more information about NSGs: http://azure.microsoft.com/blog/2014/11/04/network-security-groups/

Ciao!
Francesco
@francedit
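The "Test the configuration" step above can be scripted so the expected allow/deny outcome of each port is checked against what the NSG actually does. This is an added example, not part of the original post; it assumes it is run on francedacl1 (10.0.0.4 in Subnet-1) after sg1 has been associated with Subnet-1, that francedacl2 (10.0.1.4) listens on TCP/21 and TCP/3389, and that Test-NetConnection is available (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added verification script (not from the original post). Assumed to run on
# francedacl1 in Subnet-1, targeting francedacl2 in Subnet-2 (addresses from the post).
$target = '10.0.1.4'

# Expected outcome per port, derived from the two rules in sg1:
#   "Allow FTP" (priority 100) permits TCP/21; "Disable all other traffic"
#   (priority 200) denies everything else from 10.0.0.0/24 to 10.0.1.0/24.
# Port 21 only exercises the FTP control channel; passive-mode data connections
# use other server ports that this rule set does not allow.
$expectations = @(
    [pscustomobject]@{ Name = 'FTP control'; Port = 21;   Expected = $true  },
    [pscustomobject]@{ Name = 'RDP';         Port = 3389; Expected = $false },
    [pscustomobject]@{ Name = 'SMB';         Port = 445;  Expected = $false }
)

$results = foreach ($e in $expectations) {
    # Suppress the "TCP connect failed" warning for ports we expect to be blocked.
    $tnc = Test-NetConnection -ComputerName $target -Port $e.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Name     = $e.Name
        Port     = $e.Port
        Expected = $e.Expected
        Actual   = $tnc.TcpTestSucceeded
        Result   = if ($tnc.TcpTestSucceeded -eq $e.Expected) { 'PASS' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize

# A port that should be denied but answered usually means the deny rule is
# missing, has a higher priority number than intended, or sg1 is not actually
# associated with Subnet-1. Exit non-zero so the check can gate a deployment.
if ($results.Result -contains 'FAIL') {
    Write-Error 'NSG behaviour does not match the expected rule set.'
    exit 1
}
```

Run the script once before associating sg1 with Subnet-1 to confirm all three ports answer; otherwise a later "PASS" on a denied port could simply reflect a service that is not listening rather than the NSG doing its job.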