Azure DMZ Subnets: Network Security Groups Do More Than Block Packets
When people first start using Azure, they normally do something silly, like accidentally exposing a virtual machine fully to the Internet. Then they find out about Network Security Groups (NSG’s), which act as a basic firewall to block ports, but NSG’s do so much more!
An obvious use for NSG’s is to create a DMZ consisting of a subnet. This creates a subnet which contains all of your internet exposed virtual machines, and then blocks all unnecessary ports both to and from your internal network. While this is a wonderful use of an NSG, you do need to bear in mind that a NSG only checks the 5 tuple of source and destination IP addresses, source and destination ports, and the protocol used, so it isn’t a full-fledged firewall.However, most people do not use them on their internal networks, where they truly belong.
Segregating devices on a network has long been a best practice, but simply placing VM’s on a different subnet or Vnet doesn’t really secure anything. To be truly secure, you need to use NSG’s to block any unwanted traffic between servers and users. After all, allowing any user to attempt an RDP request into a server isn’t very secure, although handy for technicians (Microsoft recommends the use of jump boxes for technicians to use). One handy feature of NSG’s is that you can apply the same one to multiple subnets, so once you have completed the hard work of figuring out which ports are needed, it is a simple matter to apply it to as many subnets as needed.
It is also important to remember that all virtual machines in Azure by default can access the Internet via Azure, and one of the only ways to prevent this is to implement an NSG denying Internet access at the subnet level.
Application Security Groups (ASG) can be used in NSG’s, which provides an easy way to group servers together. As a virtual machine can have 20 ASG’s assigned, it is easy to see how you can use them to make NSG rules a lot easier.
The NSG Flow Logs is a new feature that creates a log for each packet that travels through a NSG. The log entry consists of the 5 tuple of source and destination IP addresses, source and destination ports, and the protocol used, so you can go into a lot of detail. These logs are also saved to a normal storage account, which you can view using a workspace, or any tool that can read them. Having even a simple default NSG on every subnet will allow NSG flow logs to be saved, which you can then import into any capable SIEM system.
As you can see, NSG’s are a vital tool that every organization should utilize, which can give you a deep view into the traffic flowing in your network, and prevent any unwanted traffic to flow.
To learn more, view our courses on Azure Networking.
