Network Security Groups
Tim Warner
AUTHOR/TECH EVANGELIST, PLURALSIGHT
@TechTrainerTim techtrainertim.com
Overview
NSG concepts and implementation
Multi-NIC virtual machines
Custom VNet routing
The Network Security Group (NSG)
Stateful, software firewall objects
- Ingress and egress traffic
About NSGs
Rules match traffic on a 5-tuple
- Source and destination IP; source and destination port; protocol
Rules are based on priority
- Lower number = higher priority (evaluated first; first match wins)
About NSGs
Can be attached to:
- Subnet
- VM NIC
NSG Traffic Logic
timw.info/nsg9
Demo
Create NSG
Cover default and custom rules
Attach NSG to existing subnet
Attach to existing NIC
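The demo steps above (create an NSG with custom rules alongside the default ones, attach it to an existing subnet, then to an existing NIC) as one added Azure PowerShell example. This is not code from the course; it uses the AzureRm cmdlets the slides use. The resource group, location, VNet, subnet and NIC names are taken from the slides' own snippet; the NSG name, rule names, ports and the 10.0.100.0/24 management prefix are assumptions.

```powershell
# Added example, not from the course slides. Assumed names: myNsg, the rule names,
# and the 10.0.100.0/24 management range; myResourceGroup, WestUS, myVnet,
# mySubnetFrontEnd and myNic1 come from the slides.

# Custom inbound rules. Lower priority number is evaluated first and the first
# match wins; the built-in default rules (priority 65000 and up) apply only when
# no custom rule matches.
$allowHttps = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-HTTPS-In" `
    -Description "Allow HTTPS from anywhere" -Access Allow -Protocol Tcp `
    -Direction Inbound -Priority 100 `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 443

# Management access only from an assumed admin subnet, never from the Internet.
$allowRdpMgmt = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-RDP-From-Mgmt" `
    -Description "RDP only from the management subnet" -Access Allow -Protocol Tcp `
    -Direction Inbound -Priority 110 `
    -SourceAddressPrefix "10.0.100.0/24" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389

# Explicit catch-all deny at the lowest custom priority (4096) so that it sits
# above the default AllowVnetInBound rule (65000): other VNet hosts do not reach
# these workloads except on the ports allowed above.
$denyAll = New-AzureRmNetworkSecurityRuleConfig -Name "Deny-All-In" `
    -Description "Catch-all deny ahead of the default rules" -Access Deny -Protocol "*" `
    -Direction Inbound -Priority 4096 `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "*"

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName "myResourceGroup" `
    -Location "WestUS" -Name "myNsg" -SecurityRules $allowHttps, $allowRdpMgmt, $denyAll

# Subnet scope first: every NIC placed in the subnet inherits these rules.
$vnet = Get-AzureRmVirtualNetwork -Name "myVnet" -ResourceGroupName "myResourceGroup"
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'mySubnetFrontEnd' }
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# NIC scope when one VM needs a more specific policy. Both NSGs are evaluated:
# inbound traffic must be allowed by the subnet NSG and then by the NIC NSG.
$nic = Get-AzureRmNetworkInterface -Name "myNic1" -ResourceGroupName "myResourceGroup"
$nic.NetworkSecurityGroup = $nsg
Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null

# Verify: list the effective (default + custom) rules as the NIC actually sees them.
Get-AzureRmEffectiveNetworkSecurityGroup -NetworkInterfaceName "myNic1" `
    -ResourceGroupName "myResourceGroup"
```

The effective-NSG query at the end is the check to run after any NSG change: it shows the merged subnet and NIC rule sets in priority order, which is where a rule that silently never matches (because a lower-numbered rule already decided the traffic) becomes visible.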
Managing NSGs
NSG Logging
Network Watcher
Demo
Diagnostics
Network Watcher
Multi-NIC Virtual Machines
Multi-NIC VM Use Cases
Separation of data plane from management plane traffic
Connection to dedicated backup/recovery subnet
timw.info/mnvm
Create and Attach Multiple NICs
# Assumes $myVnet (from Get-AzureRmVirtualNetwork) and $vmConfig (from New-AzureRmVMConfig) already exist
$frontEnd = $myVnet.Subnets | Where-Object {$_.Name -eq 'mySubnetFrontEnd'}
$myNic1 = New-AzureRmNetworkInterface -ResourceGroupName "myResourceGroup" `
    -Location "WestUS" -Name "myNic1" -SubnetId $frontEnd.Id
$backEnd = $myVnet.Subnets | Where-Object {$_.Name -eq 'mySubnetBackEnd'}
$myNic2 = New-AzureRmNetworkInterface -ResourceGroupName "myResourceGroup" `
    -Location "WestUS" -Name "myNic2" -SubnetId $backEnd.Id
# Exactly one NIC on a multi-NIC VM must be marked -Primary
$vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $myNic1.Id -Primary
$vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $myNic2.Id
Custom Routing
System- and User-defined Routes
Enable IP forwarding on the appliance VM
timw.info/udr
Forced Tunneling
timw.info/ft1
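The custom routing steps above (a user-defined route overriding a system route, IP forwarding on the appliance VM, and a forced-tunneling default route) as one added Azure PowerShell example. This is not code from the course; it uses the same AzureRm cmdlets as the slides. myResourceGroup, WestUS, myVnet, mySubnetFrontEnd and myNic1 are the slides' names; myApplianceNic, myRouteTable, the appliance address 10.0.3.4 and the back-end prefix 10.0.2.0/24 are assumptions, as is the presence of a virtual network gateway in the VNet.

```powershell
# Added example, not from the course slides. Assumed: myApplianceNic, myRouteTable,
# appliance IP 10.0.3.4, back-end prefix 10.0.2.0/24, and an existing VPN gateway.

# 1. Enable IP forwarding on the appliance NIC. Without this Azure drops packets
#    the UDR delivers to the appliance that are not addressed to the NIC itself.
#    (Forwarding must also be enabled inside the guest OS; that part is appliance-specific.)
$applianceNic = Get-AzureRmNetworkInterface -Name "myApplianceNic" -ResourceGroupName "myResourceGroup"
$applianceNic.EnableIPForwarding = $true
Set-AzureRmNetworkInterface -NetworkInterface $applianceNic | Out-Null

# 2. User-defined route: front-end to back-end traffic goes through the appliance
#    instead of the system route that would deliver it directly within the VNet.
$toBackEnd = New-AzureRmRouteConfig -Name "ToBackEndViaAppliance" `
    -AddressPrefix "10.0.2.0/24" -NextHopType VirtualAppliance -NextHopIpAddress "10.0.3.4"

# 3. Forced tunneling: replace the system default route so Internet-bound traffic
#    leaves through the VPN gateway (to on-premises inspection) rather than the Azure
#    Internet edge. The gateway needs a default site set
#    (Set-AzureRmVirtualNetworkGatewayDefaultSite) or a BGP-learned default route.
$forceTunnel = New-AzureRmRouteConfig -Name "ForceTunnelToOnPrem" `
    -AddressPrefix "0.0.0.0/0" -NextHopType VirtualNetworkGateway

$rt = New-AzureRmRouteTable -Name "myRouteTable" -ResourceGroupName "myResourceGroup" `
    -Location "WestUS" -Route $toBackEnd, $forceTunnel

# 4. Associate the route table with the subnet whose outbound traffic should be steered.
$vnet = Get-AzureRmVirtualNetwork -Name "myVnet" -ResourceGroupName "myResourceGroup"
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'mySubnetFrontEnd' }
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 5. Verify from a NIC in that subnet: the effective route table shows the two
#    user routes taking precedence over the matching system routes.
Get-AzureRmEffectiveRouteTable -NetworkInterfaceName "myNic1" -ResourceGroupName "myResourceGroup"
```

Two points worth checking after applying this: the effective route table should list the 10.0.2.0/24 and 0.0.0.0/0 entries with source "User", and the appliance itself must not sit in a subnet that carries the same route table, or its forwarded traffic loops back to it.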
Demo
Perhaps show an already completed configuration with a virtual appliance
Mention that we'll show appliance setup later in the course
https://github.com/Azure/azure-quickstart-templates/tree/master/barracuda-waf-iis
Summary
NSG security is not optional in Azure IaaS
Use subnet scope first; use NIC scope to be more specific
Remember the shared responsibility model
Next module: Azure Load Balancers