Network Security Groups and Virtual Appliances
John Savill
TECHNICAL ARCHITECT
@ntfaqguy
Module Overview
Controlling traffic flow
Using network security groups
Using network appliances
Traffic Flow in a Virtual Network
By default, a VM in a virtual network can communicate with:
- Every other VM in every subnet in the same virtual network
- Anything on the Internet (outbound)
- Anything connected via a VPN or ExpressRoute
Traffic Flow in a Virtual Network
This may not always be desired:
- In a multi-tiered application you may want only neighboring tiers to communicate
- You may want only certain VMs to talk to the Internet (DMZ)
- You may want to restrict the types of traffic
Network Security Groups
- Enable rules to be created, then assigned to a network security group
- Network security groups are applied to subnets or VMs
- When applied to a subnet it is still enforced at the vmNIC; it is not an “Edge” device
NSG Rules
Rules are based on a 5-tuple and have a priority and an action (allow or deny):
- Source IP address (can be a range using CIDR format)
- Source port
- Destination IP address (can be a range using CIDR format)
- Destination port
- Protocol (TCP, UDP, or *)
NSG Rules
CIDR is used to define source/destination
Three special identifiers:
- VIRTUAL_NETWORK: identifies traffic within the virtual network address space
- AZURE_LOADBALANCER: the Azure infrastructure load balancer
- INTERNET: IP address space external to the virtual network
Network Security Groups Example
[Diagram: the Internet feeding an Azure Virtual Network containing a Frontend Subnet, a Midtier Subnet and a Backend Subnet, each with its own NSG; "Allow" is drawn between adjacent subnets and a "Deny" path is drawn beneath them]
Network Security Group Example
Rules are combined in a network security group
Based on the priority, flexible configurations are possible
A lower priority number means a higher priority

Description            Priority  Source Address      Source Port  Destination Address  Destination Port  Action
Inbound 443            1005      *                   *            *                    443               Allow
ILB                    1010      AZURE_LOADBALANCER  *            *                    10000             Allow
Within Subnet          1015      <CIDR of subnet>    *            <CIDR of subnet>     *                 Allow
  (repeated for each)
Inbound RDP            2005      VIRTUAL_NETWORK     *            *                    3389              Allow
Deny all Vnet traffic  3005      VIRTUAL_NETWORK     *            VIRTUAL_NETWORK      *                 Deny
Deny all inbound       4000      *                   *            *                    *                 Deny
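As an added example (not from the deck or from Azure itself), the following Python evaluator applies the inbound rule table above to sample flows the way the slides describe: lowest priority number first, first match wins, with the three special identifiers resolved against a VNet address space. The VNet prefix, the frontend subnet CIDR, the load balancer placeholder address and the sample flows are constructed assumptions.

```python
import ipaddress

# Constructed sample topology (assumption, not from the deck): one VNet address
# space, the frontend subnet, and a placeholder address for the Azure load balancer.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
FRONTEND_SUBNET = "10.0.1.0/24"
AZURE_LB_ADDR = ipaddress.ip_address("192.0.2.1")  # placeholder, not the real probe source

def addr_matches(spec, ip):
    """Match an address against '*', a special identifier, or a CIDR prefix."""
    ip = ipaddress.ip_address(ip)
    in_vnet = any(ip in p for p in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VIRTUAL_NETWORK":
        return in_vnet
    if spec == "INTERNET":
        return not in_vnet
    if spec == "AZURE_LOADBALANCER":
        return ip == AZURE_LB_ADDR
    return ip in ipaddress.ip_network(spec)

def port_matches(spec, port):
    """Match a port against '*', a single port, or an 'a-b' range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)

# Inbound rules from the slide's table, with '<CIDR of subnet>' filled in with the
# constructed frontend subnet: (priority, src addr, src port, dst addr, dst port, action)
FRONTEND_RULES = [
    (1005, "*", "*", "*", "443", "Allow"),                           # Inbound 443
    (1010, "AZURE_LOADBALANCER", "*", "*", "10000", "Allow"),        # ILB
    (1015, FRONTEND_SUBNET, "*", FRONTEND_SUBNET, "*", "Allow"),     # Within Subnet
    (2005, "VIRTUAL_NETWORK", "*", "*", "3389", "Allow"),            # Inbound RDP
    (3005, "VIRTUAL_NETWORK", "*", "VIRTUAL_NETWORK", "*", "Deny"),  # Deny all VNet traffic
    (4000, "*", "*", "*", "*", "Deny"),                              # Deny all inbound
]

def evaluate(rules, src, sport, dst, dport):
    """First matching rule wins; a lower priority number is evaluated first."""
    for prio, s_addr, s_port, d_addr, d_port, action in sorted(rules):
        if (addr_matches(s_addr, src) and port_matches(s_port, sport)
                and addr_matches(d_addr, dst) and port_matches(d_port, dport)):
            return action, prio
    return "NoMatch", None  # unreachable here: rule 4000 catches everything
```

Calling evaluate with an Internet source on port 3389 falls through to the deny-all rule (4000), while the same port from a VNet address is allowed by rule 2005, and a same-subnet flow on any port is allowed by rule 1015 before the VNet-wide deny at 3005 is reached.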
Demo
- Creating NSGs
- Applying NSGs with the portal and PowerShell
- Default NSG when creating a VM with a Public IP
Do not be overly restrictive with NSGs!
Multi-NIC VMs
- By default a VM has a single vmNIC
- Depending on the size of the VM, multiple NICs may be allowed
- NICs must be added at time of provisioning
- Cannot mix single NIC and multi NIC VMs in the same availability set
- vmNICs can be in the same or different subnets
- This is really designed for virtual appliances
Customized Routing in a Virtual Network
User Defined Routes (UDR)
- Enables modification of the default routing of packets
- Example: adding a firewall/IDS appliance that all traffic should flow through
Customized Routing in a Virtual Network
- A virtual appliance could be added with multiple vmNICs, with a NIC in each subnet, and that IP is the default route for each subnet instead of the Azure default
- A route is created for an address prefix and next hop IP, added to a route table, then applied to a subnet
- Also possible to just define a next hop that points to a VM and Azure will handle the routing
Virtual Appliances
- Available in the Azure Marketplace
- Licensing can be based on:
  - Bring your own license
  - Hourly billing
- Essentially a VM with pre-configured software and configuration to perform a certain set of functionality
Summary
Controlling traffic flow
Using network security groups
Using network appliances
Next Up: Enabling External Access with Load Balancers and Public IPs