Azure Network Security

Last updated on Dec 10 2021
Keethi Reddy


A network security group (NSG) consists of security rules that allow or deny inbound or outbound network traffic to or from the Azure resources hosted in an Azure virtual network. An NSG can be associated at different levels, for example with a subnet or with the network interface of an individual virtual machine.

Security rule properties:

Name: The name of the rule must be unique within the network security group.

Priority: Security rules are processed in priority order; the lower the number, the higher the priority, so the first rule that matches the traffic decides the outcome.

Source or Destination: An IP address, a CIDR (Classless Inter-Domain Routing) block, a service tag, or an application security group. The ability to specify multiple individual IP addresses and ranges in a single rule is referred to as augmented security rules.

Protocol: TCP, UDP, etc.

Port range: An individual port or a range of ports.

Action: Allow or Deny

Service Tags

A service tag represents a group of IP address prefixes and helps minimize the complexity of creating security rules. We cannot create our own service tags, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by each service tag and automatically updates the tag as addresses change.

Earlier, if we wanted to allow communication from our virtual machine to an Azure service, we needed to configure a lot of outbound rules: Microsoft published a list of IP addresses for each service, every one of those addresses had to be entered into our NSG rules to allow the outbound connection, and whenever Microsoft changed the addresses we had to change our rules as well.

Using service tags will simplify your NSG rules a lot, for example:

Storage: This tag denotes the IP address space for the Azure Storage service. If you specify Storage for the value, traffic is allowed or denied to storage.

SQL: This tag denotes the address prefixes of the Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure SQL Data Warehouse services.

AzureCosmosDB: This tag denotes the address prefixes of the Azure Cosmos DB service.

AzureKeyVault: This tag denotes the address prefixes of the Azure KeyVault service. If you specify AzureKeyVault for the value, traffic is allowed or denied to AzureKeyVault.

EventHub: This tag denotes the address prefixes of the Azure EventHub service. If you specify EventHub for the value, traffic is allowed or denied to EventHub.

Default Rules

Azure creates a set of default rules in every NSG. There are two types of default rules.

Inbound Security rules

  • AllowVNetInbound: Traffic is allowed from any resource within the VNet.
  • AllowAzureLoadBalancerInbound: Any traffic originating from the Azure load balancer to any of the virtual machines within the network is permitted.
  • DenyAllInbound: All other inbound traffic is denied. So, by default, virtual machines in the virtual network can communicate with each other, and the Azure load balancer can communicate with virtual machines within the virtual network, but nothing else can reach them.

Outbound Security rules

  • AllowVNetOutBound: Traffic is allowed to any resource within the VNet.
  • AllowInternetOutBound: Traffic originating from any resource in the VNet to the Internet is allowed.
  • DenyAllOutBound: All other outbound traffic is denied. So, by default, virtual machines in a virtual network can communicate with each other, with the Azure load balancer, and with the Internet, but with nothing else.

Application Security Groups

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups, so that a rule refers to a group such as the web tier rather than to the individual IP addresses of its virtual machines.
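To make the precedence model concrete (priority order, service tags, application security groups and the three default inbound rules), here is an added example that is not code from the original post or from Azure: a small evaluator for inbound traffic. The service-tag prefixes, the ASG membership and the NSG rules are constructed sample data, not Microsoft's real address ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (not Microsoft's real prefixes): a service tag resolves
# to an address set Azure maintains; an ASG resolves to its member VMs' addresses.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # assumed VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure's load-balancer probe source
    "Internet": ["0.0.0.0/0"],                  # simplification: the real tag excludes VNet space
}
APP_SECURITY_GROUPS = {"web-asg": ["10.0.1.4", "10.0.1.5"]}

def rule(name, priority, src, dst, proto, ports, action):
    return dict(name=name, priority=priority, src=src, dst=dst,
                proto=proto, ports=ports, action=action)

# Azure adds these to every NSG; they can be overridden by a lower number, not deleted.
DEFAULT_INBOUND = [
    rule("AllowVNetInbound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    rule("AllowAzureLoadBalancerInbound", 65001, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    rule("DenyAllInbound", 65500, "*", "*", "*", "*", "Deny"),
]

def resolve(spec):
    """Expand '*', a service tag, an ASG name, a single IP or a CIDR into networks."""
    if spec == "*":
        return [ip_network("0.0.0.0/0")]
    prefixes = SERVICE_TAGS.get(spec) or APP_SECURITY_GROUPS.get(spec) or [spec]
    return [ip_network(p, strict=False) for p in prefixes]

def port_in_range(port, ports):
    if ports == "*":
        return True
    lo, _, hi = ports.partition("-")          # "443" or "8000-8080"
    return int(lo) <= port <= int(hi or lo)

def matches(r, src_ip, dst_ip, proto, dst_port):
    return (r["proto"] in ("*", proto)
            and port_in_range(dst_port, r["ports"])
            and any(ip_address(src_ip) in n for n in resolve(r["src"]))
            and any(ip_address(dst_ip) in n for n in resolve(r["dst"])))

def evaluate(custom_rules, src_ip, dst_ip, proto, dst_port):
    """Lowest priority number wins: the first matching rule decides, defaults last."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if matches(r, src_ip, dst_ip, proto, dst_port):
            return r["action"], r["name"]

# Constructed NSG: HTTPS to the web tier only; RDP denied even from inside the VNet.
WEB_RULES = [
    rule("AllowHttpsToWeb", 100, "Internet", "web-asg", "TCP", "443", "Allow"),
    rule("DenyRdp", 200, "*", "*", "TCP", "3389", "Deny"),
]
```

Because DenyRdp has a lower number than AllowVNetInbound, it wins even for traffic between two VMs in the VNet; without it, the default rule would let that RDP through.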

Configuring an NSG at Subnet and VM level

Step 1: Click on the Create a resource button and type in Network Security Group. Then select Network Security Group and click on the Create button.

Step 2: Now you are on the Network Security Group creation page. Select the resource group, fill in the name, select the region, and click on Review + create.

Step 3: Your NSG is created; now we will associate this NSG with the subnet.

Step 4: Click on Subnets, then click on Associate. Select the virtual network and the subnet with which you want to associate this NSG.

Step 5: Finally, click on the ok button. Your NSG is now associated with the subnet.

So, this brings us to the end of the blog. This Tecklearn 'Azure Network Security' blog helps you with commonly asked questions if you are looking out for a job in Azure and Cloud Computing. If you wish to learn Microsoft Azure and build a career in the Cloud Computing domain, then check out our interactive Microsoft Azure Developer and Administrator Training, which comes with 24*7 support to guide you throughout your learning period. Please find the link for course details:

https://www.tecklearn.com/course/microsoft-azure-developer-associate-az-203-and-microsoft-azure-administrator-associate-az-103/

Microsoft Azure Developer Associate: AZ-203 and Microsoft Azure Administrator Associate AZ-103 Training

About the Course

This Course provides training for Microsoft Azure Administrator and Azure Developer. Tecklearn’s Azure Administrator training provides you with a deep understanding of the entire administrative lifecycle in Azure environments. This Azure course shows you how to maintain services related to computing, storage, network, and security. Enhance your Azure Administrator skills and prepare to ace the AZ-103 Azure Administrator exam. The Azure Developer certification course prepares you for Microsoft’s Azure Developer certification exam AZ-203. It covers Azure architecture, Azure technology development solutions, Azure storage services, and solutions, Cognitive Services such as Computer Vision, Q&A Maker, Azure service solutions, and API management services.

Why Should you take Azure Developer and Administrator Training?

  • A Microsoft Certified Azure Associate developer earns a salary ranging from $95,000 to $135,000
  • Average salary of a Microsoft Certified Azure Administrator is $90,000 – Indeed.com
  • Apple, eBay, Samsung, Citrix, UST Global, Mindtree, TCS, Wipro, Infosys & many other MNCs worldwide use Azure across industries
  • According to Microsoft, more than 1,000 new sign-ups for Azure occur each day, which equates to approximately 365,000 new sign-ups each year
  • By 2022, 90% of enterprises will use both the IaaS and PaaS capabilities from cloud providers – Gartner

What you will Learn in this Course?

Introduction to Azure Compute Solutions and Cloud Computing

  • Introduction to Microsoft Azure
  • About Azure Certification

Overview of Azure Storage Services

  • Azure Storage
  • Azure File Use Case
  • Azure DNS
  • Azure Site Recovery

Secure and Manage Azure Storage

  • Security Issue
  • Azure Regions
  • Azure Services

Implementing Secure Data Solutions and Integrating Caching & CDN

  • Azure CDN
  • Azure Traffic Manager
  • Azure Load Balancer
  • Azure Scale Set

Implementing Azure App Service Web Apps and Mobile Apps

  • Design and Implement Azure Service Apps
  • Web Apps
  • Pricing Calculator – Azure

Managing Azure Subscriptions and Resource Groups

  • Create Resource Group
  • Create App Service Plan
  • Create Web App and Deploy Angular Application using SCM
  • Deploy .NET Application using SCM
  • Deploy App using Visual Studio
  • Web Job Types
  • Sendgrid

Develop Event-based and Message-based Solutions in Azure

  • Messaging Strategy
  • Design and implement Messaging Strategy
  • Azure Notifications
  • Microsoft Azure Service Bus
  • Queues
  • Topics
  • Create Topic
  • Create Subscription
  • Azure Relay
  • Using EventHubs

Implementing Azure App Service API Apps & Azure Functions

  • Azure PAAS Services
  • API Management
  • Function Apps
  • Logic Apps

Overview of Azure Virtual Machines and Configure Virtual Machines for High Availability

  • Virtual Machines
  • Create VM
  • PowerShell DSC and Custom Script Extension
  • Scale ARM VMs
  • VMSS
  • Monitoring VMs
  • Dev Test Labs
  • VM Storage

Design and implement Azure DevOps

  • CI/CD Pipelines
  • VSTS
  • Deployment in PaaS and VMs
  • Scheduled deployments

Manage Azure Active Directory (AD)

  • Manage Identity, Application and Network Services
  • Overview of Azure Active Directory
  • Azure Active Directory B2C
  • Azure Active Directory B2B
  • Key Vault
  • Azure Graph API

Azure Virtual Networks and Network Security

  • Redis Caching
  • Azure search
  • Virtual Networks
  • Configure Virtual Network
  • Hybrid Network Connectivity
  • ARM VM Networking
  • Azure security and recovery services

Developing Solutions That Use Relational Database and Azure Blob Storage

  • Azure DB Services – SQL DB
  • Azure Notifications
  • Backup and Restore
  • Enabling Geo-Replication
  • Export source Database
  • Scale Azure SQL Databases

Developing Solutions That Use Azure Table Storage & Cosmos DB

  • COSMOS DB
  • Azure Key Vault
  • Azure App Insights

Azure Command Line Interface (CLI) and PowerShell

  • Resource management and deployments using PowerShell and CLI
  • ARM templates
  • Implement ARM templates
  • Control Access
  • PowerShell runbooks
  • Azure Automation
  • Real Time Examples

Got a question for us? Please mention it in the comments section and we will get back to you.
