Azure NSG (security Group)

Source: Internet
Author: User
Tags azure load balancer


Previously on Azure, users could configure an ACL on a VM endpoint for network security, but an ACL could not be applied to an entire VNet or used to define a group.

Network security groups (NSGs) solve this problem: an NSG can be used to control traffic to one or more virtual machine (VM) instances in a virtual network. The NSG contains the access control rules that allow or deny traffic to the VM instances, and those rules can be changed at any time.

Remarks:

NSGs require a regional VNet; an NSG is incompatible with a VNet that is associated with an affinity group.

Only one NSG can be associated with a VM or subnet

Currently, each NSG contains a maximum of 200 rules

Currently, there can be up to 100 NSGs per subscription

1 Rule content

Name: unique identifier of the rule

Type: Inbound/Outbound

Priority: an integer between 100 and 4096

Source IP address: CIDR for the source IP range

Source port range: an integer or range between 0 and 65000

Destination IP address: CIDR for the destination IP range

Destination port range: an integer or range between 0 and 65000

Protocol: TCP, UDP, or "*"

Access: Allow/Deny

Default rules: an NSG has default rules that cannot be deleted, but they have the lowest priority.

Inbound

| Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol | Access |
|---|---|---|---|---|---|---|---|
| Allow Inbound VNET | 65000 | VIRTUAL_NETWORK | * | VIRTUAL_NETWORK | * | * | Allow |
| Allow Inbound Azure Load Balancer | 65001 | AZURE_LOADBALANCER | * | * | * | * | Allow |
| Reject All Inbound | 65500 | * | * | * | * | * | Deny |

Outbound

| Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol | Access |
|---|---|---|---|---|---|---|---|
| Allow Outbound VNET | 65000 | VIRTUAL_NETWORK | * | VIRTUAL_NETWORK | * | * | Allow |
| Allow Outbound Internet | 65001 | * | * | INTERNET | * | * | Allow |
| Reject All Outbound | 65500 | * | * | * | * | * | Deny |

2 Creating and Managing NSGs

An NSG can be associated in several ways:

    • When you associate an NSG with a VM, the network access rules in that NSG are applied directly to all traffic destined for the VM.
    • When you associate an NSG with a subnet, the network access rules in the NSG are applied to all VMs in that subnet.
    • When you associate two NSGs, one with the VM and one with the VM's VNet, the VM receives double protection.
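The following sketch is an added example, not code from the original article or from Azure: it models how the inbound default rules and a custom rule are evaluated by priority, and why a VM with both a subnet NSG and a VM NSG only receives traffic that both allow. The VNet range, the load balancer address, the meaning given to the INTERNET tag, the subnet-before-VM order and the WEB rule's port 80 are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# Simplified model of inbound NSG evaluation (added example, not Azure's code).
Rule = namedtuple("Rule", "name priority source dport protocol access")

VNET = ipaddress.ip_network("10.0.0.0/16")      # assumed VNet address space
AZURE_LB = ipaddress.ip_address("192.0.2.10")   # constructed stand-in for the LB tag

# The three inbound default rules from the table above.
DEFAULT_INBOUND = [
    Rule("Allow Inbound VNET", 65000, "VIRTUAL_NETWORK", "*", "*", "Allow"),
    Rule("Allow Inbound Azure Load Balancer", 65001, "AZURE_LOADBALANCER", "*", "*", "Allow"),
    Rule("Reject All Inbound", 65500, "*", "*", "*", "Deny"),
]

def source_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VIRTUAL_NETWORK":
        return addr in VNET
    if spec == "AZURE_LOADBALANCER":
        return addr == AZURE_LB
    if spec == "INTERNET":  # assumption: anything outside the VNet and the LB
        return addr not in VNET and addr != AZURE_LB
    return addr in ipaddress.ip_network(spec)

def port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(custom_rules, src_ip, dport, protocol):
    """First match wins; rules are tried in ascending priority number."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (source_matches(rule.source, src_ip) and port_matches(rule.dport, dport)
                and rule.protocol in ("*", protocol)):
            return rule.access, rule.name

def evaluate_layers(subnet_rules, vm_rules, src_ip, dport, protocol):
    """Inbound traffic has to pass the subnet NSG and then the VM NSG."""
    for layer, rules in (("subnet", subnet_rules), ("vm", vm_rules)):
        access, name = evaluate(rules, src_ip, dport, protocol)
        if access == "Deny":
            return "Deny", f"{layer}: {name}"
    return "Allow", f"vm: {name}"

WEB = Rule("WEB", 100, "INTERNET", "80", "TCP", "Allow")  # constructed sample rule
```

Calling `evaluate_layers([WEB], [], "203.0.113.7", 80, "TCP")` returns a deny from the VM layer: a rule added only to the subnet NSG does not open the port when the VM has its own NSG with just the default rules.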

2.1 Planning

An NSG is updated within minutes of each rule or association change.

Creating an NSG and associating it with a VM

1. Create a network security group (NSG).

2. Add a network security rule, unless the default rules are sufficient to meet your needs.

3. Associate the NSG to the VM.

4. Update the VM.

5. After the update, the NSG rules take effect immediately.

Updating an existing NSG

1. Add, remove, or update rules in an existing NSG.

2. All VMs associated with the NSG will be updated in a few minutes. If the NSG is already associated with a VM, no VM update is required.

Changing the NSG association

1. Associate the new NSG with a VM that is already associated with another NSG.

2. Update the VM.

3. The rules in the new NSG will take effect in a few minutes.

2.2 Configuring the NSG

Currently, you can only use PowerShell cmdlets and REST APIs to configure and modify NSGs.

Create a network security group

New-AzureNetworkSecurityGroup -Name "MyNSG01" -Location "China East" -Label "Security Group for my Vnet in China East"


Add or update a rule

Get-AzureNetworkSecurityGroup -Name "MyNSG01" | Set-AzureNetworkSecurityRule -Name WEB -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '<destination-port-range>' -Protocol TCP


Delete a rule

Get-AzureNetworkSecurityGroup -Name "MyNSG01" | Remove-AzureNetworkSecurityRule -Name WEB


Associating the NSG with a VM

Get-AzureVM -ServiceName "Ngcloud" -Name "NGVM01" | Set-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName "MyNSG01" | Update-AzureVM


Removing the NSG from the VM

Get-AzureVM -ServiceName "Ngcloud" -Name "NGVM01" | Remove-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName "MyNSG01" | Update-AzureVM


Associating the NSG with a subnet

Get-AzureNetworkSecurityGroup -Name "MyNSG01" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName 'ngtest-network' -SubnetName 'Subnet-1'

Existing VNet and subnet


Association


To view the results of an association


Removing the NSG from the subnet

Get-AzureNetworkSecurityGroup -Name "MyNSG01" | Remove-AzureNetworkSecurityGroupFromSubnet -VirtualNetworkName 'ngtest-network' -SubnetName 'Subnet-1'


View results again


Delete the NSG

Remove-AzureNetworkSecurityGroup -Name "MyNSG01"
