
Hello guys, welcome back. It's Adam, and in this episode we'll be focusing on securing our virtual networks in Azure with something called security groups. Stay tuned.


This is our first episode in module 3, which is all about building secure applications in Azure, and today our focus is network security groups and application security groups.

So let's start with network security groups. It is always easier to imagine how something works in Azure with a scenario. Let's say we have four servers: two to handle web application traffic, one server to handle the business logic, and one more server to host our database. Depending on our architectural decisions we can divide those into subnets, for example have one subnet for all the microservices and web application traffic and another subnet to handle our data tier applications. And since those are subnets, they need to reside within a virtual network.


If we create infrastructure like this and we don't do anything else, all the traffic coming from the internet will be allowed to all of these servers. Additionally, all the traffic between these servers will be allowed, therefore everything can communicate with everything. But in our scenario this is something we don't want to happen, because our internet traffic should not be reaching our database, and not all of these services should be able to communicate with each other.

And this is where network security groups come in handy. For instance, placing a network security group on the first subnet allows traffic from the internet to reach our web tier services, and by creating a network security group on the second subnet we can block the traffic coming from the internet but still allow the traffic coming from our own services.

Let me go to the Azure portal, where I'll show you how network security groups work. Let's navigate to my resource group, where I created a virtual machine in one of our previous episodes. In here I have my am demo VM that I will want to connect to. Right now, as it stands, I can connect to this virtual machine. I can prove this to you by going to the second screen, where I have opened my Remote Desktop Connection Manager, allowing me to quickly connect to this virtual machine. As you can see, because of the current network configuration I'm able to connect to this virtual machine with no problem.

So let's disconnect from the server for now and let's go back to the Azure portal, where I will navigate to my network security group resource. This is the place where I can manage all the networking rules for my virtual machine. Let me navigate to inbound security rules. This is the place where we can manage all the rules for the incoming traffic to our server. In this case there's a rule called RDP which allows all the traffic coming in on port 3389, which is the port used by Remote Desktop Protocol.

If I go to this rule and simply delete it, then in just a few moments my traffic will be blocked and I will no longer be able to connect to this virtual machine. Now if I go back to my Remote Desktop Connection Manager and try to connect to this virtual machine, for a moment it will try to connect and then fail with an error message that we can no longer connect to this virtual machine. After a few seconds we get the message. This is because there are no rules currently allowing inbound connectivity over the RDP port to our virtual machine.

So let me show you how to add a new network security group rule in order to allow remote desktop connectivity to the server. Let's hit the Add button to create a new rule.

In the source we can select Any, which means anyone across the planet from any IP. You can also select IP Addresses to allow specific IP addresses to connect. Service Tag is a specific service category within Azure, and Application Security Group is something that we'll talk about in just a second. For now let's select Any. Any means anyone from anywhere on the planet on any port, which is this star. The destination is Any; that means anything protected by this network security group. But the important part is the port: in the case of Remote Desktop Protocol this is 3389, which is the port used by Remote Desktop, and the protocol used by Remote Desktop is TCP, so we can narrow this down even further. The action is Allow, so let's allow this type of flow to go through our network security group. In the case of priority we leave it as 100. You should not worry about this too much for this episode, but in general rules within network security groups are evaluated based on their priority. And lastly you can add a name and description to give some more meaning to this specific rule, for example call it allow rdp, which will let us know what this rule does without a need to inspect the configuration of this specific rule.

The rule has been created; we can refresh the page to see the new rule. We can also see an exclamation mark next to our RDP rule. This is because, based on Microsoft's recommendation and in general based on security recommendations, you should not open your RDP connectivity to the entire world. You should always target specific servers and specific IP ranges. But for now, for testing, this is fine, and if I go back to my machine and try to connect again, I should be able to connect in just a second.

So as you can see, with network security groups, management of the traffic and the flow of the traffic for our virtual network is fairly simple. So to summarize, network security groups are designed to filter the traffic that is going to and from Azure resources that are located within a virtual network.

All the filtering for network security groups is done by something called rules, and you can have multiple rules for both incoming and outgoing traffic. The rules themselves are created by specifying the source and the destination, by using IP ranges, service tags or application security groups. Additionally, by specifying the protocol (TCP, UDP or Any) you can also specify a port or port ranges, allowing you to only target specific services; for example RDP is 3389 whereas HTTPS traffic is 443, so you can allow only a specific service to connect to your machines. With direction you can control whether this rule is evaluated for incoming or outgoing traffic. Lastly you can add priority, which allows you to define and control the rule evaluation order, giving you a full range of control and flexibility as to which traffic will be allowed to go through and which will be rejected.

But in Azure there's one more resource, called application security groups, which helps us with management of our traffic even further. Let's go back to the scenario that I drew before. In this case let's say that our final configuration will allow the traffic going from the internet to our web services, then block the traffic from the internet to our logic server so that only our web applications can connect to the services handling the business logic, and then further disallow the internet traffic going to the database server, only allowing the business logic web service to call the database servers, and block the traffic from the web services directly to the database. So that we will end up with this kind of flow: the internet traffic only reaches our web servers, web servers communicate with the business logic servers, and business logic servers communicate with our database.

Right now, to achieve this using network security groups, we would need to use static IPs of those machines in each single rule and manage this manually. This of course means a lot of maintenance effort. You can solve this challenge by using application security groups: grouping your servers by their business purpose and then using those application security groups instead of those static IPs in your network security rules. So application security groups is really a feature that allows you to group your virtual machines that are located within your Azure virtual network and use that to reduce the effort required to maintain network security group rules, by assigning application security groups instead of explicit IP addresses.
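To make the priority-based rule evaluation and the application security group idea from this episode concrete, here is an added Python simulation; it is not the author's code and not how Azure implements NSGs internally. Three ASGs stand in for the web, logic and database servers, rules are evaluated lowest priority number first with the first match winning, and the fallback mirrors Azure's default DenyAllInBound rule; the IP addresses and the 8080/1433 ports are constructed, and "Internet" is simplified to "anything outside RFC 1918 space".

```python
"""Simulated evaluation of NSG inbound rules that reference ASGs (constructed example)."""
from dataclasses import dataclass
import ipaddress

# ASGs: VMs grouped by purpose and referenced in rules instead of static IPs (constructed IPs).
ASGS = {"asg-web": {"10.0.1.4", "10.0.1.5"}, "asg-logic": {"10.0.1.6"}, "asg-db": {"10.0.2.4"}}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    priority: int   # lower number is evaluated first; custom rules use 100-4096
    name: str
    source: str     # "*", "Internet", a CIDR, or an ASG name
    dest: str
    port: str       # "*" or a single destination port as a string
    protocol: str   # "Tcp", "Udp" or "*"
    action: str     # "Allow" or "Deny"

def matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec in ASGS:
        return ip in ASGS[spec]
    if spec == "Internet":  # simplification: any address outside RFC 1918 space
        return not any(addr in net for net in RFC1918)
    return addr in ipaddress.ip_network(spec)

def evaluate(rules, src_ip, dst_ip, port, protocol):
    """First matching rule in priority order wins; Azure's DenyAllInBound (65500) is the fallback."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (matches(r.source, src_ip) and matches(r.dest, dst_ip)
                and r.port in ("*", str(port)) and r.protocol in ("*", protocol)):
            return r.action, r.name
    return "Deny", "DenyAllInBound"

# The three-tier flow from the episode; ports 8080 and 1433 are assumptions.
INBOUND = [
    Rule(100, "allow-internet-to-web", "Internet", "asg-web", "443", "Tcp", "Allow"),
    Rule(110, "allow-web-to-logic", "asg-web", "asg-logic", "8080", "Tcp", "Allow"),
    Rule(120, "allow-logic-to-db", "asg-logic", "asg-db", "1433", "Tcp", "Allow"),
    # Explicit deny: otherwise the default AllowVnetInBound (65000) would let web reach db.
    Rule(4096, "deny-all-inbound", "*", "*", "*", "*", "Deny"),
]

def wide_open_rdp(rules):
    """Names of Allow rules exposing RDP (3389) to any source, the case the portal flags."""
    return [r.name for r in rules
            if r.action == "Allow" and r.source in ("*", "Internet") and r.port in ("*", "3389")]
```

Evaluating a flow from a web VM straight to the database returns the explicit deny, while the same port from a logic VM is allowed, which is exactly the separation the rules above encode without a single machine IP in them.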

To summarize, today we've learned about network security groups, allowing us to filter incoming and outgoing traffic from our virtual network resources, and additionally we've learned about application security groups, a feature that allows us to group our virtual network resources logically and then use those logical groupings inside of network security group rules.

All the materials for this episode are found under episode 21 on my website. Now that we know how to secure our Azure networks, next up I will talk about how to create our own custom routing tables, so definitely check this one out. If you want to follow to the next episode, simply hit the icon on the side or follow the playlist. If you like my work, support the channel by subscribing, liking and commenting, and see you in the next one.
