7/22/24, 8:56 PM Tutorial: Filter network traffic with a network security group (NSG) - Azure portal | Microsoft Learn
Tutorial: Filter network traffic with a network security group using the Azure portal
Article • 05/29/2024
You can use a network security group to filter inbound and outbound network traffic to
and from Azure resources in an Azure virtual network.
Network security groups contain security rules that filter network traffic by IP address,
port, and protocol. When a network security group is associated with a subnet, security
rules are applied to resources deployed in that subnet.
[Diagram: a user on the internet reaches vm-1 and vm-2 in the subnet of vnet-1, which has nsg-1 associated with it. vm-1 belongs to asg-web, where port 80 is allowed and port 3389 is denied; vm-2 belongs to asg-mgmt, where port 80 is denied and port 3389 is allowed.]
In this tutorial, you learn how to:
✓ Create a network security group and security rules
✓ Create application security groups
✓ Create a virtual network and associate a network security group to a subnet
✓ Deploy virtual machines and associate their network interfaces to the application security groups
Prerequisites
An Azure account with an active subscription. You can create an account for free.
Sign in to Azure
Sign in to the Azure portal
Create a virtual network
The following procedure creates a virtual network with a resource subnet.
1. In the portal, search for and select Virtual networks.
2. On the Virtual networks page, select + Create.
3. On the Basics tab of Create virtual network, enter or select the following information:

Setting           Value
Project details
Subscription      Select your subscription.
Resource group    Select Create new. Enter test-rg in Name. Select OK.
Instance details
Name              Enter vnet-1.
Region            Select East US 2.
[Screenshot: Create virtual network, Basics tab]
4. Select Next to proceed to the Security tab.
5. Select Next to proceed to the IP Addresses tab.
6. In the address space box in Subnets, select the default subnet.
7. In Edit subnet, enter or select the following information:

Setting            Value
Subnet details
Subnet template    Leave the default Default.
Name               Enter subnet-1.
Starting address   Leave the default of 10.0.0.0.
Subnet size        Leave the default of /24 (256 addresses).

[Screenshot: Create virtual network, Edit subnet pane]

8. Select Save.
9. Select Review + create at the bottom of the screen, and when validation passes, select Create.
Create application security groups
An application security group (ASG) enables you to group together servers with similar functions, such as web servers.
1. In the search box at the top of the portal, enter Application security group. Select Application security groups in the search results.
2. Select + Create.
3. On the Basics tab of Create an application security group, enter or select this information:

Setting           Value
Project details
Subscription      Select your subscription.
Resource group    Select test-rg.
Instance details
Name              Enter asg-web.
Region            Select East US 2.

4. Select Review + create.
5. Select Create.
6. Repeat the previous steps, specifying the following values:

Setting           Value
Project details
Subscription      Select your subscription.
Resource group    Select test-rg.
Instance details
Name              Enter asg-mgmt.
Region            Select East US 2.

7. Select Review + create.
8. Select Create.
Create a network security group
A network security group (NSG) secures network traffic in your virtual network.
1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

Note
In the search results for Network security groups, you may see Network security groups (classic). Select Network security groups.

2. Select + Create.
3. On the Basics tab of Create network security group, enter or select this information:

Setting           Value
Project details
Subscription      Select your subscription.
Resource group    Select test-rg.
Instance details
Name              Enter nsg-1.
Location          Select East US 2.

4. Select Review + create.
5. Select Create.
Associate network security group to subnet
In this section, you associate the network security group with the subnet of the virtual
network you created earlier.
1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.
2. Select nsg-1.
3. Select Subnets from the Settings section of nsg-1.
4. In the Subnets page, select + Associate.

[Screenshot: nsg-1 | Subnets page]

5. Under Associate subnet, select vnet-1 (test-rg) for Virtual network.
6. Select subnet-1 for Subnet, and then select OK.
Create security rules
1. Select Inbound security rules from the Settings section of nsg-1.
2. In Inbound security rules page, select + Add.
3. Create a security rule that allows ports 80 and 443 to the asg-web application security group. In Add inbound security rule page, enter or select the following information:

Setting                                    Value
Source                                     Leave the default of Any.
Source port ranges                         Leave the default of (*).
Destination                                Select Application security group.
Destination application security groups    Select asg-web.
Service                                    Leave the default of Custom.
Destination port ranges                    Enter 80,443.
Protocol                                   Select TCP.
Action                                     Leave the default of Allow.
Priority                                   Leave the default of 100.
Name                                       Enter allow-web-all.

4. Select Add.
5. Complete the previous steps with the following information:

Setting                                    Value
Source                                     Leave the default of Any.
Source port ranges                         Leave the default of (*).
Destination                                Select Application security group.
Destination application security group     Select asg-mgmt.
Service                                    Select RDP.
Action                                     Leave the default of Allow.
Priority                                   Leave the default of 110.
Name                                       Enter allow-rdp-all.

6. Select Add.
Caution
In this article, RDP (port 3389) is exposed to the internet for the VM that is assigned to the asg-mgmt application security group.
For production environments, instead of exposing port 3389 to the internet, it's recommended that you connect to Azure resources that you want to manage using a VPN, private network connection, or Azure Bastion. If you must keep a rule like allow-rdp-all, set its Source to the address range of your management network rather than Any.
For more information on Azure Bastion, see What is Azure Bastion?.
Create virtual machines
Create two virtual machines (VMs) in the virtual network.
1. In the portal, search for and select Virtual machines.
2. In Virtual machines, select + Create, then Azure virtual machine.
3. In Create a virtual machine, enter or select this information in the Basics tab:

Setting                   Value
Project details
Subscription              Select your subscription.
Resource group            Select test-rg.
Instance details
Virtual machine name      Enter vm-1.
Region                    Select (US) East US 2.
Availability options      Leave the default of No infrastructure redundancy required.
Security type             Select Standard.
Image                     Select Windows Server 2022 Datacenter - x64 Gen2.
Azure Spot instance       Leave the default of unchecked.
Size                      Select a size.
Administrator account
Username                  Enter a username.
Password                  Enter a password.
Confirm password          Reenter password.
Inbound port rules
Select inbound ports      Select None.

4. Select Next: Disks then Next: Networking.
5. In the Networking tab, enter or select the following information:

Setting                      Value
Network interface
Virtual network              Select vnet-1.
Subnet                       Select subnet-1 (10.0.0.0/24).
Public IP                    Leave the default of a new public IP.
NIC network security group   Select None.

6. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
7. Select Create. The VM may take a few minutes to deploy.
8. Repeat the previous steps to create a second virtual machine named vm-2.
Associate network interfaces to an ASG
When you created the VMs, Azure created a network interface for each VM, and
attached it to the VM.
Add the network interface of each VM to one of the application security groups you
created previously:
1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results, then select vm-1.
2. Select Application security groups from the Networking section of vm-1.
3. Select Add application security groups, then in the Add application security groups tab, select asg-web. Finally, select Add.

[Screenshot: vm-1 | Application security groups, Add application security groups pane]

4. Repeat the previous steps for vm-2, selecting asg-mgmt in the Add application security groups tab.
Test traffic filters
1. In the search box at the top of the portal, enter Virtual machine. Select Virtual
machines in the search results.
2. Select vm-2.
3. On the Overview page, select the Connect button and then select Native RDP.
4. Select Download RDP file.
5. Open the downloaded rdp file and select Connect. Enter the username and password you specified when creating the VM.
6. Select OK.
7. You may receive a certificate warning during the connection process. If you receive the warning, select Yes or Continue, to continue with the connection.
The connection succeeds, because inbound traffic from the internet to the asg-mgmt application security group is allowed through port 3389 by the allow-rdp-all rule.
The network interface for vm-2 is associated with the asg-mgmt application security group and allows the connection.
8. Open a PowerShell session on vm-2. Connect to vm-1 using the following:
PowerShell
mstsc /v:vm-1
The RDP connection from vm-2 to vm-1 succeeds because the NSG's default AllowVNetInBound rule (priority 65000) allows traffic between resources in the same virtual network over any port. Rules are evaluated in priority order, lowest number first, and the first match wins, so the rules you created (priority 100 and 110) are checked before the default rules.
You can't create an RDP connection to the vm-1 virtual machine from the internet. The only rule that applies to asg-web, allow-web-all, permits ports 80 and 443; nothing allows port 3389 to vm-1 from the internet, so the default DenyAllInBound rule (priority 65500) drops the connection. Inbound traffic from the internet is denied to all resources by default.
9. To install Microsoft IIS on the vm-1 virtual machine, enter the following command from a PowerShell session on the vm-1 virtual machine:
PowerShell
Install-WindowsFeature -name Web-Server -IncludeManagementTools
10. After the IIS installation is complete, disconnect from the vm-1 virtual machine, which leaves you in the vm-2 virtual machine remote desktop connection.
11. Disconnect from the vm-2 VM.
12. Search for vm-1 in the portal search box.
13. On the Overview page of vm-1, note the Public IP address for your VM. The address shown in the following example is 20.230.55.178; your address is different:

[Screenshot: vm-1 Overview page showing the Public IP address]

14. To confirm that you can access the vm-1 web server from the internet, open an internet browser on your computer and browse to http:// followed by the public IP address of vm-1.
You see the IIS default page, because inbound traffic from the internet to the asg-web application security group is allowed through port 80.
The network interface attached to vm-1 is associated with the asg-web application security group and allows the connection.
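The rule behaviour exercised in the tests above, and the check behind the Caution under Create security rules, as an added example in Python; this is not code from the Microsoft Learn page. It models an NSG's inbound evaluation (first match in ascending priority, then the platform's default rules AllowVNetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound), applies it to allow-web-all and allow-rdp-all, and flags Allow rules that open a management port to any source. Assumed, because the page does not state them: vnet-1 uses 10.0.0.0/16, vm-1 is 10.0.0.4 and vm-2 is 10.0.0.5, the external addresses are constructed from documentation ranges, and the asg:<name> notation is the script's own shorthand for an ASG reference, not Azure's rule syntax.

```python
"""Added example (not from the Microsoft Learn page): a model of how an NSG
evaluates inbound rules, applied to the two rules this tutorial creates.
Assumed: vnet-1 is 10.0.0.0/16, vm-1 is 10.0.0.4, vm-2 is 10.0.0.5; external
addresses are constructed from RFC 5737 documentation ranges. "asg:<name>" is
this script's own shorthand for an ASG reference, not Azure's rule syntax."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

VNET_PREFIX = ip_network("10.0.0.0/16")  # assumed address space of vnet-1

# protocol: "Tcp", "Udp" or "*"; source/dest: "*", "Internet", "VirtualNetwork",
# "AzureLoadBalancer", a CIDR or "asg:<name>"; dest_ports: "*", "80,443", "1000-2000".
Rule = namedtuple("Rule", "name priority access protocol source dest dest_ports",
                  defaults=("*", "*", "*", "*"))
Nic = namedtuple("Nic", "name private_ip asgs")  # a VM's NIC inside vnet-1
Packet = namedtuple("Packet", "src dst dst_port protocol", defaults=("Tcp",))
# Packet.src is a Nic (sender inside the vnet) or an external IP string.

# Azure's built-in inbound default rules; the platform fixes their priorities.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
]

# The two rules created under "Create security rules".
TUTORIAL_RULES = [
    Rule("allow-web-all", 100, "Allow", "Tcp", "*", "asg:asg-web", "80,443"),
    Rule("allow-rdp-all", 110, "Allow", "Tcp", "*", "asg:asg-mgmt", "3389"),
]

# The same NSG with RDP limited to an assumed management network, 203.0.113.0/24.
HARDENED_RULES = [
    TUTORIAL_RULES[0],
    Rule("allow-rdp-mgmt-net", 110, "Allow", "Tcp", "203.0.113.0/24", "asg:asg-mgmt", "3389"),
]

VM1 = Nic("vm-1", "10.0.0.4", frozenset({"asg-web"}))
VM2 = Nic("vm-2", "10.0.0.5", frozenset({"asg-mgmt"}))
INTERNET_CLIENT = "198.51.100.7"  # constructed external client address

def _port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _endpoint_matches(spec, endpoint):
    if spec == "*":
        return True
    if spec.startswith("asg:"):  # ASG rules match on NIC membership, not on address
        return isinstance(endpoint, Nic) and spec[4:] in endpoint.asgs
    if spec == "AzureLoadBalancer" or endpoint == "AzureLoadBalancer":
        return spec == endpoint
    ip = ip_address(endpoint.private_ip if isinstance(endpoint, Nic) else endpoint)
    if spec == "VirtualNetwork":
        return ip in VNET_PREFIX
    if spec == "Internet":
        return ip not in VNET_PREFIX
    return ip in ip_network(spec, strict=False)

def evaluate_inbound(rules, pkt):
    """First matching rule wins, lowest priority number first; defaults sit last."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", pkt.protocol)
                and _endpoint_matches(rule.source, pkt.src)
                and _endpoint_matches(rule.dest, pkt.dst)
                and _port_matches(rule.dest_ports, pkt.dst_port)):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound should always match")

MANAGEMENT_PORTS = (22, 3389, 5985, 5986)  # SSH, RDP, WinRM

def internet_exposed_management_rules(rules):
    """The check behind the Caution: Allow rules opening a management port to any source."""
    return [r.name for r in sorted(rules, key=lambda r: r.priority)
            if r.access == "Allow" and r.source in ("*", "Internet", "0.0.0.0/0")
            and any(_port_matches(r.dest_ports, p) for p in MANAGEMENT_PORTS)]

def tutorial_outcomes(rules=TUTORIAL_RULES, client=INTERNET_CLIENT):
    """The connections exercised under 'Test traffic filters', plus the two denied cases."""
    cases = {
        "internet->vm-1:80": Packet(client, VM1, 80),
        "internet->vm-1:3389": Packet(client, VM1, 3389),
        "internet->vm-2:3389": Packet(client, VM2, 3389),
        "internet->vm-2:80": Packet(client, VM2, 80),
        "vm-2->vm-1:3389": Packet(VM2, VM1, 3389),
    }
    return {label: evaluate_inbound(rules, pkt) for label, pkt in cases.items()}

if __name__ == "__main__":
    for label, (access, rule) in tutorial_outcomes().items():
        print(f"{label:20} {access:5} via {rule}")
    print("exposed management rules:", internet_exposed_management_rules(TUTORIAL_RULES))
```

Running the script prints the outcome and the matching rule for each connection: the two browser and RDP tests succeed through allow-web-all and allow-rdp-all, vm-2 to vm-1 succeeds through AllowVNetInBound, and internet to vm-1 on 3389 falls through to DenyAllInBound. The hardened variant shows the fix suggested in the Caution: with Source narrowed to the assumed 203.0.113.0/24, internet_exposed_management_rules reports nothing, RDP from the constructed internet client is denied, and a client inside that range is still allowed.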
Clean up resources
When you finish using the resources that you created, you can delete the resource
group and all its resources:
1. In the Azure portal, search for and select Resource groups.
2. On the Resource groups page, select the test-rg resource group.
3. On the test-rg page, select Delete resource group.
4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.
Next steps
In this tutorial, you:
* Created a network security group and associated it to a virtual network subnet.
* Created application security groups for web and management.
* Created two virtual machines and associated their network interfaces with the application security groups.
* Tested the application security group network filtering.
To learn more about network security groups, see Network security group overview and
Manage a network security group.
Azure routes traffic between subnets by default. You may instead, choose to route traffic
between subnets through a VM, serving as a firewall, for example.
To learn how to create a route table, advance to the next tutorial.