Module 4bc - Security and Network Security - Network Security Groups

Question 1

What are Network Security Groups (NSGs)?

Answer 1

A mechanism for filtering traffic between the individual Resources within an AVN. Think of them as internal firewalls, inside the Network Layer.

• Can contain multiple inbound and outbound security rules for filtering traffic to and from Resources
• Can filter by destination IP, port and protocol

Question 2

What fields are available in an NSG Rule?

Answer 2

• Name
• Priority
• Source or Destination
• Protocol: TCP/UDP/Any
• Direction: ingress/egress
• Port Range: either a single port or range of ports
• Action: ALLOW/DENY

Question 3

Every VM on Azure is associated with at least one network security group (T/F)

Answer 3

True

Question 4

What does the default NSG rule ‘default-allow-ssh’ do?

Answer 4

Allows inbound connections over port 22 (SSH port). SSH (secure shell) is the protocol used by Linux to allow admins to access the system remotely

Question 5

What’s the default NSG rule for Linux VMs?

You must also allow inbound on port 80 (HTTP) (T/F)?

Answer 5

default_allow_ssh

Allow network access only on port 22 (SSH Secure Shell). It enables admins to access the system.

True~

Question 6

When creating multiple VMs that serve the same purpose, it’s best to create a new NSG for each VM. This way you can customize inbound/outbound traffic per VM (T/F)?

Answer 6

False

it’s best to assign them all to a single, standalone NSG, then create a single inbound and a single outbound rule for the NSG.

That way you can control network access to multiple VMs under a single, centralized set of rules

Question 7

How is INBOUND traffic evaluated when a SubNet and a Network Interface both have an NSG applied to it?

Answer 7

Both NSGs are evaluated independently. The SUBNET NSG evaluates traffic first, the one applied to the NETWORK INTERFACE evaluates second.

In other words, if it isn’t even allowed at the Network Layer destination, don’t even let it past the Perimeter Layer (Defense in Depth)

Question 8

How is OUTBOUND traffic evaluated when a SubNet and a Network Interface both have an NSG applied to it?

Answer 8

Outbound traffic is first evaluated by the NSG applied to the NETWORK INTERFACE, then by the NSG applied to the SUBNET

Question 9

What determines the order in which an NSG Rule is processed and how?

Answer 9

Rules are processed in priority order with LOWER numbers processed FIRST. Priority range is between 100-4096. So a rule set to priority 100 will get processed before a rule set to priority 1000

Question 10

For an NSG Rule Source or Destination, what values can be set?

Answer 10

Can be any of the following:

• single IP address or an IP Range
• CIDR block (ex. 10.0.0.0/24)
• service tag
• app security group

Question 11

When are NSGs processed for *Outbound* traffic and what IP address translation occurs?

Answer 11

For Outbound Traffic, NSGs are processed BEFORE Azure translates a private IP address to a public IP Address

Azure checks first to see if egress is even allowed to leave the outer layer (the network interface). If it is, then it checks the inner layer (SubNet). If so, then great; translate the private IP to the public one and let it through~

Question 12

When are NSGs processed for Inbound traffic and what IP address translation occurs?

Answer 12

For Inbound Traffic, NSGs are processed AFTER Azure translates a public IP address to a private IP Address….

Naturally…how would Azure know what NSGs to apply if it didn’t know what the destination SubNet was?