Configure secure access to virtual networks Flashcards

1
Q

Network security groups (NSGs)

A

* Used to filter traffic between resources in an Azure virtual network.
* Contain security rules that allow or deny inbound and outbound traffic.

  • An NSG rule lets you specify individual IP addresses or address ranges, either individually or as a comma-separated list of IP ranges.
  • This helps reduce the number of NSG rules you need to create.
  • An NSG can then be assigned to a subnet or to a NIC.
  • It can be associated multiple times.
  • You can specify source and destination ports and protocols.
  • The default security rules:
    3 default inbound rules:
    - AllowVNetInbound - Priority is 65000
    - AllowAzureLoadBalancerInbound - Priority is 6501
    - DenyAllInbound - Priority is 65500

    3 default outbound rules:
    - AllowVNetOutBound - Priority is 6500
    - DenyAllOutBound - Priority is 65500
    - AllowInternetOutBound - Priority is 65001

  • You cannot remove the default network security rules, but you can override them by creating another rule with a higher priority.

* Network security groups and subnets:
- When you assign an NSG at the subnet level, the rules apply to all resources within the subnet.
- Traffic flowing in and out of the subnet is controlled by the rule set at the subnet level.
- Each subnet can have a maximum of one NSG assigned to it.

* Network security groups and NICs:
- Controls traffic between resources in the subnet.
- Rules apply to the specific NIC.

** When you create a new Azure network security group, you have to consider the rules that will apply to the configuration:

  1. First, create a new configuration rule
     by using the following command:
     New-AzNetworkSecurityRuleConfig
  2. Then create configurations for each of the rules
     by using the following command:
     New-AzNetworkSecurityRuleConfig
  3. Then create a new security group containing the rules
     by using the following command:
     New-AzNetworkSecurityGroup
2
Q

Evaluate effective security rules in NSGs

A

For inbound traffic:
Azure first processes NSG rules for any associated subnets and then any associated NICs.

Inbound NSG rules for a subnet take precedence over NSG rules for NICs.

For outbound traffic:
Azure first evaluates NSG rules for any associated NICs and then any associated subnets.

Outbound NSG rules for a NIC take precedence over NSG rules for a subnet.

Importance of allow rules:
If an NSG is applied at both the subnet and the NIC level, you must define an allow rule at each level; otherwise the traffic is denied at any level that does not have the allow rule in place.

Intra-subnet traffic:
* By default, Azure allows VMs in the same subnet to send traffic to each other (this is known as intra-subnet traffic).

* If you do not want VMs in the same subnet to communicate with each other, you have to set a rule that denies all inbound and outbound traffic. This prevents all the VMs in the same subnet from communicating with each other.

Security rules in an NSG are processed in priority order; the lowest priority number is always processed first.

As a best practice when creating NSG rules, leave a gap of about 100 between priorities so that future rules can be added without having to renumber existing ones later.

3
Q

NSG PowerShell commands to know

https://learn.microsoft.com/en-us/powershell/module/az.network/set-aznetworksecurityruleconfig?view=azps-11.2.0&viewFallbackFrom=azps-2.6.0

https://learn.microsoft.com/en-us/powershell/module/az.network/set-aznetworksecuritygroup?view=azps-11.2.0&viewFallbackFrom=azps-2.6.0

https://learn.microsoft.com/en-us/powershell/module/az.network/new-aznetworksecuritygroup?view=azps-11.2.0&viewFallbackFrom=azps-2.6.0

https://learn.microsoft.com/en-us/powershell/module/az.network/new-aznetworksecurityruleconfig?view=azps-11.2.0&viewFallbackFrom=azps-2.6.0

A

* New-AzNetworkSecurityRuleConfig
- Creates an Azure security rule configuration for a network security group.

* New-AzNetworkSecurityGroup
- Creates a network security group.

* Set-AzNetworkSecurityRuleConfig
- Updates a network security rule configuration for a network security group.

* Set-AzNetworkSecurityGroup
- Updates a network security group.

4
Q

Application security groups (ASGs)

A

ASGs are used to simplify the management of NSG rules by grouping VMs based on their role or application membership.

  • ASGs allow segregation of VMs by type instead of by subnet.
  • Any NICs assigned to an ASG must exist in the same VNet as the first NIC that was assigned to it.
5
Q

Implement Azure Bastion

https://learn.microsoft.com/en-us/azure/bastion/quickstart-host-portal

https://learn.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal

A

Azure Bastion is a fully managed PaaS service that you provision to securely connect to virtual machines via their private IP addresses. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly over TLS from the Azure portal.

Azure Bastion subnets only support /26 or larger (/26, /25, or /24).

The default tier for this type of deployment is the Basic SKU:
When you deploy Bastion, you can use SSH or RDP to connect to virtual machines (VMs) in the virtual network via Bastion by using the private IP addresses of the VMs.

  • RDP connections using the Bastion service can only be made through a web browser, i.e. from the Azure portal.
6
Q

Azure Bastion SKU tiers

A

Basic and Standard

Basic SKU:
Connect to Linux using SSH, but cannot connect using RDP.
Connect to Windows using RDP, but not SSH.

Standard SKU:
Connect to Linux using both SSH and RDP.
Connect to Windows using both SSH and RDP.
Upload and download files.
Connect to a VM via IP address.
Connect to a VM using the CLI.

7
Q

Configure service endpoints for PaaS

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

A

Provides secure and direct connectivity between Azure services and a virtual network over the Azure backbone network; this eliminates traffic going over the public internet.
- Allows private connectivity between your Azure services and your virtual network.
- Eliminates the need for a public IP address.

8
Q

Service endpoint scenarios

A
  1. Peered, connected, or multiple virtual networks
     To secure Azure services to multiple subnets within a virtual network or across multiple virtual networks, you can enable service endpoints on each of the subnets independently, and secure Azure service resources to all of the subnets.
  2. Filtering outbound traffic from a virtual network to Azure services
     If you want to inspect or filter the traffic sent to an Azure service from a virtual network, you can deploy a network virtual appliance within the virtual network. You can then apply service endpoints to the subnet where the network virtual appliance is deployed, and secure Azure service resources only to this subnet.
  3. Securing Azure resources to services deployed directly into virtual networks
  4. Disk traffic from an Azure virtual machine
9
Q

Configure private endpoints for PaaS

https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

https://learn.microsoft.com/en-us/azure/private-link/private-link-overview

https://learn.microsoft.com/en-us/azure/private-link/disable-private-link-service-network-policy?tabs=private-link-network-policy-powershell

A

A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that is powered by Azure Private Link.

Private Link:
Azure Private Link enables you to access Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted customer-owned/partner services over a private endpoint in your virtual network.

The privateLinkServiceNetworkPolicies: Disabled setting is configured automatically if you use the Azure portal to create a Private Link service.

This setting only applies to the specific private IP address you chose as the source IP of the Private Link service.
