AZ-900 Episode 21 | Azure Security Groups | Network and Application Security Groups (NSG, ASG)


Securing network connectivity is one of the most important tasks when building infrastructure in Azure. Today on Azure Fundamentals we explore how Network and Application Security Groups (NSG, ASG) help us with those challenges.

📺 Video: https://youtu.be/w8H5fWBHddA

🌐 Site: https://marczak.io/az-900/#ep21

🧠 Practice Test https://marczak.io/az-900/episode-21/practice-test

👍︎︎ 2 👤︎︎ u/AdamMarczakIO 📅︎︎ Oct 05 2020 🗫︎ replies

I like your channel. I am thinking of getting this cert soon.

👍︎︎ 4 👤︎︎ u/[deleted] 📅︎︎ Oct 05 2020 🗫︎ replies

Thank you for your courses! I just bought the AZ-900 cert, and your website/videos seem like a great place to pass this exam.

👍︎︎ 2 👤︎︎ u/NLonSec 📅︎︎ Oct 05 2020 🗫︎ replies
Captions
Hello guys, welcome back. It's Adam, and in this episode we'll be focusing on securing our virtual networks in Azure with something called security groups. Stay tuned.

This is our first episode in module 3, which is all about building secure applications in Azure, and today our focus is network security groups and application security groups. So let's start with network security groups.

It is always easier to imagine how something works in Azure with a scenario. Let's say we have four servers: two to handle web application traffic, one server to handle the business logic, and one more server to host our database. Depending on our architectural decisions, we can divide those into subnets, for example have one subnet for all the microservices and web application traffic and another subnet to handle our data tier applications. And since those are subnets, they need to reside within a virtual network. If we create infrastructure like this and we don't do anything else, all the traffic coming from the internet will be allowed to all of these servers. Additionally, all the traffic between these servers will be allowed, therefore everything can communicate with everything. But in our scenario this is something we don't want to happen, because our internet traffic should not be reaching our database, and not all of these services should be able to communicate with each other. And this is where network security groups come in handy. For instance, place a network security group on the first subnet allowing traffic from the internet to reach our web tier services, and by creating a network security group on the second subnet we can block the traffic coming from the internet but still allow the traffic coming from our own services.

Let me go to the Azure portal, where I'll show you how network security groups work. Let's navigate to my resource group, where I created a virtual machine in one of our previous episodes. In here I have my am demo VM that I will want to connect to. Right now, as it stands, I can connect to this virtual machine. I can prove this to you by going to the second screen, where I have opened my Remote Desktop Connection Manager, allowing me to quickly connect to this virtual machine. As you can see, because of the current network configuration, I'm able to connect to this virtual machine with no problem. So let's disconnect from the server for now, and let's go back to the Azure portal, where I will navigate to my network security group resource. This is the place where I can manage all the networking rules for my virtual machine. Let me navigate to inbound security rules. This is the place where we can manage all the rules for the incoming traffic to our server. In this case there's a rule called RDP which allows all the traffic coming from the port 3389, which is the port used by Remote Desktop Protocol. If I would go to this rule and simply delete it, then in just a few moments my traffic will be disabled and I will no longer be able to connect to this virtual machine. Now, if I go back to my Remote Desktop Connection Manager and try to connect to this virtual machine, for a moment it will try to connect and then fail with an error message that we no longer can connect to this virtual machine. After a few seconds we get a message. This is because there are no rules currently allowing the inbound connectivity over the RDP port to our virtual machine.

So let me show you how to add a new network security group rule in order to allow remote desktop connectivity to the server. Let's hit the Add button to create a new rule. In the source we can select Any, which means anyone across the planet from any IP. You can also select IP addresses to allow specific IP addresses to connect; Service Tag is a specific service category within Azure; or Application Security Group is something that we'll talk about in just a second. For now let's select Any. Any means anyone from anywhere on the planet on any port, which is this star. The destination Any means anything protected by this network security group. But the important part is the port: in the case of Remote Desktop Connection Protocol this is 3389, which is the port used by Remote Desktop, and the protocol used by Remote Desktop is TCP, so we can narrow this down even further. The action is Allow, so let's allow this type of flow to go through our network security group. In the case of priority we leave it as 100. You should not worry about this too much for this episode, but in general rules within network security groups are evaluated based on their priority. And lastly you can add a name and description to give some more meaning to this specific rule, for example call it "allow RDP", which will let us know what this rule does without a need to inspect the configuration of this specific rule. The rule has been created. We can refresh the page to see the new rule. We can also see an exclamation mark next to our RDP rule. This is because, based on Microsoft's recommendation and in general based on security recommendations, you should not open your RDP connectivity to the entire world; you should always target specific servers and specific IP ranges. But for now, for testing, this is fine. And if I go back to my machine and try to connect again, I should be able to connect in just a second. So as you can see, with network security groups, management of the traffic and the flow of the traffic for our virtual network is fairly simple.

So to summarize, network security groups are designed to filter the traffic that is going to and from Azure resources that are located within a virtual network. All the filtering for network security groups is done by something called rules, and you can have multiple rules for both incoming and outgoing traffic. The rules themselves are created by specifying the source and the destination by using IP ranges, service tags or application security groups, additionally specifying the protocol: TCP, UDP or any. You can also specify a port or port ranges, allowing you to only target specific services; for example RDP is 3389, whereas HTTPS traffic is 443, so you can allow only a specific service to connect to your machines. And with direction you can control whether this rule is evaluated for incoming or outgoing traffic. Lastly you can add priority, which allows you to define and control the rule evaluation order, giving you full range of control and flexibility as to which traffic will be allowed to go through and which one will be rejected.

But in Azure there's one more resource called application security groups, which helps us with management of our traffic even further. Let's go back to the scenario that I drew before. In this case let's say that our final configuration will allow the traffic going from the internet to our web services, then block the traffic from the internet to our logic server so that only our web applications can connect to the services handling the business logic, and then further disallow the internet traffic going to the database server, only allowing the business logic web service to call the database servers, and block the traffic from the web services directly to the database. So we will end up with this kind of flow: the internet traffic only reaches our web servers, web servers will communicate with the business logic servers, and business logic servers communicate with our database. Right now, to achieve this using network security groups, we would need to use static IPs of those machines in each single rule and manage this manually. This of course means a lot of maintenance effort. You can solve this challenge by using application security groups, grouping your servers by their business purpose and then using those application security groups instead of those static IPs in your network security rules. So application security groups is really a feature that allows you to group your virtual machines that are located within your Azure virtual network and use that to reduce the effort required to maintain network security group rules by assigning application security groups instead of explicit IP addresses.

To summarize, today we've learned about network security groups, allowing us to filter incoming and outgoing traffic from our virtual network resources, and additionally we've learned about application security groups, a feature that allows us to group our virtual network resources logically and then use those logical groupings inside of network security group rules. All the materials for this episode are found under episode 21 on my website. Now that we know how to secure our Azure networks, next up I will talk about how to create our own custom routing tables, so definitely check this one out. If you want to follow to the next episode, simply hit the icon on the side or follow the playlist. If you like my work, support the channel by subscribing, liking and commenting, and see you in the next one.
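The rule model the episode walks through (priority-ordered first-match evaluation, source/destination by CIDR or application security group, protocol and port) written out as an added Python example; this is a toy evaluator, not Azure's engine or code from the episode, and the IPs, ASG membership, the VNet range standing in for the VirtualNetwork tag, and the management range used for RDP are all constructed.

```python
"""Toy evaluator for NSG-style inbound rules (constructed illustration, not Azure's engine)."""
import ipaddress
from dataclasses import dataclass

VNET = "10.0.0.0/16"  # stands in for the VirtualNetwork service tag (constructed)

# Application security groups: business role -> member VM IPs (constructed sample values)
ASGS = {"web": {"10.0.1.4", "10.0.1.5"}, "logic": {"10.0.1.6"}, "db": {"10.0.2.4"}}

@dataclass
class Rule:
    name: str
    priority: int      # lower number is evaluated first; first match wins
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*" (any)
    source: str        # CIDR, "*" (any) or an ASG name
    destination: str   # CIDR, "*" (any) or an ASG name
    dest_port: str     # single port or "*"

def _match_addr(spec, ip):
    if spec == "*":
        return True
    if spec in ASGS:                       # ASG membership replaces static IP lists
        return ip in ASGS[spec]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(rules, src_ip, dst_ip, protocol, dst_port):
    """Return (rule name, access) of the first matching rule by priority."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol in ("*", protocol) and r.dest_port in ("*", str(dst_port)) \
                and _match_addr(r.source, src_ip) and _match_addr(r.destination, dst_ip):
            return r.name, r.access
    return None  # unreachable once the default DenyAllInBound rule is present

# Azure's default inbound rules (priorities 65000+), then the episode's scenario on top:
# internet reaches only web; web talks to logic; logic talks to db; web must not reach db.
RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", VNET, VNET, "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
    Rule("allow-https-web", 100, "Allow", "Tcp", "*", "web", "443"),
    Rule("allow-web-to-logic", 110, "Allow", "Tcp", "web", "logic", "8080"),
    Rule("allow-logic-to-db", 120, "Allow", "Tcp", "logic", "db", "1433"),
    # Needed explicitly: without it the default AllowVnetInBound would let web reach db.
    Rule("deny-web-to-db", 130, "Deny", "*", "web", "db", "*"),
    # RDP limited to a management range instead of "Any", which the portal flags.
    Rule("allow-rdp-mgmt", 200, "Allow", "Tcp", "203.0.113.0/24", "*", "3389"),
]
```

Calling `evaluate(RULES, "10.0.1.4", "10.0.2.4", "Tcp", 1433)` shows why the explicit deny matters: drop that rule and the same flow is allowed by AllowVnetInBound.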
Info
Channel: Adam Marczak - Azure for Everyone
Views: 69,937
Keywords: AZ-900, Microsoft Azure, Microsoft Azure Fundamentals, Azure Fundamentals, Full Course, Certification, Exam, az 900, nsg, asg, application security group, networksecurity group
Id: w8H5fWBHddA
Length: 8min 42sec (522 seconds)
Published: Mon Oct 05 2020