Azure Network Security Groups | Azure NSG | Azure Security Groups | NSG in Azure | Security Groups

Captions
Welcome back to another lesson in our series on Azure virtual networking. In this chapter we are going to learn about one of the very important security components of your VNet, that is, network security groups. In this video I'm going to talk about what a network security group is, and then we will look at network security group rules, or security rules in short: what the default ones are and what the customized ones are which we will make. At the end I have put up the relevant key characteristics, or pointers, about network security groups, which would be very helpful for you if you are preparing for your certification exams or for an interview, so watch it till the end, guys. Let's begin.

So first of all, what is a network security group? It's a kind of virtual firewall which contains your security rules, and based on these rules you will allow or deny inbound or outbound traffic to your resources or your virtual machines. Now, your NSG can be associated at the subnet level, which is basically the recommended level as well, since it makes your management a bit easier. When you apply an NSG at the subnet level it can restrict traffic flow to all the machines which reside in that subnet. You also have the option to apply network security groups at the NIC, or network interface, level; if you assign it at that level then all the traffic that flows through that NIC would be controlled by the rules of that network security group. From your portal itself you will find out whether your network security group is associated with subnets or network interfaces.

Now let's see how an NSG works. If you see, we have a VNet here, and in that VNet I have got two different subnets, Web Subnet and Subnet App. Let's start from VM3 in Subnet App, where we can see we have a rule which says allow HTTP at TCP port 80, and we can see we have an NSG at the NIC level. So whatever traffic flows through that NIC would be governed by the rule which is there and which is applied in this network security group: if the traffic goes to port number 80 it would be allowed, otherwise the traffic would be denied.

Now let's see what happens when we have a combination of network security groups, where we can see we have a security group applied at the subnet level as well as at the NIC level. In this scenario, whatever traffic comes in, I mean the inbound traffic, would first be evaluated against the rules which are there on the subnet-level network security group. Once it passes through, let's say your network security group at the subnet level allows HTTP traffic at port 80, then it reaches the network security group which is applied at the NIC level. Here again the traffic would be evaluated against the rules specified in this network security group; if the traffic is allowed for HTTP port 80 then it would reach your virtual machine VM1, else it will be dropped. In the second scenario, where we have VM2 and it does not have any network security group at the NIC level, whatever rules we have at the subnet level would be applicable here: if it is allowed at the network security group which is at the subnet level, then the traffic would reach VM2. For the outbound traffic also, when it leaves VM1 it will first be evaluated against the rules which are at the NIC level, and then it reaches the network security group at the subnet level and would be evaluated again. So that's how your rules work. Well, there are certain priorities which have to be set here, and once a rule matches a set configuration there will be no further evaluation happening.

So let's jump into the portal and see how it works. Here, if it is not in the frequently used items, you can search for it here; you can just type "network security group" and it will start showing up here. So we have one which is already there; I'll talk about it in a little bit of time. Let me quickly create a new security group for this demonstration. This is my subscription, and now I need to choose my resource group and give it a name; let me call it something like demo-nsg-1. The region would remain the same. I'm skipping the tags here; click Review + create and it will go for the final validation. When it has passed, click on Create. This is a network security group where I have not added anything, so it should not take much time and it would be quickly ready.

So by default every network security group will have three inbound security rules and three outbound security rules. These are my three inbound default security rules, and if you just click here you can see there is nothing customized here. So click on our default rules, and we have three security rules. One is AllowVnetInBound, which allows all the traffic within the same virtual network; all the traffic is allowed, and that's the reason that in a single VNet all the virtual machines, no matter how many subnets there are, would be able to talk to each other. Similarly, all the traffic coming in from your Azure load balancer would be allowed. Other than these two, anything else would be denied. If you see, there's a priority number given here: the lower the number, the higher the priority, and as soon as a match is found for the configuration, further evaluation will be stopped. Similarly, we have the outbound security rules: all traffic to the virtual network as well as all traffic to the internet would be allowed by default; other than that, everything would be denied. So these are my default rules, and as it is currently not associated with any NIC or subnet, this network security group would not be affecting anyone.

So let's see. I have already prepared a server for this demonstration. If I click on Virtual machines, this is my server, and these are its public and private IP addresses. I'll show you what the configuration currently is: let's go to Network Watcher, go to Topology, and let me select my resource group. If you look at it here, we have the server, and we have this server1-nsg, that is a network security group which got created along with the creation of this server, and it has been attached to this NIC. You can see that there's nothing at the subnet level, so we have our network security group at the NIC level. I'm going to show you what kind of rules we have: if you look at the inbound security rules, these are the default ones again, so there's nothing which allows RDP here. So I won't be able to RDP to this machine, because the inbound security rules just do not have any rule for that.

So let's try connecting to this. Let me go to my virtual machine and pick up the IP address from here; this is the public IP address which we can use. If I try to RDP, it should not go through. If I go and put it here and click on Connect, you see it will initiate a remote connection, but it's not going to go through. So I'm going to cancel it, and I'm going to cancel this also, and go home.

Now, if I need to allow RDP to this virtual machine, what I need to do is go to the network security group; this one was attached at the NIC level. So what I'm going to do is go to Inbound security rules and add a rule here. Now you need to select a source. The source can be Any, where you will allow anyone on this planet to come inside. You can also opt for certain IP address ranges or IP addresses; you can see here you can pick a specific IP or a range. You can also go for a service tag. Service tags are a kind of IP range, or IP management tag, which Microsoft creates and manages for you for all those Microsoft services which are running. So these are the tags: you can have Internet, VirtualNetwork, AzureLoadBalancer, ApiManagement; all these services are listed here, a lot of services are listed. So if you select a service tag, and if any changes happen in the background in these services, your service tag will be automatically updated, and that would ease your management of the network security rules. So whenever possible and feasible, try to use service tags.

Then, for this purpose, as I'm coming from outside, from the internet, I'm going to select Any. My source port range would be Any. For the destination I'm just keeping Any; this is not a recommended method, but still I'm going to do this. The port would be 3389, so I'll say 3389, the protocol would be TCP, and the action is Allow, to let me in for this RDP thing. Here you can define a priority; this priority can be from 100 to 4096, as you can see here, and any number between these two would be applicable. So I'm going to keep it at, let's say, 200. Then give it a name, a meaningful name which can let you know what the purpose of this security rule is; I'll say allow-rdp. You can put a description also to describe this. Click on Add, so it's creating a security rule. Also remember that network security groups are stateful, and once you allow inbound traffic, the outbound traffic would be automatically allowed, right?

So it says the security rule has been created. I'm going to go and see whether it's working or not; I'm going to do the RDP again. So this was RDP: let me put my IP address, click on Connect, and this time I'm pretty sure that it would allow me to go in. You can see that the rule has been updated in the background and our RDP session is up. So now when we log in to this machine, I would like to show you something: I also made this a kind of web server. Let's see, if I just try to browse my localhost, it's an IIS server where I put up a website, so it's going to our website. I'm going to close this.

Let's see how it works when I reach the browser here. So this is my virtual machine; again I need to copy that thing. If I try to access this website it should not work here, because I have not allowed it, and there's no rule here for that port, so specifically for that HTTP traffic it will not work. So I'm going to just stop it. Let's see how we can make it work. Let's again go back to the network security groups. This time I'm going to go for demo-nsg-1, because I want to show how you can attach or associate this thing to the subnet; I'm going to associate it at the subnet level. So go to Subnets, click on Associate, find your virtual network, look for your subnet, this is the web subnet, and I'm going to click on OK. Although I have associated it with that web subnet, there's no rule as such which can help us to browse our website; see, there's nothing there. Okay, so let's add a rule here. Again I'm making it Any; you can also select the Internet service tag, but I'll just stick with Any. Destination Any, and the port would be 80. So I'm going to make it port number 80; the protocol is TCP; I'm allowing the action; and I'm making it, let's say, 300, and calling it allow-http. Click on Add, so I'm adding this rule.

Now if I go back to home and go to Network Watcher, and if I select my topology, I want to show you something. This is my demo one, and if you look at it now, I have got this demo NSG attached at the subnet level. So you understand how it works: the traffic will come and first get evaluated with this subnet-level NSG, that is demo one, which allows HTTP at port 80. Then we have another NSG that is not allowing port 80, so because the traffic will get evaluated at two different levels, it will still not reach here. So what I need to do is either remove this one or add a rule to it. So let's see how we can add a rule to it. Click on here, go to your inbound rules and click on Add. Here we add the same rule: I'm just making it 80, TCP, I'm allowing it, giving a priority of 210, and calling it allow-nic-http. Click on Add; it has been added. Refresh here, and if I hide the default rules you can see I have two rules, which are allow-rdp and allow-http.

Now if I go back to my home and go to the security groups, I would like to show you something. If I look at the demo NSG and hide the default rules, I have only allow-http here. So you must be wondering, I'm not allowing RDP here? Yes. Currently the connection is going on, so it will not be interrupted, but if I do not change this rule and add an RDP rule here, and I disconnect this session, this will not allow me to do the RDP. And why so? Because at this level, you can see that the traffic would be evaluated at this level first, which does not allow RDP. But now what we are doing is checking for HTTP. So we have allowed HTTP here and port 80 here as well. So let's see whether it works or not. Copy this, let's go there and see: it's working, right? So it's working, and we can see how we can change the default rules, or override the default rules, with a lower rule number, which has got higher priority.

So that's about how you can create one. Another thing which I want to show you: if you go and create a virtual machine, let's say click on Add here, click on Virtual machine, and let's say demo one, and give any name, let's say VM3. I don't want any availability; let's go for 2016 again. If I just set the user, and we have got a super strong password here, okay. And if you allow selected ports here, what are you currently doing here? You are allowing a rule at a NIC-level NSG. So remember that whatever you select here, that would be a rule which would be inserted into an NSG at the NIC level. Now if you go further, Next: Disks, Networking, and if you come here, here also you get an option to choose a NIC network security group. So what you can do is either select None, or Basic, or Advanced. If you select Advanced you get an option, if you want, to select an existing network security group, or you can give it a new name. So this would be vm3-nsg, and that would be applicable at the NIC level if you continue with the same configuration.

So that's all about how you can create, manage and change the configuration of your network security group. Let's talk about some of the key characteristics of network security groups. So if we go further, these pointers would help you with your certification exam as well as interviews. You should remember that your network security group will contain security rules that allow or deny inbound or outbound network traffic to your Azure resources. NSGs are assigned at the network interface or subnet level. When you assign an NSG to a subnet, the rules apply to all network interfaces in that subnet. Each subnet and network interface can have one NSG applied. Very important to remember: your NSG supports TCP, UDP and ICMP, and it operates at layer 4 of the OSI model; again, very important to remember. Then, with the NSG, the connections are stateful, guys, remember that: return traffic would automatically be allowed for the same TCP session. Several default security rules are created by Azure within each NSG which you cannot remove, but you can override them with rules of a higher priority. You can add more rules by specifying the name of the rule, giving a priority, which is a number from 100 to 4096 (the lower the number, the higher the priority the rule will have), and a port, protocol, source, destination and the action, whether you want to allow or deny. Basically this is called a five-tuple hash, so this is what you can remember. Then, once the condition of a rule matches the network security group configuration, rule processing or evaluation stops; further rules will not be checked, whether they are allowing or denying. Right, that's how, guys. That's all about your network security group. Thanks for watching.
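The evaluation order the video walks through (subnet NSG then NIC NSG for inbound, the reverse for outbound, lowest priority number first, first match stops, the six non-removable default rules) is easy to get wrong when you only have the portal in front of you. The following Python model is an added example, not code from the video or from Azure. Everything in it is constructed: the VNet address space 10.0.0.0/16, the VM and client addresses, and the rule names demo-nsg-1 / allow-http, server1-nsg / allow-rdp / allow-nic-http mirror the demo rather than any real subscription. The Internet tag is simplified to "anything outside the VNet", the AzureLoadBalancer tag is resolved to the documented probe source 168.63.129.16, and only new-flow evaluation is modelled (the stateful return-traffic handling the video mentions is out of scope).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # assumed VNet address space (constructed for the demo)
TAGS = {"*": ip_network("0.0.0.0/0"), "VirtualNetwork": VNET,
        "AzureLoadBalancer": ip_network("168.63.129.16/32")}  # documented LB probe source

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str     # "Inbound" | "Outbound"
    access: str        # "Allow" | "Deny"
    protocol: str      # "Tcp" | "Udp" | "Icmp" | "*"
    source: str        # "*", a CIDR, or a service tag
    source_port: str   # "*", "80" or "1000-2000"
    destination: str
    destination_port: str

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _prefix_matches(prefix, addr):
    """'*', the Internet tag (simplified: anything outside the VNet), a known tag, or a CIDR."""
    ip = ip_address(addr)
    if prefix == "Internet":
        return ip not in VNET
    return ip in (TAGS[prefix] if prefix in TAGS else ip_network(prefix, strict=False))

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, hi = (spec.split("-") * 2)[:2]  # "80" -> 80..80, "1000-2000" -> 1000..2000
    return int(lo) <= port <= int(hi)

# The six rules Azure places in every NSG; they cannot be removed, only overridden.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

class Nsg:
    def __init__(self, name, custom):
        self.name = name
        if any(not 100 <= r.priority <= 4096 for r in custom):
            raise ValueError("custom rule priorities must be in 100-4096")
        if len({(r.direction, r.priority) for r in custom}) != len(custom):
            raise ValueError("priorities must be unique per direction")
        self.rules = sorted(custom + DEFAULT_RULES, key=lambda r: r.priority)

    def evaluate(self, flow):
        """Lowest priority number first; the first matching rule ends evaluation."""
        for r in self.rules:
            if (r.direction == flow.direction and r.protocol in ("*", flow.protocol)
                    and _prefix_matches(r.source, flow.src_ip) and _port_matches(r.source_port, flow.src_port)
                    and _prefix_matches(r.destination, flow.dst_ip) and _port_matches(r.destination_port, flow.dst_port)):
                return r
        raise AssertionError("a DenyAll default rule always matches")

def evaluate_path(subnet_nsg, nic_nsg, flow):
    """Inbound: subnet NSG then NIC NSG; outbound: NIC then subnet. A Deny at either hop
    drops the flow, an absent NSG is skipped. Returns (allowed, ["nsg:rule", ...])."""
    order = [subnet_nsg, nic_nsg] if flow.direction == "Inbound" else [nic_nsg, subnet_nsg]
    trace = []
    for nsg in filter(None, order):
        rule = nsg.evaluate(flow)
        trace.append(f"{nsg.name}:{rule.name}")
        if rule.access == "Deny":
            return False, trace
    return True, trace

# Constructed scenario mirroring the video: demo-nsg-1 on the web subnet allows only TCP/80;
# server1-nsg on VM1's NIC allows RDP and HTTP; VM2 sits in the same subnet with no NIC NSG.
DEMO_NSG_1 = Nsg("demo-nsg-1", [Rule("allow-http", 300, "Inbound", "Allow", "Tcp", "*", "*", "*", "80")])
SERVER1_NSG = Nsg("server1-nsg", [
    Rule("allow-rdp", 200, "Inbound", "Allow", "Tcp", "*", "*", "*", "3389"),
    Rule("allow-nic-http", 210, "Inbound", "Allow", "Tcp", "*", "*", "*", "80"),
])
INTERNET_CLIENT, VM1, VM2, PEER_VM = "203.0.113.10", "10.0.1.4", "10.0.1.5", "10.0.2.4"

def tcp(direction, src, dst, dport):
    return Flow(direction, "Tcp", src, 50000, dst, dport)

if __name__ == "__main__":
    for label, nic, f in [
        ("internet -> VM1 RDP", SERVER1_NSG, tcp("Inbound", INTERNET_CLIENT, VM1, 3389)),
        ("internet -> VM1 HTTP", SERVER1_NSG, tcp("Inbound", INTERNET_CLIENT, VM1, 80)),
        ("peer VM -> VM1 RDP", SERVER1_NSG, tcp("Inbound", PEER_VM, VM1, 3389)),
        ("internet -> VM2 HTTP", None, tcp("Inbound", INTERNET_CLIENT, VM2, 80)),
        ("VM1 -> internet HTTPS", SERVER1_NSG, tcp("Outbound", VM1, INTERNET_CLIENT, 443)),
    ]:
        allowed, trace = evaluate_path(DEMO_NSG_1, nic, f)
        print(f"{label:22} {'ALLOW' if allowed else 'DENY':5} via {' -> '.join(trace)}")
```

Running it reproduces the situation at the end of the demo: RDP from the internet is dropped by DenyAllInBound on the subnet-level NSG before the NIC-level allow-rdp is ever consulted, while HTTP passes both hops and an RDP attempt from another VM in the VNet is let through by AllowVnetInBound on the subnet and allow-rdp on the NIC. The trace shows exactly one rule per NSG, which is the "first match stops" behaviour to remember for the exam; the constructor also rejects the two configurations the portal refuses, a priority outside 100-4096 and two rules sharing a priority in the same direction.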
Info
Channel: BeCloudGuru
Views: 3,232
Keywords: Azure Network Security Groups, Azure NSG, Azure Security Groups, NSG in Azure, Security Groups in Azure, NSG, ASG, Security Rules, Default Security Rules, Customized Security Rules, Important points for Azure AZ-104 Exam, Azure Fundamentals AZ-900, For Azure Interviews
Id: f7sTlsjcaxw
Length: 18min 24sec (1104 seconds)
Published: Sun Dec 27 2020