Note: To complete this lab, you will need an Azure subscription in which you have administrative access.

You can use a network security group to filter inbound and outbound network traffic to and from Azure resources in an Azure virtual network. Network security groups contain security rules that filter network traffic by IP address, port, and protocol. When a network security group is associated with a subnet, security rules are applied to resources deployed in that subnet.

Architecture diagram (image not reproduced in this text)


Skilling tasks

  • Create a network security group and security rules.

  • Create application security groups.

  • Create a virtual network and associate a network security group to a subnet.

  • Deploy virtual machines and associate their network interfaces to the application security groups.

  • Test traffic filters.

Exercise instructions

Create an Azure resource group and virtual network.

Note: The following task creates a virtual network with a resource subnet.

  1. Start a browser session and sign in to the Azure portal.

  2. In the search box at the top of the portal, type Virtual networks. Select Virtual networks in the search results.

  3. On the Virtual networks page, select + Create.

  4. On the Basics tab of Create virtual network, enter or select the following information:

     Project details
       Subscription: Select your subscription.
       Resource group: Select Create new, enter az-rg-1, and select OK.
     Instance details
       Virtual network name: Enter vnet-1
       Region: Select (US) East US

  5. Select Next to proceed to the Security tab.

  6. Select Next to proceed to the IP Addresses tab.

  7. In the address space box in Subnets, select the default subnet.

  8. In Edit subnet, enter or select the following information:

     Subnet details
       Subnet template: Leave the default (Default)
       Name: Enter subnet-1
       Starting address: Leave the default of 10.0.0.0
       Subnet size: Leave the default of /24 (256 addresses)

  9. Select Save.

  10. Select Review + create at the bottom of the screen, and when validation passes, select Create.

Create application security groups.

An application security group (ASG) enables you to group together servers with similar functions, such as web servers, so that security rules can target the group instead of individual addresses.

  1. In the search box at the top of the portal, enter Application security group. Select Application security groups in the search results.

  2. Select Create.

  3. On the Basics tab of Create an application security group, enter or select this information:

     Project details
       Subscription: Select your subscription.
       Resource group: Select az-rg-1
     Instance details
       Name: Enter asg-web
       Region: Select East US

  4. Select Review + create.

  5. Select Create.

  6. Repeat the previous steps, specifying the following values:

     Project details
       Subscription: Select your subscription.
       Resource group: Select az-rg-1
     Instance details
       Name: Enter asg-mgmt
       Region: Select East US

  7. Select Review + create.

  8. Select Create.

Create a network security group.

A network security group (NSG) secures network traffic in your virtual network by filtering it with rules based on IP address, port, and protocol.

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

Note: In the search results for Network security groups, you may see Network security groups (classic). Select Network security groups.

  2. Select + Create.

  3. On the Basics tab of Create network security group, enter or select this information:

     Project details
       Subscription: Select your subscription.
       Resource group: Select az-rg-1
     Instance details
       Name: Enter nsg-1
       Region: Select East US

  4. Select Review + create.

  5. Select Create.

Associate the network security group with a subnet.

Note: In this task, you associate the network security group with the subnet of the virtual network you created earlier.

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

  2. Select nsg-1.

  3. Select Subnets from the Settings section of nsg-1.

  4. On the Subnets page, select + Associate.

  5. Under Associate subnet, select vnet-1 (az-rg-1) for Virtual network.

  6. Select subnet-1 for Subnet, and then select OK.

Create security rules for the network security group.

  1. Select Inbound security rules from the Settings section of nsg-1.

  2. On the Inbound security rules page, select + Add.

  3. Create a security rule that allows ports 80 and 443 to the asg-web application security group. On the Add inbound security rule page, enter or select this information:

       Source: Leave the default of Any
       Source port ranges: Leave the default of (*)
       Destination: Select Application security group
       Destination application security groups: Select asg-web
       Service: Leave the default of Custom
       Destination port ranges: Enter 80,443
       Protocol: Select TCP
       Action: Leave the default of Allow
       Priority: Leave the default of 100
       Name: Enter allowweball

  4. Select Add.

  5. Repeat the previous steps with the following information:

       Source: Leave the default of Any
       Source port ranges: Leave the default of (*)
       Destination: Select Application security group
       Destination application security groups: Select asg-mgmt
       Service: Select RDP
       Destination port ranges: Leave the default of 3389
       Protocol: Leave the default of TCP
       Action: Leave the default of Allow
       Priority: Leave the default of 110
       Name: Enter allowrdpall

  6. Select Add.

Create two virtual machines (VMs) in the virtual network you created earlier.

  1. In the portal, search for and select Virtual machines.

  2. In Virtual machines, select + Create, then Azure virtual machine.

  3. In Create a virtual machine, enter or select this information in the Basics tab:

     Project details
       Subscription: Select your subscription
       Resource group: Select az-rg-1
     Instance details
       Virtual machine name: Enter vm-1
       Region: Select (US) East US
       Availability options: Select No infrastructure redundancy required
       Security type: From the Security type drop-down menu, select Standard
       Image: From the Image drop-down menu, select Windows Server 2022 Datacenter: Azure Edition - x64 Gen2
       VM architecture: Leave the default of x64
       Run with Azure Spot discount: Leave the default of unchecked
       Size: Leave the default of Standard_D2s_v3 (2 vcpus, 8 GiB memory)
     Administrator account
       Authentication type: Select Password
       Username: Enter Tenantadmin1
       Password: Enter Superuser#150
       Confirm password: Re-enter Superuser#150
     Inbound port rules
       Public inbound ports: Select None

  4. Select Next: Disks, then Next: Networking.

  5. In the Networking tab, enter or select the following information:

     Network interface
       Virtual network: Select vnet-1
       Subnet: Select subnet-1 (10.0.0.0/24)
       Public IP: Leave the default of a new public IP
       NIC network security group: Select None

  6. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

  7. Select Create. The VM may take a few minutes to deploy.

  8. Create the second virtual machine: repeat the previous steps to create a second virtual machine named vm-2.

  9. Wait for both VMs to complete deployment before advancing to the next section.

Associate network interfaces with the application security groups.

Note: When you created the VMs, Azure created a network interface for each VM, and attached it to the VM. Add the network interface of each VM to one of the application security groups you created previously:

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select vm-1.

  3. Select Networking from the Settings section of vm-1.

  4. Select the Application security groups tab, then select Configure the application security groups.

  5. From the Configure the Application Security Groups template, select asg-mgmt from the Application Security Groups drop-down menu, and then click the Save icon at the top of the template page.

  6. Repeat the previous steps for vm-2, selecting asg-web in the Application security groups drop-down menu.
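The portal steps above, expressed as infrastructure as code. This is an added example written for this page, not part of the lab: a Bicep template that declares the two application security groups, nsg-1 with its two inbound rules targeting them, vnet-1 with subnet-1 associated to the NSG, and one network interface per VM joined to its ASG. The VM resources themselves are omitted; the address space 10.0.0.0/16, the API version 2023-09-01, and the NIC names vm-1-nic and vm-2-nic are assumptions not stated in the lab.

```bicep
// Added example, not part of the original lab: the lab's network resources as a
// Bicep template. Names and ports follow the lab; the vnet address space,
// the API version and the NIC names are assumptions of this example.
param location string = 'eastus' // the lab uses East US

// ASG membership is set per NIC, so rules that target an ASG follow the servers.
resource asgWeb 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {
  name: 'asg-web'
  location: location
}

resource asgMgmt 'Microsoft.Network/applicationSecurityGroups@2023-09-01' = {
  name: 'asg-mgmt'
  location: location
}

// The two inbound rules from the lab; inbound internet traffic not matched here
// falls through to the NSG default rules and is denied.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-1'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allowweball' // HTTP/HTTPS only to members of asg-web
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationPortRanges: [
            '80'
            '443'
          ]
          destinationApplicationSecurityGroups: [
            { id: asgWeb.id }
          ]
        }
      }
      {
        name: 'allowrdpall' // RDP only to members of asg-mgmt
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationPortRange: '3389'
          destinationApplicationSecurityGroups: [
            { id: asgMgmt.id }
          ]
        }
      }
    ]
  }
}

// Associating the NSG with subnet-1 applies the rules to every NIC in it.
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-1'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.0.0.0/16' ] // assumed (portal default)
    }
    subnets: [
      {
        name: 'subnet-1'
        properties: {
          addressPrefix: '10.0.0.0/24'
          networkSecurityGroup: { id: nsg.id }
        }
      }
    ]
  }
}

// One NIC per VM in subnet-1, joined to its ASG (vm-1 -> asg-mgmt,
// vm-2 -> asg-web). NIC names are assumed; the VM resources are omitted.
var nicNames = [ 'vm-1-nic', 'vm-2-nic' ]
var nicAsgIds = [ asgMgmt.id, asgWeb.id ]

resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' = [for (nicName, i) in nicNames: {
  name: nicName
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'subnet-1') }
          applicationSecurityGroups: [ { id: nicAsgIds[i] } ]
        }
      }
    ]
  }
}]
```

Deploy it into the lab's resource group with `az deployment group create --resource-group az-rg-1 --template-file main.bicep`. The design point the template makes explicit is that a server's exposure is decided by which ASG its NIC joins, not by editing the NSG: the RDP rule can only ever reach members of asg-mgmt, and the web rule only members of asg-web, so the check after deployment is that each NIC's ASG membership matches its role. The lab leaves the source of both rules as Any; narrowing the RDP rule's source to a management address range is the usual hardening step on top of this layout.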

Results: You have created a virtual network infrastructure and filtered network traffic with a network security group using the Azure portal.

Note: Please do not remove the resources from this lab, as they are necessary for the following exercises: Exercise 03b - Enabling Just-in-Time Access on VMs, Exercise 05a - Configuring Key Vault Firewall and Virtual Networks, and Exercise 05b - Configuring Azure Key Vault Recovery Management with Soft Delete and Purge Protection.