Note: To complete this lab, you will need an Azure subscription in which you have administrative access.
You can use a network security group to filter inbound and outbound network traffic to and from Azure resources in an Azure virtual network. Network security groups contain security rules that filter network traffic by IP address, port, and protocol. When a network security group is associated with a subnet, security rules are applied to resources deployed in that subnet.
Architecture diagram
Skilling tasks
- Create a network security group and security rules.
- Create application security groups.
- Create a virtual network and associate a network security group to a subnet.
- Deploy virtual machines and associate their network interfaces to the application security groups.
- Test traffic filters.
Exercise instructions
Create an Azure resource group and virtual network.
Note: The following task creates a virtual network with a resource subnet.
- Start a browser session and sign in to the Azure portal menu.
- In the search box at the top of the portal, type Virtual networks. Select Virtual networks in the search results.
- On the Virtual networks page, select + Create.
- On the Basics tab of Create virtual network, enter or select the following information:

  | Setting | Value |
  | --- | --- |
  | Project details | |
  | Subscription | Select your subscription. |
  | Resource group | Select Create new. Enter az-rg-1. Select OK. |
  | Instance details | |
  | Virtual network name | Enter vnet-1 |
  | Region | Select (US) East US |

- Select Next to proceed to the Security tab.
- Select Next to proceed to the IP Addresses tab.
- In the address space box in Subnets, select the default subnet.
- In Edit subnet, enter or select the following information:

  | Setting | Value |
  | --- | --- |
  | Subnet details | |
  | Subnet template | Leave the default Default |
  | Name | Enter subnet-1 |
  | Starting address | Leave the default of 10.0.0.0 |
  | Subnet size | Leave the default of /24 (256 addresses) |

- Select Save.
- Select Review + create at the bottom of the screen, and when validation passes, select Create.
Create application security groups.
An application security group (ASG) enables you to group together servers with similar functions, such as web servers.
- In the search box at the top of the portal, enter Application security group. Select Application security groups in the search results.
- Select Create.
- On the Basics tab of Create an application security group, enter or select this information:

  | Setting | Value |
  | --- | --- |
  | Project details | |
  | Subscription | Select your subscription. |
  | Resource group | Select az-rg-1 |
  | Instance details | |
  | Name | Enter asg-web |
  | Region | Select East US |

- Select Review + create.
- Select Create.
- Repeat the previous steps, specifying the following values:

  | Setting | Value |
  | --- | --- |
  | Project details | |
  | Subscription | Select your subscription. |
  | Resource group | Select az-rg-1 |
  | Instance details | |
  | Name | Enter asg-mgmt |
  | Region | Select East US |

- Select Review + create.
- Select Create.
Create a network security group to secure network traffic in your virtual network.
A network security group (NSG) secures network traffic in your virtual network.
- In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

  Note: In the search results for Network security groups, you may see Network security groups (classic). Select Network security groups.

- Select + Create.
- On the Basics tab of Create network security group, enter or select this information:

  | Setting | Value |
  | --- | --- |
  | Project details | |
  | Subscription | Select your subscription. |
  | Resource group | Select az-rg-1 |
  | Instance details | |
  | Name | Enter nsg-1 |
  | Region | Select East US |

- Select Review + create.
- Select Create.
Associate network security group to subnet
Note: In this task, you associate the network security group with the subnet of the virtual network you created earlier.
- In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.
- Select nsg-1.
- Select Subnets from the Settings section of nsg-1.
- In the Subnets page, select + Associate.
- Under Associate subnet, select vnet-1 (az-rg-1) for Virtual network.
- Select subnet-1 for Subnet, and then select OK.
Create security rules for the network security group you associated with the subnet of the virtual network you created earlier.
- Select Inbound security rules from the Settings section of nsg-1.
- In the Inbound security rules page, select + Add.
- Create a security rule that allows ports 80 and 443 to the asg-web application security group. In the Add inbound security rule page, enter or select this information:

  | Setting | Value |
  | --- | --- |
  | Source | Leave the default of Any |
  | Source port ranges | Leave the default of (*) |
  | Destination | Select Application security group |
  | Destination application security groups | Select asg-web |
  | Service | Leave the default of Custom |
  | Destination port ranges | Enter 80,443 |
  | Protocol | Select TCP |
  | Action | Leave the default of Allow |
  | Priority | Leave the default of 100 |
  | Name | Enter allowweball |

- Select Add.
- Complete the previous steps with the following information:

  | Setting | Value |
  | --- | --- |
  | Source | Leave the default of Any |
  | Source port ranges | Leave the default of (*) |
  | Destination | Select Application security group |
  | Destination application security group | Select asg-mgmt |
  | Service | Select RDP |
  | Destination port ranges | Leave the default of 3389 |
  | Protocol | Leave the default of TCP |
  | Action | Leave the default of Allow |
  | Priority | Leave the default of 110 |
  | Name | Enter allowrdpall |

- Select Add.
Create two virtual machines (VMs) in the virtual network you created earlier.
- In the portal, search for and select Virtual machines.
- In Virtual machines, select + Create, then Azure virtual machine.
- In Create a virtual machine, enter or select this information in the Basics tab:

  | Setting | Value |
  | --- | --- |
  | Project details | |
  | Subscription | Select your subscription |
  | Resource group | Select az-rg-1 |
  | Instance details | |
  | Virtual machine name | Enter vm-1 |
  | Region | Select (US) East US |
  | Availability options | From the Availability Zone drop-down menu, select No infrastructure redundancy required |
  | Security type | From the Security type drop-down menu, select Standard |
  | Image | From the Image drop-down menu, select Windows Server 2022 Datacenter: Azure Edition - x64 Gen2 |
  | VM architecture | Leave the default of x64 |
  | Run with Azure Spot discount | Leave the default of unchecked |
  | Size | Leave the default of Standard_D2s_v3 - 2 vcpus, 8 GiB memory |
  | Administrator account | |
  | Authentication type | Select Password |
  | Username | Enter Tenantadmin1 |
  | Password | Enter Superuser#150 |
  | Confirm password | Reenter Superuser#150 |
  | Inbound port rules | |
  | Public inbound ports | Select None |

- Select Next: Disks, then Next: Networking.
- In the Networking tab, enter or select the following information:

  | Setting | Value |
  | --- | --- |
  | Network interface | |
  | Virtual network | Select vnet-1 |
  | Subnet | Select default (10.0.0.0/24) |
  | Public IP | Leave the default of a new public IP |
  | NIC network security group | Select None |

- Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
- Select Create. The VM may take a few minutes to deploy.

Create the second virtual machine
- Repeat the previous steps to create a second virtual machine named vm-2.
- Wait for the VMs to complete deployment before advancing to the next section.
-
Associate network interfaces to an application security group
Note: When you created the VMs, Azure created a network interface for each VM and attached it to the VM. Add the network interface of each VM to one of the application security groups you created previously:
- In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.
- Select vm-1.
- Select Networking from the Settings section of vm-1.
- Select the Application security groups tab, then select Configure the application security groups.
- From the Configure the Application Security Groups template, select asg-mgmt from the Application Security Groups drop-down menu, and then click the Save icon at the top of the template page.
- Repeat the previous steps for vm-2, selecting asg-web in the Application security groups pull-down menu.
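To make the "Test traffic filters" task concrete, the following added example (not part of the lab and not Microsoft's code) models how nsg-1 evaluates inbound flows against the two VM network interfaces: rules are tried in ascending priority order, the first match decides, and the destination of the two custom rules is an application security group rather than an IP address. The two lab rules (allowweball at 100, allowrdpall at 110) and the ASG memberships (vm-1 in asg-mgmt, vm-2 in asg-web) come from the tasks above; the three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) are Azure's built-in rules. The source tags "Internet", "VirtualNetwork" and "AzureLoadBalancer", and the `Rule` and `evaluate_inbound` names, are constructed simplifications for this example.

```python
# Added example (not part of the lab): a small model of how the lab's NSG
# inbound rules are evaluated against the two VMs' network interfaces.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One NSG inbound rule. Fields mirror the portal's Add inbound security rule form."""
    name: str
    priority: int           # lower number is evaluated first
    protocol: str           # "TCP", "UDP" or "*" (Any)
    source: str             # "*" (Any) or a service tag such as "VirtualNetwork"
    source_ports: str       # "*" in every rule in this lab
    destination: str        # "*", a service tag, or "asg:<name>" for an application security group
    destination_ports: str  # "80,443", "3389", "1000-2000" or "*"
    action: str             # "Allow" or "Deny"


def port_matches(spec: str, port: int) -> bool:
    """True if port is covered by a comma-separated list of ports/ranges, or by '*'."""
    if spec.strip() == "*":
        return True
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


# The two rules the lab adds to nsg-1.
LAB_RULES = [
    Rule("allowweball", 100, "TCP", "*", "*", "asg:asg-web", "80,443", "Allow"),
    Rule("allowrdpall", 110, "TCP", "*", "*", "asg:asg-mgmt", "3389", "Allow"),
]

# Azure's built-in default inbound rules; they sit behind every custom rule and cannot be removed.
DEFAULT_INBOUND_RULES = [
    Rule("AllowVnetInBound", 65000, "*", "VirtualNetwork", "*", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "*", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "*", "Deny"),
]

# ASG membership of each VM's network interface, as configured in the last task.
NIC_ASGS = {"vm-1": {"asg-mgmt"}, "vm-2": {"asg-web"}}


def destination_matches(rule: Rule, nic: str, nic_asgs: dict) -> bool:
    if rule.destination in ("*", "VirtualNetwork"):
        return True  # every NIC in subnet-1 sits inside the VNet address space
    if rule.destination.startswith("asg:"):
        return rule.destination[len("asg:"):] in nic_asgs.get(nic, set())
    return False


def evaluate_inbound(nic: str, source_tag: str, protocol: str, dest_port: int,
                     rules=None, nic_asgs=NIC_ASGS):
    """Return (action, rule name) for the first rule, in priority order, that matches the flow.

    source_tag is "Internet", "VirtualNetwork" or "AzureLoadBalancer": a constructed
    simplification of how Azure matches the Source field of a rule."""
    custom = LAB_RULES if rules is None else rules
    for rule in sorted(custom + DEFAULT_INBOUND_RULES, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.source not in ("*", source_tag):
            continue
        if not destination_matches(rule, nic, nic_asgs):
            continue
        if not port_matches(rule.destination_ports, dest_port):
            continue
        return rule.action, rule.name
    return "Deny", "(no rule matched)"


if __name__ == "__main__":
    # Constructed test flows that mirror the "Test traffic filters" task.
    flows = [("vm-1", "Internet", "TCP", 3389), ("vm-1", "Internet", "TCP", 80),
             ("vm-2", "Internet", "TCP", 443), ("vm-2", "Internet", "TCP", 3389),
             ("vm-2", "VirtualNetwork", "TCP", 3389)]
    for nic, src, proto, port in flows:
        action, name = evaluate_inbound(nic, src, proto, port)
        print(f"{src:>15} -> {nic} {proto}/{port}: {action} ({name})")
```

Running the model shows the intended result of the lab: RDP from the internet reaches vm-1 only because its NIC is in asg-mgmt, HTTP/HTTPS from the internet reaches vm-2 only because its NIC is in asg-web, and everything else falls through to DenyAllInBound. It also shows a caveat worth checking in a real deployment: the lab only adds Allow rules, so traffic between the two VMs (for example vm-2 to vm-1 on 3389) is still permitted by AllowVnetInBound at priority 65000; blocking it requires an explicit Deny rule with a lower priority number. Because the NIC network security group was set to None, only the subnet-level nsg-1 is in play here; when both a subnet NSG and a NIC NSG exist, inbound traffic must be allowed by both.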
Results: You have created a virtual network infrastructure and filtered network traffic with a network security group using the Azure portal.
Note: Please do not remove the resources from this lab, as they are necessary for the following exercises: Exercise 03b - Enabling Just-in-Time Access on VMs, Exercise 05a - Configuring Key Vault Firewall and Virtual Networks, and Exercise 05b - Configuring Azure Key Vault Recovery Management with Soft Delete and Purge Protection.