Azure Resource Groups – NSGs

This post is part 2 of a small series and follows on from https://marckean.com/2016/05/17/azure-resource-groups-networks/. That post covered Azure Resource Groups and splitting all IaaS Azure resources across multiple Resource Groups, both as an easy way to delete a targeted set of resources and to make delegating admin rights easier.

This post focuses on NSGs (Network Security Groups). A quick recap of ARM-based NSGs:

  • An NSG can be applied to a subnet, to a NIC, or to both.
  • Within an NSG, rules are evaluated in priority order (lowest number first) and the first matching rule wins. Where both a subnet NSG and a NIC NSG are in play, inbound traffic is evaluated against the subnet NSG first and then the NIC NSG (outbound is the reverse), and it has to be allowed by both: a deny in either one drops the traffic.
  • Every NSG also carries a set of default rules at priorities 65000 and above, including AllowVnetInBound, which lets any traffic from inside the VNet through unless a higher-priority rule of your own denies it.
  • Each NSG can contain up to 400 rules (the limit at the time of writing; check the current Azure networking limits, as this number has changed over time).
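
To see the subnet-then-NIC evaluation for yourself, here is an added example (not part of the original post, and not the author's script) that attaches a second NSG directly to a VM's NIC and then pulls the effective rules Azure actually enforces on that NIC, grouped by where each NSG is associated. The resource group, NIC and NSG names are assumptions; the cmdlets are the AzureRm ones this post uses (the Az module has since superseded them, e.g. Connect-AzAccount and Get-AzEffectiveNetworkSecurityGroup), and Get-AzureRmEffectiveNetworkSecurityGroup only works while the VM is running.

```powershell
# Added example: attach an NSG to a NIC and inspect the effective (subnet + NIC) rules.
# All names below are assumptions for illustration; adjust them to your environment.
$rgName   = "Show-NSG-DMZ"       # resource group that will hold the NIC-level NSG
$nsgName  = "Demo-NSG-DMZ-NIC"   # assumed NSG name
$nicRG    = "Show-VM"            # assumed resource group of the VM's NIC
$nicName  = "web01-nic"          # assumed NIC name
$location = "australiaeast"

# A NIC-level rule set that is tighter than the subnet NSG: allow HTTP to this NIC only,
# and explicitly deny everything else so the default AllowVnetInBound (65000) does not
# let the rest of the VNet reach this VM.
$allowHttp = New-AzureRmNetworkSecurityRuleConfig -Name allow-http-nic -Description "HTTP to this NIC only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80
$denyRest = New-AzureRmNetworkSecurityRuleConfig -Name deny-all-inbound -Description "Explicit deny ahead of the defaults" `
    -Access Deny -Protocol * -Direction Inbound -Priority 4096 `
    -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *

$nicNsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location -Name $nsgName `
    -SecurityRules $allowHttp, $denyRest

# Associate the NSG with the NIC: set the property on the NIC object, then write it back.
$nic = Get-AzureRmNetworkInterface -ResourceGroupName $nicRG -Name $nicName
$nic.NetworkSecurityGroup = $nicNsg
$nic = Set-AzureRmNetworkInterface -NetworkInterface $nic

# Effective rules: Azure returns one entry per associated NSG (subnet and NIC), each with the
# rules actually in force, default rules included. Inbound traffic must pass the subnet NSG
# first and then the NIC NSG; a deny in either drops the packet.
function Show-EffectiveInboundRules {
    param([string]$ResourceGroupName, [string]$NetworkInterfaceName)
    $effective = Get-AzureRmEffectiveNetworkSecurityGroup -ResourceGroupName $ResourceGroupName `
        -NetworkInterfaceName $NetworkInterfaceName
    # List the subnet-associated NSG first to mirror the inbound evaluation order.
    $ordered = $effective | Sort-Object { if ($_.Association.Subnet) { 0 } else { 1 } }
    foreach ($e in $ordered) {
        $scope = if ($e.Association.Subnet) { "SUBNET" } else { "NIC" }
        Write-Host "`n[$scope] $($e.NetworkSecurityGroup.Id.Split('/')[-1])" -ForegroundColor Cyan
        $e.EffectiveSecurityRules |
            Where-Object Direction -eq Inbound |
            Sort-Object Priority |
            Format-Table Priority, Name, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
    }
}
Show-EffectiveInboundRules -ResourceGroupName $nicRG -NetworkInterfaceName $nicName
```

Read the two tables top to bottom: an inbound packet has to find an Allow in the SUBNET table and then an Allow in the NIC table. If the subnet NSG allows 3389 but the NIC NSG only allows 80, RDP never reaches the VM, which is exactly the layering the recap above describes.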

The target architecture is shown in the diagram below. The PowerShell script that follows sets up two NSGs: one attached to the DMZ subnet and one attached to the Internal subnet, each in its own resource group per part 1 of the series.

[Architecture diagram: ShowNetwork]


#Log into Azure (ARM)
Login-AzureRmAccount
#Choose the subscription to work in
$subscription = (Get-AzureRmSubscription | Out-GridView -Title "Select the Azure subscription that you want to use …" -PassThru).SubscriptionName
Select-AzureRmSubscription -SubscriptionName $subscription
##########################################################################
############################# NSG DMZ #############################
##########################################################################
$mode = "DMZ"
$RGName = "Show-NSG-$mode"
$location = "australiaeast"
####################### | Create the Resource Group | ####################### | @marckean
cls
Write-Host "`n`tCreating the target resource group $RGName (if it doesn't exist already)…" -ForegroundColor Cyan
#region Resource group
if(!(Get-AzureRmResourceGroup -Name $RGName -Location $location -ErrorAction SilentlyContinue)){
New-AzureRmResourceGroup -Name $RGName -Location $location -Force}
#endregion
$DemoNSGname = "Demo-NSG-$mode"
#Virtual Network (lives in its own resource group, per part 1)
$vNetRGName = "Show-vNet"
### Create security rule allowing RDP from the Internet on a non-standard port (the VM must be configured to listen on it)
$DMZrule1 = New-AzureRmNetworkSecurityRuleConfig `
-Name rdpintrule `
-Description "Allow RDP" `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 100 `
-SourceAddressPrefix Internet `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 65234
### Create security rule allowing HTTP from the Internet
$DMZrule2 = New-AzureRmNetworkSecurityRuleConfig `
-Name webintrule `
-Description "Allow HTTP" `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 101 `
-SourceAddressPrefix Internet `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 80
### Add the rules to a new NSG
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RGName -Location $location -Name $DemoNSGname -SecurityRules $DMZrule1,$DMZrule2
### Select VNET
$vnetName = (Get-AzureRmVirtualNetwork -ResourceGroupName $vNetRGName).Name | Out-GridView -Title "Select an Azure VNET …" -PassThru
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $vNetRGName -Name $vnetName
### Select Subnet
$subnetName = $vnet.Subnets.Name | Out-GridView -Title "Select an Azure Subnet …" -PassThru
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName
### Associate NSG to selected Subnet (SubnetConfig edits the in-memory VNet; Set-AzureRmVirtualNetwork commits it to Azure)
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg |
Set-AzureRmVirtualNetwork
##########################################################################
############################# NSG Int #############################
##########################################################################
$mode = "Int"
$RGName = "Show-NSG-$mode"
$location = "australiaeast"
####################### | Create the Resource Group | ####################### | @marckean
cls
Write-Host "`n`tCreating the target resource group $RGName (if it doesn't exist already)…" -ForegroundColor Cyan
#region Resource group
if(!(Get-AzureRmResourceGroup -Name $RGName -Location $location -ErrorAction SilentlyContinue)){
New-AzureRmResourceGroup -Name $RGName -Location $location -Force}
#endregion
$DemoNSGname = "Demo-NSG-$mode"
#Virtual Network (lives in its own resource group, per part 1)
$vNetRGName = "Show-vNet"
### Create security rule allowing RDP from the Internet
### NOTE: as written this exposes RDP on the Internal subnet directly to the Internet; in production restrict SourceAddressPrefix to the DMZ
$INTrule1 = New-AzureRmNetworkSecurityRuleConfig `
-Name rdpintrule `
-Description "Allow RDP" `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 100 `
-SourceAddressPrefix Internet `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 3389
### Create security rule allowing HTTP from the Internet
$INTrule2 = New-AzureRmNetworkSecurityRuleConfig `
-Name webintrule `
-Description "Allow HTTP" `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 101 `
-SourceAddressPrefix Internet `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 80
### Add the rules to a new NSG
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RGName -Location $location -Name $DemoNSGname -SecurityRules $INTrule1,$INTrule2
### Select vNET
$vnetName = (Get-AzureRmVirtualNetwork -ResourceGroupName $vNetRGName).Name | Out-GridView -Title "Select an Azure VNET …" -PassThru
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $vNetRGName -Name $vnetName
### Select Subnet
$subnetName = $vnet.Subnets.Name | Out-GridView -Title "Select an Azure Subnet …" -PassThru
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName
### Associate NSG to selected Subnet (SubnetConfig edits the in-memory VNet; Set-AzureRmVirtualNetwork commits it to Azure)
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg |
Set-AzureRmVirtualNetwork
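
As written, the Internal NSG above opens 3389 and 80 from the Internet to the Internal subnet, which defeats the point of having a DMZ in front of it. The following is an added example, not from the original post: it re-reads the Internal NSG the script created, replaces the Internet-sourced RDP rule with one that only accepts RDP from the DMZ subnet's address prefix, drops the Internet HTTP rule entirely, and adds an explicit deny ahead of the default AllowVnetInBound rule (priority 65000) so that nothing else in the VNet reaches Internal by default. The VNet and subnet names are assumptions; the resource group and NSG names follow the script's own naming.

```powershell
# Added example: tighten the Internal NSG created by the script above.
# $vnetName and $dmzSubnet are assumptions; the rest follows the post's naming.
$vNetRGName = "Show-vNet"
$vnetName   = "Show-vNet"        # assumption: the VNet the script attached the NSG to
$dmzSubnet  = "DMZ"              # assumption: the subnet that holds the jump hosts
$intNsg     = Get-AzureRmNetworkSecurityGroup -ResourceGroupName "Show-NSG-Int" -Name "Demo-NSG-Int"

# Source prefix for RDP: read the DMZ subnet's CIDR from the VNet instead of hard-coding it.
$vnet      = Get-AzureRmVirtualNetwork -ResourceGroupName $vNetRGName -Name $vnetName
$dmzPrefix = (Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $dmzSubnet).AddressPrefix

# Remove the two Internet-facing rules the script created (skip silently if already gone).
foreach ($ruleName in 'rdpintrule', 'webintrule') {
    if ($intNsg.SecurityRules | Where-Object Name -eq $ruleName) {
        $intNsg = Remove-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $intNsg -Name $ruleName
    }
}

# RDP only from the DMZ subnet; everything else on 3389 falls through to the deny below.
$intNsg = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $intNsg -Name rdp-from-dmz `
    -Description "RDP from DMZ jump hosts only" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $dmzPrefix -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389

# Explicit deny at 4096 (the lowest user priority) wins over the default AllowVnetInBound (65000)
# and AllowAzureLoadBalancerInBound (65001), so intra-VNet traffic is no longer implicitly trusted.
$intNsg = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $intNsg -Name deny-all-inbound `
    -Description "Deny everything not explicitly allowed above" -Access Deny -Protocol * -Direction Inbound -Priority 4096 `
    -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *

# Nothing is applied until the NSG object is written back to Azure.
$intNsg = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $intNsg

# Review: any Allow rule whose SourceAddressPrefix is Internet or * on an internal NSG is a red flag.
$intNsg.SecurityRules | Sort-Object Priority |
    Format-Table Priority, Name, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

Two caveats on the explicit deny: it also blocks the AzureLoadBalancer health probes covered by the 65001 default, so a VM behind an Azure load balancer needs an Allow for the AzureLoadBalancer tag at a priority above 4096; and it applies to inbound only, so outbound from Internal is still governed by the default rules until you add your own.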
