Network Security Groups (NSGs) and Application Security Groups (ASGs) are core network-filtering controls in Microsoft Azure. Creating and configuring them gives administrators granular control over which traffic may reach or leave their resources, substantially strengthening the security posture of an Azure deployment.
Network Security Groups (NSGs)
A Network Security Group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to an Azure Virtual Network (VNet). Each rule is made up of a priority, a source and destination (address and port range), a protocol, and an allow or deny action. Given their significance in controlling traffic, understanding how to create and configure NSGs is pivotal for anyone preparing for the AZ-104 Microsoft Azure Administrator exam.
Creating and Configuring NSGs:
To create an NSG using Azure portal, follow these steps:
- Log in to the Azure portal, select ‘Create a resource’, then select ‘Networking’ > ‘Network security group’.
- Provide the necessary information: Name the NSG, select the Azure Subscription, resource group, and location.
- Click ‘Create’.
Below is the PowerShell command to create an NSG:
New-AzNetworkSecurityGroup -ResourceGroupName "ExampleRg" -Location "East US" -Name "exampleNsg"
After creating an NSG, you can begin defining security rules. Navigate to your NSG in the portal, select ‘Inbound security rules’ or ‘Outbound security rules’, then ‘Add’. Fill in the information required, then click ‘Add’.
Regarding priority, a lower number indicates a higher priority. Plan your numbering scheme carefully: for a given packet, Azure applies the first rule that matches in ascending priority order (the lowest number), and no later rule is evaluated.
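The following Az PowerShell script is an added example, not code from the original article or from Microsoft: it builds an NSG with two ordered rules, attaches it to a subnet, and then prints the rules in evaluation order plus the effective rules a NIC actually enforces. The resource names ExampleRg, exampleVnet, webSubnet and exampleVmNic are assumed placeholders.

```powershell
# Added example (not from the original article): build an NSG with an explicit
# rule set, attach it to a subnet, then inspect what a NIC actually enforces.
# Resource names (ExampleRg, exampleVnet, webSubnet, exampleVmNic) are assumed.
$rg       = 'ExampleRg'
$location = 'East US'

# Priorities decide evaluation order: the lowest number that matches wins and
# processing stops. 100 narrowly allows HTTPS; 110 blocks management ports from
# the Internet so that a broader allow added later (higher number) cannot expose them.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-Inbound' `
    -Description 'Public HTTPS to the web tier' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 443

$denyMgmt = New-AzNetworkSecurityRuleConfig -Name 'Deny-Mgmt-From-Internet' `
    -Description 'RDP/SSH must come through a jump host, never from the Internet' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22, 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'exampleNsg' -SecurityRules $allowHttps, $denyMgmt

# Associate the NSG with a subnet (a subnet accepts exactly one NSG).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'exampleVnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'webSubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'webSubnet' `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check 1: custom and default rules in the order Azure evaluates them.
@($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
    Sort-Object Priority |
    Format-Table Priority, Name, Direction, Access, Protocol, DestinationPortRange

# Check 2: the effective rules on a NIC combine its own NSG with the subnet NSG,
# which is what to look at when traffic is unexpectedly allowed or dropped.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName 'exampleVmNic' |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Format-Table Priority, Name, Direction, Access, Protocol, DestinationPortRange
```

Run this in a session where Connect-AzAccount has already succeeded. The second check is the one to reach for when a VM behaves differently from what its own NSG suggests: it shows the merged result of the NIC-level and subnet-level groups, including the default rules at priorities 65000 and above.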
Application Security Groups (ASGs)
While NSG rules written against IP addresses and ports work well for static infrastructure, Application Security Groups (ASGs) let you group the network interfaces of virtual machines by application role and reference those groups as the source or destination of NSG rules. This keeps rules readable and stable as servers are added or removed, simplifying security management for applications with a large number of servers.
Creating and Configuring ASGs:
To create an ASG, follow these steps:
- Log in to the Azure portal, then select ‘+ Create a resource’.
- In the ‘Search the Marketplace’ box, type ‘Application security group’ and select it.
- Click ‘Create’, type the name of the new ASG, then choose the subscription, resource group, and location.
- Click ‘Create’.
Below is the PowerShell command to create an ASG:
New-AzApplicationSecurityGroup -Name "exampleAsg" -ResourceGroupName "ExampleRg" -Location "East US"
Once your ASG is created, you can assign it to the network interfaces of virtual machines. Navigate to the virtual machine that you want to assign the ASG to, select ‘Networking’, then select the network interface. In the ‘Settings’ menu, select ‘Application security groups’, then ‘Configure the application security groups’, and select the ASG you created.
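The script below is an added example and not code from the original article or from Microsoft. It creates a web-tier and a database-tier ASG, puts two existing NICs into them, and writes NSG rules against the groups rather than against addresses, so scaling a tier out or in never requires editing a rule. The names ExampleRg, exampleNsg, webVmNic and dbVmNic are assumed placeholders, and exampleNsg is assumed to already be associated with the subnet or NICs that host the database tier.

```powershell
# Added example (not from the original article): group the web and database
# tiers with ASGs and write NSG rules against the groups instead of IP addresses.
# Names (ExampleRg, exampleNsg, webVmNic, dbVmNic) are assumed placeholders.
$rg       = 'ExampleRg'
$location = 'East US'

$webAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Location $location -Name 'webAsg'
$dbAsg  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Location $location -Name 'dbAsg'

# Membership is set on the NIC's IP configuration; a NIC may belong to several ASGs,
# but all NICs in one ASG must live in the same virtual network.
foreach ($pair in @(@{ Nic = 'webVmNic'; Asg = $webAsg }, @{ Nic = 'dbVmNic'; Asg = $dbAsg })) {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $pair.Nic
    $nic.IpConfigurations[0].ApplicationSecurityGroups = @($pair.Asg)
    $nic | Set-AzNetworkInterface | Out-Null
}

# Rules reference the groups. When an ASG is used as source or destination the
# corresponding -*AddressPrefix parameter must be omitted.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'exampleNsg'

$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-Web-To-Sql' `
    -Description 'Only the web tier may open SQL connections to the database tier' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceApplicationSecurityGroup $webAsg -SourcePortRange * `
    -DestinationApplicationSecurityGroup $dbAsg -DestinationPortRange 1433 | Out-Null

# Everything else reaching the database tier from inside the VNet is denied
# explicitly; without this, the default AllowVnetInBound rule (65000) would let
# any VM in the VNet talk to the database servers.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-Other-To-Db' `
    -Description 'Close the database tier to all other VNet traffic' `
    -Access Deny -Protocol * -Direction Inbound -Priority 210 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationApplicationSecurityGroup $dbAsg -DestinationPortRange * | Out-Null

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Check: which ASGs each NIC in the resource group now belongs to.
Get-AzNetworkInterface -ResourceGroupName $rg | ForEach-Object {
    [pscustomobject]@{
        Nic  = $_.Name
        Asgs = ($_.IpConfigurations.ApplicationSecurityGroups.Id |
                ForEach-Object { ($_ -split '/')[-1] }) -join ', '
    }
}
```

The explicit deny at priority 210 is the part most often forgotten: an allow rule for the web tier does not by itself stop other VNet members from reaching the database, because the default rules permit all intra-VNet traffic. The ASGs referenced in a rule must be in the same region as the NSG.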
In conclusion, NSGs and ASGs are powerful tools for securing your network resources on Azure and are crucial knowledge areas for the AZ-104 Microsoft Azure Administrator exam. While NSGs help govern traffic flow based on IP addresses and ports, ASGs bring application-based traffic management into play, drastically simplifying the process for larger applications. Together, they can create a resilient shield to protect your Azure resources.
Practice Test
True or False: Network Security Groups (NSGs) in Azure can be associated with both subnets and individual network interfaces attached to virtual machines.
- Answer: True
Explanation: NSGs can be associated with either subnets or individual network interfaces attached to virtual machines, providing flexibility to have different rulesets for different scopes within Azure.
Which of the following is NOT a feature of Application Security Groups (ASGs) in Azure?
- a) Efficient network security policy management
- b) Allows grouping of servers with similar port filtering requirements
- c) Allows grouping of servers with similar storage requirements
- d) Simplification of the security rules management
Answer: c) Allows grouping of servers with similar storage requirements
Explanation: ASGs in Azure are used for grouping servers with similar network security policy requirements, not storage requirements.
True or False: By default, Azure creates an NSG when you create a VM but does not create any inbound or outbound security rules.
- Answer: False
Explanation: By default, Azure creates an NSG with some rules when you create a VM to allow RDP/SSH access and Internet connectivity.
NSGs in Azure contain rules that allow or deny traffic to resources based on ____
- a) Protocol
- b) Source and destination IP address
- c) Source and destination port
- d) All of the above
Answer: d) All of the above
Explanation: NSG rules in Azure allow or deny network traffic based on source and destination IP address, port, and protocol.
You can use NSGs in Azure to filter traffic to and from Azure resources in an Azure virtual network. Which Azure object can you associate with NSGs?
- a) A single resource
- b) One or more subnets
- c) One or more network interfaces
- d) Both b) and c)
Answer: d) Both b) and c)
Explanation: NSGs can be associated with either subnets within the Virtual network or individual network interfaces attached to the virtual machines.
True or False: Azure automatically configures a network interface when you create a VM.
- Answer: True
Explanation: When you define a VM, Azure creates and attaches a new network interface with default settings.
You are viewing the list of inbound security rules for your network security group. The Priority column lists numbers from 100 to A rule with Priority 100 indicates ____
- a) A lower priority rule
- b) A higher priority rule
Answer: b) A higher priority rule
Explanation: The lower the number in the Priority field, the higher the priority of the rule. Priority 100 takes precedence over Priority
Which Azure service allows you to group virtual machines and define network security policies based on those groups?
- a) Azure Networking
- b) Azure Application Security Groups
- c) Azure Security Center
- d) Azure Active Directory
Answer: b) Azure Application Security Groups
Explanation: Azure ASG is used to group VMs and define network security policies based on those groups.
True or False: Both NSGs and ASGs can be used to filter and control inbound and outbound traffic in an Azure virtual network.
- Answer: True
Explanation: Both NSGs and ASGs can be used to control inbound and outbound traffic, providing a strategy to filter the type of traffic that can flow in and out of Azure virtual networks.
How many NSGs can you associate with a subnet in Azure?
- a) One
- b) Two
- c) Three
- d) Four
Answer: a) One
Explanation: Only one NSG can be associated with a subnet in Azure.
Interview Questions
What is the purpose of Network Security Groups (NSGs) in Microsoft Azure?
Network Security Groups (NSGs) are used to filter network traffic to and from Azure resources within an Azure virtual network.
What are the two types of security rules that can be associated with a Network Security Group (NSG)?
The two types of security rules associated with an NSG are inbound security rules and outbound security rules.
What is the role of an Application Security Group (ASG) in Azure?
Application Security Groups (ASGs) in Azure are used to group virtual machines and define network security policies based on those groups.
Can you provide an example of when to use an Application Security Group (ASG)?
ASGs might be used when different tiers of a multi-tier application are deployed onto a single subnet. They help keep security rules consistent even as virtual machines are added or removed.
How many Network Security Groups (NSGs) can you apply to a network interface?
Only one Network Security Group can be applied to a network interface.
What are the five tuple elements that rules of a Network Security Group consist of?
The five tuple elements in a Network Security Group are source IP address, source port, destination IP address, destination port, and protocol.
Can you edit or delete default security rules in a Network Security Group?
No, default security rules in a Network Security Group cannot be deleted or edited.
What happens when both a subnet and network interface have a Network Security Group associated with them?
Both Network Security Groups are applied to the network traffic, starting with the network interface and then followed by the subnet.
How is traffic allowed or denied in Network Security Groups and Application Security Groups?
Traffic is allowed or denied in NSGs and ASGs based on the priority of the rules. The rules are processed in priority order, with lower numbers processed before higher numbers.
Which ports must be open for Azure Load Balancer and Azure Application Gateway?
Port 1688 (for KMS), port 1194 (for VPN), port 8200-8202 (for service fabric), and port 53 (for DNS) should be open for Azure Load Balancer and Azure Application Gateway.
Can you apply both Network Security Groups and Application Security Groups to the same resource?
Yes, you can apply one Network Security Group and multiple Application Security Groups to a resource such as a virtual network interface.
Can you provide an example of how to use tags with NSGs to simplify management?
Tags can be applied to NSGs to categorize them based on risk profile, security level, or department. This can make it easier to filter and manage the rules associated with each NSG.
What happens when two rules in an NSG conflict?
When there is a conflict between two rules in an NSG, the rule with the lower priority number is processed first. Consequently, the rule with the higher number does not take effect.
What tools can you use to troubleshoot Network Security Group rules?
You can use tools like Azure Network Watcher’s NSG flow logs or Azure Advisor to troubleshoot Network Security Group rules.
What is the protocol “Any” when configuring an NSG rule?
The protocol “Any” refers to allowing any transport protocol, including TCP, UDP and others.