Azure Resource Groups – NSGs

This post is part 2 of a small series and follows on from https://marckean.com/2016/05/17/azure-resource-groups-networks/ That post discussed Azure Resource Groups and splitting all IaaS Azure resources across multiple Azure Resource Groups, which gives you an easy way to delete targeted resources and makes delegating admin easier.

This post focuses on NSGs (Network Security Groups). A quick recap of ARM-based NSGs:

  • You can apply an NSG to either a subnet or a NIC
  • NSG rules are applied in order: the NSG attached to the virtual network subnet is evaluated first, then the NSG attached to the NIC. Once a rule matches, that rule's action is taken
  • Each NSG can contain up to 400 rules

The target architecture diagram below shows what we're building in Azure. The PowerShell script further below fully sets up two NSGs: one attached to the DMZ subnet and the other attached to the Internal subnet.

[Figure: ShowNetwork – target architecture diagram]

#Log in to Azure (Resource Manager)
Login-AzureRmAccount
 
#Choose subscription 'new' Azure
$subscription = (Get-AzureRmSubscription | Out-GridView -Title "Select the Azure subscription that you want to use ..." -PassThru).SubscriptionName
Select-AzureRmSubscription -SubscriptionName $subscription
 
##########################################################################
#############################    NSG DMZ     #############################
##########################################################################
 
$mode = "DMZ"
$RGName = "Show-NSG-$mode"
$location = "australiaeast"
 
####################### | Create the Resource Group | ####################### | @marckean
cls
Write-Host "`n`tCreating the target resource group $RGName (if it doesn't exist already)..." -ForegroundColor Cyan
#region
if(!(Get-AzureRmResourceGroup -Name $RGName -Location $location -ErrorAction SilentlyContinue)){
New-AzureRmResourceGroup -Name $RGName -Location $location -Force}
#endregion
 
$DemoNSGname = "Demo-NSG-$mode"
#Virtual Network
$vNetRGName = "Show-vNet"
 
### Create security rule allowing RDP from the Internet
$DMZrule1 = New-AzureRmNetworkSecurityRuleConfig `
            -Name rdp-int-rule `
            -Description "Allow RDP" `
            -Access Allow `
            -Protocol Tcp `
            -Direction Inbound `
            -Priority 100 `
            -SourceAddressPrefix Internet `
            -SourcePortRange * `
            -DestinationAddressPrefix * `
            -DestinationPortRange 65234
 
### Create security rule allowing HTTP from the Internet
$DMZrule2 = New-AzureRmNetworkSecurityRuleConfig `
            -Name web-int-rule `
            -Description "Allow HTTP" `
            -Access Allow `
            -Protocol Tcp `
            -Direction Inbound `
            -Priority 101 `
            -SourceAddressPrefix Internet `
            -SourcePortRange * `
            -DestinationAddressPrefix * `
            -DestinationPortRange 80
 
### Add the rules to a new NSG
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RGName -Location $location -Name $DemoNSGname -SecurityRules $DMZrule1,$DMZrule2
 
### Select VNET
$vnetName = (Get-AzureRmVirtualNetwork -ResourceGroupName $vNetRGName).Name | Out-GridView -Title "Select an Azure VNET …" -PassThru
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $vNetRGName -Name $vnetName
 
### Select Subnet
$subnetName = $vnet.Subnets.Name | Out-GridView -Title "Select an Azure Subnet …" -PassThru
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName
 
### Associate NSG to selected Subnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg |
Set-AzureRmVirtualNetwork
 
##########################################################################
#############################    NSG Int     #############################
##########################################################################
 
$mode = "Int"
$RGName = "Show-NSG-$mode"
$location = "australiaeast"
 
####################### | Create the Resource Group | ####################### | @marckean
cls
Write-Host "`n`tCreating the target resource group $RGName (if it doesn't exist already)..." -ForegroundColor Cyan
#region
if(!(Get-AzureRmResourceGroup -Name $RGName -Location $location -ErrorAction SilentlyContinue)){
New-AzureRmResourceGroup -Name $RGName -Location $location -Force}
#endregion
 
$DemoNSGname = "Demo-NSG-$mode"
#Virtual Network
$vNetRGName = "Show-vNet"
 
### Create security rule allowing RDP from the Internet
$INTrule1 = New-AzureRmNetworkSecurityRuleConfig `
            -Name rdp-int-rule `
            -Description "Allow RDP" `
            -Access Allow `
            -Protocol Tcp `
            -Direction Inbound `
            -Priority 100 `
            -SourceAddressPrefix Internet `
            -SourcePortRange * `
            -DestinationAddressPrefix * `
            -DestinationPortRange 3389
 
### Create security rule allowing HTTP from the Internet
$INTrule2 = New-AzureRmNetworkSecurityRuleConfig `
            -Name web-int-rule `
            -Description "Allow HTTP" `
            -Access Allow `
            -Protocol Tcp `
            -Direction Inbound `
            -Priority 101 `
            -SourceAddressPrefix Internet `
            -SourcePortRange * `
            -DestinationAddressPrefix * `
            -DestinationPortRange 80
 
### Add the rules to a new NSG
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RGName -Location $location -Name $DemoNSGname -SecurityRules $INTrule1,$INTrule2
 
### Select vNET
$vnetName = (Get-AzureRmVirtualNetwork -ResourceGroupName $vNetRGName).Name | Out-GridView -Title "Select an Azure VNET …" -PassThru
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $vNetRGName -Name $vnetName
 
### Select Subnet
$subnetName = $vnet.Subnets.Name | Out-GridView -Title "Select an Azure Subnet …" -PassThru
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName
 
### Associate NSG to selected Subnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg |
Set-AzureRmVirtualNetwork
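To make the rule-ordering recap at the top of the post concrete, and to give you a quick check to run once the script above has built the two NSGs, here is an added example that is not part of the original post. It is a small offline model of how Azure evaluates an inbound flow: within one NSG, rules are tried from the lowest Priority number upward and the first match decides; if no custom rule matches, the built-in default rules decide (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500). For a subnet NSG plus a NIC NSG, the subnet NSG is consulted first and only traffic it allows is then checked against the NIC NSG. The service-tag handling (`Internet`, `VirtualNetwork`, `AzureLoadBalancer`) is an approximation of my own, the function names are mine, the sample rules are constructed to mirror the Int section of the script, and the rule objects deliberately use the same property names as `New-AzureRmNetworkSecurityRuleConfig` output so that `$nsg.SecurityRules` from a real NSG can be passed in unchanged.

```powershell
# Added example (not code from the original post): offline model of NSG inbound
# rule evaluation, plus a post-deployment check for Internet-reachable ports.
# Assumptions: service tags are approximated as described in the comments below.

function Test-NsgPort {
    # Does a DestinationPortRange value ('*', '80' or '3000-4000') cover $Port?
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    return ([int]$Range -eq $Port)
}

function Test-NsgPrefix {
    # Does a SourceAddressPrefix (service tag, single IP or CIDR) cover $Ip?
    # Approximation: 'Internet' = anything outside RFC 1918 space,
    # 'VirtualNetwork' = RFC 1918 space, 'AzureLoadBalancer' = 168.63.129.16.
    param([string]$Prefix, [string]$Ip)
    $isPrivate = $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    switch ($Prefix) {
        '*'                 { return $true }
        'Internet'          { return (-not $isPrivate) }
        'VirtualNetwork'    { return $isPrivate }
        'AzureLoadBalancer' { return ($Ip -eq '168.63.129.16') }
    }
    # Single address or CIDR: compare the network bits under the prefix mask
    $net, $bits = $Prefix -split '/'
    if (-not $bits) { $bits = 32 }
    $toLong = { param($a) $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes(); [Array]::Reverse($b); [long][BitConverter]::ToUInt32($b, 0) }
    $mask = (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return (((& $toLong $Ip) -band $mask) -eq ((& $toLong $net) -band $mask))
}

function Get-NsgVerdict {
    # First-match evaluation of one NSG's inbound rules, with the default rules appended.
    param([object[]]$Rules, [string]$SourceIp, [int]$DestinationPort, [string]$Protocol = 'Tcp')
    $defaults = @(
        [pscustomobject]@{ Name='AllowVnetInBound';              Priority=65000; Access='Allow'; Protocol='*'; SourceAddressPrefix='VirtualNetwork';    DestinationPortRange='*' }
        [pscustomobject]@{ Name='AllowAzureLoadBalancerInBound'; Priority=65001; Access='Allow'; Protocol='*'; SourceAddressPrefix='AzureLoadBalancer'; DestinationPortRange='*' }
        [pscustomobject]@{ Name='DenyAllInBound';                Priority=65500; Access='Deny';  Protocol='*'; SourceAddressPrefix='*';                 DestinationPortRange='*' }
    )
    $ordered = @($Rules | Where-Object { $_.Direction -eq 'Inbound' }) + $defaults | Sort-Object Priority
    foreach ($r in $ordered) {
        if (($r.Protocol -eq '*' -or $r.Protocol -eq $Protocol) -and
            (Test-NsgPrefix $r.SourceAddressPrefix $SourceIp) -and
            (Test-NsgPort $r.DestinationPortRange $DestinationPort)) {
            return [pscustomobject]@{ Access = $r.Access; MatchedRule = $r.Name; Priority = $r.Priority }
        }
    }
}

function Test-InboundFlow {
    # Subnet NSG first; only traffic it allows goes on to the NIC NSG (if one is attached).
    param([object[]]$SubnetRules, [object[]]$NicRules, [string]$SourceIp, [int]$DestinationPort, [string]$Protocol = 'Tcp')
    $verdict = Get-NsgVerdict -Rules $SubnetRules -SourceIp $SourceIp -DestinationPort $DestinationPort -Protocol $Protocol
    if ($verdict.Access -ne 'Allow' -or -not $PSBoundParameters.ContainsKey('NicRules')) { return $verdict }
    return Get-NsgVerdict -Rules $NicRules -SourceIp $SourceIp -DestinationPort $DestinationPort -Protocol $Protocol
}

function Find-InternetReachablePorts {
    # Post-deployment check: which management ports does this NSG let in from the Internet?
    # 198.51.100.1 (TEST-NET-2) stands in for an arbitrary Internet source address.
    param([object[]]$Rules, [int[]]$Ports = @(22, 3389, 5985, 5986))
    foreach ($p in $Ports) {
        $v = Get-NsgVerdict -Rules $Rules -SourceIp '198.51.100.1' -DestinationPort $p
        if ($v.Access -eq 'Allow') { [pscustomobject]@{ Port = $p; Rule = $v.MatchedRule; Priority = $v.Priority } }
    }
}

# Constructed sample input: the two rules the Int section of the script creates.
$intRules = @(
    [pscustomobject]@{ Name='rdp-int-rule'; Priority=100; Direction='Inbound'; Access='Allow'; Protocol='Tcp'; SourceAddressPrefix='Internet'; DestinationPortRange='3389' }
    [pscustomobject]@{ Name='web-int-rule'; Priority=101; Direction='Inbound'; Access='Allow'; Protocol='Tcp'; SourceAddressPrefix='Internet'; DestinationPortRange='80' }
)
Test-InboundFlow -SubnetRules $intRules -SourceIp '203.0.113.7' -DestinationPort 80    # matched by a custom rule
Test-InboundFlow -SubnetRules $intRules -SourceIp '203.0.113.7' -DestinationPort 443   # falls through to the default rules
Test-InboundFlow -SubnetRules $intRules -SourceIp '10.0.2.4'    -DestinationPort 445   # VNet-sourced, default rules apply
Find-InternetReachablePorts -Rules $intRules

# Against the NSG the script created (needs the same AzureRm login as the script):
# Find-InternetReachablePorts -Rules (Get-AzureRmNetworkSecurityGroup -ResourceGroupName 'Show-NSG-Int' -Name 'Demo-NSG-Int').SecurityRules
```

The last three `Test-InboundFlow` calls show the three outcomes worth understanding: a custom rule matching first, a flow that no custom rule covers and so reaches `DenyAllInBound`, and a VNet-sourced flow that is let through by `AllowVnetInBound` even though no custom rule mentions it. `Find-InternetReachablePorts` is the check to run after the script: on the Int NSG it will report `rdp-int-rule` on 3389, which is what the demo script intends, but in a real deployment that is the rule whose `-SourceAddressPrefix` you would narrow from `Internet` to your management address range.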