- Azure for Architects
- Ritesh Modi
- 2021-07-02 13:17:16
Network Security Groups
The bare minimum of an IaaS deployment consists of virtual machines and virtual networks. A virtual machine might be exposed to the internet by assigning a public IP to its network interface, or it might be available to internal resources only; those internal resources may in turn be exposed to the internet. In either case, virtual machines should be secured so that unauthorized requests do not even reach them. Rather than letting requests reach a virtual machine and having it decide what to do with them, requests should be filtered on the network itself, ring-fencing the virtual machines. This fence can allow or deny requests depending on their protocol, source IP, destination IP, source port, and destination port. In Azure this feature is provided by the Network Security Group (NSG) resource. An NSG is composed of rules that are evaluated for both incoming and outgoing requests, and the outcome of that evaluation determines whether a request is allowed or denied.
NSGs are flexible and can be applied to a virtual network subnet or to individual network interfaces. When applied to a subnet, the security rules apply to every resource on that subnet, that is, virtual machines or load balancers, while applying them to a network interface affects only the requests for that interface. It is also possible to apply NSGs to both subnets and network interfaces simultaneously. Typically, this design is used to apply common security rules at the subnet level and unique, resource-specific rules at the network interface level, which keeps the security rules modular and easier to reason about.
The flow for evaluating NSG rules is shown in the following diagram:
Azure provides a few default rules out of the box. These are very important and come in handy when deployments need rules covering requests from or to the internet, the virtual network, and the load balancers. The IP addresses of these resources change constantly, and the default rules provide an abstraction so that the IP addresses do not have to be referenced directly.
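As an added example (not code from the book), the following Python simulation walks through the evaluation described above: rules are checked in ascending priority order, the first match decides, and an inbound request must be allowed by the subnet NSG and then by the NIC NSG. The VNet range used to resolve the VirtualNetwork tag, the custom rules and the sample packets are constructed assumptions; the three default inbound rules are Azure's real ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags resolved for this simulation only: the VNet is assumed to be 10.0.0.0/16;
# 168.63.129.16 is the source address of Azure load-balancer health probes.
TAGS = {"VirtualNetwork": "10.0.0.0/16", "AzureLoadBalancer": "168.63.129.16/32", "Internet": "0.0.0.0/0"}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first; the first match ends evaluation
    access: str          # "Allow" or "Deny"
    protocol: str = "*"  # "Tcp", "Udp" or "*"
    src: str = "*"       # CIDR, service tag or "*"
    src_port: str = "*"  # single port, "lo-hi" range or "*"
    dst: str = "*"
    dst_port: str = "*"

def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "*" or ip_address(addr) in ip_network(TAGS.get(pattern, pattern))

def _port_match(pattern: str, port: int) -> bool:
    lo, _, hi = pattern.partition("-")
    return pattern == "*" or int(lo) <= port <= int(hi or lo)

def evaluate(rules: list[Rule], pkt: dict) -> tuple[str, str]:
    """Walk the rules by ascending priority and return (access, rule name) of the first match."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", pkt["proto"])
                and _addr_match(r.src, pkt["src"]) and _port_match(r.src_port, pkt["sport"])
                and _addr_match(r.dst, pkt["dst"]) and _port_match(r.dst_port, pkt["dport"])):
            return r.access, r.name
    return "Deny", "<no match>"  # not reached while the default DenyAllInBound rule is present

def inbound_allowed(subnet_nsg: list[Rule], nic_nsg: list[Rule], pkt: dict) -> bool:
    """Inbound traffic is checked by the subnet NSG first, then by the NIC NSG; both must allow."""
    return all(evaluate(nsg, pkt)[0] == "Allow" for nsg in (subnet_nsg, nic_nsg))

# Azure's default inbound rules at their real priorities (custom rules use lower numbers)
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", src="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
]
# Constructed design: the common rule (HTTPS from the internet) sits on the subnet NSG and the
# VM-specific rule on the NIC NSG; without the NIC rule the default DenyAllInBound drops the request.
SUBNET_NSG = [Rule("AllowHttpsInBound", 100, "Allow", "Tcp", src="Internet", dst_port="443")] + DEFAULT_INBOUND
NIC_NSG = [Rule("AllowHttpsToWeb01", 100, "Allow", "Tcp", dst="10.0.1.4/32", dst_port="443")] + DEFAULT_INBOUND

# Constructed sample packets: one from the internet, one from another subnet of the same VNet
HTTPS_FROM_INTERNET = {"proto": "Tcp", "src": "203.0.113.5", "sport": 51000, "dst": "10.0.1.4", "dport": 443}
SSH_FROM_VNET = {"proto": "Tcp", "src": "10.0.2.7", "sport": 40000, "dst": "10.0.1.4", "dport": 22}

if __name__ == "__main__":
    for pkt in (HTTPS_FROM_INTERNET, SSH_FROM_VNET):
        print(pkt["dport"], evaluate(SUBNET_NSG, pkt), evaluate(NIC_NSG, pkt), inbound_allowed(SUBNET_NSG, NIC_NSG, pkt))
```

Replacing NIC_NSG with DEFAULT_INBOUND alone shows the point of the two-level design: the subnet NSG allows the HTTPS request, but the NIC NSG's DenyAllInBound still rejects it.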