Azure Virtual Networks – Filtering traffic using NSG

In the last few posts, I have tried to cover the basic concepts that are required for the hands-on part. If you want to have a look at them, below is the list:

In the last post, we created a virtual network and added two virtual machines to it. Now, let's create a Network Security Group and then configure a security rule in it.

You will need an Azure account with an active subscription. If you do not have one yet, you can create one for free. Then sign in to the Azure portal.

Create NSG

To create a new Network Security Group, search for NSG in the top search box and then select Network security group from the search results. This opens the list of all existing NSGs.

If you have followed all the steps in the previous blogs, you might already have a couple of NSGs, one for each VM. That is because we kept the default options in the Networking tab, which creates an NSG with default rules for each VM.

Let's leave those NSGs aside and continue creating a new one. On the list of existing NSGs, click Add to create a new NSG. This opens the Create network security group wizard. Provide the inputs below on that screen:

  • Subscription: the subscription under which you want to create this resource
  • Resource Group: use the existing resource group blog_sample
  • Name: the name of the new NSG
  • Region: where the NSG will be created. Keep this the same as the region of the virtual machines.

Then click the Review + Create button, which triggers validation of the inputs. If validation succeeds, click the Create button to start creating the resource.

Azure Portal: Create network security group wizard

Assign NSG to existing VM

The NSG is created as soon as you hit the Create button. The next question is: how do you associate an existing NSG with an existing VM?

NSGs are associated with network interfaces. So, if you want to change the NSG association, go to the Network Interface of that VM and change the NSG associated with that Network Interface.

Below are the steps:

  • Go to the resource group that contains the virtual machine.
  • Click the virtual machine; a new blade opens showing the details of the virtual machine.
  • Click the Networking option on that blade, which opens a details view on the right side.
  • The right-side blade shows the Network Interface assigned to the virtual machine.
  • Click the Network Interface name. A new blade opens showing the details of the Network Interface.
  • On the Network Interface details blade, select Network security group and then Edit to change the NSG associated with the VM.

As shown in the snapshot below, the Network Interface already has an NSG associated with it. Click Edit and then the NSG name to select the newly created NSG. Do not forget to hit the Save button to save the changes.

Azure Portal: Change NSG associated with Network Interface

Default Rules

The snapshot below shows the default rules in the newly created NSG.

Azure Portal: Default rules created with newly created NSG

Add a security rule

Go to the resource group and click the newly created NSG. This opens a panel showing the details of the NSG. In the left navigation of that panel, click Inbound security rules; it lists the default inbound rules. Then click Add to add a new rule.

While adding the new rule, provide the inputs below (as shown in the snapshot):

Azure Portal: Deny ICMP from virtual network to virtual network rule

When you click Add, the new rule is added instantly.

Let's associate this NSG with demo-vm2, which we created in the previous article, and restart the virtual machine after the association. Now if you try to ping demo-vm2 from demo-vm1, the ping times out because ICMP packets are no longer allowed.

To restore the connection, delete this new rule and restart demo-vm2.
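To make the evaluation order concrete, here is an added Python model of inbound NSG processing (not code from the original post or from any Azure SDK): rules are walked by ascending priority number and the first match wins, which is why a custom Deny at priority 100 overrides the default AllowVnetInBound rule at 65000. The three default inbound rules and the 168.63.129.16 load-balancer address are Azure's documented values; the address plan, the rule name DenyICMPVnetInBound and its priority are assumptions for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumed): virtual network 10.0.0.0/16, demo-vm1 = 10.0.0.4,
# demo-vm2 = 10.0.0.5. The AzureLoadBalancer tag resolves to the documented 168.63.129.16.
VNET = ip_network("10.0.0.0/16")
LB_PROBE = ip_address("168.63.129.16")

@dataclass(frozen=True)
class Rule:
    priority: int     # custom rules use 100-4096; the defaults sit at 65000 and above
    name: str
    protocol: str     # "Any", "TCP", "UDP" or "ICMP"
    source: str       # service tag ("Any", "VirtualNetwork", "AzureLoadBalancer") or a CIDR
    destination: str  # same forms as source
    dest_port: str    # "*", a single port such as "22", or a range such as "80-443"
    action: str       # "Allow" or "Deny"

# The default inbound rules every NSG carries; they can be overridden but not deleted.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Any", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Any", "AzureLoadBalancer", "Any", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "Any", "Any", "Any", "*", "Deny"),
]
# The rule added in this post; its name and priority are assumed.
DENY_ICMP = Rule(100, "DenyICMPVnetInBound", "ICMP", "VirtualNetwork", "VirtualNetwork", "*", "Deny")

def _address_matches(spec: str, addr: str) -> bool:
    ip = ip_address(addr)
    if spec == "Any":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip == LB_PROBE
    return ip in ip_network(spec, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(rules, protocol: str, src: str, dst: str, port: int = 0):
    """Walk the rules by ascending priority number; the first match decides (action, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("Any", protocol)
                and _address_matches(rule.source, src)
                and _address_matches(rule.destination, dst)
                and _port_matches(rule.dest_port, port)):
            return rule.action, rule.name
    return "Deny", "implicit"  # not reachable while DenyAllInBound is present
```

Running `evaluate(DEFAULT_INBOUND + [DENY_ICMP], "ICMP", "10.0.0.4", "10.0.0.5")` returns the Deny from the custom rule, while the same call with TCP port 22 still reaches AllowVnetInBound, which is why the ping fails but other traffic between the two VMs keeps working.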

I hope this helped you understand how an NSG can be used and how security rules can be added to it. Let me know your thoughts.