What is Network Security Group?

• Network security group (NSG) is merely a set of access control rules that can be wrapped around a virtual network or a subnet
• A network security group (NSG) provides a virtual firewall for a set of cloud resources that all have the same security posture
• Azure NSG is used to filter network traffic to and from Azure resources in an Azure virtual network
• NSG contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources
• NSG in Azure is the way to activate a rule or access control list (ACL)
• Details: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Security rule properties

See: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#security-rules

Creating NSG in Azure portal

• Go to: https://portal.azure.com/#create/Microsoft.NetworkSecurityGroup-ARM
• Fillup details (i.e. name nsg-iaas-demo)
• Review > Create

Note: NSG can only be assigned to (or deassigned from) subnet and network interface

Adding Inbound rule for RDP

Add inbound rule i.e. allow for RDP (remote desktop protocal)

• Go to resource groups: https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups
• Select resource group i.e. rg-iaas-demo (where NSG belongs)
• Select NSG i.e. nsg-iaas-demo
• Settings > Inbound security rules > Add > Fillup details
• Source: Any
• Source port ranges: *
• Destination: Any
• Destination port ranges: 3389
• Protocal: TCP
• Acion: Allow
• Priority: 1000
• Name: allow_rdp_port_3389
• Description: To allow RDP for VM
• Note: RDP port 3389 is exposed to the Internet. This is only recommended for testing
• Bastion
  • Use Azure Bastion to securly connect to Azure VMs
  • PaaS for accessing VMs
  • Security is managed by Azure
  • No additional client is needed
  • When creating vNet, you can enable Bastion (need a pulic IP address, so create public IP address in beforehand)
• Add