Demo: Azure Network Security Groups (NSGs)

This demo maps to the following Learn content:

  • Learning Path: Describe the capabilities of Microsoft security solutions
  • Module: Describe the basic security capabilities in Azure
  • Unit: Describe Azure Network Security groups

Demo scenario

In this demo, you’ll explore the function of network security groups in Azure and apply an NSG to a pre-created virtual machine. You’ll start by briefly showing information about the VM that was pre-created by the authorized lab hoster (ALH). You’ll then show the process of creating the NSG, show the default inbound and outbound rules, create a new RDP rule to allow connection to the VM, and test it.

Demo part 1

In this part, you’ll view some of the parameters associated with the VM that that was created for use with this lab.

  1. Open Microsoft Edge. In the address bar, enter portal.azure.com.

  2. Sign in with your admin credentials.
    1. In the Sign-in window, enter the username provided by your lab hosting provider then select Next.
    2. Enter the admin password that should be provided by your lab hosting provider. Select Sign in.
    3. If prompted to stay signed- in, select Yes.

  3. On the top of the page, underneath where it says Azure Services, select Virtual Machines. If you don’t see it listed, then in the search box, in the blue bar on the top of the page next to where it says Microsoft Azure, enter Virtual Machines then select Virtual Machines from the search results.

  4. From the Virtual machines page, select the VM listed SC900-WinVM.

  5. You’re now in the SC900-WinVM page. Note the name of the Resource group, LabsSC900, in which the VM resides.

  6. From the top of the page, select Connect then from the drop-down select RDP. Note that the port prerequisite is not met. In order to satisfy the prerequisite, an inbound network security rule with the destination port 3389, used by RDP, must be configured. You’ll do that in the next task, when you create a network security group.

  7. From the left navigation panel, select Networking.
    1. The default view is for inbound port rules. Note that the network interface for this VM has no network security groups configured. The same is true if you select Outbound port rules.
    2. Select Effective security rules next to where it says Network interface. Note that it says, “No network security groups or applications security groups are associated with the network interface”.
  8. Leave this browser tab open.

Demo part 2

In this part, you’ll create a network security group, assign the network interface of the VM to that NSG, and create a new inbound rule for RDP traffic.

  1. Open the SC900-WinVM – Microsoft Azure Tab on your browser.

  2. In the blue search bar on the top of the page, enter Network security groups groups. From the results, select Network security groups (do not select Network security groups classic).

  3. From the top of Network security groups page, select + Create.

  4. On the Basics tab of the Create network security group page, specify the following settings:
    1. Subscription: Leave the default value (this is the Azure subscription provided by the authorized lab hoster)
    2. Resource group: LabsSC900
    3. Name: NSG-SC900
    4. Region: leave the default.
    5. Select Review + create then select Create.

  5. Once the deployment is complete, select Go to resource.

  6. On the top of the page underneath where it says Essentials, you’ll see some basic information about the NSG you created. Two points to note are that there are no CUSTOM Security rules and there are no subnets nor network interfaces associated with this NSG. Although there are no custom security rules, there are default inbound and outbound rules that are included with every NSG, as shown on the page. Review both the inbound and outbound rules. The default inbound rules deny all inbound traffic that is not from a virtual network or an Azure load balancer. The outbound rules deny all outbound traffic except traffic between virtual networks and outbound traffic to the internet.

  7. From the left navigation pane of the NSG-SC900 page, under Settings, select Network interfaces.
    1. Select Associate.
    2. In the field for selecting network interface associations, select the drown-down arrow, select sc900-winvmXXX, then select ok on the bottom of the window. Once the interface is associated to the NSG, it will show up on the list.

  8. From the left navigation pane, select Inbound security rules. The default inbound rules deny all inbound traffic that is not from a virtual network or an Azure load balancer so you need to set up a rule to allow inbound RDP traffic (traffic on port 3389). Recall that you cannot remove the default rules, but you can override them by creating rules with higher priorities.

  9. From the top of the page, select Add. On the Add inbound security rule window, specify the following settings:
    1. Source: Any
    2. Source port ranges: *
    3. Destination: Any
    4. Service: RDP
    5. Action: Allow
    6. Priority: 1000; Note: rules with lower numbers have higher priority and are processed first.
    7. Name: Leave the default name or create your own descriptive name.
    8. Note the warning sign at the bottom of the page. We’re using RDP to only for testing purposes and to demonstrate the functionality of the NSG.
    9. Select Add
  10. Once the rule is provisioned, it will appear on the list of inbound rules (you may need to refresh the screen). On the newly added rule, you’ll see a warning sign. As stated above, we’re using RDP only for testing purposes and to demonstrate the functionality of the NSG.

Demo part 3

With the NSG created and associated to your VM and the RDP rule created, you’ll show the impact of the NSG by testing RDP connectivity to the VM.

  1. Open the SC900-WinVM – Microsoft Azure Tab on your browser. If you previously closed the browser tab, select the blue search bar on the top of the page and select Virtual machines, then select the VM, SC900-WinVM.

  2. Test the inbound rule by verifying that you can connect to the VM using RDP.
    1. Select Connect from the left navigation panel.
    2. Verify the IP address is set to Public IP address, leave the default port number and select Download DRP file.
    3. Open the downloaded file and select Connect.
    4. You’ll be prompted for your credentials. Enter the Username and Password you used when you created the VM. If the window prompting for your credentials requests a PIN, select More choices, then select Use a different account.
    5. A Remote Desktop connection window opens indicating, The identity of the remote computer cannot be verified. Do you wish to connect anyway? Select Yes.
    6. You’re now connected to the VM. highlight to the learner that in this case you were able to connect to the VM because the inbound traffic rule you created allows inbound traffic to the VM via RDP.
  3. Since you’re already in the VM, you can show outbound internet connectivity to the Internet, which is enabled by one of the default outbound rules.
    1. From the VM, select Microsoft Edge to open the browser. Since this is the first time you open Microsoft Edge, you may get a pop-up window, select Start without your data, then select Continue without this data, then select Confirm and start browsing.
    2. Enter www.bing.com in the browser address bar and confirm you’re able to connect to the search engine.
    3. Once you’ve confirmed that you can access www.bing.com, close the browser window in the VM, but leave the VM up.
  4. Minimize the VM, by selecting the underscore _ in the blue tab that shows the VM’s IP address. This brings you back to the SC900-WinVM Connect page.

OPTIONAL Demo part 4

If classroom time permits, you may want to create an outbound NSG rule to block outbound internet traffic from the VM.

  1. From the left navigation panel, select Networking. You should be on the SC900-WinVM Networking page.

  2. Select the Outbound port rules tab. You’ll see the default outbound rules. Note the default rule “AllowInternetOutBound”. This rule allows all outbound internet traffic. You cannot remove the default rule, but you can override it by creating a rule with higher priority. From the right side of the page, select Add outbound port rule.

  3. On the Add outbound security rule page, specify the following settings:
    1. Source: Any
    2. Source port ranges: *
    3. Destination: Service Tag
    4. Destination service tag: Internet
    5. Service: Custom (leave the default)
    6. Destination port ranges: * (be sure to put an asterisk in the destination port ranges field)
    7. Protocol: Any
    8. Action: Deny
    9. Priority: 1000
    10. Name: Leave the default name or create your own descriptive name.
    11. Select Add

  4. Once the rule is provisioned, it will appear on the list of outbound rules. Although it appears on the list, it will take a few minutes to take effect (wait a few minutes before continuing with the next steps).

  5. Return to your VM (the icon for the VM should be shown on the task bar on the bottom of the page).

  6. Open the Microsoft Edge browser in your VM and enter www.bing.com. The page should not display. Note: if you’re able to connect to the internet and you verified that all the parameters for the outbound rule were properly set, it’s likely because it takes a few minutes for the rule to take effect. Close the browser, wait a few minutes and try again. Note: Azure subscriptions in the lab environment may experience longer than normal delays.

  7. Close the remote desktop connection, by selecting the X on the top center of the page where the IP address is shown. A pop-up window appears indicating Your remote session will be disconnected. Select OK.

  8. Close all the open browser tabs.

  9. As a general best practice it’s beneficial to stop or tear-down the VM to avoid incurring cost, if it’s being used only for demo or test purposes. In this case, however, do NOT tear-down the VM, as it will help feed cloud security posture management data when demoing Microsoft Defender for Cloud. The VM will be torn down when the lab is canceled.

Review

In this demo, you showed the information and settings associated an NSG, including the process to associate an interface to the NSG, you showed the default inbound and outbound rules, and finally the steps to create a new rule.