Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Working with NSG augmented security rules in Azure

At Microsoft Ignite this year Microsoft announced several networking improvements and features in Azure. Most of them are currently in public preview and can be tested already, among them the augmented security rules for NSGs in Azure.

-> https://azure.microsoft.com/en-us/updates/public-preview-features-for-nsgs/

What are augmented security rules? In short, they extend the rule set so that you can specify more than one IP address, more than one IP address space, or a combination of both for the “Source IP addresses/CIDR ranges” or “Destination IP addresses/CIDR ranges” options of a single rule.

-> https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#augmented-security-rules

Let us have a look at one example. You would like to restrict internet access for the VMs in one specific subnet, but the VMs should still be able to communicate with the Azure datacenter IP ranges.

-> https://www.microsoft.com/en-us/download/details.aspx?id=41653

In this example we look at the Azure region East US, which has 424 IP ranges as of today. Before augmented security rules you had to create 424 rules to cover them all. This can be cumbersome in some situations, because an NSG has a limit of 500 rules. With an augmented security rule you can combine the 424 rules into one.


Here is an example of how you can read the Azure datacenter IP ranges XML file and create an Azure NSG containing the IP ranges of one specific region with PowerShell.

# Read the Azure datacenter IP ranges XML file (see the download link above)
[xml]$azureRegions = Get-Content .\PublicIPs_20171031.xml

# Region name as used in the XML file, e.g. useast for East US
$filter = "useast"

# @() guarantees an array, even if the region had only a single subnet
$selectedRegion = @(($azureRegions.AzurePublicIpAddresses.Region | Where-Object { $_.Name -eq $filter }).IpRange.Subnet)

$ruleName = "Azure-region-" + $filter
$ruleDescription = "Allow Azure region " + $filter

# One outbound rule that covers all ranges of the region. The source is VirtualNetwork,
# because the traffic originates from the VMs in the subnet, not from the Internet.
$rules = New-AzureRmNetworkSecurityRuleConfig -Name $ruleName -Description $ruleDescription `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 1000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix $selectedRegion -DestinationPortRange * -Verbose

New-AzureRmNetworkSecurityGroup -Name $ruleName -ResourceGroupName "augmented-security-rules" -Location eastus -SecurityRules $rules -Verbose

Another PowerShell example, this time with the IP address ranges provided directly.

# Create a new rule with two destination ranges and a new NSG containing it
$rules = New-AzureRmNetworkSecurityRuleConfig -Name augmented-rule -Description "Allow RDP" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix "172.16.0.0/24","10.0.0.0/24" -DestinationPortRange 3389 -Verbose

New-AzureRmNetworkSecurityGroup -Name RDP -ResourceGroupName "augmented-security-rules" -Location eastus -SecurityRules $rules -Verbose

The important part is the specification of the address ranges. If you provide them directly, make sure that the format is "range1","range2", i.e. a comma-separated list of quoted strings. If you use a variable instead, make sure the variable is an array and not a single string.
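Putting both parts together, the following script is an added example (not code from the original post) that builds the scenario from the beginning of the post: read the ranges of one or more regions from the XML file, allow outbound traffic to them in one augmented rule, deny all other outbound internet traffic behind it, and attach the NSG to the subnet. The file name is taken from the post; the resource group, NSG, VNet and subnet names are assumptions, and the region names are assumed to match the Name attribute used in the XML.

```powershell
# Added example, not from the original post. Assumed names: the resource group, NSG,
# VNet and subnet; region names are assumed to match the XML's "Name" attribute.
$xmlPath       = ".\PublicIPs_20171031.xml"
$regions       = @("useast", "useast2")
$resourceGroup = "augmented-security-rules"
$nsgName       = "Azure-regions-outbound-only"
$vnetName      = "vnet-restricted"
$subnetName    = "subnet-restricted"

[xml]$azureRegions = Get-Content $xmlPath

# Collect the subnets of every requested region and fail loudly on a mistyped region name.
$collected = foreach ($r in $regions) {
    $node = $azureRegions.AzurePublicIpAddresses.Region | Where-Object { $_.Name -eq $r }
    if (-not $node) { throw "Region '$r' not found in $xmlPath" }
    $node.IpRange.Subnet
}
# @() forces an array even when only one subnet comes back, which is what
# -DestinationAddressPrefix needs for an augmented rule.
$ranges = @($collected | Sort-Object -Unique)
Write-Host ("{0} unique ranges for {1}" -f $ranges.Count, ($regions -join ", "))

# Priority 1000: allow outbound traffic from the subnet to the collected Azure ranges.
$allowAzure = New-AzureRmNetworkSecurityRuleConfig -Name "Allow-Azure-Regions" `
    -Description ("Allow outbound to " + ($regions -join ", ")) `
    -Access Allow -Protocol * -Direction Outbound -Priority 1000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix $ranges -DestinationPortRange *

# Priority 4000: deny everything else bound for the Internet. Lower numbers are evaluated
# first, so the allow rule wins for Azure ranges and the default AllowInternetOutBound
# rule (priority 65001) is never reached for the rest.
$denyInternet = New-AzureRmNetworkSecurityRuleConfig -Name "Deny-Internet-Outbound" `
    -Description "Block all other outbound internet traffic" `
    -Access Deny -Protocol * -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange *

$nsg = New-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup `
    -Location eastus -SecurityRules $allowAzure, $denyInternet

# Attach the NSG to the subnet whose internet access should be restricted.
$vnet   = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null
```

After the run, Get-AzureRmEffectiveNetworkSecurityGroup on a NIC in the subnet shows the two custom rules ahead of the default rules, which is the quickest way to confirm the deny rule actually sits in front of AllowInternetOutBound.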

Finally, use the latest Azure PowerShell version and have fun trying out NSG augmented security rules.
