Azure Networking : Do not forget the impact of Network Security Groups!

Introduction

In my last post I mentioned that NSGs (Network Security Groups) have a serious impact on your deployment. So today I’ll be doing a quick demo of a possible annoyance you might encounter.

The demo environment

About the same setup as last time: one VNET with three subnets; the firewall in subnet 10.0.0.0/24, one server in 10.0.1.0/24 and another server in 10.0.2.0/24.

[Screenshot: Settings - Microsoft Azure]

Firewall appliances taken from the marketplace are typically deployed with NSGs attached. By default you get no outgoing rules and a few incoming rules.

[Screenshot: Outbound security rules - Microsoft Azure]

So we’ll first do a test with the NSGs as deployed by default, and afterwards change them to the ones shown below…

[Screenshot: Outbound security rules - Microsoft Azure]

[Screenshot: Inbound security rules - Microsoft Azure]

The Test

[Screenshot: terminal session, kvaes@ubuntu01: ~]

  • The first ping is between the two servers. No issues there…
  • The second ping is to an external host and that one fails.
  • So we’ll add the rules as specified above… and give it some time (don’t be impatient like me!)
  • And then we see the ping succeeding!
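
The behaviour seen in the test can be reproduced with a simplified model of NSG evaluation: rules are checked in priority order and the first match decides. This is an added example, not code from the original post; it assumes a 10.0.0.0/16 VNET address space, that server traffic is routed through the firewall NIC, and only the platform default rules, and it ignores protocol, port and NAT. The addresses 10.0.1.4, 10.0.2.4 and 192.0.2.10 and the custom rule are constructed.

```python
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")  # assumed VNET address space

def in_scope(scope, ip):
    """Match an address against '*', a service tag, or a CIDR prefix."""
    addr = ipaddress.ip_address(ip)
    if scope == "*":
        return True
    if scope == "VirtualNetwork":      # simplified: VNET address space only
        return addr in VNET
    if scope == "Internet":            # simplified: anything outside the VNET
        return addr not in VNET
    if scope == "AzureLoadBalancer":   # platform probe source address
        return ip == "168.63.129.16"
    return addr in ipaddress.ip_network(scope)

# (priority, name, source, destination, action): the platform default rules
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "Deny"),
]
DEFAULT_OUTBOUND = [
    (65000, "AllowVnetOutBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    (65001, "AllowInternetOutBound", "*", "Internet", "Allow"),
    (65500, "DenyAllOutBound", "*", "*", "Deny"),
]
# Constructed custom rule (hypothetical, not the rule set from the screenshots)
CUSTOM_INBOUND = [(100, "allow-forwarded", "VirtualNetwork", "*", "Allow")] + DEFAULT_INBOUND

def evaluate(rules, src, dst):
    """Return (action, rule name) of the first match, lowest priority number first."""
    for _, name, r_src, r_dst, action in sorted(rules):
        if in_scope(r_src, src) and in_scope(r_dst, dst):
            return action, name
    return "Deny", "no-match"

def forwarded(inbound, outbound, src, dst):
    """A packet forwarded by the firewall must pass its NIC's inbound and outbound rules."""
    hops = [evaluate(inbound, src, dst), evaluate(outbound, src, dst)]
    return all(action == "Allow" for action, _ in hops), hops

if __name__ == "__main__":
    for label, inbound, dst in [("server to server", DEFAULT_INBOUND, "10.0.2.4"),
                                ("external, default NSG", DEFAULT_INBOUND, "192.0.2.10"),
                                ("external, custom rule", CUSTOM_INBOUND, "192.0.2.10")]:
        print(label, forwarded(inbound, DEFAULT_OUTBOUND, "10.0.1.4", dst))
```

In this model the external ping is dropped by DenyAllInBound on the firewall NIC, because its destination lies outside the VirtualNetwork scope that AllowVnetInBound covers.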

TL;DR

Be aware of the impact of NSGs! You are using two sets of firewalls. So keep your focus or some actor will interfere with your network flow without you realising it immediately!

(Side note: I do NOT advise using these NSG rules for production workloads!)
