NSG Azure Hacks: Enhance Network Security with Ease!

Network Security Groups (NSGs) play a crucial role in safeguarding your Azure infrastructure, providing granular control over inbound and outbound traffic. In this article, we explore the ins and outs of NSGs, diving into their architecture, rule sets, and best practices for effective network security. Discover how NSGs can fortify your Azure environment against potential threats and ensure a robust defense strategy.

What is NSG Azure?

Azure Network Security Groups (NSGs) are a network security feature provided by Azure that allows you to control inbound and outbound traffic to Azure resources, such as virtual machines (VMs), subnets, and network interfaces. NSGs act as a basic firewall, allowing you to define network security rules to filter and control traffic at the network level.

By using NSGs, you can enforce network-level security policies and control the flow of traffic to and from your Azure resources, helping to protect them from unauthorized access and potential security threats.

Using Service Tags

Azure Service Tags are a feature that simplifies the configuration of network security rules in Azure Network Security Groups (NSGs). Instead of specifying individual IP addresses or ranges, you can use Service Tags to define rules based on predefined groups of Azure resources.

Using Service Tags helps to streamline and manage the network security configuration in Azure. It reduces the complexity of managing individual IP address ranges and ensures that your NSG rules stay up to date as your Azure resources evolve.
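As an added example (not from the original article), the following script puts service tags to work in a pair of outbound rules: it allows HTTPS only to the Storage service tag, whose address ranges Azure maintains, and then denies everything else bound for the Internet tag. It assumes the NSG "MyNSG" in resource group "MyResourceGroup" used in the scripts further down already exists; the rule names and priorities are chosen here for illustration.

```powershell
# Added example, not from the original article: restrict outbound traffic with service tags.
# Assumes NSG "MyNSG" in resource group "MyResourceGroup" already exists.
Connect-AzAccount

$nsg = Get-AzNetworkSecurityGroup -Name "MyNSG" -ResourceGroupName "MyResourceGroup"

# List the service tags Azure publishes for the NSG's region, so a tag name can be checked
# before it is used in a rule (here: every tag whose name starts with "Storage").
$serviceTags = Get-AzNetworkServiceTag -Location $nsg.Location
$serviceTags.Values | Where-Object { $_.Name -like "Storage*" } | Select-Object Name, Id

# Allow outbound HTTPS from the virtual network only to the Storage service tag.
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-Storage-HTTPS-Outbound" -Priority 100 `
    -Direction Outbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" `
    -DestinationAddressPrefix "Storage" -DestinationPortRange 443

# Deny all other outbound traffic to the Internet. A higher priority number is evaluated later,
# so the Allow rule above still matches Storage traffic first.
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny-Internet-Outbound" -Priority 4000 `
    -Direction Outbound -Access Deny -Protocol "*" `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "Internet" -DestinationPortRange "*"

# Write the updated rule set back to Azure.
$nsg | Set-AzNetworkSecurityGroup
```

Because the Storage tag resolves to the current Azure Storage ranges for the region, the allow rule keeps working when those ranges change, which is the maintenance burden an explicit IP list would leave with you.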

Default Rule Sets

Default rule sets in Azure Network Security Groups (NSGs) define the initial set of inbound and outbound rules that are automatically applied to resources when an NSG is associated with them. These default rule sets help to provide basic network security by controlling inbound and outbound traffic to and from the resources.

Inbound Rules

The default inbound rule set defines the rules for incoming network traffic to the resources. By default, all inbound traffic is denied unless explicitly allowed by the defined rules. The default inbound rules typically include rules that allow necessary traffic, such as remote management access (e.g., Remote Desktop Protocol, SSH), and may include rules for specific Azure services that require inbound connectivity. You can modify the default inbound rule set to meet your specific requirements.

Outbound Rules

The default outbound rule set defines the rules for outgoing network traffic from the resources. By default, all outbound traffic is allowed. The default outbound rules are usually permissive to allow resources to communicate with external services and the internet. However, you can customize the default outbound rule set to restrict or filter outbound traffic based on your organization’s security policies.

Constructing Azure NSGs via PowerShell

To build Azure Network Security Groups (NSGs) using PowerShell, you can follow these steps:

  • Connect to your Azure subscription: Use the Connect-AzAccount cmdlet to authenticate and connect to your Azure subscription.
  • Create a new NSG: Use the New-AzNetworkSecurityGroup cmdlet to create a new NSG. Specify the name, resource group, and location for the NSG.
  • Define inbound and outbound security rules: Use the New-AzNetworkSecurityRuleConfig cmdlet to create individual inbound and outbound security rules. Specify the name, direction (Inbound or Outbound), source and destination IP addresses, protocols (TCP, UDP, etc.), and ports.
  • Add the security rules to the NSG: Use the Add-AzNetworkSecurityRuleConfig cmdlet to add the created security rules to the NSG.
  • Associate the NSG with a subnet or network interface: Use the Set-AzNetworkSecurityGroup cmdlet to associate the NSG with a specific subnet or network interface. Specify the NSG object and the resource ID of the subnet or network interface.
  • Create or update the NSG in Azure: Use the New-AzNetworkSecurityGroup or Set-AzNetworkSecurityGroup cmdlet to create or update the NSG in Azure.

Here’s an example PowerShell script that demonstrates the steps above:

# Connect to Azure subscription
Connect-AzAccount

# NSG details
$nsgName = "MyNSG"
$resourceGroup = "MyResourceGroup"
$location = "WestUS"

# Define inbound security rule (-Direction and -SourcePortRange are mandatory for a valid rule)
$inboundRule = New-AzNetworkSecurityRuleConfig -Name "Allow-SSH-Inbound" -Direction Inbound -Priority 100 `
    -Protocol Tcp -Access Allow -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 22

# Define outbound security rule
$outboundRule = New-AzNetworkSecurityRuleConfig -Name "Allow-HTTP-Outbound" -Direction Outbound -Priority 200 `
    -Protocol Tcp -Access Allow -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "Internet" -DestinationPortRange 80

# Create the NSG in Azure with both security rules attached
$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup -Location $location `
    -SecurityRules $inboundRule, $outboundRule

# Associate the NSG with a subnet: load the virtual network, attach the NSG to the subnet
# configuration (the subnet's existing address prefix must be passed again), then write the VNet back
$vnetName = "<vnetName>"
$subnetName = "<subnetName>"
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
$vnet | Set-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg |
    Set-AzVirtualNetwork

Make sure to replace the placeholder values with your own Azure subscription, resource group, and network details. Running this script will create a new NSG, define inbound and outbound security rules, associate the NSG with a subnet, and deploy the NSG in Azure.

Making Azure NSG Rules

Setting Inbound Rule

Here’s an example PowerShell script that demonstrates setting an inbound rule for an Azure NSG:

# Connect to Azure subscription
Connect-AzAccount

# Retrieve the NSG object
$nsgName = "MyNSG"
$resourceGroup = "MyResourceGroup"
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Define the inbound security rule and add it to the NSG object. Add-AzNetworkSecurityRuleConfig
# takes the rule's parameters directly and returns the updated NSG; -Direction and
# -SourcePortRange are mandatory for a valid rule
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-SSH-Inbound" -Direction Inbound -Priority 100 `
    -Protocol Tcp -Access Allow -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 22

# Update the NSG in Azure
$nsg | Set-AzNetworkSecurityGroup

To set an inbound rule for an Azure Network Security Group (NSG) using PowerShell, you can use the following steps:

  • Connect to your Azure subscription: Use the Connect-AzAccount cmdlet to authenticate and connect to your Azure subscription.
  • Get the NSG object: Use the Get-AzNetworkSecurityGroup cmdlet to retrieve the NSG object by providing the name and resource group of the NSG.
  • Define the inbound security rule: Use the New-AzNetworkSecurityRuleConfig cmdlet to create an inbound security rule configuration. Specify the name, priority, protocol, source address prefix, destination address prefix, destination port range, and access (Allow or Deny) for the rule.
  • Add the security rule to the NSG: Use the Add-AzNetworkSecurityRuleConfig cmdlet to add the inbound security rule configuration to the NSG object.
  • Update the NSG in Azure: Use the Set-AzNetworkSecurityGroup cmdlet to update the NSG in Azure by providing the NSG object.
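The Allow-SSH-Inbound rule above admits port 22 from the Internet service tag. Before committing a rule like that, it helps to see the whole rule set the NSG will enforce, default rules included, and to flag any inbound Allow rule that leaves a management port open to a broad source. The script below is an added example, not from the original article; it assumes the NSG "MyNSG" in resource group "MyResourceGroup" from the scripts above, and the management port list and the Find-ExposedManagementRule function are this example's own.

```powershell
# Added example, not from the original article: audit an NSG's rule set and flag
# inbound Allow rules that expose management ports to the Internet.
# Assumes NSG "MyNSG" in resource group "MyResourceGroup" exists.
Connect-AzAccount

$nsg = Get-AzNetworkSecurityGroup -Name "MyNSG" -ResourceGroupName "MyResourceGroup"

# Custom rules (priority 100-4096) are evaluated before the platform default rules (65000+),
# so listing both in priority order shows what actually applies.
$allRules = @($nsg.SecurityRules) + @($nsg.DefaultSecurityRules)
$allRules | Sort-Object Direction, Priority |
    Select-Object Name, Direction, Priority, Access, Protocol,
        @{ n = "Source"; e = { $_.SourceAddressPrefix -join "," } },
        @{ n = "DestPorts"; e = { $_.DestinationPortRange -join "," } } |
    Format-Table -AutoSize

# Hypothetical helper (this example's own): return custom inbound Allow rules whose source is
# broad and whose destination ports include a management port or "*". Ports are matched as
# exact values; a range such as "20-25" is reported only if it is "*".
function Find-ExposedManagementRule {
    param([Parameter(Mandatory)] $NetworkSecurityGroup)

    $managementPorts = @("22", "3389", "5985", "5986")   # SSH, RDP, WinRM HTTP/HTTPS
    $broadSources = @("*", "Internet", "0.0.0.0/0")

    $NetworkSecurityGroup.SecurityRules | Where-Object {
        $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
        ($_.SourceAddressPrefix | Where-Object { $broadSources -contains $_ }) -and
        ($_.DestinationPortRange | Where-Object { $_ -eq "*" -or $managementPorts -contains $_ })
    }
}

foreach ($rule in Find-ExposedManagementRule -NetworkSecurityGroup $nsg) {
    Write-Warning ("Rule '{0}' (priority {1}) allows port(s) {2} from {3}; restrict the source to a management address range." -f `
        $rule.Name, $rule.Priority, ($rule.DestinationPortRange -join ","), ($rule.SourceAddressPrefix -join ","))
}
```

Run against an NSG carrying the Allow-SSH-Inbound rule from the script above, the helper reports that rule, since its source is the Internet tag and its destination port is 22; narrowing -SourceAddressPrefix to a management range clears the warning.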

Rejecting the SANS Recommended Traffic

To deny outbound traffic as per the SANS recommended traffic rules in an Azure Network Security Group (NSG) using PowerShell, you can follow these steps:

  • Connect to your Azure subscription: Use the Connect-AzAccount cmdlet to authenticate and connect to your Azure subscription.
  • Get the NSG object: Use the Get-AzNetworkSecurityGroup cmdlet to retrieve the NSG object by providing the name and resource group of the NSG.
  • Define the outbound security rules: Create multiple outbound security rule configurations for each SANS recommended traffic rule you want to deny. Each rule will have a unique name, priority, protocol, source address prefix, destination address prefix, and access set to “Deny”.
  • Add the security rules to the NSG: Use the Add-AzNetworkSecurityRuleConfig cmdlet to add the outbound security rule configurations to the NSG object.
  • Update the NSG in Azure: Use the Set-AzNetworkSecurityGroup cmdlet to update the NSG in Azure by providing the NSG object.

Here’s an example PowerShell script that demonstrates denying outbound SANS recommended traffic in an Azure NSG:

# Connect to Azure subscription
Connect-AzAccount

# Retrieve the NSG object
$nsgName = "MyNSG"
$resourceGroup = "MyResourceGroup"
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Outbound deny rules for the SANS recommended traffic; each entry needs a unique name and priority
$outboundRules = @(
    # Rule 1: Deny outbound HTTP traffic
    @{ Name = "Deny-HTTP-Outbound";  Priority = 100; Port = 80 },
    # Rule 2: Deny outbound HTTPS traffic
    @{ Name = "Deny-HTTPS-Outbound"; Priority = 200; Port = 443 }
)

# Add each rule to the NSG object. Add-AzNetworkSecurityRuleConfig takes the rule's parameters
# directly and returns the updated NSG; -Direction and -SourcePortRange are mandatory
foreach ($rule in $outboundRules) {
    $nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name $rule.Name -Priority $rule.Priority `
        -Direction Outbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "Internet" -DestinationPortRange $rule.Port
}

# Update the NSG in Azure
$nsg | Set-AzNetworkSecurityGroup

Make sure to replace the placeholder values with your own Azure subscription, NSG name, and resource group, and customize the outbound rule configurations based on the SANS recommended traffic rules you want to deny. Running this script will add the specified outbound security rules to the NSG and update it in Azure, effectively denying the specified traffic.

Adjusting an Azure NSG to Specific Subnets

Here’s an example PowerShell script that demonstrates configuring an Azure NSG for a specific subnet:

# Connect to Azure subscription
Connect-AzAccount

# Retrieve the NSG object
$nsgName = "MyNSG"
$resourceGroup = "MyResourceGroup"
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Retrieve the virtual network and the subnet configuration
$vnetName = "MyVNet"
$subnetName = "MySubnet"
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# Associate the NSG with the subnet (the subnet's existing address prefix must be passed again,
# otherwise Set-AzVirtualNetworkSubnetConfig rejects the change)
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg

# Update the virtual network in Azure; the subnet change is only written when the VNet is saved
$vnet | Set-AzVirtualNetwork

To associate an NSG with a specific subnet using PowerShell, the script follows these steps:

  • Connect to your Azure subscription: Use the Connect-AzAccount cmdlet to authenticate and connect to your Azure subscription.
  • Get the NSG object: Use the Get-AzNetworkSecurityGroup cmdlet to retrieve the NSG object by providing the name and resource group of the NSG.
  • Get the virtual network and subnet: Use the Get-AzVirtualNetwork cmdlet to retrieve the virtual network that contains the subnet, and the Get-AzVirtualNetworkSubnetConfig cmdlet to retrieve the subnet configuration from it.
  • Associate the NSG with the subnet: Use the Set-AzVirtualNetworkSubnetConfig cmdlet to attach the NSG to the subnet configuration, passing the subnet’s existing address prefix along with the NSG object.
  • Update the virtual network in Azure: Use the Set-AzVirtualNetwork cmdlet to write the modified virtual network, and with it the subnet association, back to Azure.

Adjusting Azure NSGs for a Network Interface

Here’s an example PowerShell script that demonstrates applying an Azure NSG to a network interface:

# Connect to Azure subscription
Connect-AzAccount

# Retrieve the NSG object
$nsgName = "MyNSG"
$resourceGroup = "MyResourceGroup"
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Retrieve the network interface object
$nicName = "MyNIC"
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $resourceGroup

# Associate the NSG with the network interface
$nic.NetworkSecurityGroup = $nsg

# Update the network interface in Azure
Set-AzNetworkInterface -NetworkInterface $nic

This PowerShell script is used to associate an Azure Network Security Group (NSG) with a specific network interface. Here’s a breakdown of what each step does:

  • Connect to Azure subscription: The Connect-AzAccount cmdlet is used to authenticate and connect to your Azure subscription. This step ensures that you have the necessary permissions to manage resources.
  • Retrieve the NSG object: The script retrieves the NSG object by providing the NSG name and the resource group it belongs to. This is done using the Get-AzNetworkSecurityGroup cmdlet, which fetches the NSG from Azure.
  • Retrieve the network interface object: Similarly, the script retrieves the network interface object by providing the network interface name and the resource group it belongs to. This is done using the Get-AzNetworkInterface cmdlet.
  • Associate the NSG with the network interface: The NSG object retrieved in step 2 is assigned to the NetworkSecurityGroup property of the network interface object. This associates the NSG with the network interface.
  • Update the network interface in Azure: Finally, the Set-AzNetworkInterface cmdlet is used to update the network interface in Azure with the changes made in step 4. This ensures that the association between the NSG and the network interface is applied in Azure.

By running this script and replacing the placeholder values with your actual NSG name, resource group, and network interface name, you can associate the specified NSG with the network interface in Azure. This allows you to apply the NSG rules to control the inbound and outbound traffic for that network interface.
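Once an NSG is attached to a network interface, a subnet-level NSG and the NIC-level NSG are both enforced, so the rule set that actually applies to the VM is the combination. As an added example (not from the original article), the script below reads that combined view back from Azure for the NIC used above. It assumes the network interface "MyNIC" in resource group "MyResourceGroup" is attached to a running VM, which the Get-AzEffectiveNetworkSecurityGroup cmdlet requires.

```powershell
# Added example, not from the original article: show the rules Azure actually enforces on a NIC
# after NSG association. Assumes NIC "MyNIC" in resource group "MyResourceGroup" is attached to a
# running VM (the effective-rules query is only available for running VMs).
Connect-AzAccount

$effective = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName "MyNIC" -ResourceGroupName "MyResourceGroup"

# One entry is returned per NSG that applies (subnet-level and/or NIC-level).
foreach ($entry in $effective) {
    Write-Host ("NSG: {0}" -f $entry.NetworkSecurityGroup.Id)
    Write-Host ("Associated via subnet: {0}" -f $entry.Association.Subnet.Id)
    Write-Host ("Associated via NIC:    {0}" -f $entry.Association.NetworkInterface.Id)

    # Effective rules include the platform defaults and show service tags resolved to addresses
    # (first three shown), which is useful when verifying a rule written against a tag.
    $entry.EffectiveSecurityRules |
        Sort-Object Direction, Priority |
        Select-Object Name, Direction, Priority, Access, Protocol,
            @{ n = "Source"; e = { $_.SourceAddressPrefix } },
            @{ n = "DestPorts"; e = { $_.DestinationPortRange } },
            @{ n = "ExpandedDest"; e = { ($_.ExpandedDestinationAddressPrefix | Select-Object -First 3) -join "," } } |
        Format-Table -AutoSize
}
```

Comparing this output with the NSG definition is the quickest way to catch a NIC-level Allow rule being overridden by a subnet-level Deny, or the reverse, since both NSGs must permit a packet for it to pass.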

Armed with the knowledge of Network Security Groups (NSGs), you now have the power to fortify your Azure network security. By implementing best practices, fine-tuning rule sets, and leveraging NSG capabilities, you can create a secure environment that aligns with your organization’s requirements. Embrace the power of NSGs to protect your Azure resources and gain peace of mind knowing your network is resilient against potential threats.

Meet the Author

Abdul Rahim has been working in Information Technology for over two decades. Learn how Abdul got his start as a Tech Blogger, and why he decided to start this Software blog. If you want to send Abdul a quick message, then visit his contact page here.