Tutorial: Filter network traffic with a network security group

You can use a network security group to filter inbound and outbound network traffic to and from Azure resources in an Azure virtual network.

Network security groups contain security rules that filter network traffic by IP address, port, and protocol. When a network security group is associated with a subnet, security rules are applied to resources deployed in that subnet.

Diagram of resources created during tutorial.

In this tutorial, you learn how to:

  • Create a network security group and security rules
  • Create application security groups
  • Create a virtual network and associate a network security group to a subnet
  • Deploy virtual machines and associate their network interfaces to the application security groups

Prerequisites

The following procedure creates a virtual network with a resource subnet.

  1. In the portal, search for and select Virtual networks.

  2. On the Virtual networks page, select + Create.

  3. On the Basics tab of Create virtual network, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter test-rg in Name.
    Select OK.
    Instance details
    Name Enter vnet-1.
    Region Select East US 2.

    Screenshot that shows the Basics tab of Create virtual network in the Azure portal.

  4. Select Next to proceed to the Security tab.

  5. Select Next to proceed to the IP addresses tab.

  6. In the address space box under Subnets, select the default subnet.

  7. On the Edit subnet pane, enter or select the following information:

    Setting Value
    Subnet details
    Subnet template Leave the default as Default.
    Name Enter subnet-1.
    Starting address Leave the default of 10.0.0.0.
    Subnet size Leave the default of /24(256 addresses).

    Screenshot that shows the default subnet rename and configuration.

  8. Select Save.

  9. Select Review + create at the bottom of the screen. After validation passes, select Create.

Create application security groups

An application security group (ASGs) enables you to group together servers with similar functions, such as web servers.

  1. In the search box at the top of the portal, enter Application security group. Select Application security groups in the search results.

  2. Select + Create.

  3. On the Basics tab of Create an application security group, enter, or select this information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Name Enter asg-web.
    Region Select East US 2.
  4. Select Review + create.

  5. Select + Create.

  6. Repeat the previous steps, specifying the following values:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Name Enter asg-mgmt.
    Region Select East US 2.
  7. Select Review + create.

  8. Select Create.

Create a network security group

A network security group (NSG) secures network traffic in your virtual network.

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

    Note

    In the search results for Network security groups, you may see Network security groups (classic). Select Network security groups.

  2. Select + Create.

  3. On the Basics tab of Create network security group, enter, or select this information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Name Enter nsg-1.
    Location Select East US 2.
  4. Select Review + create.

  5. Select Create.

Associate network security group to subnet

In this section, you associate the network security group with the subnet of the virtual network you created earlier.

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

  2. Select nsg-1.

  3. Select Subnets from the Settings section of nsg-1.

  4. In the Subnets page, select + Associate:

    Screenshot of Associate a network security group to a subnet.

  5. Under Associate subnet, select vnet-1 (test-rg) for Virtual network.

  6. Select subnet-1 for Subnet, and then select OK.

Create security rules

  1. Select Inbound security rules from the Settings section of nsg-1.

  2. In Inbound security rules page, select + Add.

  3. Create a security rule that allows ports 80 and 443 to the asg-web application security group. In Add inbound security rule page, enter or select the following information:

    Setting Value
    Source Leave the default of Any.
    Source port ranges Leave the default of (*).
    Destination Select Application security group.
    Destination application security groups Select asg-web.
    Service Leave the default of Custom.
    Destination port ranges Enter 80,443.
    Protocol Select TCP.
    Action Leave the default of Allow.
    Priority Leave the default of 100.
    Name Enter allow-web-all.
  4. Select Add.

  5. Complete the previous steps with the following information:

    Setting Value
    Source Leave the default of Any.
    Source port ranges Leave the default of (*).
    Destination Select Application security group.
    Destination application security group Select asg-mgmt.
    Service Select RDP.
    Action Leave the default of Allow.
    Priority Leave the default of 110.
    Name Enter allow-rdp-all.
  6. Select Add.

Caution

In this article, RDP (port 3389) is exposed to the internet for the VM that is assigned to the asg-mgmt application security group.

For production environments, instead of exposing port 3389 to the internet, it's recommended that you connect to Azure resources that you want to manage using a VPN, private network connection, or Azure Bastion.

For more information on Azure Bastion, see What is Azure Bastion?.

Create virtual machines

Create two virtual machines (VMs) in the virtual network.

  1. In the portal, search for and select Virtual machines.

  2. In Virtual machines, select + Create, then Azure virtual machine.

  3. In Create a virtual machine, enter or select this information in the Basics tab:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Virtual machine name Enter vm-web.
    Region Select (US) East US 2.
    Availability options Leave the default of No infrastructure redundancy required.
    Security type Select Standard.
    Image Select Windows Server 2022 Datacenter - x64 Gen2.
    Azure Spot instance Leave the default of unchecked.
    Size Select a size.
    Administrator account
    Username Enter a username.
    Password Enter a password.
    Confirm password Reenter password.
    Inbound port rules
    Select inbound ports Select None.
  4. Select Next: Disks then Next: Networking.

  5. In the Networking tab, enter or select the following information:

    Setting Value
    Network interface
    Virtual network Select vnet-1.
    Subnet Select subnet-1 (10.0.0.0/24).
    Public IP Leave the default of a new public IP.
    NIC network security group Select None.
  6. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

  7. Select Create. The VM might take a few minutes to deploy.

  8. Repeat the previous steps to create a second virtual machine named vm-mgmt.

Associate network interfaces to an ASG

When you created the VMs, Azure created a network interface for each VM, and attached it to the VM.

Add the network interface of each VM to one of the application security groups you created previously:

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results, then select vm-web.

  2. Select Application security groups from the Networking section of vm-web.

  3. Select Add application security groups, then in the Add application security groups tab, select asg-web. Finally, select Add.

    Screenshot of Configure application security groups.

  4. Repeat the previous steps for vm-mgmt, selecting asg-mgmt in the Add application security groups tab.

Test traffic filters

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select vm-mgmt.

  3. On the Overview page, select the Connect button and then select Native RDP.

  4. Select Download RDP file.

  5. Open the downloaded rdp file and select Connect. Enter the username and password you specified when creating the VM.

  6. Select OK.

  7. You might receive a certificate warning during the connection process. If you receive the warning, select Yes or Continue, to continue with the connection.

    The connection succeeds, because inbound traffic from the internet to the asg-mgmt application security group is allowed through port 3389.

    The network interface for vm-mgmt is associated with the asg-mgmt application security group and allows the connection.

  8. Open a PowerShell session on vm-mgmt. Connect to vm-web using the following:

    mstsc /v:vm-web
    

    The RDP connection from vm-mgmt to vm-web succeeds because virtual machines in the same network can communicate with each other over any port by default.

    You can't create an RDP connection to the vm-web virtual machine from the internet. The security rule for the asg-web prevents connections to port 3389 inbound from the internet. Inbound traffic from the Internet is denied to all resources by default.

  9. To install Microsoft IIS on the vm-web virtual machine, enter the following command from a PowerShell session on the vm-web virtual machine:

    Install-WindowsFeature -name Web-Server -IncludeManagementTools
    
  10. After the IIS installation is complete, disconnect from the vm-web virtual machine, which leaves you in the vm-mgmt virtual machine remote desktop connection.

  11. Disconnect from the vm-mgmt VM.

  12. Search for vm-web in the portal search box.

  13. On the Overview page of vm-web, note the Public IP address for your VM. The address shown in the following example is 203.0.113.103. Your address is different:

    Screenshot of Public IP address of a virtual machine in the Overview page.

  14. To confirm that you can access the vm-web web server from the internet, open an internet browser on your computer and browse to http://<public-ip-address-from-previous-step>.

You see the IIS default page, because inbound traffic from the internet to the asg-web application security group is allowed through port 80.

The network interface attached for vm-web is associated with the asg-web application security group and allows the connection.

When you finish using the resources that you created, you can delete the resource group and all its resources.

  1. In the Azure portal, search for and select Resource groups.

  2. On the Resource groups page, select the test-rg resource group.

  3. On the test-rg page, select Delete resource group.

  4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.

Next steps

In this tutorial, you:

  • Created a network security group and associated it to a virtual network subnet.
  • Created application security groups for web and management.
  • Created two virtual machines and associated their network interfaces with the application security groups.
  • Tested the application security group network filtering.

To learn more about network security groups, see Network security group overview and Manage a network security group.

Azure routes traffic between subnets by default. You might instead, choose to route traffic between subnets through a VM, serving as a firewall, for example.

To learn how to create a route table, advance to the next tutorial.