Network Security Groups - Managing VMs in Azure IAAS with Azure PowerShell - Part 2
Controlling traffic between subnets within a VNET
In this exercise we will use the Network Security Group feature, part of the Azure networking stack, to control traffic between VMs or between subnets within a VNET. This feature lets us secure communication between frontend and backend servers.
Current Configuration in the lab environment:
1. Storage Accounts: satishlocalstorage
2. Cloud Service: satishVnet1cloudsvc
3. VNET:
VNET “SatishVnet1” has 3 subnets InfraSubnet1, APPSubnet1 and DBSubnet1
i. Subnet “InfraSubnet1” 192.168.10.0/24 contains VM ClientVM1
ii. Subnet “APPSubnet1” 192.168.11.0/24 contains VM WebVM1
iii. Subnet “DBSubnet1” 192.168.12.0/24 contains VM SQLVM1
Before I set up a few scenarios for this exercise, let us review the current VNET and VM configuration to ensure the VMs are in the correct subnets.
1. Use the following PS cmdlet to review the current address space for VNET “SatishVnet1”
Get-AzureVNetConfig | select -ExpandProperty XMLconfiguration
<AddressSpace>
<AddressPrefix>192.168.0.0/16</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="InfraSubnet1">
<AddressPrefix>192.168.10.4/24</AddressPrefix>
</Subnet>
<Subnet name="APPSubnet1">
<AddressPrefix>192.168.11.4/24</AddressPrefix>
</Subnet>
<Subnet name="DBSubnet1">
<AddressPrefix>192.168.12.4/24</AddressPrefix>
</Subnet>
<Subnet name="GatewaySubnet">
<AddressPrefix>192.168.0.0/29</AddressPrefix>
</Subnet>
Or
PS C:\azuretest> Get-AzureVNetConfig -ExportToFile c:\azuretest\satishvnetconfig.xml
2. Review the VM configuration status
PS C:\test\scripts> get-azurevm -ServiceName satishVnet1cloudsvc | select-object name, ipaddress, instancestatus | where {$_.instancestatus -eq "ReadyRole"}
Name IpAddress InstanceStatus
---- --------- --------------
ClientVM1 192.168.10.4 ReadyRole
SQLVM1 192.168.12.4 ReadyRole
webvm1 192.168.10.100 ReadyRole
The first thing I want to do is move VM “webvm1” into the correct subnet “APPSubnet1", which is 192.168.11.0/24.
(In my scenario, since webvm1 has a static IP address, I had to perform additional steps.)
3. Get the static IP address of the VM
PS C:\azuretest> $staticipvm=get-azurevm -servicename 'satishVnet1cloudsvc' -name 'webvm1'
PS C:\azuretest> Get-AzureStaticVNetIP -vm $staticipvm
IPAddress
---------
192.168.10.100
4. Remove the static IP from VM webvm1 and move it to subnet “APPSubnet1”
PS C:\azuretest> Get-AzureVM -ServiceName satishVnet1cloudsvc -Name webvm1 | Remove-AzureStaticVNetIP | Update-AzureVM
PS C:\azuretest> Get-AzureVM -ServiceName satishVnet1cloudsvc -Name webvm1 | Set-AzureSubnet -SubnetNames APPSubnet1 | Update-AzureVM
Wait a minute or so for the VM to restart.
5. Review the VM configuration status to verify webvm1 is now on the 192.168.11.0/24 subnet
Name IpAddress InstanceStatus
---- --------- --------------
ClientVM1 192.168.10.4 ReadyRole
SQLVM1 192.168.12.4 ReadyRole
webvm1 192.168.11.4 ReadyRole
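Steps 3 to 5 as one script, added here as an example and not code from the original post: it clears a static VNet IP only if one is set (a static address reserved in the old subnet cannot follow the VM), moves the VM, waits for the role to come back to ReadyRole, and then checks both the subnet the fabric reports and the address it handed out. Service, VM and subnet names are the lab values from the post; the ten-minute deadline and the 192.168.11.* pattern are assumptions for this example.

```powershell
# Added example (not from the original post): move a classic (ASM) VM into the
# subnet it belongs in, handling the static-IP case, then verify the result.
$serviceName   = 'satishVnet1cloudsvc'
$vmName        = 'webvm1'
$targetSubnet  = 'APPSubnet1'
$targetPattern = '192.168.11.*'   # APPSubnet1 is 192.168.11.0/24 (assumed check for this lab)

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
if (-not $vm) { throw "VM '$vmName' not found in service '$serviceName'" }

# Step 3: is a static VNet IP configured? Get-AzureStaticVNetIP returns nothing if not.
$staticIp = Get-AzureStaticVNetIP -VM $vm
if ($staticIp -and $staticIp.IPAddress) {
    Write-Host "Clearing static IP $($staticIp.IPAddress) before moving the VM"
    # Step 4a: drop the static reservation and push the change
    $vm | Remove-AzureStaticVNetIP | Update-AzureVM | Out-Null
    # Re-read the VM object so the subnet change starts from the updated config
    $vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
}

# Step 4b: change the subnet; Update-AzureVM restarts the VM
$vm | Set-AzureSubnet -SubnetNames $targetSubnet | Update-AzureVM | Out-Null

# Step 5: poll until the role is back in ReadyRole (bounded wait, assumed 10 minutes)
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
} until ($vm.InstanceStatus -eq 'ReadyRole' -or (Get-Date) -gt $deadline)

if ($vm.InstanceStatus -ne 'ReadyRole') { throw "VM '$vmName' did not reach ReadyRole before the deadline" }

# Verify both the subnet the VM is configured for and the address it received
$subnets = @(Get-AzureSubnet -VM $vm)
if ($subnets -notcontains $targetSubnet) {
    Write-Warning "VM reports subnet(s) '$($subnets -join ',')', expected '$targetSubnet'"
}
if ($vm.IpAddress -notlike $targetPattern) {
    Write-Warning "Address $($vm.IpAddress) is outside the expected range for $targetSubnet"
} else {
    Write-Host "$vmName is on $($vm.IpAddress) in $targetSubnet"
}
```

The re-read after Remove-AzureStaticVNetIP matters: Set-AzureSubnet operates on the in-memory VM object, so applying it to a stale copy would resubmit the old static-IP configuration along with the subnet change.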
Now let us test a few scenarios to control traffic between subnets within a VNET
Scenario
a. Create a rule to allow port 80 from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic from subnet “InfraSubnet1” to subnet “APPSubnet1”
(VM “WEBVM1” in subnet “APPSubnet1” currently listens on TCP ports 25/53/80)
b. Block all traffic to 192.168.11.0/24 except http inbound from 192.168.10.0/24 to 192.168.11.0/24
c. Create another rule to allow port 25 as well from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic to subnet “APPSubnet1”
d. Remove the rules that you created for tasks “a” and “c” above and allow VMs in subnet “APPSubnet1” to listen on a port range from 25 to 80 from subnet “InfraSubnet1” instead of ports 25 and 80 only, and ensure task “b” does not get affected.
e. Review network security group rules
f. Remove Network Security Group (roll back to default setting)
a) Create a rule to allow port 80 from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic from subnet “InfraSubnet1” to subnet “APPSubnet1”
Create a Security Group called "AzureSNG1-80"
PS C:\scripts> New-AzureNetworkSecurityGroup -Name "AzureSNG1-80" -location "East US"
Name Location
---- --------
AzureSNG1-80 East US
Associate Security Group to "APPSubnet1"
PS C:\ > Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName "SatishVnet1" -SubnetName "APPSubnet1"
Allow http traffic to "APPSubnet1" from “InfraSubnet1”
PS C:\ > get-AzureNetworkSecurityGroup -name "AzureSNG1-80" | set-AzureNetworkSecurityRule -Name "Allow Http" -type Inbound -priority 100 -action Allow -sourceaddressprefix "192.168.10.0/24" -sourceportrange "*" -destinationaddressprefix "192.168.11.0/24" -destinationportrange "80" -protocol TCP
Name : AzureSNG1-80
Rules :
Type: Inbound
Name Priority Action Source Address Source Port Destination Destination Protocol
Prefix Range Address Prefix Port Range
---- -------- ------ --------------- ------------- ---------------- -------------- --------
Allow Http 100 Allow 192.168.10.0/24 * 192.168.11.0/24 80 TCP
Block all other traffic from 192.168.10.0/24 to 192.168.11.0/24
PS C:\test\scripts> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | SET-AzureNetworkSecurityRule -name "Block all" -type Inbound -Priority 200 -action Deny -sourceaddressprefix "192.168.10.0/24" -sourceportrange "*" -destinationaddressprefix "192.168.11.0/24" -destinationportrange "*" -protocol *
Name : AzureSNG1-80
Rules :
Type: Inbound
Name Priority Action Source Address Source Port Destination Destination Protocol
Prefix Range Address Prefix Port Range
---- -------- ------ --------------- ------------- ---------------- -------------- --------
Allow Http 100 Allow 192.168.10.0/24 * 192.168.11.0/24 80 TCP
Block all 200 Deny 192.168.10.0/24 * 192.168.11.0/24 * *
Test/Verify the results
C:\PortQryV2>portqry -n 192.168.11.4 -p tcp -e 80
Querying target system called:
192.168.11.4
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 80 (http service): LISTENING
C:\PortQryV2>portqry -n 192.168.11.4 -p tcp -e 25
Querying target system called:
192.168.11.4
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 25 (smtp service): FILTERED
b. Block all traffic to 192.168.11.0/24 except http inbound from 192.168.10.0/24 to 192.168.11.0/24
PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | SET-AzureNetworkSecurityRule -name "Block all" -type Inbound -Priority 200 -action Deny -sourceaddressprefix "*" -sourceportrange "*" -destinationaddressprefix "192.168.11.0/24" -destinationportrange "*" -protocol *
c. Create another rule to allow another port 25 from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic to subnet “APPSubnet1”
PS C:\> get-AzureNetworkSecurityGroup -name "AzureSNG1-80" | set-AzureNetworkSecurityRule -Name "Allow smtp" -type Inbound -priority 110 -action Allow -sourceaddressprefix "192.168.10.0/24" -sourceportrange "*" -destinationaddressprefix "192.168.11.0/24" -destinationportrange "25" -protocol TCP
d. Remove the rules that you created for tasks “a” and “c” above and allow VMs in subnet “APPSubnet1” to listen on a port range from 25 to 80 from subnet “InfraSubnet1” instead of ports 25 and 80 only, and ensure task “b” does not get affected.
PS C:\> Get-AzureNetworkSecurityGroup -name "AzureSNG1-80" | remove-azurenetworksecurityrule -name "Allow http"
PS C:\> Get-AzureNetworkSecurityGroup -name "AzureSNG1-80" | remove-azurenetworksecurityrule -name "Allow smtp"
PS C:\> get-AzureNetworkSecurityGroup -name "AzureSNG1-80" | set-AzureNetworkSecurityRule -Name "Allow Http" -type Inbound -priority 100 -action Allow -sourceaddressprefix "192.168.10.0/24" -sourceportrange "*" -destinationaddressprefix "192.168.11.0/24" -destinationportrange "25-80" -protocol TCP
e. Review network security group rules
PS C:\> Get-AzureNetworkSecurityGroup -name "AzureSNG1-80" -detailed
Name : AzureSNG1-80
Rules :
Type: Inbound
Name Priority Action Source Address Source Port Destination Destination Protocol
Prefix Range Address Prefix Port Range
---- -------- ------ --------------- ------------- ---------------- -------------- --------
Allow Http 100 Allow 192.168.10.0/24 * 192.168.11.0/24 25-80 TCP
Block all 200 Deny * * 192.168.11.0/24 * *
ALLOW VNET INBOUND 65000 Allow VIRTUAL_NETWORK * VIRTUAL_NETWORK * *
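To see why steps b and d matter, the following is an offline model of how the NSG evaluates an inbound flow: rules are walked in priority order (lowest number first) and the first match decides. It is an added example, not code from the original post or from Azure. The two rule tables are transcribed from the post's output after step a and after step e; the VIRTUAL_NETWORK tag is simplified to the VNET address space from step 1 (the real tag also covers connected networks), the "implicit deny" fall-through stands in for the platform's final default deny rule, and the test flows are constructed for this example.

```powershell
# Added example (not from the original post): evaluate constructed flows against
# the NSG rule tables shown in the post, in priority order, first match wins.
$vnetAddressSpace = '192.168.0.0/16'   # from the VNET config in step 1 (simplification of VIRTUAL_NETWORK)

function New-Rule($Name, $Priority, $Action, $Src, $Dst, $Ports, $Proto) {
    [pscustomobject]@{ Name = $Name; Priority = $Priority; Action = $Action; Source = $Src
                       Destination = $Dst; DestPorts = $Ports; Protocol = $Proto }
}

# Rule set after step a: "Block all" only covered sources in InfraSubnet1
$rulesAfterStepA = @(
    (New-Rule 'Allow Http'         100   'Allow' '192.168.10.0/24' '192.168.11.0/24' '80' 'TCP'),
    (New-Rule 'Block all'          200   'Deny'  '192.168.10.0/24' '192.168.11.0/24' '*'  '*'),
    (New-Rule 'ALLOW VNET INBOUND' 65000 'Allow' 'VIRTUAL_NETWORK' 'VIRTUAL_NETWORK' '*'  '*')
)
# Final rule set from step e: source widened to * in step b, port range 25-80 from step d
$rulesFinal = @(
    (New-Rule 'Allow Http'         100   'Allow' '192.168.10.0/24' '192.168.11.0/24' '25-80' 'TCP'),
    (New-Rule 'Block all'          200   'Deny'  '*'               '192.168.11.0/24' '*'     '*'),
    (New-Rule 'ALLOW VNET INBOUND' 65000 'Allow' 'VIRTUAL_NETWORK' 'VIRTUAL_NETWORK' '*'     '*')
)

function Test-IPInPrefix([string]$IPAddress, [string]$Prefix) {
    # Compare the leading $bits bits of the address with the network, octet by octet
    $network, $bits = $Prefix.Split('/')
    $ip  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $net = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $remaining = [int]$bits - 8 * $i          # prefix bits left to compare in this octet
        if ($remaining -le 0) { break }
        $mask = if ($remaining -ge 8) { 0xFF } else { (0xFF -shl (8 - $remaining)) -band 0xFF }
        if (($ip[$i] -band $mask) -ne ($net[$i] -band $mask)) { return $false }
    }
    return $true
}

function Test-AddressMatch([string]$Pattern, [string]$IPAddress) {
    if ($Pattern -eq '*') { return $true }
    if ($Pattern -eq 'VIRTUAL_NETWORK') { return (Test-IPInPrefix $IPAddress $vnetAddressSpace) }
    return (Test-IPInPrefix $IPAddress $Pattern)
}

function Test-PortMatch([string]$Range, [int]$Port) {
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    return ($Port -eq [int]$Range)
}

function Resolve-NsgDecision($Rules, [string]$SourceIP, [string]$DestinationIP, [int]$Port, [string]$Protocol) {
    $flow = "$SourceIP -> ${DestinationIP}:$Port/$Protocol"
    foreach ($r in ($Rules | Sort-Object Priority)) {
        if (($r.Protocol -eq '*' -or $r.Protocol -eq $Protocol) -and
            (Test-AddressMatch $r.Source $SourceIP) -and
            (Test-AddressMatch $r.Destination $DestinationIP) -and
            (Test-PortMatch $r.DestPorts $Port)) {
            return [pscustomobject]@{ Flow = $flow; Action = $r.Action; Rule = $r.Name; Priority = $r.Priority }
        }
    }
    # Nothing matched: the platform's final default deny would apply
    [pscustomobject]@{ Flow = $flow; Action = 'Deny'; Rule = '(implicit deny)'; Priority = $null }
}

# Constructed flows: ClientVM1 (192.168.10.4) and SQLVM1 (192.168.12.4) towards WebVM1 (192.168.11.4)
$flows = @(
    @{ SourceIP = '192.168.10.4'; DestinationIP = '192.168.11.4'; Port = 80;  Protocol = 'TCP' },  # intended
    @{ SourceIP = '192.168.10.4'; DestinationIP = '192.168.11.4'; Port = 53;  Protocol = 'TCP' },  # inside 25-80, never asked for
    @{ SourceIP = '192.168.10.4'; DestinationIP = '192.168.11.4'; Port = 443; Protocol = 'TCP' },  # should be blocked
    @{ SourceIP = '192.168.12.4'; DestinationIP = '192.168.11.4'; Port = 25;  Protocol = 'TCP' }   # DB tier reaching app tier
)

function Show-Decisions($Label, $Rules) {
    Write-Host "== $Label =="
    $flows | ForEach-Object { $f = $_; Resolve-NsgDecision -Rules $Rules @f } | Format-Table -AutoSize
}

Show-Decisions 'After step a' $rulesAfterStepA
Show-Decisions 'Final (after step e)' $rulesFinal
```

Two results are worth looking at. After step a, SQLVM1 to WebVM1 on port 25 is allowed: the "Block all" rule only matched sources in 192.168.10.0/24, so traffic from DBSubnet1 fell through to ALLOW VNET INBOUND at 65000, which is what widening the source to * in step b fixed. In the final table, port 53 from ClientVM1 is allowed because the 25-80 range from step d covers it, even though the task only asked for 25 and 80; a port range trades precision for convenience, so review what else it admits.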
f. Remove the Network Security Group
PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Remove-AzureNetworkSecurityGroupFromSubnet -VirtualNetworkName "SatishVnet1" -SubnetName "APPSubnet1"
PS C:\> Remove-AzureNetworkSecurityGroup "AzureSNG1-80"
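Steps e and f review and remove the group by hand. As an added example, not the post's own code, here is a small audit to run before step f (or against any classic NSG) that confirms which group is actually bound to the subnet, lists the inbound rules in evaluation order, and flags the patterns a reviewer would question. It assumes the rule objects returned by Get-AzureNetworkSecurityGroup -Detailed carry properties named after the column headers in the post's output (Type, Priority, Action, SourceAddressPrefix, DestinationAddressPrefix, DestinationPortRange, Protocol) and that Get-AzureNetworkSecurityGroupForSubnet returns the bound group; names are the lab values from the post.

```powershell
# Added example (not from the original post): audit the classic NSG bound to a
# subnet before changing or removing it.
$vnetName   = 'SatishVnet1'
$subnetName = 'APPSubnet1'
$nsgName    = 'AzureSNG1-80'

# 1. Confirm the group bound to the subnet is the one we intend to review
$bound = Get-AzureNetworkSecurityGroupForSubnet -VirtualNetworkName $vnetName -SubnetName $subnetName
if (-not $bound) { throw "No NSG is associated with $vnetName/$subnetName" }
if ($bound.Name -ne $nsgName) { Write-Warning "Subnet $subnetName is bound to '$($bound.Name)', not '$nsgName'" }

# 2. Inbound rules in evaluation order (-Detailed is needed to populate Rules)
$nsg = Get-AzureNetworkSecurityGroup -Name $bound.Name -Detailed
$inbound = @($nsg.Rules | Where-Object { $_.Type -eq 'Inbound' } | Sort-Object Priority)
$inbound | Format-Table Name, Priority, Action, SourceAddressPrefix, DestinationAddressPrefix, DestinationPortRange, Protocol -AutoSize

# 3. Findings a reviewer would want to see before signing off (platform defaults at 65000+ are skipped)
$findings = @(foreach ($r in $inbound) {
    if ($r.Priority -ge 65000) { continue }
    if ($r.Action -eq 'Allow' -and $r.SourceAddressPrefix -in @('*', 'INTERNET')) {
        "Rule '$($r.Name)' (priority $($r.Priority)) allows inbound from $($r.SourceAddressPrefix) to $($r.DestinationAddressPrefix):$($r.DestinationPortRange)/$($r.Protocol)"
    }
    if ($r.Action -eq 'Allow' -and $r.DestinationPortRange -match '^(\d+)-(\d+)$') {
        "Rule '$($r.Name)' opens port range $($r.DestinationPortRange); every port inside it is reachable, not only the ones the server listens on"
    }
    if ($r.Action -eq 'Allow' -and $r.DestinationPortRange -eq '*' -and $r.Protocol -eq '*') {
        "Rule '$($r.Name)' allows all ports and protocols from $($r.SourceAddressPrefix)"
    }
})
# Without a custom Deny, anything not explicitly allowed still falls through to ALLOW VNET INBOUND (65000)
if (-not ($inbound | Where-Object { $_.Action -eq 'Deny' -and $_.Priority -lt 65000 })) {
    $findings += "No custom Deny rule below priority 65000: unmatched intra-VNET traffic is allowed by default"
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No findings for $($nsg.Name)" }
```

Run against the rule table in step e, this reports the 25-80 range on "Allow Http" and nothing else; run against the table as it stood after step a, it would also report the missing wide Deny, which is the gap step b closed.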
More details:
https://msdn.microsoft.com/en-us/library/azure/dn848316.aspx
https://azure.microsoft.com/blog/2014/11/04/network-security-groups/
DISCLAIMER: This posting is provided "AS IS" with no warranties and confers no rights