Network Security Groups – Managing VMs in Azure IAAS with Azure PowerShell- Part 2


Controlling traffic between subnets within a VNET

In this exercise we will use the Network Security Group (NSG) feature, which is part of the Azure networking stack, to control traffic between VMs or between subnets within a VNET. NSG rules let us restrict which frontend servers may reach which backend servers, instead of relying on the default "everything in the VNET can talk to everything" behaviour.

Current configuration in the lab environment:
1. Storage account: satishlocalstorage
2. Cloud service: satishVnet1cloudsvc
3. VNET: “SatishVnet1” has 3 subnets: InfraSubnet1, APPSubnet1 and DBSubnet1
     i. Subnet “InfraSubnet1” 192.168.10.0/24 contains VM ClientVM1
    ii. Subnet “APPSubnet1” 192.168.11.0/24 contains VM WebVM1
   iii. Subnet “DBSubnet1” 192.168.12.0/24 contains VM SQLVM1

Before I set up a few scenarios for this exercise, let us review the current VNET and VM configuration to ensure the VMs are in the correct subnets.
1. Use the following PS cmdlet to review the current address space for VNET “SatishVnet1”
Get-AzureVNetConfig | select -ExpandProperty XMLconfiguration

<AddressSpace>
  <AddressPrefix>192.168.0.0/16</AddressPrefix>
</AddressSpace>
<Subnets>
  <Subnet name="InfraSubnet1">
    <AddressPrefix>192.168.10.4/24</AddressPrefix>
  </Subnet>
  <Subnet name="APPSubnet1">
    <AddressPrefix>192.168.11.4/24</AddressPrefix>
  </Subnet>
  <Subnet name="DBSubnet1">
    <AddressPrefix>192.168.12.4/24</AddressPrefix>
  </Subnet>
  <Subnet name="GatewaySubnet">
    <AddressPrefix>192.168.0.0/29</AddressPrefix>
  </Subnet>

Or
PS C:\azuretest> Get-AzureVNetConfig -ExportToFile c:\azuretest\satishvnetconfig.xml

2. Review the VM configuration status
PS C:\test\scripts> Get-AzureVM -ServiceName satishVnet1cloudsvc | Select-Object Name, IpAddress, InstanceStatus | Where-Object { $_.InstanceStatus -eq "ReadyRole" }

Name                                    IpAddress                               InstanceStatus
—-                                       ———                                       ————–
ClientVM1                               192.168.10.4                            ReadyRole
SQLVM1                                  192.168.12.4                            ReadyRole
webvm1                                  192.168.10.100                         ReadyRole

 

The first thing I want to do is move VM “webvm1” into the correct subnet, “APPSubnet1”, which is 192.168.11.0/24.
(In my scenario webvm1 has a static IP address, so I had to perform additional steps: a static VNET IP pins the VM to its current subnet and must be removed before the subnet can be changed.)

3. Get the static IP address of the VM
PS C:\azuretest> $staticipvm = Get-AzureVM -ServiceName 'satishVnet1cloudsvc' -Name 'webvm1'
PS C:\azuretest> Get-AzureStaticVNetIP -vm $staticipvm

IPAddress
———
192.168.10.100

 
4. Remove the static IP from VM webvm1 and move it to subnet “APPSubnet1”

PS C:\azuretest> Get-AzureVM -ServiceName satishVnet1cloudsvc -Name webvm1 | Remove-AzureStaticVNetIP | Update-AzureVM

PS C:\azuretest> Get-AzureVM -ServiceName satishVnet1cloudsvc -Name webvm1 | Set-AzureSubnet -SubnetNames APPSubnet1 | Update-AzureVM

       Wait a minute or so for the VM to restart; the VM is redeployed and picks up a new address from the target subnet.

5. Review the VM configuration status again to verify that webvm1 is now on the 192.168.11.0/24 subnet

Name                                    IpAddress                               InstanceStatus
—-                                           ———                                ————–
ClientVM1                               192.168.10.4                            ReadyRole
SQLVM1                                  192.168.12.4                            ReadyRole
webvm1                                  192.168.11.4                            ReadyRole

Now let us test a few scenarios to control traffic between subnets within a VNET

Scenario

a. Create a rule to allow port 80 from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic from subnet “InfraSubnet1” to subnet “APPSubnet1”
      (VM “WEBVM1” in subnet “APPSubnet1” currently listens on TCP ports 25/53/80)

b. Block all traffic to 192.168.11.0 except HTTP inbound from 192.168.10.0/24 to 192.168.11.0/24

c. Create another rule to allow port 25 from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic to subnet “APPSubnet1”

d. Remove the rules that you created for tasks “a” and “c” above and allow VMs in subnet “APPSubnet1” to listen on the port range 25 to 80 from subnet “InfraSubnet1” instead of ports 25 and 80 only, and ensure task “b” is not affected.

e. Review the network security group rules

f. Remove the Network Security Group (roll back to the default setting)

a) Create a rule to allow port 80 from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic from subnet “InfraSubnet1” to subnet “APPSubnet1”

 Create a Network Security Group called “AzureSNG1-80” (it must be created in the same region as the VNET)
PS C:\scripts> New-AzureNetworkSecurityGroup -Name "AzureSNG1-80" -Location "East US"

Name                                    Location                              
—-                                           ——–                               
AzureSNG1-80                      East US

Associate the Security Group with “APPSubnet1” (note that the VNET name is passed without a leading space)
PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName "SatishVnet1" -SubnetName "APPSubnet1"

Allow HTTP traffic to “APPSubnet1” from “InfraSubnet1”
PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Allow Http" -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix "192.168.10.0/24" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "80" -Protocol TCP

Name  : AzureSNG1-80
Rules :
           Type: Inbound

        Name                 Priority  Action   Source Address  Source Port   Destination      Destination    Protocol
                                                Prefix          Range         Address Prefix   Port Range
        —-                 ——–  ——   ————— ————- —————- ————– ——–
        Allow Http           100       Allow    192.168.10.0/24 *             192.168.11.0/24  80             TCP
      

Block all other traffic from 192.168.10.0/24 to 192.168.11.0/24 (priority 200 is evaluated after the Allow rule at 100, so HTTP still gets through)
PS C:\test\scripts> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Block all" -Type Inbound -Priority 200 -Action Deny -SourceAddressPrefix "192.168.10.0/24" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "*" -Protocol *

Name  : AzureSNG1-80
Rules :

           Type: Inbound

        Name                 Priority  Action   Source Address  Source Port   Destination      Destination    Protocol
                                                Prefix          Range         Address Prefix   Port Range
        —-                 ——–  ——   ————— ————- —————- ————– ——–
        Allow Http           100       Allow    192.168.10.0/24 *             192.168.11.0/24  80             TCP
        Block all            200       Deny     192.168.10.0/24 *             192.168.11.0/24  *              *

 

Test/verify the results from ClientVM1 (192.168.10.4): port 80 should be reachable and port 25 should be filtered
C:\PortQryV2>portqry -n 192.168.11.4 -p tcp -e 80

Querying target system called:
 192.168.11.4
Attempting to resolve IP address to a name…
Failed to resolve IP address to name
querying…
TCP port 80 (http service): LISTENING
C:\PortQryV2>portqry -n 192.168.11.4 -p tcp -e 25
Querying target system called:
 192.168.11.4
Attempting to resolve IP address to a name…
Failed to resolve IP address to name
querying…
TCP port 25 (smtp service): FILTERED

 b. Block all traffic to 192.168.11.0 except HTTP inbound from 192.168.10.0/24 to 192.168.11.0/24

Re-running Set-AzureNetworkSecurityRule with the same rule name updates the existing “Block all” rule in place; widening its source prefix from 192.168.10.0/24 to * makes it deny traffic from every source, including the other subnets in the VNET.

PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Block all" -Type Inbound -Priority 200 -Action Deny -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "*" -Protocol *

c. Create another rule to allow port 25 from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic to subnet “APPSubnet1”

PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Allow smtp" -Type Inbound -Priority 110 -Action Allow -SourceAddressPrefix "192.168.10.0/24" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "25" -Protocol TCP

d. Remove the rules that you created for tasks “a” and “c” above and allow VMs in subnet “APPSubnet1” to listen on the port range 25 to 80 from subnet “InfraSubnet1” instead of ports 25 and 80 only, and ensure task “b” is not affected.

PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Remove-AzureNetworkSecurityRule -Name "Allow Http"
PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Remove-AzureNetworkSecurityRule -Name "Allow smtp"
PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Allow Http" -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix "192.168.10.0/24" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "25-80" -Protocol TCP

e. Review the network security group rules

PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" -Detailed

Name  : AzureSNG1-80
Rules :

           Type: Inbound

        Name                 Priority  Action   Source Address  Source Port   Destination      Destination    Protocol
                                                Prefix          Range         Address Prefix   Port Range
        —-                 ——–  ——   ————— ————- —————- ————– ——–
        Allow Http           100       Allow    192.168.10.0/24 *             192.168.11.0/24  25-80          TCP
        Block all            200       Deny     *               *             192.168.11.0/24  *              *
        ALLOW VNET INBOUND   65000     Allow    VIRTUAL_NETWORK *             VIRTUAL_NETWORK  *              *
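The listing above is only useful if you can predict which rule a given packet will hit. The following PowerShell script is an added example, not code from the original post: it models NSG inbound evaluation (lowest priority number wins, first match decides) against the rule set that tasks b and d leave behind, and it also re-checks the VM placement from step 5, since a rule keyed on a subnet prefix only protects VMs that actually live in that prefix. Rule names, priorities, prefixes and VM addresses come from the post; the function names, the sample packets, and the DENY ALL INBOUND default at 65500 (present in classic NSGs but not shown in the post's listing) are my own assumptions. It runs offline without the Azure module.

```powershell
# Added example (not from the original post): offline model of NSG inbound rule
# evaluation for the rule set after tasks b and d, plus a VM-to-subnet check.
# Function names, sample packets and the 65500 catch-all are assumptions.

# Convert a dotted IPv4 address to an integer (int64 avoids sign problems with -band).
function ConvertTo-IpInt {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

# True when $Ip falls inside $Prefix. '*' matches anything; the VIRTUAL_NETWORK
# tag is modelled as the VNET address space the post shows (192.168.0.0/16).
function Test-CidrMatch {
    param([string]$Prefix, [string]$Ip)
    if ($Prefix -eq '*') { return $true }
    if ($Prefix -eq 'VIRTUAL_NETWORK') { $Prefix = '192.168.0.0/16' }
    $net, $bits = $Prefix.Split('/')
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask))
}

# True when $Port is covered by an NSG port range: '*', a single port, or 'low-high'.
function Test-PortMatch {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    return ($Port -eq [int]$Range)
}

# Inbound rules of AzureSNG1-80 after task d (first three rows from the post's listing).
$Rules = @(
    [pscustomobject]@{ Name = 'Allow Http';         Priority = 100;   Action = 'Allow'; Source = '192.168.10.0/24'; Dest = '192.168.11.0/24'; DestPorts = '25-80'; Protocol = 'TCP' }
    [pscustomobject]@{ Name = 'Block all';          Priority = 200;   Action = 'Deny';  Source = '*';               Dest = '192.168.11.0/24'; DestPorts = '*';     Protocol = '*' }
    [pscustomobject]@{ Name = 'ALLOW VNET INBOUND'; Priority = 65000; Action = 'Allow'; Source = 'VIRTUAL_NETWORK'; Dest = 'VIRTUAL_NETWORK'; DestPorts = '*';     Protocol = '*' }
    [pscustomobject]@{ Name = 'DENY ALL INBOUND';   Priority = 65500; Action = 'Deny';  Source = '*';               Dest = '*';               DestPorts = '*';     Protocol = '*' }  # assumed default
)

# Walk the rules in priority order and return the first one that matches the packet.
function Get-NsgVerdict {
    param($Rules, [string]$SourceIp, [string]$DestIp, [int]$DestPort, [string]$Protocol = 'TCP')
    foreach ($r in ($Rules | Sort-Object Priority)) {
        $protoOk = ($r.Protocol -eq '*') -or ($r.Protocol -eq $Protocol)
        if ($protoOk -and (Test-CidrMatch $r.Source $SourceIp) -and (Test-CidrMatch $r.Dest $DestIp) -and (Test-PortMatch $r.DestPorts $DestPort)) {
            return [pscustomobject]@{ Action = $r.Action; MatchedRule = $r.Name; Priority = $r.Priority }
        }
    }
}

# VM placement after step 5 of the post, with the prefix each VM should occupy.
$Inventory = @(
    @{ Vm = 'ClientVM1'; Ip = '192.168.10.4'; Subnet = 'InfraSubnet1'; Prefix = '192.168.10.0/24' }
    @{ Vm = 'webvm1';    Ip = '192.168.11.4'; Subnet = 'APPSubnet1';   Prefix = '192.168.11.0/24' }
    @{ Vm = 'SQLVM1';    Ip = '192.168.12.4'; Subnet = 'DBSubnet1';    Prefix = '192.168.12.0/24' }
)
foreach ($i in $Inventory) {
    $ok = Test-CidrMatch -Prefix $i.Prefix -Ip $i.Ip
    '{0,-10} {1,-14} expected in {2,-13}: {3}' -f $i.Vm, $i.Ip, $i.Subnet, $(if ($ok) { 'OK' } else { 'WRONG SUBNET' })
}

# Constructed sample packets: ClientVM1 and SQLVM1 talking to webvm1.
$Checks = @(
    @{ Src = '192.168.10.4'; Dst = '192.168.11.4'; Port = 80 }    # Allow: 'Allow Http'
    @{ Src = '192.168.10.4'; Dst = '192.168.11.4'; Port = 53 }    # Allow: 53 sits inside 25-80
    @{ Src = '192.168.12.4'; Dst = '192.168.11.4'; Port = 80 }    # Deny: 'Block all' beats the 65000 default
    @{ Src = '192.168.10.4'; Dst = '192.168.11.4'; Port = 443 }   # Deny: outside 25-80
)
foreach ($c in $Checks) {
    $v = Get-NsgVerdict -Rules $Rules -SourceIp $c.Src -DestIp $c.Dst -DestPort $c.Port
    '{0} -> {1}:{2,-4} {3,-5} (rule "{4}", priority {5})' -f $c.Src, $c.Dst, $c.Port, $v.Action, $v.MatchedRule, $v.Priority
}
```

Two things the model makes visible that the cmdlet output does not. First, the “Block all” rule at priority 200 is matched before the ALLOW VNET INBOUND default at 65000, so after task b SQLVM1 in DBSubnet1 can no longer reach webvm1 at all, even though both sit in the same VNET. Second, the range 25-80 introduced in task d is wider than “ports 25 and 80”: it also admits TCP 53, which the post notes WEBVM1 is listening on. If only SMTP and HTTP are meant to be reachable, two single-port Allow rules (as in tasks a and c) express that intent more precisely than a range.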

f. Remove the Network Security Group

First detach the NSG from the subnet, then delete it; the subnet falls back to the default rules (VNET traffic allowed).

PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Remove-AzureNetworkSecurityGroupFromSubnet -VirtualNetworkName "SatishVnet1" -SubnetName "APPSubnet1"
PS C:\> Remove-AzureNetworkSecurityGroup -Name "AzureSNG1-80"

More details:

http://msdn.microsoft.com/en-us/library/azure/dn848316.aspx

http://azure.microsoft.com/blog/2014/11/04/network-security-groups/

 

DISCLAIMER: This posting is provided “AS IS” with no warranties and confers no rights 