Network Security Groups - Managing VMs in Azure IAAS with Azure PowerShell- Part 2

Controlling traffic between subnets within a VNET

In this exercise we will use the Network Security Group (NSG) feature of the Azure networking stack to control traffic between VMs, or between subnets, within a VNET. This lets us restrict the traffic that the frontend and backend servers accept from each other.

Current configuration in the lab environment:
1. Storage account: satishlocalstorage
2. Cloud service: satishVnet1cloudsvc
3. VNET: “SatishVnet1” has 3 subnets: InfraSubnet1, APPSubnet1 and DBSubnet1
     i. Subnet “InfraSubnet1” 192.168.10.0/24 contains VM ClientVM1
    ii. Subnet “APPSubnet1” 192.168.11.0/24 contains VM WebVM1
   iii. Subnet “DBSubnet1” 192.168.12.0/24 contains VM SQLVM1

Before I set up a few scenarios for this exercise, let us review the current VNET and VM configuration to make sure each VM is in the correct subnet.
1. Use the following PS cmdlet to review the current address space and subnets of VNET “SatishVnet1”
Get-AzureVNetConfig | select -ExpandProperty XMLconfiguration

<AddressSpace>
  <AddressPrefix>192.168.0.0/16</AddressPrefix>
</AddressSpace>
<Subnets>
  <Subnet name="InfraSubnet1">
    <AddressPrefix>192.168.10.4/24</AddressPrefix>
  </Subnet>
  <Subnet name="APPSubnet1">
    <AddressPrefix>192.168.11.4/24</AddressPrefix>
  </Subnet>
  <Subnet name="DBSubnet1">
    <AddressPrefix>192.168.12.4/24</AddressPrefix>
  </Subnet>
  <Subnet name="GatewaySubnet">
    <AddressPrefix>192.168.0.0/29</AddressPrefix>
  </Subnet>

Or
PS C:\azuretest> Get-AzureVNetConfig -ExportToFile c:\azuretest\satishvnetconfig.xml

2. Review the VM configuration status
PS C:\test\scripts> get-azurevm -ServiceName satishVnet1cloudsvc | select-object name, ipaddress, instancestatus | where {$_.instancestatus -eq "ReadyRole"}

Name IpAddress InstanceStatus
---- --------- --------------
ClientVM1 192.168.10.4 ReadyRole
SQLVM1 192.168.12.4 ReadyRole
webvm1 192.168.10.100 ReadyRole

 

The first thing I want to do is move VM “webvm1” into its correct subnet, “APPSubnet1” (192.168.11.0/24).
(In my scenario webvm1 has a static IP address, 192.168.10.100, which lies in the range of InfraSubnet1, so I had to release it before the VM could be placed in the new subnet. The additional steps are below.)

3. Get the static IP address of the VM
PS C:\azuretest> $staticipvm=get-azurevm -servicename 'satishVnet1cloudsvc' -name 'webvm1'
PS C:\azuretest> Get-AzureStaticVNetIP -vm $staticipvm

IPAddress
---------
192.168.10.100

 
4. Remove the static IP from VM webvm1 and move it to subnet “APPSubnet1”

PS C:\azuretest> Get-AzureVM -ServiceName satishVnet1cloudsvc -Name webvm1 | Remove-AzureStaticVNetIP | Update-AzureVM

PS C:\azuretest> Get-AzureVM -ServiceName satishVnet1cloudsvc -Name webvm1 | Set-AzureSubnet -SubnetNames APPSubnet1 | Update-AzureVM

       Wait a minute or so for the VM to restart; the VM is restarted as part of the subnet change, so plan for a brief outage.

5. Review the VM configuration status again to verify that webvm1 is now on the 192.168.11.0/24 subnet. It received a dynamic address (192.168.11.4); if the web server needs a fixed address again, reserve one in the new subnet with Set-AzureStaticVNetIP.

Name IpAddress InstanceStatus
---- --------- --------------
ClientVM1 192.168.10.4 ReadyRole
SQLVM1 192.168.12.4 ReadyRole
webvm1 192.168.11.4 ReadyRole
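The check performed by hand in steps 1, 2 and 5 (does each VM's address sit in the subnet we expect?) can be scripted. The PowerShell below is an added example, not code from the original post: it parses the Get-AzureVNetConfig XML for the subnet prefixes and compares them with the addresses Get-AzureVM returns. The XML and VM list embedded in it are constructed to mirror the lab as it looked before the move; the function names and the expected-subnet mapping are my own.

```powershell
# Added example (not code from the original post): check that each running VM's
# address falls inside the subnet it is supposed to be in, using the same two
# data sources the post reads, the Get-AzureVNetConfig XML and Get-AzureVM.
# The XML and VM list below are constructed to mirror the lab before the move
# (webvm1 still in InfraSubnet1 with its static 192.168.10.100). For a live
# check replace them with:
#   [xml]$vnetXml = (Get-AzureVNetConfig).XMLConfiguration
#   $vms = Get-AzureVM -ServiceName satishVnet1cloudsvc | Where-Object { $_.InstanceStatus -eq 'ReadyRole' }

function ConvertTo-IpNumber ([string]$Ip) {
    # Dotted quad -> unsigned 32-bit integer; bytes reversed because
    # GetAddressBytes is network order and BitConverter is little-endian here.
    [byte[]]$b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()[3..0]
    [BitConverter]::ToUInt32($b, 0)
}

function Test-IpInPrefix ([string]$Ip, [string]$Prefix) {
    # CIDR membership by integer division: both addresses land in the same
    # block of 2^(32-bits) addresses. Because both sides are reduced, a prefix
    # written with a non-zero host part, as in the post's config output
    # (192.168.10.4/24), is treated as 192.168.10.0/24.
    $net, $bits = $Prefix -split '/'
    $block = [math]::Pow(2, 32 - [int]$bits)
    [math]::Floor((ConvertTo-IpNumber $Ip) / $block) -eq [math]::Floor((ConvertTo-IpNumber $net) / $block)
}

function Get-VmSubnetPlacement {
    param(
        [xml]$VNetXml,              # Get-AzureVNetConfig XMLConfiguration
        [string]$VNetName,
        [object[]]$Vms,             # objects with Name and IpAddress, as Get-AzureVM returns
        [hashtable]$ExpectedSubnet  # VM name -> subnet it is supposed to be in
    )
    $site = $VNetXml.NetworkConfiguration.VirtualNetworkConfiguration.VirtualNetworkSites.VirtualNetworkSite |
            Where-Object { $_.name -eq $VNetName }
    if (-not $site) { throw "VNet '$VNetName' not found in the network configuration" }

    foreach ($vm in $Vms) {
        # Subnet whose prefix contains the VM address ($null if none does)
        $actual = $site.Subnets.Subnet |
                  Where-Object { Test-IpInPrefix -Ip $vm.IpAddress -Prefix $_.AddressPrefix } |
                  Select-Object -First 1 -ExpandProperty name
        [pscustomobject]@{
            Name           = $vm.Name
            IpAddress      = $vm.IpAddress
            ActualSubnet   = $actual
            ExpectedSubnet = $ExpectedSubnet[$vm.Name]
            # hashtable lookup and -ne are case-insensitive (the post mixes WebVM1 and webvm1)
            Misplaced      = ($actual -ne $ExpectedSubnet[$vm.Name])
        }
    }
}

# --- Constructed sample input mirroring the post's lab (not live output) ---
[xml]$sampleVNetXml = @'
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="SatishVnet1" Location="East US">
        <AddressSpace><AddressPrefix>192.168.0.0/16</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="InfraSubnet1"><AddressPrefix>192.168.10.4/24</AddressPrefix></Subnet>
          <Subnet name="APPSubnet1"><AddressPrefix>192.168.11.4/24</AddressPrefix></Subnet>
          <Subnet name="DBSubnet1"><AddressPrefix>192.168.12.4/24</AddressPrefix></Subnet>
          <Subnet name="GatewaySubnet"><AddressPrefix>192.168.0.0/29</AddressPrefix></Subnet>
        </Subnets>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
'@

$sampleVms = @(
    [pscustomobject]@{ Name = 'ClientVM1'; IpAddress = '192.168.10.4';   InstanceStatus = 'ReadyRole' }
    [pscustomobject]@{ Name = 'SQLVM1';    IpAddress = '192.168.12.4';   InstanceStatus = 'ReadyRole' }
    [pscustomobject]@{ Name = 'webvm1';    IpAddress = '192.168.10.100'; InstanceStatus = 'ReadyRole' }
)
$expected = @{ ClientVM1 = 'InfraSubnet1'; WebVM1 = 'APPSubnet1'; SQLVM1 = 'DBSubnet1' }

Get-VmSubnetPlacement -VNetXml $sampleVNetXml -VNetName 'SatishVnet1' -Vms $sampleVms -ExpectedSubnet $expected | Format-Table -AutoSize
```

Against the sample data only webvm1 comes out as Misplaced (actual InfraSubnet1, expected APPSubnet1); after the move in step 4, running it with live data should report no misplaced VMs. The same placement check is worth running before attaching any NSG, since a subnet-level group only protects the VMs that are actually in that subnet.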

Now let us test a few scenarios to control traffic between subnets within a VNET.

Scenarios

a. Create a rule to allow port 80 from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic from subnet “InfraSubnet1” to subnet “APPSubnet1”
      (VM “WEBVM1” in subnet “APPSubnet1” currently listens on TCP ports 25/53/80)

b. Block all traffic to 192.168.11.0/24 except HTTP inbound from 192.168.10.0/24 to 192.168.11.0/24

c. Create another rule to allow port 25 as well from subnet “InfraSubnet1” to subnet “APPSubnet1”, keeping all other traffic to subnet “APPSubnet1” blocked

d. Remove the rules created in tasks “a” and “c” above and allow VMs in subnet “APPSubnet1” to listen on a port range from 25 to 80 from subnet “InfraSubnet1” instead of ports 25 and 80 only, making sure task “b” is not affected

e. Review the network security group rules

f. Remove the Network Security Group (roll back to the default setting)

a) Create a rule to allow port 80 from subnet “InfraSubnet1” to subnet “APPSubnet1” and block all other traffic from subnet “InfraSubnet1” to subnet “APPSubnet1”

Create a Network Security Group called "AzureSNG1-80". The group must be created in the same region as the VNET (East US here) before it can be associated with one of its subnets.
PS C:\scripts> New-AzureNetworkSecurityGroup -Name "AzureSNG1-80" -Location "East US"

Name Location                              
---- --------                               
AzureSNG1-80 East US

Associate the Security Group with "APPSubnet1"
PS C:\ > Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName "SatishVnet1" -SubnetName "APPSubnet1"

Allow HTTP traffic to "APPSubnet1" from “InfraSubnet1”
PS C:\ > Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Allow Http" -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix "192.168.10.0/24" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "80" -Protocol TCP

Name : AzureSNG1-80
Rules :
           Type: Inbound

        Name       Priority Action Source Address Prefix Source Port Range Destination Address Prefix Destination Port Range Protocol
        ----       -------- ------ --------------------- ----------------- -------------------------- ---------------------- --------
        Allow Http 100      Allow  192.168.10.0/24       *                 192.168.11.0/24            80                     TCP
      

Block all other traffic from 192.168.10.0/24 to 192.168.11.0/24. Rules are evaluated in ascending priority order and the first match wins, so the Allow at 100 is checked before the Deny at 200. Note that this Deny only covers sources in 192.168.10.0/24: traffic from any other subnet (DBSubnet1, for example) still reaches APPSubnet1 through the default “ALLOW VNET INBOUND” rule at priority 65000, which is what scenario b addresses.
PS C:\test\scripts> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Block all" -Type Inbound -Priority 200 -Action Deny -SourceAddressPrefix "192.168.10.0/24" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "*" -Protocol *

Name : AzureSNG1-80
Rules :

           Type: Inbound

        Name       Priority Action Source Address Prefix Source Port Range Destination Address Prefix Destination Port Range Protocol
        ----       -------- ------ --------------------- ----------------- -------------------------- ---------------------- --------
        Allow Http 100      Allow  192.168.10.0/24       *                 192.168.11.0/24            80                     TCP
        Block all  200      Deny   192.168.10.0/24       *                 192.168.11.0/24            *                      *

 

Test/verify the results from a VM in “InfraSubnet1” (ClientVM1): port 80 answers, while port 25 is reported as FILTERED because the Deny rule drops the SYN.
C:\PortQryV2>portqry -n 192.168.11.4 -p tcp -e 80

Querying target system called:
 192.168.11.4
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 80 (http service): LISTENING
C:\PortQryV2>portqry -n 192.168.11.4 -p tcp -e 25
Querying target system called:
 192.168.11.4
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 25 (smtp service): FILTERED

b. Block all traffic to 192.168.11.0/24 except HTTP inbound from 192.168.10.0/24 to 192.168.11.0/24

Running Set-AzureNetworkSecurityRule again with the existing name “Block all” replaces that rule in place (it keeps priority 200), so the only change is that the source prefix widens from 192.168.10.0/24 to "*". With a source of "*" this Deny now sits above every default rule, so besides DBSubnet1 it also drops anything else reaching the subnet, including traffic admitted by the default “ALLOW AZURE LOAD BALANCER INBOUND” rule at 65001; keep that in mind if the web VM has load-balanced endpoints with health probes.

PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Block all" -Type Inbound -Priority 200 -Action Deny -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "*" -Protocol *

c. Create another rule to allow port 25 as well from subnet “InfraSubnet1” to subnet “APPSubnet1”; all other traffic to subnet “APPSubnet1” stays blocked by the “Block all” rule from task “b”

PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Allow smtp" -Type Inbound -Priority 110 -Action Allow -SourceAddressPrefix "192.168.10.0/24" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "25" -Protocol TCP

Priority 110 places the new Allow between “Allow Http” (100) and “Block all” (200); any Allow that is meant to override the Deny needs a lower number than 200.

d. Remove the rules created in tasks “a” and “c” above and allow VMs in subnet “APPSubnet1” to listen on a port range from 25 to 80 from subnet “InfraSubnet1” instead of ports 25 and 80 only, making sure task “b” is not affected.

PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Remove-AzureNetworkSecurityRule -Name "Allow Http"
PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Remove-AzureNetworkSecurityRule -Name "Allow smtp"
PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Set-AzureNetworkSecurityRule -Name "Allow Http" -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix "192.168.10.0/24" -SourcePortRange "*" -DestinationAddressPrefix "192.168.11.0/24" -DestinationPortRange "25-80" -Protocol TCP

The “Block all” rule at priority 200 is left untouched, so task “b” still holds. Be clear about what the range buys you: "25-80" is not “25 and 80”, it admits every TCP port in between, including TCP 53 on which WEBVM1 also listens. If only SMTP and HTTP are wanted, two single-port rules are the least-privilege choice; use a range only when every port inside it is meant to be reachable.

e. Review the network security group rules

PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" -Detailed

Name : AzureSNG1-80
Rules :

           Type: Inbound

        Name               Priority Action Source Address Prefix Source Port Range Destination Address Prefix Destination Port Range Protocol
        ----               -------- ------ --------------------- ----------------- -------------------------- ---------------------- --------
        Allow Http         100      Allow  192.168.10.0/24       *                 192.168.11.0/24            25-80                  TCP
        Block all          200      Deny   *                     *                 192.168.11.0/24            *                      *
        ALLOW VNET INBOUND 65000    Allow  VIRTUAL_NETWORK       *                 VIRTUAL_NETWORK            *                      *
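To see why the Deny at 200 filters port 25 for ClientVM1 but would not have stopped SQLVM1 until task b widened the source to "*", and what the 25-80 range in task d lets through, the PowerShell below is an added example, not code from the post or from the Azure cmdlets. It evaluates a single flow against a rule table the way the platform does (ascending priority, first match decides). The rule sets are constructed from the rules shown after tasks a, b and d; the three default inbound rules (ALLOW VNET INBOUND 65000, ALLOW AZURE LOAD BALANCER INBOUND 65001, DENY ALL INBOUND 65500) are the documented platform defaults rather than output shown on this page, and the function names are my own.

```powershell
# Added example, not code from the original post: evaluate one inbound flow
# against an NSG rule table the way the platform does (ascending priority,
# first match decides). Rule sets are constructed from the post's output after
# tasks a, b and d; the three default rules are the documented platform
# defaults, and the VNet address space comes from Get-AzureVNetConfig above.

$VNetAddressSpace = '192.168.0.0/16'

function ConvertTo-IpNumber ([string]$Ip) {
    # Dotted quad -> UInt32 (bytes reversed for the little-endian BitConverter)
    [byte[]]$b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()[3..0]
    [BitConverter]::ToUInt32($b, 0)
}

function Test-IpInPrefix ([string]$Ip, [string]$Prefix) {
    # CIDR membership: both addresses fall in the same block of 2^(32-bits)
    $net, $bits = $Prefix -split '/'
    $block = [math]::Pow(2, 32 - [int]$bits)
    [math]::Floor((ConvertTo-IpNumber $Ip) / $block) -eq [math]::Floor((ConvertTo-IpNumber $net) / $block)
}

function Test-PrefixMatch ([string]$Ip, [string]$RulePrefix) {
    # Rule prefixes: CIDR, single address, '*' or a tag. VIRTUAL_NETWORK maps to
    # the VNet address space; the other tags cannot match an address inside the
    # VNet, which is the only kind of source evaluated here.
    switch ($RulePrefix) {
        '*'                  { return $true }
        'VIRTUAL_NETWORK'    { return (Test-IpInPrefix $Ip $VNetAddressSpace) }
        'AZURE_LOADBALANCER' { return $false }
        'INTERNET'           { return $false }
        default {
            if ($RulePrefix -notmatch '/') { $RulePrefix = "$RulePrefix/32" }
            return (Test-IpInPrefix $Ip $RulePrefix)
        }
    }
}

function Test-PortMatch ([int]$Port, [string]$Range) {
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range -split '-'            # '80' or '25-80'
    if (-not $hi) { $hi = $lo }
    return ($Port -ge [int]$lo -and $Port -le [int]$hi)
}

function Resolve-NsgInbound ([object[]]$Rules, [string]$SourceIp, [string]$DestIp, [int]$DestPort, [string]$Protocol = 'TCP') {
    # First rule (lowest priority number) matching protocol, source, destination
    # and destination port decides; later rules are never consulted.
    foreach ($r in ($Rules | Where-Object { $_.Type -eq 'Inbound' } | Sort-Object Priority)) {
        if ($r.Protocol -ne '*' -and $r.Protocol -ne $Protocol) { continue }
        if (-not (Test-PrefixMatch $SourceIp $r.SourceAddressPrefix)) { continue }
        if (-not (Test-PrefixMatch $DestIp $r.DestinationAddressPrefix)) { continue }
        if (-not (Test-PortMatch $DestPort $r.DestinationPortRange)) { continue }
        return $r
    }
    throw 'No rule matched; DENY ALL INBOUND (65500) should always catch the flow'
}

function New-Rule ($Name, $Priority, $Action, $Src, $SrcPort, $Dst, $DstPort, $Proto) {
    [pscustomobject]@{ Name = $Name; Type = 'Inbound'; Priority = $Priority; Action = $Action
                       SourceAddressPrefix = $Src; SourcePortRange = $SrcPort
                       DestinationAddressPrefix = $Dst; DestinationPortRange = $DstPort; Protocol = $Proto }
}

# Default inbound rules of every NSG (platform defaults, not output from the post)
$defaults = @(
    (New-Rule 'ALLOW VNET INBOUND' 65000 'Allow' 'VIRTUAL_NETWORK' '*' 'VIRTUAL_NETWORK' '*' '*'),
    (New-Rule 'ALLOW AZURE LOAD BALANCER INBOUND' 65001 'Allow' 'AZURE_LOADBALANCER' '*' '*' '*' '*'),
    (New-Rule 'DENY ALL INBOUND' 65500 'Deny' '*' '*' '*' '*' '*')
)
# The group as the post leaves it after tasks a, b and d (constructed from its output)
$afterTaskA = @(
    (New-Rule 'Allow Http' 100 'Allow' '192.168.10.0/24' '*' '192.168.11.0/24' '80' 'TCP'),
    (New-Rule 'Block all'  200 'Deny'  '192.168.10.0/24' '*' '192.168.11.0/24' '*'  '*')
) + $defaults
$afterTaskB = @(
    (New-Rule 'Allow Http' 100 'Allow' '192.168.10.0/24' '*' '192.168.11.0/24' '80' 'TCP'),
    (New-Rule 'Block all'  200 'Deny'  '*'               '*' '192.168.11.0/24' '*'  '*')
) + $defaults
$afterTaskD = @(
    (New-Rule 'Allow Http' 100 'Allow' '192.168.10.0/24' '*' '192.168.11.0/24' '25-80' 'TCP'),
    (New-Rule 'Block all'  200 'Deny'  '*'               '*' '192.168.11.0/24' '*'     '*')
) + $defaults

function Show-Decision ($Stage, $Rules, $SourceIp, $DestPort) {
    $r = Resolve-NsgInbound -Rules $Rules -SourceIp $SourceIp -DestIp '192.168.11.4' -DestPort $DestPort
    [pscustomobject]@{ Stage = $Stage; Flow = "$SourceIp -> 192.168.11.4:$DestPort/TCP"
                       Decision = $r.Action; DecidedBy = "$($r.Name) ($($r.Priority))" }
}

@(
    (Show-Decision 'after a' $afterTaskA '192.168.10.4' 80)   # ClientVM1 -> webvm1, HTTP
    (Show-Decision 'after a' $afterTaskA '192.168.10.4' 25)   # ClientVM1 -> webvm1, SMTP
    (Show-Decision 'after a' $afterTaskA '192.168.12.4' 25)   # SQLVM1 (DBSubnet1) -> webvm1, SMTP
    (Show-Decision 'after b' $afterTaskB '192.168.12.4' 25)   # same flow once the Deny source is '*'
    (Show-Decision 'after d' $afterTaskD '192.168.10.4' 53)   # ClientVM1 -> webvm1, TCP 53 inside 25-80
) | Format-Table -AutoSize
```

The five flows come out as Allow (Allow Http), Deny (Block all), Allow (ALLOW VNET INBOUND), Deny (Block all) and Allow (Allow Http): the first two match the portqry results above, the third is the gap in task a that task b closes, and the last shows that a port range opens every port between its ends, here including TCP 53. To evaluate a live group instead, feed Resolve-NsgInbound the Rules collection of Get-AzureNetworkSecurityGroup -Detailed; this assumes its rule objects carry the same property names as the column headers shown in the review output, which is what the evaluator reads.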

f. Remove the Network Security Group (roll back to the default setting)

Detach the group from the subnet first, then delete it; the group cannot be removed while it is still associated with a subnet.
PS C:\> Get-AzureNetworkSecurityGroup -Name "AzureSNG1-80" | Remove-AzureNetworkSecurityGroupFromSubnet -VirtualNetworkName "SatishVnet1" -SubnetName "APPSubnet1"
PS C:\> Remove-AzureNetworkSecurityGroup -Name "AzureSNG1-80"

Once the group is gone the subnet is back to the platform defaults: every VM inside the VNET can reach APPSubnet1 on any port again.

More details:

https://msdn.microsoft.com/en-us/library/azure/dn848316.aspx

https://azure.microsoft.com/blog/2014/11/04/network-security-groups/

 

DISCLAIMER: This posting is provided "AS IS" with no warranties and confers no rights