Exercise 2 – Secure network access using an NSG
This section will look at creating an NSG and associating it with a subnet; adding an inbound rule that allows us to connect to a VM over RDP while restricting connections to a known IP address only; then, creating an outbound rule to deny internet access.
For this exercise, we will create a new VM.
The following sub-sections set out the procedure for completing the exercise, split into tasks for easier understanding.
Task: Access the Azure portal
- Log in to the Azure portal at https://portal.azure.com. You can alternatively use the Azure desktop app, found at https://portal.azure.com/App/Download.
Task: Create a VM
- In the search bar, type in virtual machines; click Virtual machines from the list of services.
- From the Virtual machines blade, click + Create and then Virtual machine from the top menu of the blade.
- Set Project and Instance details and Administrative accounts as required.
- Set Public inbound port rules to None.
- Set Licensing at the default of unchecked (that is, No) to use an existing Windows Server license.
- Click Next: Disks.
- Leave set at defaults.
- Click Next: Networking.
- From Network interface, set the following:
  - Virtual network—Use the default provided.
  - Subnet—Use the default provided.
  - Public IP—Click Create new, then enter a name and click OK.
  - NIC network security group—Select None.
- Leave all other settings at defaults.
- Click Next: Management.
- Leave set at defaults.
- Click Next: Advanced.
- Leave set at defaults.
- Click Next: Tags and add any tags as required; click Next: Review + create.
- On the Review + create tab, review your settings; you may go back to the previous tabs and make any edits if required. Once you have confirmed your settings are as required, you can click Create.
- You will receive a notification that the resource was created successfully.
Task: Create an NSG
- In the search bar, type in network security groups; click Network security groups from the list of services.
- From the Network security groups blade, click + Create from the top menu of the blade.
- Set Project and Instance details and Administrative accounts as required.
- Click Next: Tags and add any tags as required; click Next: Review + create.
- On the Review + create tab, review your settings; you may go back to the previous tabs and make any edits if required. Once you have confirmed your settings are as required, you can click Create.
- You will receive a notification that the resource was created successfully.
- Click Go to resource from the deployment blade; alternatively, navigate to the Azure NSG instance.
Task: Associate NSG to a subnet
- From the blade of the NSG you just created, click Subnets under Settings.
- Click + Associate from the top toolbar.
- Select the VNet and subnet of the VM you created earlier in this exercise from the Associate subnet blade.
- Click OK.
- You will receive a notification that the changes were saved successfully.
Task: Attempt to connect to a VM using RDP
- Navigate to the VM created in this exercise.
- From the Overview pane, click Connect and then click RDP.
- From the Connect pane, click Download RDP file.
- Open the downloaded file and click Connect.
- You will see a message box that says Remote Desktop can’t connect to the remote computer. This is to be expected, and we will resolve this in the next task to allow a connection.
Task: Add an inbound rule to allow RDP access
- From the Virtual machines blade, click Networking under Settings. You will see that from the inbound port rules, all inbound connections are denied unless their source is the VNet or Azure Load Balancer.
- From the Inbound port rules tab, click Add inbound port rule.
- Open a browser and from Google, type what’s my ip and note your IP for the next step.
- From the Add inbound security rule blade, leave all other options at their defaults apart from the following:
  - Source—Select IP addresses.
  - Source IP addresses/CIDR ranges—Set to your IP from the previous step.
  - Service—Select RDP.
  - Action—Ensure Allow is set.
  - Name—Provide a name, such as AllowInbound_RDP_KnownIP.
  - Description—Enter as required.
- Click Add.
- You will receive a notification that the rule was created successfully.
- Open the downloaded file again and click Connect.
- This time, you will be prompted to enter your credentials and will be able to connect to the VM successfully.
Task: Access the internet from the VM
- While logged in to the VM, open a browser and confirm you have reached the internet by visiting a site such as www.milesbetter.solutions (you may need to adjust Internet Explorer (IE) security settings). We will restrict this access to the internet in the next task.
Task: Add an outbound rule to deny internet access
- From the Virtual machines blade, click Networking under Settings; you will see from the Outbound port rules tab that all outbound connections are allowed to the internet.
- From the Outbound port rules tab, click Add outbound port rule.
- From the Add outbound security rule blade, leave all other options at default apart from the following:
  - Destination—Select Service tag.
  - Destination service tag—Select Internet.
  - Destination port ranges—Enter * (an asterisk).
  - Action—Ensure Deny is set.
  - Priority—Enter a value of 200.
  - Name—Provide a name, such as DenyOutbound_Internet.
  - Description—Enter as required.
- Click Add.
- You will receive a notification that the rule was created successfully.
- From the VM, open a browser again and confirm you can no longer reach the internet by visiting a site such as www.milesbetter.solutions.
- This time, you will see a message from the browser such as Can’t reach this page.
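To see why the RDP attempt fails before the inbound rule exists, succeeds from the known IP afterwards, and why a Deny at priority 200 beats the default AllowInternetOutBound rule, here is a small Python model of NSG rule evaluation covering both the inbound and the outbound task. It is an added example, not code from the book or from Azure; the VNet address space, the VM's private IP, the "known" client IP and the inbound rule's priority of 100 are assumptions, and the Internet service tag is simplified to "any address outside the VNet".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed, simplified model of NSG evaluation: rules are checked in ascending
# priority order and the first match decides; Azure's default rules (65000+) come last.
VNET = ip_network("10.0.0.0/16")   # assumed address space of the default VNet
VM_IP = "10.0.0.4"                 # assumed private IP of the VM
KNOWN_IP = "203.0.113.10"          # constructed stand-in for the "what's my ip" result

@dataclass
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    source: str      # IP, CIDR, "*" or a service tag
    dest: str
    port: str        # "*" or a single destination port
    action: str      # "Allow" or "Deny"

def addr_match(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip_address(ip) in VNET
    if spec == "Internet":               # simplification: anything outside the VNet
        return ip_address(ip) not in VNET
    if spec == "AzureLoadBalancer":      # Azure's load balancer health-probe address
        return ip == "168.63.129.16"
    return ip_address(ip) in ip_network(spec, strict=False)

def evaluate(rules, direction, src, dst, port):
    # Return (rule name, action) of the first rule, by priority, that matches.
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if addr_match(r.source, src) and addr_match(r.dest, dst) and r.port in ("*", str(port)):
            return r.name, r.action
    return "DenyAll", "Deny"             # not reached once the default rules are present
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "Deny"),
]
CUSTOM_RULES = [   # the two rules added in the exercise; inbound priority 100 is assumed
    Rule("AllowInbound_RDP_KnownIP", 100, "Inbound", KNOWN_IP, "*", "3389", "Allow"),
    Rule("DenyOutbound_Internet", 200, "Outbound", "*", "Internet", "*", "Deny"),
]
def rdp_from(client_ip, rules=DEFAULT_RULES + CUSTOM_RULES):
    return evaluate(rules, "Inbound", client_ip, VM_IP, 3389)
def web_to(server_ip, rules=DEFAULT_RULES + CUSTOM_RULES):
    return evaluate(rules, "Outbound", VM_IP, server_ip, 443)
```

Passing only DEFAULT_RULES reproduces the state before each task; passing the combined list reproduces the state after it, so `rdp_from` from any address other than KNOWN_IP still ends at DenyAllInBound.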
In this exercise, we successfully created an NSG and associated it with a subnet; we added an inbound rule that allows us to connect to a VM over RDP while restricting connections to a known IP address only; then, we created an outbound rule to deny internet access.
This section covered hands-on exercises. The following section provides a summary of this chapter.