Azure Network Security Groups and Firewall
Microsoft Azure provides Network Security Groups (NSGs) as the primary firewall mechanism for protecting web servers. NSGs contain security rules that allow or deny network traffic to resources in Azure virtual networks.
Creating and configuring Azure NSGs:
# Create the Network Security Group (requires the Az.Network module and an
# authenticated session via Connect-AzAccount)
$nsg = New-AzNetworkSecurityGroup `
    -ResourceGroupName "WebServerRG" `
    -Location "East US" `
    -Name "WebServerNSG"

# Add inbound rules for web traffic. Rules are evaluated in ascending priority
# order and the first match wins; anything not matched falls through to the
# built-in DenyAllInBound rule (priority 65500).
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name "AllowHTTPS" `
    -Description "Allow HTTPS" `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 100 `
    -SourceAddressPrefix Internet `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 443

# Port 80 is usually kept only so the web server can redirect clients to HTTPS
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name "AllowHTTP" `
    -Description "Allow HTTP" `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 110 `
    -SourceAddressPrefix Internet `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 80

# Restrict SSH access to the admin subnet; no rule allows SSH from the Internet,
# so those connections are dropped by DenyAllInBound
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name "AllowSSHFromAdmin" `
    -Description "Allow SSH from admin network" `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 120 `
    -SourceAddressPrefix "10.0.0.0/24" `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 22

# Write the rules to Azure. The NSG only filters traffic once it is associated
# with a subnet or a network interface.
$nsg | Set-AzNetworkSecurityGroup
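To see how Azure evaluates the rules above (ascending priority, first match wins, built-in default rules last), here is an added offline evaluator in Python. It is example code, not part of the original text or the Az module, and it assumes a VNet address space of 10.0.0.0/16 and approximates the "Internet" service tag as any non-RFC1918 address; the probe address 203.0.113.5 is constructed.

```python
import ipaddress
from collections import namedtuple
# Rule fields mirror the Add-AzNetworkSecurityRuleConfig parameters used above.
Rule = namedtuple("Rule", "name priority access protocol source dest_ports")

VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")  # assumed VNet address space
PRIVATE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Azure's built-in default inbound rules; they sit behind any custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "168.63.129.16/32", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def source_matches(prefix, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "Internet":  # approximation: anything outside RFC1918 space
        return not any(ip in p for p in PRIVATE)
    if prefix == "VirtualNetwork":
        return ip in VNET_PREFIX
    return ip in ipaddress.ip_network(prefix, strict=False)

def port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")  # "443" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, dest_port, protocol="Tcp"):
    """First matching rule in ascending priority decides; returns (access, rule name)."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol in ("*", protocol) and source_matches(r.source, src_ip) \
                and port_matches(r.dest_ports, dest_port):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

def internet_exposed_ports(rules, probe_ports=(22, 80, 443, 3389)):
    """Audit helper: which probe ports can a constructed Internet host (203.0.113.5) reach?"""
    return [p for p in probe_ports if evaluate(rules, "203.0.113.5", p)[0] == "Allow"]

# The three custom rules from the NSG built in the text above.
WEB_SERVER_RULES = [
    Rule("AllowHTTPS", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("AllowHTTP", 110, "Allow", "Tcp", "Internet", "80"),
    Rule("AllowSSHFromAdmin", 120, "Allow", "Tcp", "10.0.0.0/24", "22"),
]
```

Note that a host anywhere inside the VNet reaches every port through AllowVnetInBound, which is why east-west exposure needs its own Deny rules.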
Azure Firewall provides centralized network security policy enforcement:
# Create Azure Firewall. The virtual network must already contain a subnet
# named "AzureFirewallSubnet" and the public IP must be Standard SKU.
$firewall = New-AzFirewall `
    -Name "WebServerFirewall" `
    -ResourceGroupName "WebServerRG" `
    -Location "East US" `
    -VirtualNetworkName "WebServerVNet" `
    -PublicIpName "FirewallPublicIP"

# Configure application rules. These filter outbound HTTP/HTTPS by FQDN, so the
# web subnet can reach only the listed update servers.
$appRule = New-AzFirewallApplicationRule `
    -Name "AllowWebTraffic" `
    -SourceAddress "10.0.1.0/24" `
    -Protocol "http:80","https:443" `
    -TargetFqdn "*.windowsupdate.com","*.ubuntu.com"

$appRuleCollection = New-AzFirewallApplicationRuleCollection `
    -Name "WebServerAppRules" `
    -Priority 100 `
    -Rule $appRule `
    -ActionType "Allow"

# Attach the collection and push the configuration. Traffic is only inspected
# once a route table sends the subnet's outbound traffic through the firewall.
$firewall.ApplicationRuleCollections.Add($appRuleCollection)
Set-AzFirewall -AzureFirewall $firewall