Network security groups (NSGs) have gained several features that let network administrators manage security rules more flexibly: predefined service tags, multiple IP addresses and ports in one rule, and application-specific settings. With them you can write fewer and more precise rules.
Service tags
Service tags are predefined labels that stand for the IP address ranges of a specific Azure service or of a class of resources. Microsoft maintains the ranges behind each tag; you cannot create custom tags or edit the default ones. The following default service tags are available in Azure:
Internet: All IP address space outside the virtual network that is reachable from the public internet. Note that this includes Azure's own public IP ranges, so "Internet" is not the same as "outside Azure".
VirtualNetwork: The address space of the virtual network (VNet). It is broader than the VNet's own prefixes: it also covers peered virtual networks, on-premises address spaces connected through a virtual network gateway, and address prefixes used in user-defined routes. Keep that in mind before treating "VirtualNetwork" as a trust boundary.
AzureLoadBalancer: The Azure infrastructure load balancer. It translates to the virtual IP of the host (168.63.129.16), from which Azure health probes originate; it does not stand for the front-end addresses of a load balancer you deployed.
AzureTrafficManager: The IP address space of the Azure Traffic Manager probe service.
Storage: The IP address space of the Azure Storage service. Regional variants (for example Storage.NorthEurope) are available beneath the Storage tag for rules that should reach storage in a single region only.
Sql: The IP address space of Azure SQL Database and Azure SQL Data Warehouse. Regional variants (for example Sql.NorthEurope) are available as well.
With service tags you no longer have to enumerate the addresses a service such as Azure SQL uses, or the prefixes of an entire VNet; a single tag covers them, and Microsoft updates the ranges behind it. Service tags can be used in both the Azure Portal and PowerShell.
In PowerShell, you use service tags exactly as they appear in the Azure Portal. The following example adds an outbound rule that allows traffic from the VNet to the Azure SQL service IPs in the North Europe region on TCP port 1433. The source port is left as *, because clients connect from ephemeral ports. One caveat: if the client runs inside Azure and the SQL server uses the default Redirect connection policy, traffic after the initial handshake goes to ports 11000-11999 on the Sql tag, so that range needs its own rule (or switch the server to the Proxy policy).
$nsg = Get-AzureRmNetworkSecurityGroup -Name TestNSG2 -ResourceGroupName 4SYSOPS
$nsg | Add-AzureRmNetworkSecurityRuleConfig `
    -Name Allow_SQL_Access `
    -Description "Allow port 1433 for SQL in NorthEurope" `
    -Access Allow `
    -Protocol Tcp `
    -Direction Outbound `
    -Priority 110 `
    -SourceAddressPrefix VirtualNetwork `
    -SourcePortRange * `
    -DestinationAddressPrefix "Sql.NorthEurope" `
    -DestinationPortRange 1433 |
  Set-AzureRmNetworkSecurityGroup
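Before relying on a regional tag such as Sql.NorthEurope, it is worth checking that the address your clients actually connect to falls inside it. The following script is an added example, not code from the original post: it pulls the published prefixes for a tag with Get-AzNetworkServiceTag and tests whether a given IPv4 address is covered. It assumes the current Az module (Az.Network) and a signed-in session (Connect-AzAccount), whereas the post's own examples use the older AzureRm cmdlets; the region, tag name and host name are placeholders.

```powershell
# Added example; not code from the original post. Assumes the Az module
# (Az.Network) and Connect-AzAccount has been run. Location, tag name and
# host name below are placeholders.

# True if an IPv4 address lies inside a CIDR prefix. IPv6 prefixes, which the
# tag list also contains, return $false. Plain arithmetic is used instead of
# bitwise shifts so the result is the same on Windows PowerShell 5.1 and PowerShell 7.
function Test-IPv4InPrefix {
    param([string]$IPAddress, [string]$Prefix)
    $network, $bits = $Prefix -split '/'
    if (-not $bits) { $bits = 32 }                       # bare address == /32
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    $toInt = { param($b) $n = [double]0; foreach ($x in $b) { $n = $n * 256 + $x }; $n }
    $blockSize = [math]::Pow(2, 32 - [int]$bits)         # addresses per prefix
    return [math]::Floor((& $toInt $ipBytes) / $blockSize) -eq
           [math]::Floor((& $toInt $netBytes) / $blockSize)
}

# Returns the prefixes of a service tag that contain the address, or nothing
# if the tag does not cover it.
function Get-ServiceTagPrefixesFor {
    param([string]$Location, [string]$TagName, [string]$IPAddress)
    $tag = (Get-AzNetworkServiceTag -Location $Location).Values |
        Where-Object { $_.Name -eq $TagName }
    if (-not $tag) { throw "Service tag '$TagName' is not published for $Location" }
    $tag.Properties.AddressPrefixes |
        Where-Object { Test-IPv4InPrefix -IPAddress $IPAddress -Prefix $_ }
}

# Usage: resolve the SQL logical server (placeholder name) and confirm that the
# regional tag used in the outbound rule really covers it.
$sqlHost = 'myserver.database.windows.net'
$sqlIp   = ([System.Net.Dns]::GetHostAddresses($sqlHost) |
            Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1).IPAddressToString
$hits = Get-ServiceTagPrefixesFor -Location northeurope -TagName 'Sql.NorthEurope' -IPAddress $sqlIp
if ($hits) { "$sqlHost ($sqlIp) is covered by Sql.NorthEurope via: $($hits -join ', ')" }
else       { "$sqlHost ($sqlIp) is NOT covered by Sql.NorthEurope; check the server's region or use the global Sql tag" }
```

If the address is not covered, the usual causes are a server in a different region than the tag, or a DNS answer pointing at a private endpoint, which is not part of the public Sql ranges at all.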
Augmented security rules
Augmented security rules let you put multiple ports, multiple IP addresses or ranges, service tags, and application security groups into a single rule, so far fewer rules are needed to describe the traffic an NSG allows or denies.
This is particularly handy for services that use hundreds of IP addresses, which now fit into one rule. It also simplifies a chore administrators used to face regularly: keeping NSGs in step with Azure's published datacenter IP ranges. Hundreds of those ranges can be loaded into a single rule in seconds instead of being spread over many rules. Where a service tag exists for the target, prefer the tag over a pasted list of ranges; Microsoft keeps the tag current, while a static list goes stale.
In the following example, I create a single inbound rule with five destination entries: three individual IP addresses and two address ranges.
$AugmentedRule1 = New-AzureRmNetworkSecurityRuleConfig `
    -Name "ApplicationServers" `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 110 `
    -SourceAddressPrefix Internet `
    -SourcePortRange * `
    -DestinationAddressPrefix "10.10.10.10","18.104.22.168","22.214.171.0/24","126.96.0.0/16","188.8.131.52" `
    -DestinationPortRange 443

$nsg = New-AzureRmNetworkSecurityGroup `
    -ResourceGroupName 4SYSOPS `
    -Location NorthEurope `
    -Name NSG-WITH-AUGMENTED-RULES `
    -SecurityRules $AugmentedRule1
In the Azure Portal, the result shows up as a single rule with multiple destinations.
The same information is available from PowerShell:
Get-AzureRmNetworkSecurityGroup -Name "NSG-WITH-AUGMENTED-RULES" -ResourceGroupName 4SYSOPS | Select-Object -ExpandProperty SecurityRules
Besides service tags, augmented rules accept multiple IP addresses for both the source and the destination. That way you can manage network traffic in an NSG with far fewer rules and less administrative effort.
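The flip side of packing many prefixes and ports into one rule is that an over-broad entry is easy to overlook when reading the rule list. The following script is an added example, not code from the original post: it walks a set of rules and flags inbound Allow rules that expose management ports, or every port, to an unrestricted source, expanding port ranges and multi-valued prefixes the way augmented rules require. It assumes the Az module (Az.Network); the rule objects are built locally with New-AzNetworkSecurityRuleConfig, so the check itself runs without an Azure session, and the port list is an assumption to adjust for your environment.

```powershell
# Added example; not code from the original post. Assumes the Az module
# (Az.Network). The sample rules are constructed here for illustration.

$SensitivePorts = 22, 3389, 1433, 5985, 5986          # SSH, RDP, SQL, WinRM (assumption)
$OpenSources    = '*', 'Internet', '0.0.0.0/0', '::/0' # sources that mean "anyone"

# True if $Port falls inside a rule port entry such as '*', '443' or '1000-2000'.
function Test-PortInRange {
    param([int]$Port, [string]$Range)
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range -split '-'
    if (-not $hi) { $hi = $lo }
    return ([int]$lo -le $Port) -and ($Port -le [int]$hi)
}

# Emits one object per inbound Allow rule that lets an unrestricted source reach
# a sensitive port. Every entry of the (possibly multi-valued) source and port
# lists is examined, which is what makes this work for augmented rules.
function Find-OverExposedRule {
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        if ($Rule.Direction -ne 'Inbound' -or $Rule.Access -ne 'Allow') { return }
        $openSource = @($Rule.SourceAddressPrefix | Where-Object { $OpenSources -contains $_ }).Count -gt 0
        if (-not $openSource) { return }
        $exposed = foreach ($p in $SensitivePorts) {
            if (@($Rule.DestinationPortRange | Where-Object { Test-PortInRange -Port $p -Range $_ }).Count -gt 0) { $p }
        }
        if ($exposed) {
            [pscustomobject]@{
                Rule     = $Rule.Name
                Priority = $Rule.Priority
                Sources  = $Rule.SourceAddressPrefix -join ','
                Ports    = $Rule.DestinationPortRange -join ','
                Exposed  = $exposed -join ','
            }
        }
    }
}

# Constructed sample rules (no Azure session needed to build these objects).
$sample = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Anywhere' -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix Internet -SourcePortRange '*' -DestinationAddressPrefix 10.10.10.0/24 -DestinationPortRange 3389
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Web' -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
        -SourceAddressPrefix Internet -SourcePortRange '*' -DestinationAddressPrefix 10.10.10.0/24 -DestinationPortRange 80,443
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Mgmt-FromJumpHost' -Access Allow -Protocol Tcp -Direction Inbound -Priority 120 `
        -SourceAddressPrefix 10.0.0.5 -SourcePortRange '*' -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 22,3389
    New-AzNetworkSecurityRuleConfig -Name 'Allow-All-Range' -Access Allow -Protocol '*' -Direction Inbound -Priority 130 `
        -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 1000-2000
)
$sample | Find-OverExposedRule | Format-Table -AutoSize

# Against a real NSG (requires Connect-AzAccount), reusing the names from this post:
# Get-AzNetworkSecurityGroup -Name NSG-WITH-AUGMENTED-RULES -ResourceGroupName 4SYSOPS |
#     Select-Object -ExpandProperty SecurityRules | Find-OverExposedRule
```

Of the four constructed rules, Allow-RDP-Anywhere is flagged for 3389 and Allow-All-Range for 1433, which hides inside the 1000-2000 range; Allow-Web exposes only 80 and 443, and Allow-Mgmt-FromJumpHost has a specific source, so neither is reported. Remember that Azure evaluates rules by priority, so a reported rule may be shadowed by a lower-numbered Deny; the script reports what the rule itself permits, not the net effect.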
In this post, we've had a look at some useful NSG features to manage Azure network traffic more efficiently.
In part III, we will look at application security groups (ASGs) and how to reference them in NSG rules, which lets you write NSG rules at the application level.