In this second article about Azure network security groups, we will see how we manage service tags and augmented security rules with PowerShell.
Latest posts by Baki Onur Okutucu (see all)

Network security groups (NSGs) have several new features allowing network administrators to manage security rules more flexibly. With these features, administrators can simply create more effective rules using pre-defined tags, multiple IPs, and application-specific settings in NSGs.

Service tags ^

Service tags are predefined IP addresses representing specific services or resources. You cannot create custom tags nor edit existing default tags. The following default service tags are available in Azure:

Internet: This one includes all publicly reachable internet IP addresses outside the virtual network (VNet).

VirtualNetwork: Covers the address space of a virtual network used by resources.

AzureLoadBalancer: Represents an Azure Load Balancer in use.

AzureTrafficManager: Defines the IP address space for the Azure Traffic Manager service.

Storage: Contains the IP address space of the Azure Storage Service. Region-based tags are also available as sub-items underneath the Storage tag.

Sql: Covers all IP addresses of the Azure SQL Database and Azure SQL Data Warehouse services. Region-based tags are also available for Sql.

Service tags in Azure Portal

Service tags in Azure Portal

With service tags, it is easier to specify an entire VNet or any IP addresses that a SQL server uses. This feature is available in both Azure Portal and PowerShell.

Service tags can apply to either a source or destination

Service tags can apply to either a source or destination

In PowerShell, you can use service tags as they appear in Azure Portal. The following example creates a new outbound rule from a VNet to Azure SQL Service IPs in the North Europe region to allow port 1433:

$nsg=Get-AzureRmNetworkSecurityGroup -Name  TestNSG2 -ResourceGroupName 4SYSOPS
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name Allow_SQL_Access -Description "Allow port 1433 for SQL in NorthEurope" -Access Allow -Protocol Tcp -Direction Outbound ‑Priority 110 -SourceAddressPrefix VirtualNetwork -SourcePortRange 1433 ‑DestinationAddressPrefix "SQL.NorthEurope"  -DestinationPortRange 1433 | Set-AzureRmNetworkSecurityGroup

Augmented security rules ^

With this extended feature, you can add multiple ports, multiple IP addresses, service tags, and application security groups into a single security rule. This allows us to use fewer security rules to manage network traffic in Azure.

This is particularly handy for services with hundreds of IP addresses, which you can easily manage in a single security rule. It's also pretty useful to be able to add multiple Azure Data Center IP addresses into a single rule, since this task requires administrators to update their NSGs pretty often. So you can easily add hundreds of Azure Data Center IP addresses into NSGs in seconds.

In the following example, I will specify five different IP addresses and IP address spaces within a single rule.

$AugmentedRule1 = New-AzureRmNetworkSecurityRuleConfig `
  -Name "ApplicationServers" `
  -Access Allow `
  -Protocol Tcp `
  -Direction Inbound `
  -Priority 110 `
  -SourceAddressPrefix Internet `
  -SourcePortRange * `
  -DestinationAddressPrefix "","","","","" `
  -DestinationPortRange 443

$nsg = New-AzureRmNetworkSecurityGroup `
  -ResourceGroupName 4SYSOPS `
  -Location NorthEurope `
  -SecurityRules $AugmentedRule1
Creating a new augmented security rule

Creating a new augmented security rule

We can see the result in Azure Portal. In this way, we've created a single rule with multiple destinations.

Augmented security rules in Azure Portal

Augmented security rules in Azure Portal

We can obtain the same result through PowerShell with the following command:

Get-AzureRmNetworkSecurityGroup -Name "NSG-WITH-AUGMENTED-RULES" -ResourceGroupName 4SYSOPS | SELECT -ExpandProperty SecurityRules
Augmented security rules through PowerShell

Augmented security rules through PowerShell

In addition to service tags, we can specify multiple IP addresses for both source and destination endpoints with this enhanced feature. This way, we can manage network traffic in NSGs using far fewer rules and with less administrative effort.

In this post, we've had a look at some useful NSG features to manage Azure network traffic more efficiently.

In part III, we will take a look at application security rules and integrate them with network security groups to allow us to use NSGs at the application level.


Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2022


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account