Using a priority value (low is high, and high is low), we can stack rules to create a granular policy. For example, a low priority rule can block all inbound traffic and a high priority rule can allow TCP 3389 (remote desktop aka RDP) in.<\/p>\n
The below rule allows HTTP traffic into a virtual subnet.<\/p>\n
We can associate an NSG with:<\/p>\n The preferred option is to enforce the rule at the subnet level, therefore a subnet is a security boundary and all machines in a subnet should have the same rules. If you need different rules for different machines, then add subnets. The stated best practice by Microsoft is to associate an NSG with a subnet.<\/p>\n An NSG contains a collection of default rules. For example:<\/p>\n It\u2019s that last rule that I\u2019m concerned with in this post. You can see the rule with a priority of 65001 below; it allows all traffic, from anywhere, to route via Azure to the Internet.<\/p>\n What does that mean?<\/p>\n That worries me. And here\u2019s why:<\/p>\n There\u2019s one great big hammer you can swing to stop all of the above. Warning: this is a hammer and should be evaluated and tested. I can put an additional outbound NSG rule to block all outbound traffic that sources from anywhere and routes to the Internet. This rule has a higher priority (lower number) than the default rules so it will override the “allow all outbound” rule and lock down my environment.<\/p>\n A variation on this approach would be to use a much higher priority, such as 4000, for this new rule, and create\u00a0other higher priority rules to allow very specific outbound access from the virtual network.<\/p>\n Thanks to stateful inspection, my inbound application traffic can still function via the inbound rules in the NSG, but the above rule denies all traffic from leaving this subnet for the Internet. Me 1, dodgy stuff 0.<\/p>\n I did compare the above to a hammer, and hammers can break things. If you follow the above, you will … break things<\/a> \ud83d\ude42 Azure requires that Azure VMs have the ability to reach the “Internet” zone to get updates from … Azure IP addresses (which are regarded as “Internet” by NSGs). The real solution is actually a lot more complex requiring a lot of rules to allow a lot of Azure IP ranges. Microsoft’s Keith Mayer has a solution <\/a>for identifying these IP addresses (documented by Microsoft) and creating filtered outbound access to just those IP addresses using PowerShell.<\/p>\n In this post I will explain how you can use Azure Network Security Groups (NSGs) to\u00a0prevent unwanted or dangerous traffic from leaving your Azure virtual machines. Have you a written policy that prevents administrators from browsing the Internet from servers? Have you found that they find creative ways to bypass your policies? Are you worried … Continue reading “Block Dodgy Admins, BotNets, and Data Leakage on Azure VMs”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":19553,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[5],"tags":[170,80,190],"class_list":["post-19560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-azure","tag-networking","tag-security"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t![\"image\"](\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2016\/06\/image4.png\" "\\"image\\"")
<\/a><\/p>\n\n
\n
<\/a><\/p>\n\n
\n
<\/a><\/p>\nA Word of Warning<\/h2>\n