This article is about how to create a Network Security Group (NSG) in Azure. An NSG is a basic stateful packet filter (a layer 3/4 firewall, not an application firewall) that Azure provides to control the traffic flowing to and from resources in an Azure virtual network.
Traffic is controlled with security rules that work like an access control list (ACL). Each rule defines the protocol (TCP, UDP, ICMP or any), the source address and source port, the destination address and destination port, the direction (inbound or outbound), whether to allow or deny, and a priority. Rules are evaluated from the lowest priority number upwards and the first matching rule wins. An NSG can be associated with a subnet or with a virtual machine's NIC; the rules then apply to every resource in that subnet or to that VM only. If both a subnet NSG and a NIC NSG are in place, inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG (outbound the other way round), so it has to be allowed by both.

NSGs are stateful: when an inbound rule allows a connection, the return traffic for that flow is permitted automatically, so no matching outbound rule for the ephemeral ports is needed (and likewise for connections initiated outbound). A rule only has to cover the direction in which the connection is opened.

In the previous post, we saw how to create a virtual network and subnets in Azure.

Existing infrastructure diagram (refer to the article mentioned above): Virtual network and Subnets

This article describes how to create two network security groups, one for the internal subnet and one for the DMZ subnet, and attach each to its subnet.

One NSG per subnet is required so that the two zones can be governed by independent rule sets.


#Connect to Azure (interactive login; use a service principal or managed identity for automation)
Connect-AzAccount

#Virtual network information (names from the previous post)
$resourceGroup_Name = "RG-HOSite"
$vnet_Name = "vnet-ho"

#Fetch the resource group and virtual network objects
$rg = Get-AzResourceGroup -Name $resourceGroup_Name
$vnet = Get-AzVirtualNetwork -Name $vnet_Name -ResourceGroupName $rg.ResourceGroupName

#Get the subnets from the virtual network object.
#Subnets[0] and [1] rely on the order in which they were created in the previous post;
#if you know the subnet names, Get-AzVirtualNetworkSubnetConfig -Name is safer.
$subnet_INT = $vnet.Subnets[0]
$subnet_DMZ = $vnet.Subnets[1]

#Create the internal network NSG.
#It must be in the same region as the virtual network, and it starts with only Azure's default rules.
$nsg_int = New-AzNetworkSecurityGroup -Name "nsg-int" `
    -Location $vnet.Location `
    -ResourceGroupName $rg.ResourceGroupName

#Associate the NSG with the internal subnet.
#-AddressPrefix is mandatory, so pass the existing prefix to leave it unchanged.
#Capture the object returned by Set-AzVirtualNetwork so $vnet reflects what is now in Azure.
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet `
    -Name $subnet_INT.Name `
    -AddressPrefix $subnet_INT.AddressPrefix `
    -NetworkSecurityGroup $nsg_int | Set-AzVirtualNetwork

#Create the DMZ network NSG
$nsg_dmz = New-AzNetworkSecurityGroup -Name "nsg-dmz" `
    -Location $vnet.Location `
    -ResourceGroupName $rg.ResourceGroupName

#Associate the DMZ NSG with the DMZ subnet
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet `
    -Name $subnet_DMZ.Name `
    -AddressPrefix $subnet_DMZ.AddressPrefix `
    -NetworkSecurityGroup $nsg_dmz | Set-AzVirtualNetwork

Executing the above script creates the two NSGs and associates them with the internal and DMZ subnets, as shown below. Note that a newly created NSG contains only Azure's default rules: inbound traffic from the Internet is denied (DenyAllInBound), but traffic between addresses inside the virtual network (AllowVnetInBound) and outbound traffic to the Internet (AllowInternetOutBound) are allowed. So at this point the DMZ cannot yet receive public traffic, and the DMZ and internal subnets can still talk to each other freely; the security rules for each zone still have to be added.
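The following is an added example, not part of the original article, showing what the security rules described at the top of the page look like once the two NSGs exist: a DMZ that exposes only HTTPS to the Internet and accepts admin connections only from the internal subnet, an internal subnet that refuses any connection initiated from the DMZ, and a check that each subnet really points at the intended NSG. It assumes the variables from the script above ($rg, $vnet, $subnet_INT, $subnet_DMZ) are still in the session; the address prefixes are read from the subnet objects rather than hard-coded, and the ports (443 for the web tier, 22 and 3389 for administration) are assumptions for illustration.

```powershell
# Added example (not from the original article). Assumes $rg, $vnet, $subnet_INT and
# $subnet_DMZ from the script above. Ports 443/22/3389 are assumptions for illustration.

# Re-read the NSGs so we work on the current server-side state
$nsg_dmz = Get-AzNetworkSecurityGroup -Name 'nsg-dmz' -ResourceGroupName $rg.ResourceGroupName
$nsg_int = Get-AzNetworkSecurityGroup -Name 'nsg-int' -ResourceGroupName $rg.ResourceGroupName

# Address prefixes come from the subnet objects created in the previous post
$prefix_int = $subnet_INT.AddressPrefix
$prefix_dmz = $subnet_DMZ.AddressPrefix

# ----- DMZ subnet: expose HTTPS only; admin ports only from the internal subnet -----
# Rules are evaluated from the lowest priority number upwards; the first match wins.
# NSGs are stateful, so no outbound rule is needed for the replies to these flows.
$nsg_dmz | Add-AzNetworkSecurityRuleConfig -Name 'allow-https-in' `
    -Description 'Public HTTPS to the DMZ web tier' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix $prefix_dmz -DestinationPortRange 443 | Out-Null

$nsg_dmz | Add-AzNetworkSecurityRuleConfig -Name 'allow-admin-from-int' `
    -Description 'SSH/RDP to the DMZ only from the internal subnet' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix $prefix_int -SourcePortRange * `
    -DestinationAddressPrefix $prefix_dmz -DestinationPortRange @('22', '3389') | Out-Null

# The default AllowVnetInBound rule (priority 65000) would still let any address in the
# VNet reach any DMZ port, so add an explicit deny that is evaluated before it.
$nsg_dmz | Add-AzNetworkSecurityRuleConfig -Name 'deny-vnet-in' `
    -Description 'Block everything else from the VNet (overrides AllowVnetInBound)' `
    -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange * | Out-Null

$nsg_dmz = $nsg_dmz | Set-AzNetworkSecurityGroup

# ----- Internal subnet: nothing may be initiated from the DMZ -----
# Replies to admin sessions opened from the internal subnet are still allowed (stateful).
$nsg_int | Add-AzNetworkSecurityRuleConfig -Name 'deny-dmz-in' `
    -Description 'DMZ hosts must not open connections into the internal subnet' `
    -Access Deny -Protocol * -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $prefix_dmz -SourcePortRange * `
    -DestinationAddressPrefix $prefix_int -DestinationPortRange * | Out-Null

$nsg_int = $nsg_int | Set-AzNetworkSecurityGroup

# ----- Verification -----
# 1. Each subnet points at the intended NSG
$vnet = Get-AzVirtualNetwork -Name $vnet.Name -ResourceGroupName $rg.ResourceGroupName
foreach ($s in $vnet.Subnets) {
    $nsgName = if ($s.NetworkSecurityGroup) { ($s.NetworkSecurityGroup.Id -split '/')[-1] } else { '<none>' }
    "{0,-20} {1,-18} NSG={2}" -f $s.Name, ($s.AddressPrefix -join ','), $nsgName
}

# 2. Custom rules plus the platform defaults, listed in evaluation order
foreach ($nsg in @($nsg_dmz, $nsg_int)) {
    "`n== $($nsg.Name) inbound rules (evaluation order) =="
    @($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
        Where-Object Direction -eq 'Inbound' |
        Sort-Object Priority |
        Format-Table Priority, Name, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
}
```

The explicit deny at priority 4000 in the DMZ is the part most often forgotten: without it, the default AllowVnetInBound rule lets any host in the virtual network reach any DMZ port, so the "only 22/3389 from the internal subnet" allow rule would restrict nothing. Listing custom and default rules together in priority order makes that interaction visible before any traffic is sent.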

Hope this is informative and thank you for reading.