Firewall – Restrict traffic between peered VNETs in Azure

azureazure-networkingfirewallvirtual-network

I'm working with Azure, and I have 2 VNETs, each in its own resource group

                                  Peering
                                     +
                                     |
                                     |
                                     |
                                     |
+------------------------------+     |      +-------------------------------------+
|     Test Resource Group      |     |      |          Prod Resource Group        |
|                              |     |      |                                     |
|   +----------------------+   |     v      |   +-----------------------------+   |
|   |       Test VNET      |   |            |   |          Prod VNET          |   |
|   |                      <--------------------+                             |   |
|   |                      |   |            |   |                             |   |
|   |                      +-------------------->                             |   |
|   |                      |   |            |   |                             |   |
|   |                      |   |            |   |                             |   |
|   +----------------------+   |            |   +-----------------------------+   |
|                              |            |                                     |
+------------------------------+            +-------------------------------------+

What I want to do is lock down the peering, such that traffic between the VNETs is restricted to a particular port on a particular VM, without affecting any of the existing firewall rules that are in place.

Would adding an NSG (Network Security Group) to the subnets allow me to do this?

Best Answer

Depending on your requirement, Network Security Groups is one of the built in way of restricting network access. They also have firewall appliances that you could use if you have a requirement for logging.

Best practice for NSG is to cast more general restrictions on your network, and more granular restrictions on the NICs of your VMs. Do some planning on how you would want to have it setup, read some best practices, and you'll be successful.

Related Solutions

Azure – the difference between an Azure network security group and a VNET

NSG's could, I suppose have been implemented as part of the vNet, but actually the current approach provides more flexibility, especially if you are using templates to deploy.

vNets are your containers that provide communication between between VM's and a boundary between your environment and the outside world. Inside vNets you will create subnets to organise your network as you like and configure routing rule to define how traffic flows (if you don't like the defaults). vNets also provide the functionality to hook into things like VPN's and Express route.

NSG's are your firewalls that determine what traffic is allowed through. The important thing to note is that NSG's can be applied to individual machines, or to subnets. This distinction means you can apply an NSG to subnet and it can control what traffic is allowed in both from teh outside world, but also from other subnets on your network. Alternatively you can define it at the VM/NIC level and lock things down just for that VM.

Azure Network Security Group – Fix Inbound Ports Not Working

According to your description, it seems that your service is not listening or listening on 127.0.0.1.

You could use netstat -ant|grep <port>. The result should be like below:

tcp        0      0 0.0.0.0:<port>              0.0.0.0:*               LISTEN

The service could not listen on 127.0.0.1. It should be listening on 0.0.0.0 or VM private IP(such as 10.0.0.4).

You could check inside your VM, curl 127.0.0.1:<port>. Please ensure it could provide service.

Best Answer

Related Solutions

Azure – the difference between an Azure network security group and a VNET

Azure Network Security Group – Fix Inbound Ports Not Working

Related Topic