NSGs - Configure

🎯 Lab Objective

In this hands-on lab, you will learn how to:

Create Network Security Groups (NSGs) for different network tiers
Associate NSGs with subnets and network interfaces
Configure security rules to control inbound and outbound traffic
Test connectivity between different network segments
Implement network segmentation using NSG rules
Understand the difference between subnet-level and NIC-level NSG associations

Goal: Implement network security controls to segment web and application tiers while maintaining necessary connectivity.

🏗️ Pre-Provisioned Environment

The following Azure resources have been pre-deployed in your environment:

Resource Overview

Resource Type	Resource Name	Configuration	Purpose
Resource Group	`NSG-Lab-RG`	Contains all lab resources	Logical container
Virtual Network	`NSG-Lab-VNet`	Address space: 10.0.0.0/16	Network foundation
Web Subnet	`WebSubnet`	Range: 10.0.1.0/24	Web tier network
App Subnet	`AppSubnet`	Range: 10.0.2.0/24	Application tier network
Web VM	`WebVM`	Windows Server with RDP	Web tier server
App VM	`AppVM`	Ubuntu Linux with SSH	Application tier server
Public IPs	Various	External connectivity	Remote access

Network Architecture

NSG-Lab-VNet (10.0.0.0/16)
├── WebSubnet (10.0.1.0/24)
│   └── WebVM (Windows Server)
│       └── WebSubnet-NSG (to be created)
└── AppSubnet (10.0.2.0/24)
    └── AppVM (Ubuntu Linux)
        └── AppSubnet-NSG (to be created)

VM Details

VM	Operating System	Private IP	Public IP	Access Method
WebVM	Windows Server 2019	10.0.1.4	Dynamic	RDP (port 3389)
AppVM	Ubuntu 20.04 LTS	10.0.2.4	Dynamic	SSH (port 22)

🚀 Lab Exercises

Part 1: Create Network Security Groups

Step 1: Navigate to NSG Creation

Open the Azure Portal
Search for “Network security groups”
Click + Create

Step 2: Create Web Tier NSG

Setting	Value	Notes
Subscription	Your subscription	Pre-selected
Resource group	`NSG-Lab-RG`	Use existing
Name	`WebSubnet-NSG`	Web tier security
Region	Same as VNet	Must match

Click Review + create
Click Create

Step 3: Create App Tier NSG

Repeat the process with these settings:

Setting	Value	Notes
Name	`AppSubnet-NSG`	App tier security
Resource group	`NSG-Lab-RG`	Same as before
Region	Same as VNet	Must match

⏱️ Creation Time: NSGs typically create within 1-2 minutes.

Part 2: Associate NSGs with Subnets

Step 1: Associate Web Subnet NSG

Navigate to NSG-Lab-RG resource group
Click on WebSubnet-NSG
In the left menu, select Subnets
Click + Associate

Setting	Value	Notes
Virtual network	`NSG-Lab-VNet`	Select the VNet
Subnet	`WebSubnet`	Web tier subnet

Click OK

Step 2: Associate App Subnet NSG

Click on AppSubnet-NSG
In the left menu, select Subnets
Click + Associate

Setting	Value	Notes
Virtual network	`NSG-Lab-VNet`	Select the VNet
Subnet	`AppSubnet`	App tier subnet

Click OK

🔍 Verification: Each NSG should show one associated subnet in the Subnets blade.

Part 3: Configure Web Tier Security Rules

Step 1: Allow RDP Access to Web Tier

Navigate to WebSubnet-NSG
In the left menu, click Inbound security rules
Click + Add

Step 2: Configure RDP Rule

Setting	Value	Purpose
Source	My IP address	Your current IP
Source port ranges	*	Any source port
Destination	Any	Any destination
Service	RDP	Pre-configured RDP
Action	Allow	Permit traffic
Priority	1000	Rule precedence
Name	`Allow-RDP-MyIP`	Descriptive name
Description	`Allow RDP from my IP`	Rule purpose

Click Add

Step 3: Block Inter-Subnet Communication

Click + Add for another inbound rule

Setting	Value	Purpose
Source	IP Addresses	Specific IP range
Source IP addresses/CIDR ranges	`10.0.2.0/24`	AppSubnet range
Source port ranges	*	Any source port
Destination	Any	Any destination
Service	Custom	Custom rule
Destination port ranges	*	All ports
Protocol	Any	All protocols
Action	Deny	Block traffic
Priority	1100	Lower than allow rules
Name	`Block-From-AppSubnet`	Descriptive name

Click Add

Part 4: Configure App Tier Security Rules

Step 1: Allow SSH Access to App Tier

Navigate to AppSubnet-NSG
In the left menu, click Inbound security rules
Click + Add

Step 2: Configure SSH Rule

Setting	Value	Purpose
Source	My IP address	Your current IP
Source port ranges	*	Any source port
Destination	Any	Any destination
Service	SSH	Pre-configured SSH
Action	Allow	Permit traffic
Priority	1000	Rule precedence
Name	`Allow-SSH-MyIP`	Descriptive name

Click Add

Step 3: Allow Web Tier Communication (Optional)

Click + Add for another rule

Setting	Value	Purpose
Source	IP Addresses	Specific IP range
Source IP addresses/CIDR ranges	`10.0.1.0/24`	WebSubnet range
Destination	Any	Any destination
Service	Custom	Custom rule
Destination port ranges	`80,443`	HTTP/HTTPS
Protocol	TCP	Web protocols
Action	Allow	Permit traffic
Priority	1200	After other rules
Name	`Allow-Web-To-App`	Descriptive name

Click Add

Part 5: Test Network Connectivity

Step 1: Connect to Web VM

Navigate to WebVM in your resource group
Click Connect → RDP
Download the RDP file and connect using:
- Username: azureuser
- Password: LabPassword123!

Step 2: Test Connectivity from Web VM

Once connected to WebVM, open Command Prompt and run:

# Test connectivity to App VM (should fail due to NSG rule)
ping 10.0.2.4

# Test internet connectivity (should succeed)
ping 8.8.8.8

# Test DNS resolution
nslookup google.com

Expected Results:

❌ Ping to AppVM (10.0.2.4) should fail or timeout
✅ Ping to internet (8.8.8.8) should succeed
✅ DNS resolution should work

Step 3: Connect to App VM

Navigate to AppVM in your resource group
Click Connect → SSH
Use Azure Cloud Shell or your preferred SSH client:

ssh azureuser@[AppVM-Public-IP]
# Password: LabPassword123!

Step 4: Test Connectivity from App VM

Once connected to AppVM, run:

# Test connectivity to Web VM (behavior depends on NSG rules)
ping 10.0.1.4

# Test internet connectivity (should succeed)
ping 8.8.8.8

# Test web access
curl -I http://google.com

Expected Results:

❓ Ping to WebVM depends on your NSG configuration
✅ Internet connectivity should work
✅ Web access should function

Part 6: Advanced NSG Configuration

Step 1: Enable ICMP Between Subnets

Navigate to AppSubnet-NSG
Click Inbound security rules
Find the rule blocking WebSubnet traffic
Click + Add to create an exception:

Setting	Value	Purpose
Source	IP Addresses	WebSubnet
Source IP addresses	`10.0.1.0/24`	Web tier
Service	Custom	ICMP protocol
Protocol	ICMP	Ping protocol
Action	Allow	Permit pings
Priority	1050	Higher than deny rule
Name	`Allow-ICMP-From-Web`	Descriptive

Click Add

Step 2: Test ICMP Connectivity

From WebVM command prompt:

# This should now succeed
ping 10.0.2.4

Step 3: Use Service Tags

Create a new rule using Service Tags:

Setting	Value	Purpose
Source	Service Tag	Azure service
Source service tag	VirtualNetwork	All VNet traffic
Destination	Any	Any destination
Service	Custom	Custom ports
Destination port ranges	`8080`	Custom app port
Action	Allow	Permit traffic

Part 7: Alternative NIC-Level Association

Step 1: Disassociate from Subnet

Navigate to WebSubnet-NSG
Click Subnets
Select the associated subnet
Click Dissociate
Confirm the action

Step 2: Associate with Network Interface

In WebSubnet-NSG, click Network interfaces
Click + Associate
Select the WebVM network interface
Click OK

Step 3: Test Differences

Compare the behavior:

Association Level	Scope	Management
Subnet	All resources in subnet	Centralized
NIC	Individual VM only	Granular

Part 8: Monitor and Analyze Traffic

Step 1: View Effective Security Rules

Navigate to WebVM
Click Networking in the left menu
Click Effective security rules
Observe: Combined rules from NSG and default rules

Step 2: Enable NSG Flow Logs (Optional)

Navigate to WebSubnet-NSG
Click NSG flow logs in the left menu
Click + Create flow log
Configure basic settings:

Setting	Value	Purpose
Name	`WebNSG-FlowLogs`	Log identifier
Storage account	Create new	Log storage
Retention	7 days	Log retention

Click Create

🔧 Troubleshooting Guide

Common Issues and Solutions

Issue	Possible Cause	Solution
Can’t RDP to WebVM	RDP rule not configured	Add inbound rule for RDP (3389)
Can’t SSH to AppVM	SSH rule missing	Add inbound rule for SSH (22)
Ping always fails	ICMP not allowed	Add ICMP allow rule
Rules not working	Wrong priority order	Check rule priorities (lower number = higher priority)
VM not accessible	NSG not associated	Verify NSG-subnet association

NSG Rule Evaluation Order

Explicit Allow Rules (lowest priority number first)
Explicit Deny Rules (lowest priority number first)
Default Rules (system-defined, highest priority numbers)

🧪 Additional Experiments

Try these optional exercises to deepen your understanding:

Application Security Groups: Create ASGs for more granular control
Service Tags: Experiment with different Azure service tags
Augmented Security Rules: Use source/destination prefixes
Flow Log Analysis: Analyze traffic patterns using flow logs
Multiple NSGs: Test behavior with NSGs on both subnet and NIC

🎓 Key Takeaways

After completing this lab, you should understand:

NSGs provide stateful firewalling for Azure resources
Subnet-level NSGs affect all resources in the subnet
NIC-level NSGs provide granular, per-VM control
Rule priorities determine evaluation order (lower number = higher priority)
Default rules allow VNet-to-VNet and outbound internet traffic
Service tags simplify rule creation for Azure services
Flow logs enable traffic analysis and troubleshooting