Hands-On Networking with Azure

Inbound security rules

By default, a subnet or NIC that is not associated with an NSG has no inbound filtering at all (every inbound flow the platform delivers is allowed). As soon as an NSG is associated with it, the following three default inbound rules apply, because they are part of every NSG:

  • AllowVnetInBound (priority 65000): Allows all inbound traffic whose source and destination are the VirtualNetwork service tag. Note that this tag is broader than the VNet's own address space: it also covers peered virtual networks and on-premises ranges reachable through a VPN or ExpressRoute gateway.
  • AllowAzureLoadBalancerInBound (priority 65001): Allows all inbound traffic from the AzureLoadBalancer service tag, which is what the load balancer's health probes arrive from.
  • DenyAllInBound (priority 65500): Denies all inbound traffic from any source. Because it has the lowest priority, it is only reached by traffic that no other rule matched, so anything you do not explicitly allow is dropped.
Figure 2.14: Default inbound security rules

As shown in the previous screenshot, the rule consists of some properties, such as PRIORITY, NAME, PORT, and so on.

It is important to understand what these properties mean for a better understanding of security rules. So, let's go ahead and explain them:

  • PRIORITY: A number assigned to each rule that determines the order of evaluation. The lower the number, the higher the priority: rules are processed from the lowest number upwards, and processing stops at the first rule that matches the traffic, so a lower-numbered rule always wins over a higher-numbered one that would also match. Custom rules must use a number between 100 and 4096; the default rules sit at 65000 and above, which is why any custom rule overrides them.
  • NAME: The name of the rule. The same name cannot be reused within the same network security group.
  • PORT: The destination port (or port range) to which the rule applies. Inbound traffic to that port is allowed or denied according to the rule's action.
  • PROTOCOL: Whether the rule applies to TCP, UDP, or Any. Bear in mind that Any matches every protocol, not just those two.
  • SOURCE and DESTINATION: Each can be Any, an IP address or CIDR range, or a service tag such as VirtualNetwork, AzureLoadBalancer, or Internet.
The default rules cannot be deleted or edited; clicking on Default rules only hides or shows them in the portal view. If you need different behaviour, for example to stop all VNet traffic reaching a particular subnet, you add a custom rule with a priority between 100 and 4096, which is evaluated before the default rules and therefore overrides them.

You can customize your own inbound rules, by following these steps:

  1. On the Inbound security rules blade, click on Add.
  2. A new blade will pop up, where you have to specify the following:
    • Source: The source can be Any, an IP address range, or a service tag. It specifies the source IP address range whose incoming traffic will be allowed or denied by this rule.
    • Source port ranges: You can provide a single port, such as 80, a port range, such as 1024-65535, or a comma-separated list of single ports and/or port ranges, such as 80, 1024-65535. This specifies from which source ports traffic will be allowed or denied by this rule. Provide an asterisk (*) to match any port. For inbound rules, the client's source port is an arbitrary ephemeral port, so this field is normally left as * and the filtering is done on the destination port instead.
    • Destination: The destination can be Any, an IP address range, or the VirtualNetwork service tag. It specifies the destination IP address range to which incoming traffic will be allowed or denied by this rule.
    • Destination port ranges: The same syntax as for the source port ranges applies. This is the port the service listens on, and for inbound rules it is the field that actually restricts exposure.
    • Protocol: It can be Any, TCP, or UDP.
    • Action: Whether the rule will Allow or Deny the matching traffic.
    • Priority: As mentioned earlier, the lower the number, the higher the priority, and the first matching rule wins. The priority number must be between 100 and 4096, and it cannot be shared with another rule in the same NSG.
    • Name: The name of the rule, unique within the NSG.
    • Description: A description of the rule, which helps you to tell the rules apart later.
  3. In our scenario, I want to allow all the incoming connections to access a website published on a web server located in a virtual network, as shown in the following screenshot (for example, an Allow rule with Source set to Any, Protocol set to TCP, and the website's listening port as the Destination port range):
Figure 2.15: Creating an inbound security rule
  4. Once you click on OK, the rule will be created.
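To make the priority ordering, the default rules, and the validation rules concrete, here is an added Python model of inbound NSG evaluation. It is example code written for this section, not the book's code and not Azure's real matching engine; the service tag address ranges and the web server address 10.0.1.4 are constructed for the example, and the VirtualNetwork tag is modelled as a single /16 rather than the full set of ranges Azure resolves it to.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the service tags used by the default rules.
# Real tags are maintained by Azure and cover many more ranges.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str        # "*", a CIDR, or a service tag name
    source_ports: str  # "*", "80", "1024-65535", or "80,1024-65535"
    destination: str
    dest_ports: str
    protocol: str      # "*", "TCP" or "UDP"
    action: str        # "Allow" or "Deny"


# The three inbound rules every NSG carries; they cannot be removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "*", "Deny"),
]


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    nets = SERVICE_TAGS.get(spec, [spec])  # a tag expands to its ranges, else it is a CIDR
    return any(ip_address(addr) in ip_network(n) for n in nets)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


class Nsg:
    def __init__(self) -> None:
        self.rules = list(DEFAULT_INBOUND)

    def add_rule(self, rule: Rule) -> None:
        # Mirrors the portal's validation: custom priorities 100-4096, and
        # neither the name nor the priority may collide within one NSG.
        if not 100 <= rule.priority <= 4096:
            raise ValueError("custom rule priority must be between 100 and 4096")
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"rule name {rule.name!r} already used in this NSG")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already used in this NSG")
        self.rules.append(rule)

    def evaluate(self, src: str, sport: int, dst: str, dport: int, proto: str):
        # Lowest priority number first; the first matching rule decides.
        for r in sorted(self.rules, key=lambda r: r.priority):
            if (_addr_match(r.source, src) and _port_match(r.source_ports, sport)
                    and _addr_match(r.destination, dst) and _port_match(r.dest_ports, dport)
                    and (r.protocol == "*" or r.protocol.upper() == proto.upper())):
                return r.action, r.name
        return "Deny", "implicit"  # not reached while DenyAllInBound is present


def web_scenario() -> dict:
    """The section's scenario: one Allow rule for HTTP from Any on top of the defaults."""
    nsg = Nsg()
    nsg.add_rule(Rule("Allow-HTTP-In", 100, "*", "*", "*", "80", "TCP", "Allow"))
    return {
        "internet_http": nsg.evaluate("203.0.113.7", 51234, "10.0.1.4", 80, "TCP"),
        "internet_ssh": nsg.evaluate("203.0.113.7", 51234, "10.0.1.4", 22, "TCP"),
        "vnet_ssh": nsg.evaluate("10.0.2.5", 51234, "10.0.1.4", 22, "TCP"),
        "lb_probe_22": nsg.evaluate("168.63.129.16", 40000, "10.0.1.4", 22, "TCP"),
    }


def override_scenario():
    """Default rules cannot be deleted, but a lower-numbered Deny overrides them."""
    nsg = Nsg()
    nsg.add_rule(Rule("Deny-SSH-From-Vnet", 200, "VirtualNetwork", "*", "*", "22", "TCP", "Deny"))
    return nsg.evaluate("10.0.2.5", 51234, "10.0.1.4", 22, "TCP")


if __name__ == "__main__":
    for flow, verdict in web_scenario().items():
        print(f"{flow:14} -> {verdict}")
    print("vnet ssh after override ->", override_scenario())
```

Two points worth noticing in the output: SSH from another address in the VNet is allowed even though the only custom rule is for HTTP, because AllowVnetInBound matches it before DenyAllInBound, and a load balancer probe to an unpublished port still gets through on AllowAzureLoadBalancerInBound. Both are why, when a subnet must be locked down, you add explicit Deny rules in the 100-4096 range rather than rely on the default deny.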