Azure VM RDP outbound NSG rule - azure

I want to secure my web server VM by limiting it strictly to ports 443 and 3389. I denied everything else, both outbound and inbound, in the NSG for the web VM. But I can't RDP after doing so. When I relax the NSG to allow all outbound, RDP starts working. My question is: what outbound ports and protocols does the RDP service need opened in the NSG besides 3389?

thesushil: In my case it turns out I just needed to add an outbound rule to allow Azure AD communication over HTTP and HTTPS, because I have Azure AD authentication enabled. But I think the answer below would be helpful to others.
By default, the RDP server listens on TCP port 3389 and UDP port 3389 (see the Wikipedia article). You could also change the listening port for Remote Desktop.
If you want to secure your Azure VM by limiting it to ports 443 and 3389, you can add inbound port rules like this to only allow your client-specific IP address to access your Azure VM.
Also, please note that if inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Read https://learn.microsoft.com/en-us/azure/virtual-network/security-overview#security-rules
Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.
Hope it helps.

Related

If Azure Network Security Groups are stateless, are outbound DENYs overridden?

I wish to know how Azure NSGs work when it comes to statefulness and denies.
For example, let's compare to AWS security groups.
# Example AWS Security Group inbound/outbound rules
Inbound: Port 80 from the internet
Outbound: Port 443 to the internet
Because of statefulness, even though I only allow 443 outbound implicitly, 80 outbound is allowed due to statefulness.
Do Azure NSGs work the same way? If I have an implicit deny on all outbound traffic but have an inbound rule for port 80 from some service, will outbound traffic to that service still be allowed over port 80 even with the implicit outbound deny rule?
Thanks
• Kindly do note the below points while creating rules in Network Security Groups.
a) The NSGs in Azure are stateful, meaning that if you open an incoming port, the outgoing port will be opened automatically to allow the traffic. Thus, if you create an implicit deny rule for all the outbound traffic but have an inbound allow rule for port 80 from some service, then this inbound rule will not take effect until it is configured at a higher priority than the 'Deny' rule, comparing the corresponding inbound and outbound rules by priority.
b) The default rules in a Network Security Group allow for outbound access and inbound access is denied by default. Access within the VNet is allowed by default.
c) Like normal ACLs, the rules are processed based on a priority.
d) NSGs can only be used in the Azure region that it was created in.
e) There is a soft limit of 100 NSGs per subscription and a soft limit of 200 rules per NSG.
As a result, though the NSGs are stateful, their effective functionality depends on the priority of the rules set in the inbound/outbound allow/deny lists. The higher the priority, the more effective that rule will be; the lower the priority, the less likely it is to take effect, as it will be overridden by the higher-priority rules.
Kindly refer to the link below for more details:
https://theithollow.com/2016/08/03/azure-network-security-groups/
Yes, Azure NSGs are stateful and work similarly.
If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.
Network security groups - Security rules
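Both threads above turn on the same two facts: the first rule that matches by priority number decides, and an allowed connection leaves a flow record. The following Python model is an added example, not Azure's implementation and not code from either answer; it walks the first asker's ruleset through an RDP logon and shows why the reply packets pass with no outbound rule while the Azure AD sign-in (a new outbound connection) needs one that out-ranks the deny. The client, VM and Azure AD addresses, the service-tag prefixes (except 168.63.129.16) and the custom rule names and priorities are all constructed; only the six default rules carry Azure's real names and priorities.

```python
"""Toy model of Azure NSG evaluation: first match by priority (lowest number
first) decides, and an allowed connection leaves a flow record so its reply
packets pass without a rule in the opposite direction. Added example, not
Azure's implementation; it talks to no Azure API."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)

# Constructed stand-ins for service tags (real tags expand to Microsoft's published
# prefix lists; only 168.63.129.16, the Azure platform/load balancer address, is real).
TAGS: Dict[str, List[str]] = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "AzureActiveDirectory": ["192.0.2.0/24"],
    "Internet": ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number wins; custom rules 100-4096, defaults 65000+
    direction: str         # "Inbound" | "Outbound"
    access: str            # "Allow" | "Deny"
    protocol: str = "*"    # "Tcp" | "Udp" | "*"
    source: str = "*"      # CIDR, service-tag name or "*" (source port stays at *)
    destination: str = "*"
    dest_ports: Tuple[int, ...] = ()  # empty = any destination port

    @staticmethod
    def _addr_ok(prefix: str, addr: str) -> bool:
        if prefix == "*":
            return True
        return any(ip_address(addr) in ip_network(n) for n in TAGS.get(prefix, [prefix]))

    def matches(self, direction: str, src: str, dst: str, dport: int, proto: str) -> bool:
        return (self.direction == direction and self.protocol in ("*", proto)
                and (not self.dest_ports or dport in self.dest_ports)
                and self._addr_ok(self.source, src) and self._addr_ok(self.destination, dst))

class Nsg:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.flows: Set[Flow] = set()

    def evaluate(self, direction: str, src: str, sport: int,
                 dst: str, dport: int, proto: str = "Tcp") -> Tuple[str, str]:
        """Decide one packet: returns (access, reason) and records allowed flows."""
        if (dst, dport, src, sport, proto) in self.flows:
            return "Allow", "flow record"  # reply of a connection already allowed
        for rule in self.rules:            # first match by priority decides
            if rule.matches(direction, src, dst, dport, proto):
                if rule.access == "Allow":
                    self.flows.add((src, sport, dst, dport, proto))
                return rule.access, rule.name
        return "Deny", "no matching rule"

# Azure's default rules (real names and priorities); they cannot be deleted.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]

def web_vm_nsg(client_ip: str, allow_aad_out: bool, deny_out_priority: int = 4000) -> Nsg:
    """The asker's policy: 443 and 3389 in from one client, everything else denied both ways."""
    custom = [
        Rule("AllowHttpsIn", 100, "Inbound", "Allow", "Tcp", f"{client_ip}/32", "*", (443,)),
        Rule("AllowRdpIn", 110, "Inbound", "Allow", "Tcp", f"{client_ip}/32", "*", (3389,)),
        # Custom deny-alls at 4000 out-rank the 65000+ defaults, so they also block VNet
        # and platform traffic that AllowVnetInBound/AllowAzureLoadBalancerInBound would pass.
        Rule("DenyAllIn", 4000, "Inbound", "Deny"),
        Rule("DenyAllOut", deny_out_priority, "Outbound", "Deny"),
    ]
    if allow_aad_out:  # the thread's fix: an outbound Allow that must out-rank DenyAllOut
        custom.append(Rule("AllowAadOut", 100, "Outbound", "Allow", "Tcp", "*",
                           "AzureActiveDirectory", (80, 443)))
    return Nsg(custom + DEFAULT_RULES)

def rdp_walkthrough(allow_aad_out: bool, deny_out_priority: int = 4000) -> Dict[str, Tuple[str, str]]:
    client, vm, aad = "203.0.113.10", "10.0.0.4", "192.0.2.5"  # constructed addresses
    nsg = web_vm_nsg(client, allow_aad_out, deny_out_priority)
    return {
        # 1. RDP SYN from the admin's client: decided by AllowRdpIn
        "rdp_syn_in": nsg.evaluate("Inbound", client, 51000, vm, 3389),
        # 2. the VM's SYN/ACK: no outbound Allow covers it, the flow record carries it
        "rdp_reply_out": nsg.evaluate("Outbound", vm, 3389, client, 51000),
        # 3. Azure AD sign-in during logon is a NEW outbound TLS session: no flow record yet
        "aad_new_out": nsg.evaluate("Outbound", vm, 49152, aad, 443),
        # 4. the same 3389 probe from an address that is not the admin's
        "rdp_from_elsewhere": nsg.evaluate("Inbound", "198.51.100.7", 40000, vm, 3389),
    }
```

`rdp_walkthrough(False)` reproduces the symptom: the RDP handshake is allowed in both directions on the strength of the inbound rule alone, but the VM's fresh outbound session to Azure AD is stopped by DenyAllOut, exactly the outbound rule thesushil had to add. `rdp_walkthrough(True)` passes it, and `rdp_walkthrough(True, deny_out_priority=50)` blocks it again, because a Deny with a lower priority number is evaluated before the Allow; in a real NSG the outbound rule would use the AzureActiveDirectory service tag as its destination rather than a hand-written prefix. The same flow-record step is the answer to the AWS comparison in the second thread: inbound 80 allowed, outbound denied, and the replies on port 80 still go out.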

How to open port 22 on azure Kubernetes service for the Loopback Ip 127.0.0.1

How should we open port 22 on the AKS loopback IP?
We are trying to telnet to the loopback IP on port 22, which works fine on any Linux VM, but on AKS we get the error "Connection closed".
• Note that AKS clusters have unrestricted outbound (egress) internet access. This level of network access allows nodes and services you run to access external resources as needed. If you wish to restrict egress traffic, a limited number of ports and addresses must be accessible to maintain healthy cluster maintenance tasks. The simplest solution to securing outbound addresses lies in the use of a firewall device that can control outbound traffic based on domain names. Azure Firewall, for example, can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses.
Thus, you can configure an inbound rule and an outbound rule to allow traffic on port 22, i.e., SSH, for the destination IP address 127.0.0.1 (the loopback address). To do so, kindly refer to the documentation link below:
https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic#adding-firewall-rules
According to the above link, you must deploy a firewall, create a UDR with a next hop to the Azure Firewall, and associate it with AKS. In this way, if you configure Azure Firewall with the AKS cluster, you will be able to control the ingress and egress port traffic.

does azure firewall support FQDN inbound traffic filtering in network rules

From the Azure documentation:
A fully qualified domain name (FQDN) represents a domain name of a host or IP address(es). You can use FQDNs in network rules based on DNS resolution in Azure Firewall and Firewall policy. This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable DNS Proxy to use FQDNs in your network rules. For more information see Azure Firewall DNS settings. link to documentation
I want to use Azure Firewall to filter inbound traffic based on FQDN, for example to allow just traffic from the domain out.example.com to reach our virtual network resources.
Is this supported? The doc mentions just outbound traffic.
I can't filter by IP address, as the resolved IPs of this domain (out.example.com) are not static, and this is the reason why I want to use the Azure Firewall service.
Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols. For example RDP, SSH, and FTP protocols.
Inbound Internet connectivity can be enabled by configuring Destination Network Address Translation (DNAT). You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the NAT rule collection action is set to Dnat. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic.
Application rules aren't applied for inbound connections. So if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF). For more information, see What is Azure Web Application Firewall

Azure outbound traffic is being blocked

I have set up a few VMs and a load balancer so that we can have one outgoing IP. Right now I am having issues connecting to the internet from inside my VM. If I open Internet Explorer and try to access a website, it shows "waiting for reply" and then "This page can't be displayed".
Each VM is connected to the same subnet.
The subnet has a NSG attached to it and each VM is part of the subnet.
NSG attached to the subnet.
There is then a load balancer to allow incoming RDP, but with different ports for the different VMs.
I think I am missing the SNAT but I have no idea where to configure it. From what I have read, I am using level 2, "Public Load Balancer associated with a VM (no Instance Level Public IP address on the instance)": multiple VMs on a subnet and one load balancer to share one IP address.
Where do I actually go to set up the SNAT? Or is there another issue I am missing here?
Probably, you could add load balancing rules for TCP port 80 or 443 instead of inbound NAT rules. NAT rules are always used for port forwarding. Moreover, you do not need to add NAT rules for DNS. This works on my side.
A load balancer rule defines how traffic is distributed to the VMs. The rule defines the front-end IP configuration for incoming traffic, the back-end IP pool to receive the traffic, and the required source and destination ports.

Can't access Azure VM HTTP Web Site from Outside of Azure

I've setup a VM and installed IIS. I checked that the firewall rules were enabled for HTTP and HTTPS. Furthermore, in Azure Portal, I've enabled the two predefined inbound security network group rules for HTTP and HTTPS.
When in the VM, I can go to localhost and see the default Web page of IIS Default Web Site.
Inbound security rule in Network Security Group
Anybody know how to go about figuring out how to make this work?
Thanks
You should add ports 443 and 80 to the Azure VM's Windows Firewall inbound rules.
Are the source port ranges on your inbound rules set to 80/443 or * (i.e., all source ports)?
Try changing them to * with only the destination ports set to 80 or 443 respectively.
Refer to How to open ports to a virtual machine with the Azure portal for more details.
There are two ways to make your site accessible from the Internet.
Use the public IP address which is associated to the virtual machine's NIC.
Configure DNS for your VM (e.g. web.southeastasia.cloudapp.azure.com). This DNS name is bound to the associated public IP address.
Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/portal-create-fqdn
In your IIS, just configure binding to make sure the incoming request from the Internet is recognized by IIS.
You also need to make sure you have no rule in Network Security Group (NSG) blocking port 80. Or if there is a NSG, you need to create an inbound rule to allow port 80.
In an Azure Windows VM, apart from configuring the NSG rule, we should also create a Windows Firewall rule to allow inbound TCP connections on the required port. Just RDP into your Windows VM, open Windows Defender Firewall and add the rule.