On my machine there is a web application (let's call it WebApp1) hosted in IIS, and there is a Windows service Svc1 which sends requests to WebApp1 as below; WebApp1 just handles the request and does NOT post any result back:
// Timeout is a TimeSpan, not an int: 3 * 1000 would not compile here
var httpClient = new HttpClient { Timeout = TimeSpan.FromSeconds(3) };
var requestMessage = new HttpRequestMessage(HttpMethod.Post, "http://localhost:58018/MyAction");
// tokenName / tokenValue are defined elsewhere in Svc1
requestMessage.Headers.Add(tokenName, tokenValue);
// blocks until WebApp1 answers or the timeout elapses
var response = httpClient.SendAsync(requestMessage).Result;
...
Then I change the default outbound rule on the machine to Blocked. I want to know: will this affect the 'communication' between Svc1 and WebApp1? In other words, does the outbound rule only affect communication with outside computers, or does it also apply to communication inside the local computer?
Below is what I got from MSDN, but it does not go into much detail:
What is an outbound rule?
Outbound rules explicitly allow, or explicitly block, network traffic originating from the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but allow the same traffic for other computers.
Because outbound traffic is allowed by default, you typically use outbound rules to block network traffic that you do not want. You can also configure the default action that Windows Firewall with Advanced Security takes, whether outbound connections are allowed or blocked, when no outbound rule applies.
I wish to know how Azure NSGs work when it comes to statefulness and denies.
For example, let's compare to AWS security groups.
# Example AWS Security Group inbound/outbound rules
Inbound: Port 80 from the internet
Outbound: Port 443 to the internet
Because of statefulness, even though I only allow 443 outbound implicitly, 80 outbound is allowed as well.
Do Azure NSGs work the same way? If I have an implicit Deny on all outbound traffic but have an inbound rule for port 80 from some service, will outbound traffic to that service still be allowed over port 80 even with the implicit outbound deny rule?
Thanks
• Kindly note the points below while creating rules in Network Security Groups.
a) NSGs in Azure are stateful, meaning that if you open an incoming port, the outgoing port is opened automatically to allow the traffic. Thus, if you create an implicit deny rule for all outbound traffic but have an inbound allow rule for port 80 from some service, this inbound rule will not take effect until it is configured at a higher priority than the 'Deny' rule, when comparing the corresponding inbound and outbound rules by priority.
b) The default rules in a Network Security Group allow outbound access, and inbound access is denied by default. Access within the VNet is allowed by default.
c) Like normal ACLs, the rules are processed based on priority.
d) NSGs can only be used in the Azure region in which they were created.
e) There is a soft limit of 100 NSGs per subscription and a soft limit of 200 rules per NSG.
As a result, though NSGs are stateful, their effective functionality depends on the priority of the rules set in the Inbound/Outbound allow/deny lists. The higher the priority, the more effective that rule will be; the lower the priority, the less likely it is to take effect, as it will be overridden by higher-priority rules.
Kindly refer to the link below for more details on the above:
https://theithollow.com/2016/08/03/azure-network-security-groups/
Yes, Azure NSGs are stateful and work similarly.
If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.
Network security groups - Security rules
I wanted to know the difference between security groups and internal prefix lists, and which would be best for not allowing external traffic to enter the cloud?
A Security Group is a firewall on an individual resource in an Amazon VPC.
For example, you could add a Security Group to an Amazon EC2 instance that only permits access on port 80 and 443 (HTTP and HTTPS). Any requests going to other ports would be blocked before reaching the instance. You could then add another rule that permits access to port 22 (SSH) but only from your IP address. You could connect, but requests from any other IP address would be blocked.
Rules can be configured for Inbound connections (going into the instance) and also for Outbound connections (requests leaving the instance). Requests are stateful, meaning that a request in one direction will always be permitted a response in the other direction. For example, if there is an Inbound rule permitting port 80, then the instance will be able to respond to an HTTP request without needing an Outbound rule that specifically permits the response.
Security Groups can also refer to each other. For example:
An Amazon EC2 instance running an application would have a Security Group permitting inbound HTTP and HTTPS connections, and all Outbound connections
An Amazon RDS database in the same VPC would have a Security Group permitting inbound database connections from the Security Group on the Amazon EC2 instance
That is, the database security group specifically refers to the instance security group. Any instance associated with the EC2 security group would be allowed to access the database.
When defining rules in a Security Group, you specify a CIDR that defines the IP address(es) that are permitted by the rule. For example, 0.0.0.0/0 means the entire Internet, while 1.2.3.0/24 means all IP addresses starting with 1.2.3.x.
Prefix Lists are simply a pre-defined list of CIDRs. They make it easier to define rules by permitting access from a specific Prefix List rather than having to define multiple rules with one CIDR per rule. So, prefix lists can be used by security groups.
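An added example (not part of this answer and not AWS code) that models the three kinds of rule source the answer describes, a CIDR, a reference to another security group, and a prefix list, and checks the web/database scenario above. The group ids, the pl-office list contents and the sample addresses are constructed.

```python
import ipaddress

# Constructed sample prefix list (not a real AWS managed list): office egress ranges.
PREFIX_LISTS = {"pl-office": ["1.2.3.0/24", "203.0.113.0/24"]}

def source_matches(source, peer_ip, peer_groups):
    """A rule's source is a CIDR, another security group id, or a prefix list id."""
    if source.startswith("sg-"):
        return source in peer_groups  # matches any instance carrying that group
    if source.startswith("pl-"):
        cidrs = PREFIX_LISTS[source]  # one rule expands to every CIDR in the list
    else:
        cidrs = [source]
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def inbound_allowed(rules, proto, port, peer_ip, peer_groups=()):
    """Security group rules are allow-only: a request passes iff some rule matches."""
    return any(r_proto == proto and r_port == port and source_matches(src, peer_ip, peer_groups)
               for r_proto, r_port, src in rules)

# Constructed scenario from the answer: a web instance and a database behind it.
WEB_SG = [("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "pl-office")]
DB_SG = [("tcp", 3306, "sg-web")]  # refers to the web instance's group, not to an IP

def scenario():
    return {
        "internet->web:80": inbound_allowed(WEB_SG, "tcp", 80, "198.51.100.9"),
        "internet->web:22": inbound_allowed(WEB_SG, "tcp", 22, "198.51.100.9"),
        "office->web:22": inbound_allowed(WEB_SG, "tcp", 22, "1.2.3.77"),
        "web->db:3306": inbound_allowed(DB_SG, "tcp", 3306, "10.0.1.5", peer_groups={"sg-web"}),
        "internet->db:3306": inbound_allowed(DB_SG, "tcp", 3306, "198.51.100.9"),
    }
```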
I want to secure my web server VM by limiting it strictly to ports 443 and 3389. I denied everything else, both outbound and inbound, in the NSG for the web VM. But I can't RDP after doing so. When I relax the NSG to allow all outbound, RDP starts working. My question is: what outbound ports and protocols does the RDP service need opened in the NSG besides 3389?
thesushil: In my case it turned out I just needed to add an outbound rule to allow Azure AD communication over HTTP and HTTPS, because I have Azure AD authentication enabled. But I think the answer below would be helpful to others.
By default, the RDP server listens on TCP port 3389 and UDP port 3389. Read the wiki. You could also change the listening port for Remote Desktop.
If you want to restrict your Azure VM to ports 443 and 3389, you can add inbound port rules like this to only allow your client-specific IP address to access your Azure VM.
Also, please note that if inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Read https://learn.microsoft.com/en-us/azure/virtual-network/security-overview#security-rules
Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.
Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.
Hope it helps.
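As an added illustration of the rule evaluation quoted in this answer (my own model, not Azure's implementation and not code from the thread): a priority-ordered NSG with flow records, run against the questioner's web VM setup, showing why the RDP reply passes but a fresh outbound connection from the VM does not until an outbound allow rule exists. The rule and flow structures, the addresses, and the LOGIN placeholder standing in for Azure AD are assumptions.

```python
from collections import namedtuple
# The 5-tuple the NSG evaluates, and a rule; lower priority number is evaluated first.
Flow = namedtuple("Flow", "src sport dst dport proto")
Rule = namedtuple("Rule", "priority direction action proto src dport",
                  defaults=("*", "*", "*"))  # "*" matches any protocol / source IP / port

class Nsg:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.flows = set()  # flow records of connections an Allow rule admitted

    @staticmethod
    def _matches(rule, flow):
        return (rule.proto in ("*", flow.proto) and rule.src in ("*", flow.src)
                and rule.dport in ("*", flow.dport))  # single IPs only; no CIDR matching here

    def evaluate(self, direction, flow):
        # 1. A reply to an admitted connection passes on the flow record alone;
        #    no rule in the opposite direction is consulted (that is the statefulness).
        reverse = Flow(flow.dst, flow.dport, flow.src, flow.sport, flow.proto)
        if reverse in self.flows:
            return "Allow", "existing flow record"
        # 2. Otherwise the first matching rule in priority order decides.
        for rule in self.rules:
            if rule.direction == direction and self._matches(rule, flow):
                if rule.action == "Allow":
                    self.flows.add(flow)
                return rule.action, "rule priority %d" % rule.priority
        return "Deny", "no matching rule"

# Constructed scenario from the question: only 443 and 3389 from one client IP,
# everything else denied in both directions. Addresses are sample values;
# LOGIN stands in for the Azure AD endpoint the VM must reach.
CLIENT, VM, LOGIN = "203.0.113.5", "10.0.0.4", "198.51.100.10"

def web_vm_nsg(allow_outbound_https=False):
    rules = [Rule(100, "Inbound", "Allow", "TCP", CLIENT, 443),
             Rule(110, "Inbound", "Allow", "TCP", CLIENT, 3389),
             Rule(4000, "Inbound", "Deny"), Rule(4000, "Outbound", "Deny")]
    if allow_outbound_https:  # the fix thesushil describes: let the VM reach Azure AD
        rules.append(Rule(100, "Outbound", "Allow", "TCP", "*", 443))
    return Nsg(rules)

def rdp_session(nsg):
    # Client opens RDP; the VM replies; the VM then opens a new HTTPS connection outward.
    inbound = nsg.evaluate("Inbound", Flow(CLIENT, 50000, VM, 3389, "TCP"))[0]
    reply = nsg.evaluate("Outbound", Flow(VM, 3389, CLIENT, 50000, "TCP"))[0]
    new_out = nsg.evaluate("Outbound", Flow(VM, 51000, LOGIN, 443, "TCP"))[0]
    return inbound, reply, new_out
```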
I want to provide a failover-proof URL for my service endpoint to users using Traffic Manager. I have a service instance running at http://vm1.cloudapp.net/myservice:8888/index.html. If this instance goes down, then the service auto-starts on vm2 at http://vm2.cloudapp.net/myservice:8888/index.html, and vice versa.
I want Azure to hide the underlying service URLs from users and expose the service at http://myservice.trafficmanager.net
Is this possible? If so, how? From reading the documentation of the Traffic Manager service, it looks like you can fail over only at the DNS level and not at the URL endpoint level.
There are several parts to this.
Firstly, you are right that Traffic Manager works at the DNS level. It doesn't see your HTTP traffic and hence doesn't see the full URL. Since your two service instances have different DNS names, there's no issue here: you configure Traffic Manager with both names as separate 'endpoints', and Traffic Manager will direct traffic to those endpoints by providing one or the other in each DNS response.
Secondly, you want to hide the URL paths. Since Traffic Manager works at the DNS level, it doesn't see your HTTP traffic and hence doesn't see the URL, only the domain name. Therefore this is something you have to handle at the application level (just as you would for a single-instance service that doesn't use Traffic Manager).
The only thing to be careful of is to make sure you configure the correct URL port and path in the Traffic Manager endpoint monitoring configuration. Just make sure that Traffic Manager shows your endpoints as 'Online', and you're good.
Jonathan
I understand that Web Apps are restricted to ports 80/443 for inbound requests, but what about outbound? For example, if I were to deploy an application that made a call to some third-party service on a random port, e.g. 8085, would it be allowed? If so, is there a way to restrict the IP addresses and/or ports that outbound requests can be made on?
Mark
On Azure Web Apps, the restriction applies only to inbound requests. There is no restriction on outbound IP addresses and ports.
Out of the box, Azure Web Apps will only allow you to put restrictions on incoming requests using DIPR: http://azure.microsoft.com/blog/2013/12/09/ip-and-domain-restrictions-for-windows-azure-web-sites/. There is no mechanism to restrict outbound traffic.