Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Configuring a network security group for a NIC

If Vyatta NOS is expected to handle traffic only on certain ports, attaching a network security group (NSG) to the router NIC filters everything else in the Azure fabric before it reaches the router. This reduces the exposed attack surface of the router and the risk of a denial of service attack against it being successful.

The following example shows how to configure an NSG that allows access to an OpenVPN server and to SSH for management and how to attach the NSG to the NIC of the router.

First, create a network security group by using the azure network nsg create <resource-group> <name> <location> command as follows.

$ azure network nsg create vRouter OVPN-NSG westus
info:    Executing command network nsg create
+ Looking up the network security group "OVPN-NSG"
+ Creating a network security group "OVPN-NSG"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/OVPN-NSG
data:    Name                : OVPN-NSG
data:    Type                : Microsoft.Network/networkSecurityGroups
data:    Location            : westus
data:    Provisioning state  : Succeeded
data:    Security rules:
data:    Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
data:    -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
data:    AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
data:    AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
data:    DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
data:    AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
data:    AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
data:    DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
info:    network nsg create command OK

Next, add rules to the NSG by using the azure network nsg rule create <resource-group> <nsg-name> <name> command. The following commands allow SSH (TCP port 22) and OpenVPN (UDP port 1194) inbound. Rules are evaluated in ascending priority order, lowest number first, and the first matching rule decides, so both custom rules take effect before the default DenyAllInBound rule at priority 65500. Both commands use a source address prefix of "*", which exposes the port to any address; for the SSH management rule, set --source-address-prefix to the CIDR of your management network where possible, so that the default DenyAllInBound rule drops SSH attempts from everywhere else.

$ azure network nsg rule create --protocol Tcp --source-address-prefix "*" \
    --source-port-range "*" --destination-address-prefix "*" \
    --destination-port-range 22 --access Allow --priority 200 --direction Inbound \
    vRouter OVPN-NSG AllowSSHInbound
info:    Executing command network nsg rule create
+ Looking up the network security group "OVPN-NSG"
+ Looking up the network security rule "AllowSSHInbound"
+ Creating a network security rule "AllowSSHInbound"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/OVPN-NSG/securityRules/AllowSSHInbound
data:    Name                : AllowSSHInbound
data:    Type                : Microsoft.Network/networkSecurityGroups/securityRules
data:    Provisioning state  : Succeeded
data:    Source IP           : *
data:    Source Port         : *
data:    Destination IP      : *
data:    Destination Port    : 22
data:    Protocol            : Tcp
data:    Direction           : Inbound
data:    Access              : Allow
data:    Priority            : 200
info:    network nsg rule create command OK

$ azure network nsg rule create --protocol Udp --source-address-prefix "*" \
    --source-port-range "*" --destination-address-prefix "*" \
    --destination-port-range 1194 --access Allow --priority 300 --direction Inbound \
    vRouter OVPN-NSG AllowOVpnInbound
info:    Executing command network nsg rule create
+ Looking up the network security group "OVPN-NSG"
+ Looking up the network security rule "AllowOVpnInbound"
+ Creating a network security rule "AllowOVpnInbound"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/OVPN-NSG/securityRules/AllowOVpnInbound
data:    Name                : AllowOVpnInbound
data:    Type                : Microsoft.Network/networkSecurityGroups/securityRules
data:    Provisioning state  : Succeeded
data:    Source IP           : *
data:    Source Port         : *
data:    Destination IP      : *
data:    Destination Port    : 1194
data:    Protocol            : Udp
data:    Direction           : Inbound
data:    Access              : Allow
data:    Priority            : 300
info:    network nsg rule create command OK

Finally, associate the NSG with the Vyatta NOS NIC. Verify beforehand that you have added every rule you require, because once the NSG is attached any inbound traffic not permitted by one of your rules is dropped by the default DenyAllInBound rule, including your own SSH session if the SSH rule is missing or does not cover your source address. When the NSG is ready, associate it with the NIC by using the --network-security-group-name option of the azure network nic set <resource-group> <name> command as follows.

$ azure network nic set --network-security-group-name OVPN-NSG vRouter vRouter1-Frontend-NIC
info:    Executing command network nic set
+ Looking up the network interface "vRouter1-Frontend-NIC"
+ Looking up the network security group "OVPN-NSG"
+ Updating network interface "vRouter1-Frontend-NIC"
data:    Id                           : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkInterfaces/vRouter1-Frontend-NIC
data:    Name                         : vRouter1-Frontend-NIC
data:    Type                         : Microsoft.Network/networkInterfaces
data:    Location                     : westus
data:    Provisioning state           : Succeeded
data:    MAC address                  : 00-0D-3A-34-8F-DF
data:    Internal domain name suffix  : wlsosiwaajyerbkjndrs4x1gzc.dx.internal.cloudapp.net
data:    Enable IP forwarding         : true
data:    Network security group       : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/OVPN-NSG
data:    IP configurations:
data:      Name                         : default-ip-config
data:      Provisioning state           : Succeeded
data:      Private IP address           : 10.0.0.4
data:      Private IP version           : IPv4
data:      Private IP allocation method : Static
data:      Public IP address            : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/publicIPAddresses/vRouter1-IP
data:      Subnet                       : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/virtualNetworks/Net/subnets/Frontend-Subnet
info:    network nic set command OK
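The procedure above creates the NSG, adds two rules and attaches the group, but it does not show what the fabric will actually do with a given packet once the group is in place. The following script is an added example, not code from the Vyatta documentation or from the azure CLI: it encodes the default inbound rules printed by azure network nsg create together with the two custom rules, evaluates sample inbound flows with Azure's semantics (ascending priority, first match wins), flags Allow rules that open a management port to any source, and renders the azure network nsg rule create command for an SSH rule restricted to a management network. The VNet prefix 10.0.0.0/16 (only 10.0.0.4 appears on the page), the management network 203.0.113.0/24, the sample source addresses and the treatment of the Internet tag as "any address outside the VNet" are all assumptions made for the example.

```python
"""Offline model of how Azure evaluates the OVPN-NSG rule set.

Added example; not code from the Vyatta documentation or the azure CLI.
Assumptions: VNet is 10.0.0.0/16, management network is 203.0.113.0/24,
and the "Internet" tag is approximated as "any address outside the VNet".
"""
import ipaddress
from dataclasses import dataclass

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]      # assumption
AZURE_LB_PROBE = ipaddress.ip_network("168.63.129.16/32")  # Azure's fixed health-probe source
MGMT_CIDR = "203.0.113.0/24"                               # assumed management network
MGMT_PORTS = {"22", "3389"}                                # SSH and RDP

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, single IP, service tag or "*"
    dest_port: str   # port number or "*"

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_port: int

def source_matches(spec: str, ip: str) -> bool:
    """Match a source address against a prefix, a service tag or '*'."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "AzureLoadBalancer":
        return addr in AZURE_LB_PROBE
    if spec == "Internet":          # approximation, see module docstring
        return not in_vnet
    return addr in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and rule.dest_port in ("*", str(flow.dst_port))
            and source_matches(rule.source, flow.src_ip))

def evaluate(rules, flow):
    """Azure semantics: lowest priority number first; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "(no rule)"   # unreachable while DenyAllInBound is present

# Default inbound rules exactly as the CLI printed them for OVPN-NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]
# The two rules the page adds, with the "*" source used on the page.
PAGE_RULES = [
    Rule("AllowSSHInbound", 200, "Inbound", "Allow", "Tcp", "*", "22"),
    Rule("AllowOVpnInbound", 300, "Inbound", "Allow", "Udp", "*", "1194"),
]
# The same rule set with SSH restricted to the (assumed) management network.
HARDENED_RULES = [
    Rule("AllowSSHInbound", 200, "Inbound", "Allow", "Tcp", MGMT_CIDR, "22"),
    Rule("AllowOVpnInbound", 300, "Inbound", "Allow", "Udp", "*", "1194"),
]

def exposed_management_rules(rules):
    """Names of inbound Allow rules that open a management port to any source."""
    return [r.name for r in rules
            if r.direction == "Inbound" and r.access == "Allow"
            and r.source in ("*", "Internet") and r.dest_port in MGMT_PORTS]

def to_azure_cli(rule: Rule, resource_group: str, nsg: str) -> str:
    """Render the 'azure network nsg rule create' invocation for a rule."""
    return (f"azure network nsg rule create --protocol {rule.protocol} "
            f'--source-address-prefix "{rule.source}" --source-port-range "*" '
            f'--destination-address-prefix "*" --destination-port-range {rule.dest_port} '
            f"--access {rule.access} --priority {rule.priority} --direction {rule.direction} "
            f"{resource_group} {nsg} {rule.name}")

if __name__ == "__main__":
    # Constructed sample flows: Internet source (TEST-NET-2), management source, VNet peer.
    samples = [
        Flow("Inbound", "Tcp", "198.51.100.7", 22),
        Flow("Inbound", "Tcp", "203.0.113.10", 22),
        Flow("Inbound", "Udp", "198.51.100.7", 1194),
        Flow("Inbound", "Tcp", "198.51.100.7", 443),
        Flow("Inbound", "Tcp", "10.0.1.9", 443),
    ]
    for label, custom in (("page", PAGE_RULES), ("hardened", HARDENED_RULES)):
        print(f"--- {label} rule set; exposed: {exposed_management_rules(custom)}")
        for f in samples:
            print(f"{f.protocol}/{f.dst_port} from {f.src_ip}: {evaluate(DEFAULT_INBOUND + custom, f)}")
    print(to_azure_cli(HARDENED_RULES[0], "vRouter", "OVPN-NSG"))
```

With the page's rule set, TCP 22 from any Internet address is allowed by AllowSSHInbound; with the hardened set the same packet falls through to DenyAllInBound, while SSH from the management network and OpenVPN from anywhere still match their Allow rules, and traffic from another VNet address on an unlisted port is still admitted by AllowVnetInBound. Running the rendered command in place of the page's SSH rule command applies that restriction; the rule name and priority are unchanged, so it can also be applied with azure network nsg rule set on an existing rule.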