Configuring a network security group for a NIC
If Vyatta NOS is expected to handle traffic only on certain ports, attaching an NSG to the router NIC improves security and reduces the risk of a successful denial of service attack, because Azure drops the unwanted traffic before it reaches the router.
The following example shows how to configure an NSG that allows access to an OpenVPN server and to SSH for management and how to attach the NSG to the NIC of the router.
First, create a network security group by using the azure network nsg create <resource-group> <name> <location> command as follows.
$ azure network nsg create vRouter OVPN-NSG westus
info:    Executing command network nsg create
+ Looking up the network security group "OVPN-NSG"
+ Creating a network security group "OVPN-NSG"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/OVPN-NSG
data:    Name                : OVPN-NSG
data:    Type                : Microsoft.Network/networkSecurityGroups
data:    Location            : westus
data:    Provisioning state  : Succeeded
data:    Security rules:
data:    Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
data:    -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
data:    AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
data:    AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
data:    DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
data:    AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
data:    AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
data:    DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
info:    network nsg create command OK
Next, add rules to the NSG by using the azure network nsg rule create <resource-group> <nsg-name> <name> command. The following two commands add rules that allow SSH (TCP port 22) and OpenVPN (UDP port 1194) inbound.
$ azure network nsg rule create --protocol Tcp --source-address-prefix "*" \
    --source-port-range "*" --destination-address-prefix "*" \
    --destination-port-range 22 --access Allow --priority 200 --direction Inbound \
    vRouter OVPN-NSG AllowSSHInbound
info:    Executing command network nsg rule create
+ Looking up the network security group "OVPN-NSG"
+ Looking up the network security rule "AllowSSHInbound"
+ Creating a network security rule "AllowSSHInbound"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/OVPN-NSG/securityRules/AllowSSHInbound
data:    Name                : AllowSSHInbound
data:    Type                : Microsoft.Network/networkSecurityGroups/securityRules
data:    Provisioning state  : Succeeded
data:    Source IP           : *
data:    Source Port         : *
data:    Destination IP      : *
data:    Destination Port    : 22
data:    Protocol            : Tcp
data:    Direction           : Inbound
data:    Access              : Allow
data:    Priority            : 200
info:    network nsg rule create command OK
$ azure network nsg rule create --protocol Udp --source-address-prefix "*" \
    --source-port-range "*" --destination-address-prefix "*" \
    --destination-port-range 1194 --access Allow --priority 300 --direction Inbound \
    vRouter OVPN-NSG AllowOVpnInbound
info:    Executing command network nsg rule create
+ Looking up the network security group "OVPN-NSG"
+ Looking up the network security rule "AllowOVpnInbound"
+ Creating a network security rule "AllowOVpnInbound"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/OVPN-NSG/securityRules/AllowOVpnInbound
data:    Name                : AllowOVpnInbound
data:    Type                : Microsoft.Network/networkSecurityGroups/securityRules
data:    Provisioning state  : Succeeded
data:    Source IP           : *
data:    Source Port         : *
data:    Destination IP      : *
data:    Destination Port    : 1194
data:    Protocol            : Udp
data:    Direction           : Inbound
data:    Access              : Allow
data:    Priority            : 300
info:    network nsg rule create command OK
Finally, associate the NSG with the Vyatta NOS NIC. Before you do so, verify that you have added every rule you require, because once the NSG is attached any traffic not permitted by a rule is dropped. When the NSG is ready, associate it with the NIC by using the --network-security-group-name option of the azure network nic set <resource-group> <name> command as follows.
$ azure network nic set --network-security-group-name OVPN-NSG vRouter vRouter1-Frontend-NIC
info:    Executing command network nic set
+ Looking up the network interface "vRouter1-Frontend-NIC"
+ Looking up the network security group "OVPN-NSG"
+ Updating network interface "vRouter1-Frontend-NIC"
data:    Id                            : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkInterfaces/vRouter1-Frontend-NIC
data:    Name                          : vRouter1-Frontend-NIC
data:    Type                          : Microsoft.Network/networkInterfaces
data:    Location                      : westus
data:    Provisioning state            : Succeeded
data:    MAC address                   : 00-0D-3A-34-8F-DF
data:    Internal domain name suffix   : wlsosiwaajyerbkjndrs4x1gzc.dx.internal.cloudapp.net
data:    Enable IP forwarding          : true
data:    Network security group        : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/OVPN-NSG
data:    IP configurations:
data:      Name                        : default-ip-config
data:      Provisioning state          : Succeeded
data:      Private IP address          : 10.0.0.4
data:      Private IP version          : IPv4
data:      Private IP allocation method: Static
data:      Public IP address           : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/publicIPAddresses/vRouter1-IP
data:      Subnet                      : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/virtualNetworks/Net/subnets/Frontend-Subnet
data:
info:    network nic set command OK
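As an added example that is not part of this guide, the following Python models how Azure evaluates the inbound side of the OVPN-NSG built above: rules are tried in ascending priority order, the first match decides, and the default rules at priorities 65000 to 65500 catch everything the custom rules do not. It also performs the pre-attachment check the guide recommends, listing any required (protocol, port) pair an Internet client could not reach. The service-tag address ranges and the client address 203.0.113.5 are assumptions, not values from the page.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the two rules created in the walk-through plus the
# default inbound rules Azure adds to every NSG (outbound is not modelled).
OVPN_NSG_INBOUND = [
    {"name": "AllowSSHInbound", "priority": 200, "protocol": "Tcp",
     "source": "*", "dest_port": "22", "access": "Allow"},
    {"name": "AllowOVpnInbound", "priority": 300, "protocol": "Udp",
     "source": "*", "dest_port": "1194", "access": "Allow"},
    {"name": "AllowVnetInBound", "priority": 65000, "protocol": "*",
     "source": "VirtualNetwork", "dest_port": "*", "access": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001,
     "protocol": "*", "source": "AzureLoadBalancer", "dest_port": "*",
     "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "protocol": "*",
     "source": "*", "dest_port": "*", "access": "Deny"},
]

# Assumed expansions of the service tags; Azure resolves the real ranges.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"],
                "AzureLoadBalancer": ["168.63.129.16/32"]}

def _source_matches(prefix, src_ip):
    if prefix == "*":
        return True
    nets = SERVICE_TAGS.get(prefix, [prefix])   # tag name or CIDR prefix
    return any(ip_address(src_ip) in ip_network(n) for n in nets)

def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")          # "22" or "1000-2000"
    return int(low) <= port <= int(high or low)

def evaluate_inbound(rules, src_ip, protocol, dest_port):
    """Return (access, rule name) of the first match in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["protocol"] in ("*", protocol)
                and _source_matches(rule["source"], src_ip)
                and _port_matches(rule["dest_port"], dest_port)):
            return rule["access"], rule["name"]
    raise ValueError("no match: every NSG ends with a DenyAll default rule")

def missing_allows(rules, required, client_ip="203.0.113.5"):
    """(protocol, port) pairs an Internet client could not reach; run this
    before attaching the NSG, since anything not allowed is dropped."""
    return [(p, port) for p, port in required
            if evaluate_inbound(rules, client_ip, p, port)[0] != "Allow"]
```

Note that both custom rules use a source prefix of "*", so the SSH rule admits management connections from any address; narrowing --source-address-prefix to the management network is the usual hardening step and the evaluator reports it as a Deny for other sources.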