Vyatta documentation

Configuring a network security group for a subnet

In some deployments you need to apply an NSG to an entire subnet rather than to individual NICs.

A previous example shows how to configure a route table so that all traffic from App-Subnet to DB-Subnet passes through a router. The following example shows how to use an NSG so that traffic from anywhere other than App-Subnet cannot enter DB-Subnet. Only VMs in App-Subnet are able to reach DB-Subnet, and their traffic passes through a router for firewall and monitoring.

First, create a network security group by using the azure network nsg create <resource-group> <name> <location> command as follows:

$ azure network nsg create vRouter DB-Subnet-NSG westus
info:    Executing command network nsg create
+ Looking up the network security group "DB-Subnet-NSG"
+ Creating a network security group "DB-Subnet-NSG"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/DB-Subnet-NSG
data:    Name                : DB-Subnet-NSG
data:    Type                : Microsoft.Network/networkSecurityGroups
data:    Location            : westus
data:    Provisioning state  : Succeeded
data:    Security rules:
data:    Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
data:    -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
data:    AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
data:    AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
data:    DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
data:    AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
data:    AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
data:    DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
info:    network nsg create command OK

Next, create an NSG rule to allow traffic to pass from the App-Subnet to the DB-Subnet by using the azure network nsg rule create <resource-group> <nsg-name> <name> command as follows.

$ azure network nsg rule create --protocol "*" --source-address-prefix "10.0.3.0/24" \
    --source-port-range "*" --destination-address-prefix "10.0.2.0/24" --destination-port-range "*" \
    --access Allow --priority 200 --direction Inbound vRouter DB-Subnet-NSG AllowAppInbound
info:    Executing command network nsg rule create
+ Looking up the network security group "DB-Subnet-NSG"
+ Looking up the network security rule "AllowAppInbound"
+ Creating a network security rule "AllowAppInbound"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/DB-Subnet-NSG/securityRules/AllowAppInbound
data:    Name                : AllowAppInbound
data:    Type                : Microsoft.Network/networkSecurityGroups/securityRules
data:    Provisioning state  : Succeeded
data:    Source IP           : 10.0.3.0/24
data:    Source Port         : *
data:    Destination IP      : 10.0.2.0/24
data:    Destination Port    : *
data:    Protocol            : *
data:    Direction           : Inbound
data:    Access              : Allow
data:    Priority            : 200
info:    network nsg rule create command OK

The default AllowVnetInBound rule (priority 65000) allows all traffic from anywhere within the virtual network, so on its own the NSG would still let every other subnet reach DB-Subnet. Override it with a Deny rule at a higher priority: Azure evaluates rules from the lowest priority number upward and stops at the first match, so a DenyVnetInbound rule at priority 4096 is reached before the default allow, while the AllowAppInbound rule at priority 200 is still evaluated first and continues to admit App-Subnet traffic.

$ azure network nsg rule create --protocol "*" --source-address-prefix VirtualNetwork \
    --source-port-range "*" --destination-address-prefix VirtualNetwork --destination-port-range "*" \
    --access Deny --priority 4096 --direction Inbound vRouter DB-Subnet-NSG DenyVnetInbound
info:    Executing command network nsg rule create
+ Looking up the network security group "DB-Subnet-NSG"
+ Looking up the network security rule "DenyVnetInbound"
+ Creating a network security rule "DenyVnetInbound"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/DB-Subnet-NSG/securityRules/DenyVnetInbound
data:    Name                : DenyVnetInbound
data:    Type                : Microsoft.Network/networkSecurityGroups/securityRules
data:    Provisioning state  : Succeeded
data:    Source IP           : VirtualNetwork
data:    Source Port         : *
data:    Destination IP      : VirtualNetwork
data:    Destination Port    : *
data:    Protocol            : *
data:    Direction           : Inbound
data:    Access              : Deny
data:    Priority            : 4096
info:    network nsg rule create command OK

Finally, associate the NSG with the subnet. Confirm that you have added all the rules you require before doing this, because any traffic not permitted by a rule is dropped as soon as the association takes effect. When the NSG is ready, associate it with the subnet by using the --network-security-group-name option of the azure network vnet subnet set <resource-group> <vnet-name> <name> command as follows.

$ azure network vnet subnet set --network-security-group-name DB-Subnet-NSG vRouter Net DB-Subnet
info:    Executing command network vnet subnet set
+ Looking up the virtual network "Net"
+ Looking up the subnet "DB-Subnet"
+ Looking up the network security group "DB-Subnet-NSG"
+ Updating subnet "DB-Subnet"
data:    Id                        : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/virtualNetworks/Net/subnets/DB-Subnet
data:    Name                      : DB-Subnet
data:    Provisioning state        : Succeeded
data:    Address prefix            : 10.0.2.0/24
data:    Network Security Group id : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/DB-Subnet-NSG
info:    network vnet subnet set command OK

If you find that you are having network issues and suspect that NSGs could be to blame, first check which NSG is associated with the subnet.

$ azure network vnet subnet show vRouter Net DB-Subnet
info:    Executing command network vnet subnet show
+ Looking up the virtual network "Net"
+ Looking up the subnet "DB-Subnet"
data:    Id                        : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/virtualNetworks/Net/subnets/DB-Subnet
data:    Name                      : DB-Subnet
data:    Provisioning state        : Succeeded
data:    Address prefix            : 10.0.2.0/24
data:    Network Security Group id : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/DB-Subnet-NSG
info:    network vnet subnet show command OK

Then check the rules in the NSG.

$ azure network nsg show vRouter DB-Subnet-NSG
info:    Executing command network nsg show
+ Looking up the network security group "DB-Subnet-NSG"
data:    Id                  : /subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/vRouter/providers/Microsoft.Network/networkSecurityGroups/DB-Subnet-NSG
data:    Name                : DB-Subnet-NSG
data:    Type                : Microsoft.Network/networkSecurityGroups
data:    Location            : westus
data:    Provisioning state  : Succeeded
data:    Security rules:
data:    Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
data:    -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
data:    AllowAppInbound                10.0.3.0/24        *            10.0.2.0/24     *                 *         Inbound    Allow   200
data:    DenyVnetInbound                VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Deny    4096
data:    AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
data:    AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
data:    DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
data:    AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
data:    AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
data:    DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
info:    network nsg show command OK
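The rule table is the whole effective policy for the subnet, and what decides a packet's fate is the Priority column: Azure evaluates the rules with the lowest number first and stops at the first match, which is why DenyVnetInbound (4096) shadows the default AllowVnetInBound (65000) but not AllowAppInbound (200). The following Python script is an added example, not part of the Vyatta documentation and not an Azure tool: it parses a rule table in the layout that azure network nsg show prints (a constructed copy of the table above is embedded as input), orders the rules by priority, and evaluates a few constructed flows through them. It also performs the check called for before the association step, by showing what happens to App-Subnet traffic when DenyVnetInbound exists but AllowAppInbound was forgotten. The virtual-network address space (10.0.0.0/16), the load-balancer probe source address and the flow endpoints are assumptions made for the example; the page itself gives only the two /24 subnet prefixes.

```python
"""Evaluate the effective policy of an Azure NSG from `azure network nsg show` output.

Added example for the DB-Subnet-NSG procedure; not Vyatta or Azure code.
"""
import ipaddress
from dataclasses import dataclass

# Constructed input: the rule table as printed by `azure network nsg show vRouter DB-Subnet-NSG`
# after the two custom rules were added (whitespace-aligned copy, not a verbatim capture).
NSG_SHOW_OUTPUT = """\
data:    Security rules:
data:    Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
data:    -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
data:    AllowAppInbound                10.0.3.0/24        *            10.0.2.0/24     *                 *         Inbound    Allow   200
data:    DenyVnetInbound                VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Deny    4096
data:    AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
data:    AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
data:    DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
data:    AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
data:    AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
data:    DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
info:    network nsg show command OK
"""

# Assumption: address space of the virtual network "Net" (the page only shows its two /24 subnets).
VNET_PREFIXES = ["10.0.0.0/16"]
# Assumption: source address used by the Azure load-balancer health probes.
AZURE_LB_PROBE_SOURCE = "168.63.129.16"


@dataclass
class Rule:
    name: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    protocol: str
    direction: str
    access: str
    priority: int


def parse_rules(text):
    """Extract rule rows from `nsg show` output and return them sorted by priority (lowest first)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        # A rule row is "data:" followed by the nine table columns, the last being an integer priority.
        # Rule names are assumed to contain no whitespace.
        if len(fields) == 10 and fields[0] == "data:" and fields[-1].isdigit():
            rules.append(Rule(*fields[1:9], int(fields[9])))
    return sorted(rules, key=lambda r: r.priority)  # stable sort keeps listed order on ties


def _addr_matches(spec, ip):
    """Match an address against a CIDR, a single IP, '*' or one of the service tags used on the page."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(p) for p in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":          # simplified: anything outside the virtual network
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_SOURCE
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def evaluate(rules, direction, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) from the first rule that matches, in priority order."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not (_addr_matches(r.src, src_ip) and _addr_matches(r.dst, dst_ip)):
            continue
        if not _port_matches(r.dst_port, dst_port):
            continue
        return r.access, r.name
    return "Deny", "<no matching rule>"


def audit(rules):
    """Run constructed sample flows for the App-Subnet / DB-Subnet design through the rule set."""
    flows = {
        "app->db sql": ("Inbound", "10.0.3.10", "10.0.2.10", 1433),
        "other subnet->db": ("Inbound", "10.0.1.10", "10.0.2.10", 1433),
        "internet->db ssh": ("Inbound", "203.0.113.5", "10.0.2.10", 22),
        "lb probe->db": ("Inbound", AZURE_LB_PROBE_SOURCE, "10.0.2.10", 1433),
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    rules = parse_rules(NSG_SHOW_OUTPUT)
    for name, (access, rule) in audit(rules).items():
        print(f"{name:18s} {access:5s} via {rule}")
    # The pre-association check: the Deny rule without its Allow counterpart blocks App-Subnet too.
    incomplete = [r for r in rules if r.name != "AllowAppInbound"]
    print("app->db without AllowAppInbound:", evaluate(incomplete, "Inbound", "10.0.3.10", "10.0.2.10", 1433))
```

Running the script shows App-Subnet traffic admitted by AllowAppInbound, other VNet traffic stopped by DenyVnetInbound before the default allow is ever consulted, and Internet traffic falling through to DenyAllInBound; the final line shows that with the Deny rule present but the Allow rule missing, App-Subnet traffic is dropped as well, which is exactly the state to catch before associating the NSG with the subnet.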

To disassociate an NSG from a subnet, use the Azure Portal.