Lab
Cloud Vendor: Microsoft Azure
Proficiency Level: Cloud Enthusiast
Tags: Application Gateway, Load Balancer, Network Security Group (NSG), Subnets, Virtual Machine, Virtual Network, Web Server

Summary

In this lab, you will configure Network Security Groups (NSG) in Microsoft Azure to protect the backend pool Virtual Machines from direct HTTP access. You will allow HTTP access to the backend virtual machines only from the Virtual Network. You will also restrict SSH access to the backend pool VMs to your IP address, preventing anybody else from accessing the VMs via SSH.

Each exercise below builds upon the previous one. You should start each new exercise from the last step of the previous exercise unless it is explicitly written otherwise.

Learning Objectives

After completion of this lab, you will be able to:

  • Create a Network Security Group (NSG) in Azure
  • Configure the NSG to accept HTTP traffic from the Virtual Network only
  • Configure the NSG to accept SSH traffic from your IP address only
  • Test the NSG configuration

Prerequisites

To complete this lab, you will need the following:

Determine the Public IP Address Your Local Machine Uses

Here is how you can determine the public IP address your local machine uses. This IP address cannot be used to access your local machine from the Internet, but it is the IP address that requests to services come from:

  1. Go to https://www.google.com
  2. Type what is my ip address in the search box
  3. Google will return the public IP address your local machine uses. Note this IP address; you will need it for the exercises

Determine the Public IP Address of the Azure Application Gateway

Here is how you can determine the IP address of the Application Gateway.

  1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
  2. Click on the button in the left-hand navigation
  3. Find the networkinglab01-rg and click on it
  4. Find the networkinglab01-ag Application Gateway resource in the list and click on it
  5. In the Overview blade, note the Frontend public IP address of the Application Gateway

Determine the Public IP Addresses of the Backend Pool Virtual Machines

Here is how you can determine the public IP addresses of the backend pool Virtual Machines.

  1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
  2. Click on the button in the left-hand navigation
  3. Find the networkinglab01-rg and click on it
  4. Find the computelab01-vm01 Virtual Machine resource in the list and click on it
  5. In the Overview blade note the Public IP address of the Virtual Machine
  6. Repeat steps 4 and 5 for the computelab01-vm02 Virtual Machine resource

Exercise #1: Create a Network Security Group (NSG) in Azure

In this exercise, you will create a Network Security Group (NSG) in Azure and configure it to accept HTTP traffic from the VNet only and SSH traffic from your IP address only.

Steps

  1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
  2. Click on the button in the left-hand navigation
  3. Find the networkinglab01-rg and click on it
  4. Click on the button on the top of the Resource Group blade
  5. In the search box search for Network security group
  6. Click on the button
  7. On the Create network security group blade, on the Basics tab, in the Project details section, fill in the following information:
    Resource group: networkinglab01-rg
  8. In the Instance details section, fill in the following information:
    Name: networkinglab01-nsg
    Region: (US) West US 2
  9. Click on the button
  10. On the Tags tab, add the following tags:
    Role: web
    Lab: networkinglab01
    Owner: <your name>
    OwnerEmail: <your email>
  11. Click on the button
  12. Review the summary and click on the button
  13. Wait until the deployment is completed
  14. Once the deployment is completed, click on in the left-hand menu list
  15. Find the networkinglab01-rg resource group in the list and click on it
  16.  Milestone step:  At this point, you have learned how to create a Network Security Group (NSG) in the Microsoft Azure cloud. Verify that you have the following resources in your networkinglab01-rg resource group:
    networkinglab01-nsg Network security group
  17. Click on the networkinglab01-nsg Network security group resource
  18. Click on the button in the Network security group blade
  19. Click on the button on top of the Inbound security rules blade
  20. In the Add security rule blade, fill in the following information in the form:
    Source: IP Addresses
    Source IP addresses/CIDR ranges: [your_machine_ip_address]/32
    Source port ranges: *
    Destination: Any
    Destination port ranges: 22
    Protocol: TCP
    Action: Allow
    Priority: 100
    Name: SSH_Access
  21. Click on the button
  22. Wait until deployment is finished
  23.  Milestone step:  At this point, you have learned how to add Allow rules to a Network Security Group (NSG) in the Microsoft Azure cloud.
  24. Make sure the following rules are available in the list of Inbound security rules:

Exercise #2: Configure the Backend Pool VMs to use the Network Security Group (NSG)

In this exercise, you will configure the Application Gateway’s backend pool VMs to use the new Network Security Group.

Steps

  1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
  2. Click on the button in the left-hand navigation
  3. Find the networkinglab01-rg and click on it
  4. Find the computelab01-vm01 Virtual Machine resource in the list and click on it
  5. Click on the button in the Virtual machine blade
  6. Click on the Network interface link to go to the network interface attached to the VM
  7. Click on the button in the Network interface blade
  8. Click on the button on top of the NSG blade
  9. Click on the NSG row
  10. Select the networkinglab01-nsg Network security group resource
  11. Click on the button on top of the NSG blade
  12.  Milestone step:  At this point, you have learned how to change the Network Security Group (NSG) for a Virtual Machine in the Microsoft Azure cloud.
  13. Repeat steps 5 through 11 for computelab01-vm02 Virtual Machine resource

Exercise #3: Testing the Network Security Group (NSG) Rules for Web Traffic

In this exercise, you will test the web traffic rules you created in the Network Security Group.

Steps

  1. Open a new browser window and type the following in the address bar:
    https://[the_application_gateway_ip_address]
  2. You should see the home page served by the webserver installed on computelab01-vm01 Virtual Machine
  3. Refresh the page
  4. You should see the home page served by the webserver installed on computelab01-vm02 Virtual Machine
  5.  Milestone step:  At this point, you have verified that the backend pool can serve requests via HTTPS through the Application Gateway
  6. Open a new browser tab and paste the computelab01-vm01 Virtual Machine IP address in the address bar
  7. After some time, you should receive an error message or the page will time out
  8.  Milestone step:  At this point, you have verified that the computelab01-vm01 Virtual Machine is not directly accessible via HTTP
  9. Open a new browser tab and paste the computelab01-vm02 Virtual Machine IP address in the address bar
  10. After some time, you should receive an error message or the page will time out
  11.  Milestone step:  At this point, you have verified that the computelab01-vm02 Virtual Machine is not directly accessible via HTTP

Exercise #4: Testing the Network Security Group (NSG) Rules for SSH Traffic

In this exercise, you will test the remote access rules you created in the Network Security Group using an SSH client. Make sure you execute the steps from the location you configured in the NSG.

Steps

  1. Open a Terminal (Mac OS/Linux) or Command Prompt (Windows) window
  2. Type the following command
    ssh [computelab01_vm01_username]@[computelab01_vm01_ip_address]
  3. Type in the [computelab01_vm01_username] password
  4. You should connect to the computelab01-vm01 Virtual Machine
  5.  Milestone step:  At this point, you have verified that you have remote access to the computelab01-vm01 Virtual Machine using SSH
  6. Type exit
  7. Type the following command
    ssh [computelab01_vm02_username]@[computelab01_vm02_ip_address]
  8. Type in the [computelab01_vm02_username] password
  9. You should connect to the computelab01-vm02 Virtual Machine
  10.  Milestone step:  At this point, you have verified that you have remote access to the computelab01-vm02 Virtual Machine using SSH
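
Why Exercises #3 and #4 produce these results, as an added example that is not part of the original lab: a simplified Python model of NSG inbound evaluation, using the SSH_Access rule from Exercise #1 together with Azure's default inbound rules, which are what admit HTTP from the Virtual Network and deny it from everywhere else. The VNet range, the sample source addresses and the helper names are constructed assumptions, and each service tag is reduced to a single prefix.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not taken from the lab page).
VNET_CIDR = "10.0.0.0/16"   # assumed address space of the lab Virtual Network
MY_IP = "203.0.113.10"      # stands in for [your_machine_ip_address]
# Simplified service-tag resolution; "*" matches any source.
TAGS = {"*": ["0.0.0.0/0"], "VirtualNetwork": [VNET_CIDR],
        "AzureLoadBalancer": ["168.63.129.16/32"]}

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str     # service tag, "*", or CIDR
    port: str       # "*" or a single destination port
    protocol: str   # "TCP" or "*"
    action: str     # "Allow" or "Deny"

def nsg_rules(my_ip):
    """SSH_Access from Exercise #1 plus Azure's default inbound rules."""
    return [
        Rule(100, "SSH_Access", f"{my_ip}/32", "22", "TCP", "Allow"),
        Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "*", "Allow"),
        Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
        Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
    ]

def source_matches(rule, src_ip):
    prefixes = TAGS.get(rule.source, [rule.source])
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def evaluate(rules, src_ip, dst_port, protocol="TCP"):
    """Return (action, rule name) of the first match; lowest priority number wins."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (source_matches(r, src_ip) and r.port in ("*", str(dst_port))
                and r.protocol in ("*", protocol)):
            return r.action, r.name
    return "Deny", "no match"

if __name__ == "__main__":
    rules = nsg_rules(MY_IP)
    for label, src, port in [("SSH from your IP", MY_IP, 22),
                             ("SSH from another IP", "198.51.100.7", 22),
                             ("HTTP from the Internet", "198.51.100.7", 80),
                             ("HTTP from inside the VNet", "10.0.1.4", 80)]:
        print(f"{label:26} -> {evaluate(rules, src, port)}")
```

Only the SSH_Access rule opens a port to an Internet source, and only for the single /32 address, so a change in your public IP address makes the SSH test in Exercise #4 fail until the rule is updated.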

Last Update: October 23, 2019  

October 23, 2019   183   Toddy Mladenov    Security And Compliance    