Restricting Access to Backend Pool VMs in Azure using NSGs

Summary

In this lab, you will configure Network Security Groups (NSG) in Microsoft Azure to protect the backend pool Virtual Machines from direct HTTP access. You will only allow HTTP access to the backend virtual machines from the Virtual Network. Also, you will restrict the SSH access to the backend pool VMs to your IP address, thus preventing anybody else accessing the VMs via SSH.

Each exercise below builds upon the previous one. You should start each new exercise from the last step of the previous exercise unless it is explicitly written otherwise.

Learning Objectives

After completion of this lab, you will be able to:

Prerequisites

To complete this lab, you will need the following:

Determine the Public IP Address Your Local Machine Uses

Here is how you can determine the public IP address your local machine uses. This IP address cannot be used to access your local machine from the Internet, but it is the IP address that requests to services come from:

1. Go to https://www.google.com
2. Type what is my ip address in the search box
3. Google will return the public IP address your local machine uses. Note this IP address, you will need it for the exercises

Determine the Public IP Address of the Azure Application Gateway

Here is how you can determine the IP address of the Application Gateway.

1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
2. Click on the button in the left-hand navigation
3. Find the networkinglab01-rg and click on it
4. Find the networkinglab01-ag Application Gateway resource in the list and click on it
5. In the Overview blade, note the Frontend public IP address of the Application Gateway

Determine the Public IP Addresses of the Backend Pool Virtual Machines

Here is how you can determine the IP address of the Application Gateway.

1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
2. Click on the button in the left-hand navigation
3. Find the networkinglab01-rg and click on it
4. Find the computelab01-vm01 Virtual Machine resource in the list and click on it
5. In the Overview blade note the Public IP address of the Virtual Machine
6. Repeat steps 4 and 5 for computelab01-vm01 Virtual Machine resource

Exercise #1: Create a Network Security Group (NSG) in Azure

In this exercise, you will create a Network Security Group (NSG) in Azure and configure it to accept HTTP traffic from the VNet only and SSH traffic from your IP address only.

Steps

1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
2. Click on the button in the left-hand navigation
3. Find the networkinglab01-rg and click on it
4. Click on the button on the top of the Resource Group blade
5. In the search box search for Network security group
   
6. Click on the button
7. On the Create network security group blade, on the Basics tab, in the Project details section, fill in the following information:
   Resource group → networkinglab01-rg
8. In the Instance details section, fill in the following information:
   Name → networkinglab01-nsg
   Region → (US) West US 2
9. Click on the button
10. On the Tags tab, add the following tags:
    Role → web
    Lab → networkinglab01
    Owner → <your name>
    OwnerEmail → <your email>
11. Click on the button
12. Review the summary and click on the button
13. Wait until the deployment is completed
14. Once the deployment is completed, click on in the left-hand menu list
15. FindTipYou can use the search box on top of the screen to find the resource group the networkinglab01-rg resource group in the list and click on it
16.  Milestone step:  At this point, you have learned how to create a Network Security Group (NSG) in the Microsoft Azure cloud. Verify that you have the following resources in your networkinglab01-rg resource group:
    networkinglab01-nsg Network security group
    
17. Click on the networkinglab01-nsg Network security group resource
18. Click on the button in the Network security group blade
19. Click on the button on top of the Inbound security rules blade
20. In the Add security rule blade, fill in the following information in the form:
    Source: IP Addresses
    Source IP addresses/CIDR ranges: [your_machine_ip_address]/32
    Source port ranges: *
    Destination: Any
    Destination port ranges: 22
    Protocol: TCP
    Action: Allow
    Priority: 100
    Name: SSH_Access
21. Click on the button
22. Wait until deployment is finished
23.  Milestone step:  At this point, you have learned how to add Allow rules to a Network Security Group (NSG) in the Microsoft Azure cloud.
24. Make sure the following rules are available in the list of Inbound security rules:
    

Exercise #2: Configure the Backend Pool VMs to use the Network Security Group (NSG)

In this exercise, you will configure the Application Gateway’s backend pool VMs to use the new Network Security Group.

Steps

1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
2. Click on the button in the left-hand navigation
3. Find the networkinglab01-rg and click on it
4. Find the computelab01-vm01 Virtual Machine resource in the list and click on it
5. Click on the button in the Virtual machine blade
6. Click on the Network interface link to go the network interface attached to the VM
7. Click on the button in the Network interface blade
8. Click on the button on top of the NSG blade
9. Click on the NSG row
10. Select the networkinglab01-nsg Network security group resource
11. Click on the button on top of the NSG blade
12.  Milestone step:  At this point, you have learned how to change the Network Security Group (NSG) for a Virtual Machine in the Microsoft Azure cloud.
13. Repeat steps 5 through 11 for computelab01-vm02 Virtual Machine resource

Exercise #3: Testing the Network Security Group (NSG) Rules for Web Traffic

In this exercise, you will test the web traffic rules you created in the Network Security Group.

Steps

1. Open a new browser window and type the following in the address bar:
   https://[the_application_gateway_ip_address]
2. You should see the home page served by the webserver installed on computelab01-vm01 Virtual Machine
3. Refresh the page
4. You should see the home page served by the webserver installed on computelab01-vm02 Virtual Machine
5.  Milestone step:  At this point, you have verified that the backend pool can serve requests via HTTPS through the Application Gateway
   
6. Open a new browser tab and paste the computelab01-vm01 Virtual Machine IP address in the address bar
7. After some time, you should receive an error message or the page will time out
8.  Milestone step:  At this point, you have verified that the computelab01-vm01 Virtual Machine is not directly accessible via HTTP
9. Open a new browser tab and paste the computelab01-vm02 Virtual Machine IP address in the address bar
10. After some time, you should receive an error message or the page will time out
11.  Milestone step:  At this point, you have verified that the computelab01-vm02 Virtual Machine is not directly accessible via HTTP

Exercise #4: Testing the Network Security Group (NSG) Rules for SSH Traffic

In this exercise, you will test the remote access rules you created in the Network Security Group using an SSH client. Make sure, you execute the steps from the location you configured in the NSG.

Steps

1. Open a Terminal (Mac OS/Linux) or Command Prompt (Windows) window
2. Type the following command
   ssh [computelab01_vm01_username]@[computelab01_vm01_ip_address]
3. Type in the [computelab01_vm01_username] password
4. You should connect to the computelab01-vm01 Virtual Machine
5.  Milestone step:  At this point, you have verified that you have remote access to the computelab01-vm01 Virtual Machine using SSH
6. Type exit
7. Type the following command
   ssh [computelab01_vm02_username]@[computelab01_vm02_ip_address]
8. Type in the [computelab01_vm02_username] password
9. You should connect to the computelab01-vm02 Virtual Machine
10.  Milestone step:  At this point, you have verified that you have remote access to the computelab01-vm02 Virtual Machine using SSH