Cloud Vendor: Microsoft Azure
Proficiency Level: Cloud Enthusiast
Tags: Application Gateway, Load Balancer, Network Security Group (NSG), Subnets, Virtual Machine, Virtual Network, Web Server
Summary
In this lab, you will configure Network Security Groups (NSG) in Microsoft Azure to protect the backend pool Virtual Machines from direct HTTP access. You will allow HTTP access to the backend virtual machines from the Virtual Network only. You will also restrict SSH access to the backend pool VMs to your own public IP address, preventing anyone else from reaching the VMs over SSH.
Each exercise below builds upon the previous one. You should start each new exercise from the last step of the previous exercise unless it is explicitly written otherwise.
Learning Objectives
After completion of this lab, you will be able to:
- Create a Network Security Group (NSG) in Azure
- Configure the NSG to accept HTTP traffic from the Virtual Network only
- Configure the NSG to accept SSH traffic from your IP address only
- Test the NSG configuration
Prerequisites
To complete this lab, you will need the following:
- Reliable internet connection
- A work, school or personal Microsoft Account used to access Microsoft Azure Management Portal
- A subscription for Microsoft Azure
- You will need to complete the Configuring HTTPS on Azure Application Gateway lab
- Follow the steps to determine the public IP address your local machine uses
- Follow the steps to determine the public IP address of the Application Gateway
- Follow the steps to determine the public IP addresses for your backend pool virtual machines
Determine the Public IP Address Your Local Machine Uses
Here is how you can determine the public IP address your local machine uses. This IP address cannot be used to access your local machine from the Internet, but it is the IP address that your requests to services come from:
- Go to https://www.google.com
- Type what is my ip address in the search box
- Google will return the public IP address your local machine uses. Note this IP address; you will need it for the exercises
Determine the Public IP Address of the Azure Application Gateway
Here is how you can determine the IP address of the Application Gateway.
- Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
- Click on the button in the left-hand navigation
- Find the networkinglab01-rg resource group and click on it
- Find the networkinglab01-ag Application Gateway resource in the list and click on it
- In the Overview blade, note the Frontend public IP address of the Application Gateway
Determine the Public IP Addresses of the Backend Pool Virtual Machines
Here is how you can determine the IP addresses of the backend pool Virtual Machines.
- Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
- Click on the button in the left-hand navigation
- Find the networkinglab01-rg resource group and click on it
- Find the computelab01-vm01 Virtual Machine resource in the list and click on it
- In the Overview blade, note the Public IP address of the Virtual Machine
- Repeat steps 4 and 5 for the computelab01-vm02 Virtual Machine resource
Exercise #1: Create a Network Security Group (NSG) in Azure
In this exercise, you will create a Network Security Group (NSG) in Azure and configure it to accept HTTP traffic from the VNet only and SSH traffic from your IP address only.
Steps
- Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
- Click on the button in the left-hand navigation
- Find the networkinglab01-rg resource group and click on it
- Click on the button on the top of the Resource Group blade
- In the search box, search for Network security group
- Click on the button
- On the Create network security group blade, on the Basics tab, in the Project details section, fill in the following information:
  Resource group → networkinglab01-rg
- In the Instance details section, fill in the following information:
  Name → networkinglab01-nsg
  Region → (US) West US 2
- Click on the button
- On the Tags tab, add the following tags:
  Role → web
  Lab → networkinglab01
  Owner → <your name>
  OwnerEmail → <your email>
- Click on the button
- Review the summary and click on the button
- Wait until the deployment is completed
- Once the deployment is completed, click on the entry in the left-hand menu list
- Find the networkinglab01-rg resource group in the list and click on it
- Milestone step: At this point, you have learned how to create a Network Security Group (NSG) in the Microsoft Azure cloud. Verify that you have the following resources in your networkinglab01-rg resource group:
  networkinglab01-nsg (Network security group)
- Click on the networkinglab01-nsg Network security group resource
- Click on the button in the Network security group blade
- Click on the button on top of the Inbound security rules blade
- In the Add security rule blade, fill in the following information in the form:
  Source: IP Addresses
  Source IP addresses/CIDR ranges: [your_machine_ip_address]/32
  Source port ranges: *
  Destination: Any
  Destination port ranges: 22
  Protocol: TCP
  Action: Allow
  Priority: 100
  Name: SSH_Access
- Click on the button
- Wait until the deployment is finished
- Milestone step: At this point, you have learned how to add Allow rules to a Network Security Group (NSG) in the Microsoft Azure cloud.
- Make sure the following rules are available in the list of Inbound security rules:
Exercise #2: Configure the Backend Pool VMs to use the Network Security Group (NSG)
In this exercise, you will configure the Application Gateway’s backend pool VMs to use the new Network Security Group.
Steps
- Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
- Click on the button in the left-hand navigation
- Find the networkinglab01-rg resource group and click on it
- Find the computelab01-vm01 Virtual Machine resource in the list and click on it
- Click on the button in the Virtual machine blade
- Click on the Network interface link to go to the network interface attached to the VM
- Click on the button in the Network interface blade
- Click on the button on top of the NSG blade
- Click on the NSG row
- Select the networkinglab01-nsg Network security group resource
- Click on the button on top of the NSG blade
- Milestone step: At this point, you have learned how to change the Network Security Group (NSG) for a Virtual Machine in the Microsoft Azure cloud.
- Repeat steps 5 through 11 for the computelab01-vm02 Virtual Machine resource
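The same result as Exercises #1 and #2 can be reached from the command line, which is handy for repeating the lab or for reviewing the rule set later. The script below is an added example and is not part of the lab; it assumes the Azure CLI is installed and logged in (az login) against the lab subscription, that MY_IP, OWNER and OWNER_EMAIL are supplied as environment variables, and it chooses a name (HTTP_From_VNet) and priority (110) for the HTTP-from-VNet rule, which the lab describes only by intent. The resource, NSG and VM names are the ones used in the lab.

```shell
#!/bin/sh
# Added example (not part of the lab): provision the lab's NSG with the Azure CLI.
# Assumptions not stated on the lab page: you are logged in with "az login" and
# pointed at the lab subscription; MY_IP, OWNER and OWNER_EMAIL come from the
# environment; the HTTP rule's name (HTTP_From_VNet) and priority (110) are chosen here.
set -eu

RG=networkinglab01-rg
NSG=networkinglab01-nsg
LOCATION=westus2          # "(US) West US 2" in the portal
VMS="computelab01-vm01 computelab01-vm02"

# Turn a dotted-quad IPv4 address into the /32 prefix the SSH rule needs.
# Anything that is not exactly four octets in the range 0-255 is rejected, so a
# typo in MY_IP fails here instead of producing a rule that admits the wrong hosts.
cidr_for_ip() {
  ip=$1
  case "$ip" in
    *[!0-9.]* | *..* | .* | *.) echo "invalid IPv4 address: $ip" >&2; return 1 ;;
  esac
  saved_ifs=$IFS; IFS=.; set -- $ip; IFS=$saved_ifs
  [ $# -eq 4 ] || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  for octet in "$@"; do
    [ "$octet" -le 255 ] || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  done
  echo "$ip/32"
}

# Custom NSG rules take priorities 100-4096; the lowest number wins, and the
# built-in rules sit at 65000 and above so they are evaluated last.
valid_priority() {
  case "$1" in *[!0-9]* | '') return 1 ;; esac
  [ "$1" -ge 100 ] && [ "$1" -le 4096 ]
}

create_nsg() {
  az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION" \
    --tags Role=web Lab=networkinglab01 "Owner=$OWNER" "OwnerEmail=$OWNER_EMAIL" \
    --output none
}

# Inbound TCP allow rule: <name> <priority> <source prefix or service tag> <destination port>
add_inbound_tcp_allow() {
  valid_priority "$2" || { echo "priority must be 100-4096: $2" >&2; return 1; }
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "$1" --priority "$2" --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$3" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges "$4" --output none
}

# Exercise #2 by CLI: associate the NSG with the VM's primary network interface.
attach_nsg_to_vm() {
  nic_id=$(az vm show --resource-group "$RG" --name "$1" \
    --query 'networkProfile.networkInterfaces[0].id' --output tsv)
  nsg_id=$(az network nsg show --resource-group "$RG" --name "$NSG" --query id --output tsv)
  az network nic update --ids "$nic_id" --network-security-group "$nsg_id" --output none
}

if [ "${NSG_APPLY:-0}" = 1 ]; then
  : "${MY_IP:?set MY_IP to the address Google showed for 'what is my ip address'}"
  : "${OWNER:?set OWNER}" "${OWNER_EMAIL:?set OWNER_EMAIL}"
  create_nsg
  add_inbound_tcp_allow SSH_Access     100 "$(cidr_for_ip "$MY_IP")" 22   # rule from the lab
  add_inbound_tcp_allow HTTP_From_VNet 110 VirtualNetwork             80   # assumed name/priority
  for vm in $VMS; do attach_nsg_to_vm "$vm"; done
  az network nsg rule list --resource-group "$RG" --nsg-name "$NSG" --output table
fi
```

Run it as NSG_APPLY=1 MY_IP=203.0.113.7 OWNER='Your Name' OWNER_EMAIL=you@example.com sh nsg.sh (constructed sample values); without NSG_APPLY=1 it only defines the functions. Two points worth knowing when reviewing the result: the NSG's built-in rules already produce most of this behaviour, since AllowVnetInBound (priority 65000) admits traffic from the VNet, including the Application Gateway, and DenyAllInBound (65500) drops everything else, which is why direct HTTP from the Internet fails in Exercise #3; the explicit VirtualNetwork rule makes the intent visible next to SSH_Access instead of relying on defaults that are easy to overlook. And the address Google reports is your network's egress address, which changes when you move networks or use a VPN, so if SSH stops working the first thing to re-check is the source prefix in SSH_Access.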
Exercise #3: Testing the Network Security Group (NSG) Rules for Web Traffic
In this exercise, you will test the web traffic rules you created in the Network Security Group.
Steps
- Open a new browser window and type the following in the address bar:
  https://[the_application_gateway_ip_address]
- You should see the home page served by the web server installed on the computelab01-vm01 Virtual Machine
- Refresh the page
- You should see the home page served by the web server installed on the computelab01-vm02 Virtual Machine
- Milestone step: At this point, you have verified that the backend pool can serve requests via HTTPS through the Application Gateway
- Open a new browser tab and paste the computelab01-vm01 Virtual Machine IP address in the address bar
- After some time, you should receive an error message or the page will time out
- Milestone step: At this point, you have verified that the computelab01-vm01 Virtual Machine is not directly accessible via HTTP
- Open a new browser tab and paste the computelab01-vm02 Virtual Machine IP address in the address bar
- After some time, you should receive an error message or the page will time out
- Milestone step: At this point, you have verified that the computelab01-vm02 Virtual Machine is not directly accessible via HTTP
Exercise #4: Testing the Network Security Group (NSG) Rules for SSH Traffic
In this exercise, you will test the remote access rules you created in the Network Security Group using an SSH client. Make sure you execute the steps from the location whose public IP address you configured in the NSG.
Steps
- Open a Terminal (Mac OS/Linux) or Command Prompt (Windows) window
- Type the following command:
  ssh [computelab01_vm01_username]@[computelab01_vm01_ip_address]
- Type in the [computelab01_vm01_username] password
- You should connect to the computelab01-vm01 Virtual Machine
- Milestone step: At this point, you have verified that you have remote access to the computelab01-vm01 Virtual Machine using SSH
- Type exit
- Type the following command:
  ssh [computelab01_vm02_username]@[computelab01_vm02_ip_address]
- Type in the [computelab01_vm02_username] password
- You should connect to the computelab01-vm02 Virtual Machine
- Milestone step: At this point, you have verified that you have remote access to the computelab01-vm02 Virtual Machine using SSH
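The checks in Exercises #3 and #4 can also be run from a terminal, which makes it easy to repeat them after every NSG change. The script below is an added example, not part of the lab; it assumes curl and OpenSSH 7.6 or later are installed, and that the gateway address, both VM addresses and the VM user name are supplied through the environment variables GATEWAY_IP, VM01_IP, VM02_IP and VM_USER (names chosen here). The verdict functions are kept separate from the probes so the interpretation of each outcome is explicit.

```shell
#!/bin/sh
# Added example (not part of the lab): run the Exercise #3 and #4 checks from a
# terminal. Assumptions not on the lab page: curl and OpenSSH 7.6+ are installed, and
# GATEWAY_IP, VM01_IP, VM02_IP and VM_USER are supplied through the environment.
set -u

CURL_EXTRA=${CURL_EXTRA:-}   # e.g. "--cacert gateway.pem" if the gateway cert is private

# Map a curl exit status to the NSG outcome it indicates.
#   0  the web server answered (traffic allowed)
#   28 nothing answered before --max-time: an NSG deny drops packets silently
#   7  connection refused: the packet reached the host but nothing listened on the port
#   60 the TLS certificate could not be verified (the gateway did answer)
interpret_curl_status() {
  case "$1" in
    0)  echo reachable ;;
    28) echo timeout ;;
    7)  echo refused ;;
    60) echo tls-error ;;
    *)  echo "curl-error-$1" ;;
  esac
}

# Map an ssh attempt (exit status, stderr text) to the same verdicts. BatchMode never
# prompts for a password, so "Permission denied" means TCP/22 was reachable and the
# server got as far as authentication, which is what the SSH_Access rule should yield
# from the allowed address when no key is installed on the VM.
interpret_ssh_probe() {
  rc=$1; err=$2
  if [ "$rc" -eq 0 ]; then echo reachable; return 0; fi
  case "$err" in
    *"Permission denied"*)   echo reachable ;;
    *"timed out"*)           echo timeout ;;
    *"Connection refused"*)  echo refused ;;
    *)                       echo "ssh-error-$rc" ;;
  esac
}

FAILURES=0
check() {   # check <label> <expected verdict> <actual verdict>
  if [ "$2" = "$3" ]; then
    echo "PASS  $1: $3"
  else
    echo "FAIL  $1: expected $2, got $3"
    FAILURES=$((FAILURES + 1))
  fi
}

probe_http() {   # probe_http <url>
  curl --silent --output /dev/null --max-time 10 $CURL_EXTRA "$1"
  interpret_curl_status $?
}

probe_ssh() {    # probe_ssh <user> <ip>; accept-new records an unseen host key but
                 # still rejects a changed one (needs OpenSSH 7.6 or later)
  ssh_err=$(ssh -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new \
    "$1@$2" exit 2>&1 >/dev/null)
  interpret_ssh_probe $? "$ssh_err"
}

if [ "${NSG_VERIFY:-0}" = 1 ]; then
  : "${GATEWAY_IP:?}" "${VM01_IP:?}" "${VM02_IP:?}" "${VM_USER:?}"
  # Exercise #3: the gateway serves the site; the VMs do not answer HTTP directly.
  check "HTTPS via gateway" reachable "$(probe_http "https://$GATEWAY_IP/")"
  check "HTTP direct vm01"  timeout   "$(probe_http "http://$VM01_IP/")"
  check "HTTP direct vm02"  timeout   "$(probe_http "http://$VM02_IP/")"
  # Exercise #4: SSH is reachable from the address in SSH_Access.
  check "SSH vm01" reachable "$(probe_ssh "$VM_USER" "$VM01_IP")"
  check "SSH vm02" reachable "$(probe_ssh "$VM_USER" "$VM02_IP")"
  echo "$FAILURES check(s) failed"
  exit "$FAILURES"
fi
```

Run it as NSG_VERIFY=1 GATEWAY_IP=... VM01_IP=... VM02_IP=... VM_USER=... sh verify-nsg.sh from the machine whose address is in SSH_Access; without NSG_VERIFY=1 it only defines the functions. The expected verdict for direct HTTP is timeout rather than refused: an NSG deny drops the packets without answering, so the browser or curl simply waits. A refused verdict would mean the packet reached the VM and nothing was listening on port 80, which is a different finding (the NSG did not block it). Running the same script from a second network should flip the two SSH checks to timeout, which is the negative test the lab does not include.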
Last Update: October 23, 2019