While text-based logs offer vital insights, Microsoft Azure takes it a step further by providing Log Analytics, a powerful tool that allows administrators to visualize NSG flow logs. By leveraging Log Analytics, administrators can gain a comprehensive understanding of network traffic patterns and potential security risks. However, it’s worth noting that Log Analytics has a slight drawback—the polling of logs from the Storage Account occurs every 10 minutes. Therefore, for instant log review, direct access to the storage account is necessary to obtain the most up-to-date information.

Enabling NSG Flow Logs in Log Analytics involves a two-step process. Firstly, you need to create a flow log and traffic analytics workspace. Detailed instructions for setting up flow logs for a single NSG can be found in this Microsoft documentation: https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logging#create-a-flow-log-and-traffic-analytics-workspace. Additionally, if you want to deploy NSG flow logs across multiple NSGs using Azure Policy, refer to this guide: Manage NSG flow logs using Azure Policy – Azure Network Watcher | Microsoft Learn. These resources offer step-by-step instructions to configure NSG Flow Logs according to your specific requirements.

Once NSG Flow Logs are enabled and actively collecting data, accessing and analyzing the logs becomes crucial. To view the logs, navigate to the Log Analytics Workspace, where you’ll find a built-in query named “IPv4 NSF Flow Log Search.” This pre-configured query streamlines the log analysis process, allowing you to efficiently retrieve and examine relevant log data. By utilizing this query, you can filter and manipulate the logs to extract valuable insights on network traffic patterns, potential security incidents, or any other specific information of interest.

Examples

Let’s see some custom queries to narrow down the results based on the needs.

Search all traffic from a Public IP against a Network Security Group:

AzureNetworkAnalytics_CL
| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]
| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0])
| extend NSGName=tostring(split(NSGList_s,'/',2)[0])
| where NSGName  == "labdc-nsg"
| where SrcPublicIPs_s contains "167.2XX.XX.XX"
| summarize count() by SourcePubIPs=SrcPublicIPs_s, SourceIP=SrcIP_s, DestinationIP=DestIP_s, DestinationPort=DestPort_d, TimeGenerated, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s

Results:

Search for internal traffic between two VMs:

AzureNetworkAnalytics_CL
| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]
| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0])
| extend NSGName=tostring(split(NSGList_s,'/',2)[0])
| where NSGName  == "labdc-nsg"
| where DestIP_s == "192.168.200.4" and SrcIP_s == "192.168.200.5"
| summarize count() by SourcePubIPs=SrcPublicIPs_s, SourceIP=SrcIP_s, DestinationIP=DestIP_s, DestinationPort=DestPort_d, TimeGenerated, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s

Results:

Search for traffic from internal IP to a public destination:

AzureNetworkAnalytics_CL
| extend NSGRuleAction=split(NSGRules_s,'|',3)[0]
| extend NSGRuleName=tostring(split(NSGRules_s,'|',1)[0])
| extend NSGName=tostring(split(NSGList_s,'/',2)[0])
| where NSGName  == "labdc-nsg"
| where SrcIP_s == "192.168.200.5"
| summarize count() by SourcePubIPs=SrcPublicIPs_s, SourceIP=SrcIP_s, DestPublicIPs=DestPublicIPs_s, DestinationPort=DestPort_d, TimeGenerated, NSGName, NSGRuleName, SourceSubnet=Subnet1_s, DestinationSubnet=Subnet2_s

Results:

In summary, Azure Network Security Groups serve as powerful access control devices for regulating network traffic within an Azure virtual network. The inclusion of NSG flow logs and Log Analytics enhances administrators’ visibility and understanding of network activity. By following the necessary steps to enable NSG Flow Logs and leveraging the Log Analytics Workspace, you can effectively monitor and analyze network traffic data, thereby improving the security and performance of your Azure resources.

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post NSG Flow Logs review in Log Analytics appeared first on Apostolidis Cloud Corner.

This is a template that first creates a Resource Group, and then it deploys a Virtual Machine from an image version of the Shared Image Gallery. It provides the Public IP and Hostname for outputs. 

Currently it only asks for the SIG image version and an environment value to create the naming convention of the resources. 

GitHub: https://github.com/proximagr/ARMTemplates/blob/master/VM-from-SIG-in-new-RG/VM-from-SIG-in-new-RG.json

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "galleryimageversion": {
            "type": "string",
            "defaultValue": "10.0.2"
        },
        "envname": {
            "type": "string",
            "defaultValue": "test"
        }
    },
    "variables": {
        "basename": "[concat(parameters('envname'),substring(deployment().name,0,6))]",
        "rgname": "[concat('rg-', substring(variables('basename'), 0, 10))]",
        "region": "francecentral"
    },
    "resources": [
        {
            "name": "[variables('rgname')]",
            "type": "Microsoft.Resources/resourceGroups",
            "apiVersion": "2019-10-01",
            "location": "[variables('region')]",
            "dependsOn": [
            ],
            "tags": {
            }
        },
        {
            "type": "Microsoft.Resources/deployments",
            "resourceGroup": "[variables('rgname')]",
            "dependsOn": [
                "[resourceId('Microsoft.Resources/resourceGroups',variables('rgname'))]"
            ],
            "apiVersion": "2019-10-01",
            "name": "nestedTemplate1",
            "properties": {
                "expressionEvaluationOptions": {
                    "scope": "inner"
                },
                "mode": "Incremental",
                "parameters": {
                    "galleryImageVersionName": {
                        "value": "[parameters('galleryimageversion')]"
                    },
                    "envname": {
                        "value": "[parameters('envname')]"
                    }

                },
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                        "galleryImageVersionName": {
                            "type": "string"
                        },
                        "envname": {
                            "type": "string"
                        }
                    },
                    "variables": {
                        "basename": "[concat(parameters('envname'),substring(deployment().name,0,6))]",
                        "pubipname": "[concat( 'pip-',variables('basename'))]",
                        "pubipdns": "[concat( 'vm-',variables('basename'))]",
                        "region": "francecentral",
                        "adminUsername": "uiadmin",
                        "adminPassword": "ThisIs1Password!",
                        "galleryName": "demosig",
                        "galleryImageDefinitionName": "demoid",
                        "nicName": "[concat( 'nic-',variables('basename'))]",
                        "addressPrefix": "10.0.0.0/24",
                        "subnetName": "[concat( 'sub-',variables('basename'))]",
                        "subnetPrefix": "10.0.0.0/24",
                        "vmName": "[concat( 'vm-',variables('basename'))]",
                        "virtualNetworkName": "[concat( 'vnet-',variables('basename'))]",
                        "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]",
                        "networkSecurityGroupName": "[concat( 'nsg-',variables('basename'))]"
                    },
                    "resources": [
                        {
                            "name": "[variables('pubipname')]",
                            "type": "Microsoft.Network/publicIPAddresses",
                            "apiVersion": "2019-11-01",
                            "location": "[variables('region')]",
                            "tags": {
                                "displayName": "publicIPAddress1"
                            },
                            "properties": {
                                "publicIPAllocationMethod": "Static",
                                "dnsSettings": {
                                    "domainNameLabel": "[variables('pubipdns')]"
                                }
                            }
                        },
                        {
                            "comments": "Simple Network Security Group for subnet [variables('subnetName')]",
                            "type": "Microsoft.Network/networkSecurityGroups",
                            "apiVersion": "2019-08-01",
                            "name": "[variables('networkSecurityGroupName')]",
                            "location": "[variables('region')]",
                            "properties": {
                                "securityRules": [
                                    {
                                        "name": "default-allow-22",
                                        "properties": {
                                            "priority": 1000,
                                            "access": "Allow",
                                            "direction": "Inbound",
                                            "destinationPortRange": "22",
                                            "protocol": "Tcp",
                                            "sourceAddressPrefix": "*",
                                            "sourcePortRange": "*",
                                            "destinationAddressPrefix": "*"
                                        }
                                    },
                                    {
                                        "name": "default-allow-3389",
                                        "properties": {
                                            "priority": 1001,
                                            "access": "Allow",
                                            "direction": "Inbound",
                                            "destinationPortRange": "3389",
                                            "protocol": "Tcp",
                                            "sourceAddressPrefix": "*",
                                            "sourcePortRange": "*",
                                            "destinationAddressPrefix": "*"
                                        }
                                    }
                                ]
                            }
                        },
                        {
                            "type": "Microsoft.Network/virtualNetworks",
                            "name": "[variables('virtualNetworkName')]",
                            "apiVersion": "2016-03-30",
                            "location": "[variables('region')]",
                            "dependsOn": [
                                "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
                            ],
                            "properties": {
                                "addressSpace": {
                                    "addressPrefixes": [
                                        "[variables('addressPrefix')]"
                                    ]
                                },
                                "subnets": [
                                    {
                                        "name": "[variables('subnetName')]",
                                        "properties": {
                                            "addressPrefix": "[variables('subnetPrefix')]",
                                            "networkSecurityGroup": {
                                                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
                                            }
                                        }
                                    }
                                ]
                            }
                        },
                        {
                            "type": "Microsoft.Network/networkInterfaces",
                            "name": "[variables('nicName')]",
                            "apiVersion": "2016-03-30",
                            "location": "[variables('region')]",
                            "properties": {
                                "ipConfigurations": [
                                    {
                                        "name": "ipconfig1",
                                        "properties": {
                                            "privateIPAllocationMethod": "Dynamic",
                                            "publicIPAddress": {
                                                "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('pubipname'))]"
                                            },
                                            "subnet": {
                                                "id": "[variables('subnetRef')]"
                                            }
                                        }
                                    }
                                ]
                            },
                            "dependsOn": [
                                "[resourceId('Microsoft.Network/publicIPAddresses/', variables('pubipname'))]",
                                "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
                            ]
                        },
                        {
                            "type": "Microsoft.Compute/virtualMachines",
                            "name": "[variables('vmName')]",
                            "apiVersion": "2019-07-01",
                            "location": "[variables('region')]",
                            "properties": {
                                "hardwareProfile": {
                                    "vmSize": "Standard_F8s_v2"
                                },
                                "osProfile": {
                                    "computerName": "[variables('vmName')]",
                                    "adminUsername": "[variables('adminUsername')]",
                                    "adminPassword": "[variables('adminPassword')]"
                                },
                                "storageProfile": {
                                    "imageReference": {
                                        "id": "[resourceId('Microsoft.Compute/galleries/images/versions', variables('galleryName'), variables('galleryImageDefinitionName'), parameters('galleryImageVersionName'))]"
                                    }
                                },
                                "networkProfile": {
                                    "networkInterfaces": [
                                        {
                                            "id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"
                                        }
                                    ]
                                }
                            },
                            "dependsOn": [
                                "[resourceId('Microsoft.Network/networkInterfaces/', variables('nicName'))]"
                            ]
                        }
                    ],
                    "outputs": {
                        "publicipn": {
                            "type": "string",
                            "value": "[reference(variables('pubipname')).dnsSettings.fqdn]"
                        },
                        "publicipa": {
                            "type": "string",
                            "value": "[reference(variables('pubipname')).ipAddress]"
                        }
                    }
                }
            }
        }
    ],
    "outputs": {
        "hostname": {
            "type": "string",
            "value": "[reference('nestedTemplate1').outputs.publicipn.value]"
        },
        "ipaddress": {
            "type": "string",
            "value": "[reference('nestedTemplate1').outputs.publicipa.value]"
        }
    }
}

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Deploy VM from Azure SIG in new Resource Group appeared first on Apostolidis Cloud Corner.

Infrastructure as Code, or just IaC, provides three three main advantages: cost reduction, faster execution and risk reduction, the attributes of the DevOps culture.

Microsoft Azure Resource Manager allows the managing and provisioning of Azure Resources, that can be Virtual Machines, Virtual Networks, Storage Accounts, Apps, SQL Databases and everything that a computer data center includes, through machine-readable definition files, known as JSON templates, without the need of physical hardware configuration or interactive configuration tools.

I am starting a series of posts about building infrastructure with JSON templates.

The tool I use to build my Azure Json templates is the Visual Studio Code. You can download it from https://code.visualstudio.com/ for every platform.

To work with Azure Resource Manager you need the Azure Resource Manager Tools extension. Open the VS Code, go to the Extensions Section, search and install the Azure Resource Manager Tools extension.

The extension is very helpful since it highlights the code, it provides references and intellisense.

At this post I am sharing & explaining my Azure json template for deploying a Virtual Network, a Network Security Group and a Route Table.

You can find and download my working template at my Git account :

https://github.com/proximagr/ARMTemplates/tree/master/VNET-2sub-NSG-UDR

Json Template Guide

Below you can find my template with comments, for better understanding.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
//** Define the Virtual Network Name */
    "vnetName": {
      "type": "string",
      "defaultValue": "Cloud-Corner-VNET",
      "metadata": {
        "description": "Cloud Corner VNET"
      }
//** Define the Address Space of the Virtual Network */
    },
      "vnetAddressPrefix": {
        "type": "string",
        "defaultValue": "10.0.0.0/24",
        "metadata": {
          "description": "Address prefix"
        }
//** Define the Address Space of the the First Subnet */
      },
      "subnet1Prefix": {
        "type": "string",
        "defaultValue": "10.0.0.0/27",
        "metadata": {
          "description": "Subnet 1 Prefix"
        }
//** Define the Name of the the First Subnet */
      },
      "subnet1Name": {
        "type": "string",
        "defaultValue": "Subnet1",
        "metadata": {
          "description": "Subnet 1 Name"
        }
//** Define the Address Space of the the Second Subnet */
      },
      "subnet2Prefix": {
        "type": "string",
        "defaultValue": "10.0.0.32/27",
        "metadata": {
          "description": "Subnet 2 Prefix"
        }
//** Define the Name of the the First Subnet */
      },
      "subnet2Name": {
        "type": "string",
        "defaultValue": "Subnet2",
        "metadata": {
          "description": "Subnet 2 Name"
        }
      },
//** Define the Name of the the Network Security Group */
      "networkSecurityGroup01Name": {
        "type": "string",
        "defaultValue": "Cloud-Corner-NSG-01",
        "metadata": {
          "description": "This is the name of the network security group"
        }
      },
//** Define the Name of the the First Route Table */
      "RouteTable01Name": {
        "type": "string",
        "defaultValue": "Cloud-Corner-UDR-01",
        "metadata": {
        "description": "Route Table 01 Name."
        }
      },
//** Define the Name of the the First Route of the First Route Table */
      "Route01Name": {
        "type": "string",
        "defaultValue": "To-internet",
        "metadata": {
          "description": "Route 01 Name."
        }
      },
//** Define the Next Hop Type of the the First Route of the First Route Table */
      "Route01NextHopType": {
        "type": "string",
        "allowedValues": [
        "VirtualNetworkGateway",
        "VnetLocal",
        "Internet",
        "VirtualAppliance",
        "None"
      ],
      "defaultValue": "VirtualAppliance",
        "metadata": {
          "description": "Route 01 Next Hop Type."
        }
      },
//** Define the Address Prefix of the First Route of the First Route Table */
      "Route01AddressPrefix": {
        "type": "string",
        "defaultValue": "0.0.0.0/0",
        "metadata": {
          "description": "Route 01 Address Prefix."
        }
      },
//** If you set "Virtyal Appliance for Next Hop Type, then you need to define the Next Hop IP Address, */
//** meaning the appliance's IP address. Here you define it for the First Route of the First Route Table */
        "RT01Route01NextHopIPAddress": {
        "type": "string",
        "defaultValue": "10.0.0.40",
        "metadata": {
          "description": "Next Hop IP Addess."
        }
      },
//** Define the Name of the Second Route Table */
      "RouteTable02Name": {
        "type": "string",
        "defaultValue": "Cloud-Corner-UDR-02",
        "metadata": {
          "description": "Route Table 02 Name."
        }
      },
//** Define the Name of the the First Route of the Second Route Table */
      "RT02Route01Name": {
        "type": "string",
        "defaultValue": "Local-Subnet",
        "metadata": {
        "description": "Route Table 02 Route 01 Name."
        }
      },
//** Define the Next Hop Type of the the First Route of the Second Route Table */
      "RT02Route01NextHopType": {
        "type": "string",
        "allowedValues": [
        "VirtualNetworkGateway",
        "VnetLocal",
        "Internet",
        "VirtualAppliance",
        "None"
      ],
      "defaultValue": "VnetLocal",
        "metadata": {
          "description": "Route 02 Next Hop Type."
        }
      },
//** Define the Address Prefix of the the First Route of the Second Route Table */
      "RT02Route01AddressPrefix": {
        "type": "string",
        "defaultValue": "10.0.0.0/27",
        "metadata": {
          "description": "Route Table 02 Route 01 Address Prefix."
        }
      },
//** Define the Name of the the Second Route of the Second Route Table */
        "RT02Route02Name": {
          "type": "string",
          "defaultValue": "To-subnet-1",
          "metadata": {
            "description": "Route Table 02 Route 01 Name."
          }
        },
//** Define the Next Hop Type of the the Second Route of the Second Route Table */
        "RT02Route02NextHopType": {
          "type": "string",
          "allowedValues": [
          "VirtualNetworkGateway",
          "VnetLocal",
          "Internet",
          "VirtualAppliance",
          "None"
        ],
        "defaultValue": "VirtualAppliance",
          "metadata": {
            "description": "Route 02 Next Hop Type."
          }
        },
//** Define the address prefix of the the Second Route of the Second Route Table */
        "RT02Route02AddressPrefix": {
          "type": "string",
          "defaultValue": "10.0.0.32/27",
          "metadata": {
            "description": "Route Table 02 Route 01 Address Prefix."
          }
      },
//** Define the next hop IP address (the virtual appliance's address) of the the Second Route of the Second Route Table */
        "RT02Route02NextHopIPAddress": {
          "type": "string",
          "defaultValue": "10.0.0.40",
          "metadata": {
            "description": "Next Hop IP Addess."
          }
        }
    },
//** I dont use any variables, you can exclude this section*/
  "variables": {},
  "resources": [
//* create the First Route Table & Route*/
    {
    "apiVersion": "2017-10-01",
    "type": "Microsoft.Network/routeTables",
    "name": "[parameters('RouteTable01Name')]",
    "location": "[resourceGroup().location]",
    "properties": {
    "disableBgpRoutePropagation": true,
    "routes": [
      {
        "name": "[parameters('Route01Name')]",
        "properties": {
          "addressPrefix": "[parameters('Route01AddressPrefix')]",
          "nextHopType": "[parameters('Route01NextHopType')]",
          "nextHopIpAddress": "[parameters('RT01Route01NextHopIPAddress')]"
          }
        }
      ]
    }
  },
//* create the Second Route Table & Routes*/
    {
    "apiVersion": "2017-10-01",
    "type": "Microsoft.Network/routeTables",
    "name": "[parameters('RouteTable02Name')]",
    "location": "[resourceGroup().location]",
    "properties": {
    "disableBgpRoutePropagation": true,
    "routes": [
      {
        "name": "[parameters('RT02Route01Name')]",
        "properties": {
          "addressPrefix": "[parameters('RT02Route01AddressPrefix')]",
          "nextHopType": "[parameters('RT02Route01NextHopType')]"
        }
      },
          {
        "name": "[parameters('RT02Route02Name')]",
        "properties": {
          "addressPrefix": "[parameters('RT02Route02AddressPrefix')]",
          "nextHopType": "[parameters('RT02Route02NextHopType')]",
          "nextHopIpAddress": "[parameters('RT02Route02NextHopIPAddress')]"
          }
        }
      ]
    }
  },
//* create teh Network Security Group */
    {
    "apiVersion": "2019-02-01",
    "type": "Microsoft.Network/networkSecurityGroups",
    "name": "[parameters('networkSecurityGroup01Name')]",
    "location": "[resourceGroup().location]",
    "properties": {
      "securityRules": [
        {
          "name": "HTTPS",
          "properties": {
            "description": "Open HTTPS to Public",
            "protocol": "Tcp",
            "sourcePortRange": "443",
            "destinationPortRange": "443",
            "sourceAddressPrefix": "*",
            "destinationAddressPrefix": "*",
            "access": "Allow",
            "priority": 101,
            "direction": "Inbound"
            }
          }
        ]
      }
    },
//* create the Virtual Network */
    {
      "apiVersion": "2018-10-01",
      "type": "Microsoft.Network/virtualNetworks",
      "name": "[parameters('vnetName')]",
      "location": "[resourceGroup().location]",
//*add a dependency in order to ensure that the NSG is created before the VNET, in order to be able to attach it*/
      "dependsOn": [
        "[parameters('networkSecurityGroup01Name')]"
      ],
      "properties": {
        "AddressSpace": {
          "AddressPrefixes": [
            "[parameters('vnetAddressPrefix')]"
          ]
        }
      },
      "resources": [
//* create the first subnet */
        {
        "apiVersion": "2018-10-01",
        "type": "subnets",
        "location": "[resourceGroup().location]",
        "name": "[parameters('subnet1Name')]",
//* add dependencies to create the resources with an order, because you need to ensure that the VNET is ready before creating the Subnet and also the Route Table*/
        "dependsOn": [
          "[parameters('vnetName')]",
          "[resourceId('Microsoft.Network/routeTables', parameters('RouteTable01Name'))]"
        ],
        "properties": {
        "AddressPrefix": "[parameters('subnet1Prefix')]",
//*attach the Newtork Securoty Group to the Subnet*/
        "networkSecurityGroup": {
        "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroup01Name'))]"},
//*attacht the First route table to the Subnet*/
        "routeTable": {
        "id": "[resourceId('Microsoft.Network/routeTables', parameters('RouteTable01Name'))]"
          }
         }
        },
//*create the second subnet*/
        {
        "apiVersion": "2018-10-01",
        "type": "subnets",
        "location": "[resourceGroup().location]",
        "name": "[parameters('subnet2Name')]",
        "dependsOn": [
          "[parameters('vnetName')]",
          "[parameters('subnet1Name')]",
          "[parameters('RouteTable02Name')]"
        ],
        "properties": {
          "AddressPrefix": "[parameters('subnet2Prefix')]",
//*attach the Newtork Securoty Group to the Subnet*/
          "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroup01Name'))]"},
//*attacht the second route table to the Subnet*/
          "routeTable": {
          "id": "[resourceId('Microsoft.Network/routeTables', parameters('RouteTable02Name'))]"
            }
          }
        }
      ]
    }
  ]
}

Deploy the template

Deploy the template directly from here:

More Azure Resource Manager Templates: https://www.e-apostolidis.gr/microsoft/azure/create-azure-file-shares-using-arm-template-powershell/

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Infrastructure as Code | Deploy a VNET & NSG & UDR appeared first on Apostolidis Cloud Corner.

Application Security Groups helps to manage the security of the Azure Virtual Machines by grouping them according the applications that runs on them. It is a feature that allows the application-centric use of Network Security Groups.

An example is always the best way to better understand a feature. So let’s say that in a Subnet we have some Web Servers and some Database Servers. The access rules of the Subnet’s Network Security Group to allow http, https & database access to those servers will be something like this:

Using only the Network Security Groups functionality we need to add the IP addresses of the servers to use them to the access lists. There are two major difficulties here:

1. For every rule we need to add all the IPs of the servers that will be included.
2. If there is an IP address change (e.g by adding or removing a server) then all the relative rules must change.

Use Application Security Groups

Now, lets see how we can bypass this complexity by using Application Security Groups, combined with Network Security Groups.

Create two Application Security Groups, one for the Web Servers and one for the Database Servers

At the Azure Portal, search for Application Security Groups

Provide a name and a Resource Group

Create one more with name Database Servers and at the Resource Group you will have those two Application Security Groups:

Then go each Virtual Machine and attach the relevant ASG.

Click the Virtual Machine and then go to the Networking settings blade, and press the “Configure the application security groups”

Select the relevant ASG and press save:

Do the same for all your servers. Finally open the Network Security Group. Open the https rule, at my example is the “https2WebServers” rule.  Change the Destination to “Application Security Group” and for Destination application security group select the Web Servers.

Same way change the database access rule and for Source add the “Database Server” ASG and for destination the “Web Servers” ASG. Now the NSG will look like this:

Now on when removing a VM from the Web Servers farm of the Database servers cluster there is no need to change anything at the NSG. When adding a new VM, the only thing we need to do is to attach the VM to the relative Application Security Group.

A Virtual Machine can be attached to more than one Application Security Group. This helps in cases of multi-application servers.

There are only two requirements:

• All network interfaces used in an ASG must be within the same VNet
• If ASGs are used in the source and destination, they must be within the same VNet

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Application Security Groups to simplify your Azure VMs network security appeared first on Apostolidis Cloud Corner.

Continuing the Azure Security Center posts, today we will see a new feature of the Security Center, called Just in Time VM Access.

As best security practice, all the management ports of a Virtual Machine should be closed using Network Security Groups. Only the ports required for any published services should be opened, if any.

However there are many occasions that we are requested to open a management port for administration or a service port for some tests for short time. This action has two major problems, first it requires a lot of administration time, because the administrator must go to the Azure Portal and add a rule at the VM’s NSG. The second problem is that many time the port is forgotten open and this is a major vulnerability since the majority of the Brute Force attacks are performed to the management ports, 22 and 3389.

Here comes the Azure Security Center, with the Just in Time VM Access feature. With this feature we can use the RBAC of the azure Portal and allow specific users to Request a predefined port to be opened for a short time frame.

JIT Configuration

Lets see how we configure the JIT.  First we need to go to the Azure Security Center. Scroll down to the ADVANCED CLOUD DEFENSE and click the “Just in time VM Access”. Since it is at a Preview you need to press the “Try Just in time VM access”

After we enable JIT, the window displays tree tabs, the Configured, the Recommended and the No recommendation. The Configured tab displays the Virtual Machines that we have already enabled JIT. The recommended are VMs that have NSGs and are recommended to be enabled for JIT. The No recommendation are Classic VMs or VMs that don’t have attached NSG.

To enable JIT for a VM, go to the Recommended tab, select one or more VMs and press “Enable JIT on x VMs”

At the “JIT VM access configuration” the Security Center proposes rule with the default management ports. We can add other ports that we need and also remove any of them that are unnecessary.

At each rule we can configure the Port, the Protocol, the Source IP and the Maximum request time.

If we leave the “Allowed source IPs” to “Per request” then we allow the requester to decide. One very interesting setting here is that when a user requests access it has the option to allow only the Public IP that he is using at that time automatically.

With the last option, the “Max request time” we narrow down the maximum time that we will allow a port to be opened.

After we configure all the parameters we click Save and the VM moves to the Configured tab. At any time we can change the configuration by selecting the VM, press the three dots at the end of the line (…) and click Edit.

The Propertied button opens the VM’s blade, the Activity log shows all the users that requested access and the Remove of course disabled the JIT.

Behind the scene

What really happens to the VM? if you browse to the NSG that is attached to the VM you will see that all the port rules configured at the JIT are added as NSG Rules with lower priority than all the other rules. All other rules automatically changed priority to higher.

Lets see how we request access and what happens in the background. To request access go to the Security Center / JIT , select the VM and press “Request Access”

At the “Request access” blade switch on the desired port, select “My IP” or “IP Range” and the Timerange, all according to the JIT configuration of the VM. Finally press “Open Ports”

At the above example I select “My IP” so if you go to the VM’s NSG you will see that the 3389 port rule changed to “Allow” and for Source has my current Public IP. Also it moved at first priority.

After the expiration of the time rage the port will change to “Deny” and move back to its prior priority.

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Bulletproof manage your Azure VMs appeared first on Apostolidis Cloud Corner.