lab-06 - Network Security Groups support for Private Endpoints¶
If you want to control traffic to and from a private endpoint, you must configure the Network Security Group (NSG) to allow or deny traffic to and from the private endpoint. You can do this by adding the private endpoint's IP address to the NSG's inbound and outbound security rules. For each rule, you can specify source and destination, port, and protocol. Security rules are evaluated and applied based on the five-tuple (source, source port, destination, destination port, and protocol) information.
In this lab we will implement the following requirements:
- allow access to SQL server and Azure KeyVault from IP range configured for Point-To-Site VPN
- deny access to SQL server and Azure KeyVault from testVM
Task #1 - test connectivity to SQL server and Azure KeyVault¶
First check that you can connect to SQL server and Azure KeyVault both from your PC and from testVM. Make sure that you are connected to VPN.
$keyvaultName = (az keyvault list -g iac-ws5-rg --query '[].name' -o tsv)
az keyvault secret list --vault-name $keyvaultName
From the Azure Data Studio, try to connect to your SQL Server.
Task #2 - implement and deploy Network Security Group using Bicep¶
Get private endpoints (plinks-snet
) and address prefix:
az network vnet subnet show -n plinks-snet -g iac-ws5-rg --vnet-name iac-ws5-vnet --query addressPrefix -o tsv
az network vnet subnet show -n testvm-snet -g iac-ws5-rg --vnet-name iac-ws5-vnet --query addressPrefix -o tsv
Create new nsg.bicep
file with following content. Use address prefix for privateLinkAddressPrefix
and testVMSubnetAddressPrefix
variables from the previous step (if you haven't change the default values, then these values are the same as in the example below)
param location string = resourceGroup().location
param prefix string = 'iac-ws5'
var nsgName = '${prefix}-ple-nsg'
var vpnClientAddressPrefix = '172.0.0.0/16'
var privateLinkAddressPrefix = '10.10.1.0/24'
var testVMSubnetAddressPrefix = '10.10.0.64/26'
resource nsg 'Microsoft.Network/networkSecurityGroups@2022-11-01' = {
name: nsgName
location: location
properties: {
securityRules: [
{
name: 'AllowHTTPSAccessFromVPN'
type: 'Microsoft.Network/networkSecurityGroups/securityRules'
properties: {
direction: 'Inbound'
access: 'Allow'
protocol: 'TCP'
sourcePortRange: '*'
destinationPortRange: '443'
sourceAddressPrefix: vpnClientAddressPrefix
destinationAddressPrefix: privateLinkAddressPrefix
priority: 100
}
}
{
name: 'AllowSQLAccessFromVPN'
type: 'Microsoft.Network/networkSecurityGroups/securityRules'
properties: {
direction: 'Inbound'
access: 'Allow'
protocol: 'TCP'
sourcePortRange: '*'
destinationPortRange: '1443'
sourceAddressPrefix: vpnClientAddressPrefix
destinationAddressPrefix: privateLinkAddressPrefix
priority: 110
}
}
{
name: 'DenyHTTPSAccessFromTestVM'
type: 'Microsoft.Network/networkSecurityGroups/securityRules'
properties: {
direction: 'Inbound'
access: 'Deny'
protocol: 'TCP'
sourcePortRange: '*'
destinationPortRange: '443'
sourceAddressPrefix: testVMSubnetAddressPrefix
destinationAddressPrefix: privateLinkAddressPrefix
priority: 120
}
}
{
name: 'DenySQLAccessFromTestVM'
type: 'Microsoft.Network/networkSecurityGroups/securityRules'
properties: {
direction: 'Inbound'
access: 'Deny'
protocol: 'TCP'
sourcePortRange: '*'
destinationPortRange: '1443'
sourceAddressPrefix: testVMSubnetAddressPrefix
destinationAddressPrefix: privateLinkAddressPrefix
priority: 130
}
}
]
}
}
Deploy NSG
It will deploy new NSG called iac-ws5-ple-nsg
with four rules.
Network security groups support for private endpoints
In order to enable NSG for private endpoint, you will need to set subnet's PrivateEndpointNetworkPolicies
property to Enabled
on the subnet containing private endpoint resources.
Assign NSG to the subnet and enable PrivateEndpointNetworkPolicies
property
az network vnet subnet update -g iac-ws5-rg --vnet-name iac-ws5-vnet -n plinks-snet --network-security-group iac-ws5-ple-nsg --disable-private-endpoint-network-policies false
Task #3 - test connectivity to SQL server and Azure KeyVault¶
Now, test connectivity to SQL server and Azure KeyVault both from your PC. You should be able to connect to SQL server and Azure KeyVault. Next, test connectivity to SQL server and Azure KeyVault from testVM. You should not be able to connect to SQL server and Azure KeyVault.
Note
It might take some minutes for NSG changes to take effect.
Links¶
- Manage network policies for private endpoints
- Network security groups
- Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
- Tutorial: Log network traffic to and from a virtual machine using the Azure portal
- Flow logging for network security groups