In the first part of our journey to deploying a web server in Azure, we created a Tuono Blueprint that defined a resource group, virtual network, and subnet. This is the foundation for communication between the resources we are going to deploy.
In this part, we will look at creating a Network Security Group to open specific ports for our web server, first manually in the Azure Portal and then with a few edits to our original Tuono Blueprint. We will create an inbound rule for SSH (port 22) and one for HTTP (port 80).
How do I create a Network Security Group in the Azure Portal?
Navigate to the Resource Groups page in the Azure Portal from the side blade or the search bar and click “Add”.
Select the Resource Group you created and assign the Security Group a name, then click “Review + create”. Click “Create” on the review screen to create the Security Group.
How do I add SSH and HTTP ports to a Network Security Group in the Azure Portal?
Navigate to the new Network Security Group. Under “Inbound security rules”, let's add our SSH and HTTP ports.
The following table outlines the settings for each required port.
| Setting | SSH rule | HTTP rule |
|---|---|---|
| Source port ranges | * | * |
| Destination port ranges | 22 | 80 |
Click “Add” under the inbound security rules and use the table to create the inbound rules that allow SSH and HTTP.
When complete, your inbound security rules will look like this.
Finally, let's associate the Network Security Group with the subnet we created as part of our Virtual Network in Part 1 of the series.
From the Network Security Group, select “Subnets” and then click “Associate”. Choose the Virtual Network we created manually and its default subnet, then click “OK”.
This leaves us with a new Security Group with inbound ports 22 and 80 open and an associated subnet.
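Before moving on, it is worth checking that the Security Group in Azure really contains only the two rules from the table and nothing else. The following script is an added example for this walkthrough, not Tuono or Azure tooling: it audits an NSG rule export against the intended inbound rules (TCP 22 and TCP 80) and lists which rules accept traffic from any source, which is what the table's `*` source means. The rule fields it reads (`name`, `direction`, `access`, `protocol`, `sourceAddressPrefix`, `destinationPortRange`) follow the JSON that `az network nsg rule list` returns; the sample rules are constructed for the example and include one extra rule so the audit has something to flag.

```python
"""Audit an Azure NSG's inbound rules against the walkthrough's intent (TCP 22 and TCP 80 only).

Added example for this walkthrough, not Tuono or Azure tooling. The field names
are assumed to follow the JSON shape of `az network nsg rule list`; SAMPLE_RULES
is a constructed export, not data from a real subscription.
"""
import json

# Inbound allow rules the walkthrough intends to create: (protocol, destination port).
EXPECTED_INBOUND = {("Tcp", "22"), ("Tcp", "80")}

# Constructed sample export: the two walkthrough rules plus one leftover rule on 8080.
SAMPLE_RULES = [
    {"name": "SSH", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "HTTP", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "80"},
    {"name": "extra-rule", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "8080"},
]
SAMPLE_RULES_JSON = json.dumps(SAMPLE_RULES)  # what a saved `az ... -o json` file would hold


def inbound_allow_rules(rules):
    """Keep only the rules that actually admit traffic into the subnet."""
    return [r for r in rules if r["direction"] == "Inbound" and r["access"] == "Allow"]


def audit_inbound_rules(rules):
    """Compare an NSG's inbound allow rules with EXPECTED_INBOUND.

    Returns (missing, unexpected, open_to_any):
      missing     - expected (protocol, port) pairs that have no allow rule
      unexpected  - names of allow rules that open something not in the table
      open_to_any - names of allow rules whose source is any address ("*"),
                    listed so the operator can confirm that scope is intended
    Single-port destinationPortRange values are assumed, as in the table.
    """
    allows = inbound_allow_rules(rules)
    found = {(r["protocol"], r["destinationPortRange"]) for r in allows}
    missing = sorted(EXPECTED_INBOUND - found)
    unexpected = sorted(r["name"] for r in allows
                        if (r["protocol"], r["destinationPortRange"]) not in EXPECTED_INBOUND)
    open_to_any = sorted(r["name"] for r in allows if r["sourceAddressPrefix"] == "*")
    return missing, unexpected, open_to_any


def report(rules_json):
    """Print a summary for one exported NSG; return True when the NSG matches the table exactly."""
    missing, unexpected, open_to_any = audit_inbound_rules(json.loads(rules_json))
    for proto, port in missing:
        print(f"MISSING   : no inbound allow rule for {proto} {port}")
    for name in unexpected:
        print(f"UNEXPECTED: rule {name!r} allows a port the walkthrough did not ask for")
    for name in open_to_any:
        print(f"NOTE      : rule {name!r} accepts traffic from any source (*)")
    return not missing and not unexpected


if __name__ == "__main__":
    report(SAMPLE_RULES_JSON)
```

Run it against a real export by replacing `SAMPLE_RULES_JSON` with the contents of a file written by `az network nsg rule list --resource-group <group> --nsg-name <nsg> -o json` (placeholders). The `NOTE` lines are not failures; they are the reminder that the table's `*` source makes ports 22 and 80 reachable from every address, so you can decide later whether to narrow the SSH rule's source range.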
Tuono eliminates the manual steps
With Tuono, we can skip all of the manual steps by building on the Blueprint from Part 1. With a few small blueprint additions, the Network Security Group, security hardening, and opening of our designated ports can be applied on top of the network we already created.
Creating the policy and firewall in the Tuono blueprint introduces us to protocols. Protocols let you open specific ports and combine them in a firewall definition. Here we define the ssh and http protocols by assigning each a port number and the tcp protocol.
```yaml
protocol:
  ssh:
    ports:
      - port: 22
        proto: tcp
  http:
    ports:
      - port: 80
        proto: tcp
```
We define a Blueprint firewall using the ssh and http protocols we defined above.
```yaml
firewall:
  fw-external-access:
    rules:
      - protocols: ssh
        to: self
      - protocols: http
        to: self
```
The existing subnet is modified with `firewall: fw-external-access` to associate the network security group with the existing subnet.
```yaml
subnet:
  subnet-walkthrough:
    range: 10.0.0.0/24
    network: vnet-walkthrough
    firewall: fw-external-access
    public: true
```
Our complete Blueprint currently looks like the following and forms the networking and security groundwork for the next part in the series, where we will deploy an NGINX web server. Applying this blueprint will set up the defined Security Group and associate it with the subnet on the virtual network we created in Part 1 – Resource Group, Virtual Network, and Subnet.
```yaml
#
# This is an example blueprint that demonstrates the creation of an Azure webservice
#
---
location:
  region:
    my-region:
      country: USA
      area: northwest

folder:
  azure-walkthrough:
    region: my-region

networking:
  network:
    vnet-walkthrough:
      range: 10.0.0.0/16
      public: true

  subnet:
    subnet-walkthrough:
      range: 10.0.0.0/24
      network: vnet-walkthrough
      firewall: fw-external-access   # Part 2 adds a Firewall to the subnet and marks it public
      public: true

  # Part 2 Protocols
  protocol:
    ssh:
      ports:
        - port: 22
          proto: tcp
    http:
      ports:
        - port: 80
          proto: tcp

  # Part 2 adds a Firewall using a protocol
  firewall:
    fw-external-access:
      rules:
        - protocols: ssh
          to: self
        - protocols: http
          to: self
```
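Because the subnet, firewall and protocols reference each other by name, a typo in any one of them only surfaces when the blueprint is applied. The following script is an added example for this walkthrough, not Tuono's own code or validator: it walks subnet -> firewall -> rules -> protocols -> ports and reports exactly which ports the subnet's firewall opens, rejecting dangling references first. `BLUEPRINT` is the networking section above transcribed into the structure a YAML loader would produce, so no YAML library is needed; the nesting of `protocol` and `firewall` under `networking` is assumed from the snippets in this post, and only the keys shown on the page are used.

```python
"""Resolve what a Tuono Blueprint's subnet firewall actually opens before applying it.

Added example for this walkthrough, not Tuono's own code. BLUEPRINT mirrors the
Part 2 networking section; its nesting is assumed from the post's snippets.
"""
import copy

BLUEPRINT = {
    "networking": {
        "network": {
            "vnet-walkthrough": {"range": "10.0.0.0/16", "public": True},
        },
        "subnet": {
            "subnet-walkthrough": {
                "range": "10.0.0.0/24",
                "network": "vnet-walkthrough",
                "firewall": "fw-external-access",
                "public": True,
            },
        },
        "protocol": {
            "ssh": {"ports": [{"port": 22, "proto": "tcp"}]},
            "http": {"ports": [{"port": 80, "proto": "tcp"}]},
        },
        "firewall": {
            "fw-external-access": {
                "rules": [
                    {"protocols": "ssh", "to": "self"},
                    {"protocols": "http", "to": "self"},
                ],
            },
        },
    },
}


class BlueprintError(ValueError):
    """A reference in the blueprint points at something that is not defined."""


def resolve_subnet_ports(blueprint, subnet_name):
    """Return sorted (proto, port, to) triples the subnet's firewall opens.

    Raises BlueprintError on any dangling network, firewall or protocol
    reference, so a typo fails here rather than at apply time.
    """
    net = blueprint["networking"]
    subnet = net.get("subnet", {}).get(subnet_name)
    if subnet is None:
        raise BlueprintError(f"subnet {subnet_name!r} is not defined")
    vnet = subnet.get("network")
    if vnet not in net.get("network", {}):
        raise BlueprintError(f"subnet {subnet_name!r} references undefined network {vnet!r}")
    fw_name = subnet.get("firewall")
    if fw_name is None:
        return []  # no firewall on the subnet: this blueprint opens nothing here
    firewall = net.get("firewall", {}).get(fw_name)
    if firewall is None:
        raise BlueprintError(f"subnet {subnet_name!r} references undefined firewall {fw_name!r}")

    opened = set()
    for rule in firewall.get("rules", []):
        names = rule["protocols"]
        if isinstance(names, str):  # the post writes a single protocol as a scalar
            names = [names]
        for name in names:
            protocol = net.get("protocol", {}).get(name)
            if protocol is None:
                raise BlueprintError(f"firewall {fw_name!r} references undefined protocol {name!r}")
            for entry in protocol["ports"]:
                opened.add((entry["proto"], int(entry["port"]), rule["to"]))
    return sorted(opened)


def check_subnet(blueprint, subnet_name):
    """Non-raising wrapper: (True, opened ports) or (False, error message)."""
    try:
        return True, resolve_subnet_ports(blueprint, subnet_name)
    except BlueprintError as err:
        return False, str(err)


def with_typo(blueprint):
    """Copy of the blueprint whose subnet points at a misspelled firewall (constructed for the demo)."""
    broken = copy.deepcopy(blueprint)
    broken["networking"]["subnet"]["subnet-walkthrough"]["firewall"] = "fw-external-acces"
    return broken


if __name__ == "__main__":
    for proto, port, to in resolve_subnet_ports(BLUEPRINT, "subnet-walkthrough"):
        print(f"subnet-walkthrough opens {proto}/{port} to {to}")
    ok, detail = check_subnet(with_typo(BLUEPRINT), "subnet-walkthrough")
    print("typo blueprint accepted" if ok else f"typo blueprint rejected: {detail}")
```

For the blueprint above the resolver reports tcp/22 and tcp/80 to `self`, which is exactly the table from the portal walkthrough; if a future edit adds a protocol to `fw-external-access`, the new port shows up in this list before anything is changed in Azure.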
Next up is Part 3 in our series, where we show you how to configure a virtual machine with NGINX using cloud-init.
And in case you missed Part 1, click here to learn how to create a resource group, virtual network, and subnet.
Interested in turning code into infrastructure? Tuono’s “infrastructure as code” platform automates the deployment and ongoing management of web servers and many other Azure infrastructure objects. Our free Community Edition makes it easy to try and experience how Tuono’s complete automation platform enables you to quickly and confidently build repeatable infrastructure in Azure.