Azure Cloud Automation Quickstart – Network Security Group

In the first part of our journey to deploying a web server in Azure, we created a Tuono Blueprint that created a resource group, virtual network, and subnet. This is the foundation for communication between the resources we are going to deploy.

In this part, we will look at creating a Network Security Group to open specific ports for our web server from the Azure Portal and from the simplicity of a few edits to our original Tuono Blueprint. We will create an inbound rule for SSH (port 22) and HTTP (port 80).

How do I create a Network Security Group in the Azure Portal?

Navigate to the Resource Groups page in the Azure Portal with the side blade or using the search bar and click add.

Azure Network Security Groups

Select the Resource Group you created and assign the Security Group a name then click “Review + create”. Click “Create” on the review screen to create the Security Group.

Azure Create Network Security Group

How do I add SSH and HTTP ports to a Network Security Group in the Azure Portal?

Navigate to the new Network Security Group. Under “Inbound security rules”, let's add our SSH and HTTP ports.

The following table outlines the settings for each required port.

Inbound Rule              SSH                HTTP
Source                    Any                Any
Source port ranges        *                  *
Destination               Any                Any
Destination port ranges   22                 80
Protocol                  TCP                TCP
Action                    Allow              Allow
Priority                  101                102
Name                      port-22-inbound    port-80-inbound

Click “Add” on the inbound security rules page and use the table to create the inbound rules that allow SSH and HTTP.

Azure Manual Security Group

When complete, your inbound security rules will look like this.

Finally let’s associate the Network Security Group with the subnet we created as part of our Virtual Network in Part 1 of the series.

From the Network Security Group, select “Subnets” and then click “Associate”. Associate the Network Security Group with the Virtual Network we created manually and its default subnet, then click “OK”.

Azure Subnets

This leaves us with a new Network Security Group with inbound ports 22 and 80 open and an associated subnet.

Tuono eliminates the manual steps

With Tuono, we can skip all of the manual steps by building on the Blueprint from Part 1. With a few small additions to the Blueprint, the Network Security Group, its security hardening, and the opening of our designated ports can be applied on top of the network we already created.

Creating the policy and firewall in the Tuono Blueprint introduces us to protocols. A protocol names a set of ports, and a firewall definition combines protocols into rules. Here we define the ssh and http protocols by assigning each a port number and the tcp transport.

protocol:
  ssh:
    ports:
      - port: 22
        proto: tcp
  http:
    ports:
      - port: 80
        proto: tcp

We then define a Blueprint firewall using the ssh and http protocols defined above.

firewall:
  fw-external-access:
    rules:
      - protocols: ssh
        to: self
      - protocols: http
        to: self

The existing subnet definition gains the line firewall: fw-external-access, which associates the Network Security Group with the existing subnet.

subnet:
  subnet-walkthrough:
    range: 10.0.0.0/24
    network: vnet-walkthrough
    firewall: fw-external-access 
    public: true

Our complete Blueprint currently looks like the following and forms the groundwork of communication and security for the next part in the series, where we will deploy an NGINX web server. Applying this Blueprint will set up the defined Security Group and associate it with the subnet on the virtual network we created in Part 1 – Resource Group, Virtual Network, and Subnet.

#
# This is an example blueprint that demonstrates the creation of an Azure webservice
#
---
location:
  region:
    my-region:
      country: USA
      area: northwest
  folder:
    azure-walkthrough:
      region: my-region
networking:
  network:
    vnet-walkthrough:
      range: 10.0.0.0/16
      public: true
  subnet:
    subnet-walkthrough:
      range: 10.0.0.0/24
      network: vnet-walkthrough
      firewall: fw-external-access   # Part 2 adds a Firewall to the subnet and marks it public
      public: true

# Part 2 Protocols
  protocol:
    ssh:
      ports:
        - port: 22
          proto: tcp
    http:
      ports:
        - port: 80
          proto: tcp
          
# Part 2 adds a Firewall using a protocol
  firewall:
    fw-external-access:
      rules:
        - protocols: ssh
          to: self
        - protocols: http
          to: self
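The portal table and the Blueprint above describe the same two inbound rules in two notations. As an added example (not Tuono's code or part of the original post), the Python below takes the parsed `networking` section of the Part 2 Blueprint, checks that every firewall and protocol reference resolves, and expands the firewall attached to the subnet into NSG-style inbound rules in the shape of the portal table; it also flags that an Any-source rule on a public subnet is reachable from the internet. The Any-source mapping follows the portal table on this page; how Tuono itself renders `to: self`, and whether `protocols` may be a list, are assumptions.

```python
"""Expand Tuono protocol/firewall/subnet sections into the NSG inbound rules they imply."""

# Parsed form of the Part 2 blueprint's `networking` section (as yaml.safe_load
# would return it); constructed inline so the example runs with no YAML library.
NETWORKING = {
    "subnet": {"subnet-walkthrough": {"range": "10.0.0.0/24", "network": "vnet-walkthrough",
                                      "firewall": "fw-external-access", "public": True}},
    "protocol": {"ssh": {"ports": [{"port": 22, "proto": "tcp"}]},
                 "http": {"ports": [{"port": 80, "proto": "tcp"}]}},
    "firewall": {"fw-external-access": {"rules": [{"protocols": "ssh", "to": "self"},
                                                  {"protocols": "http", "to": "self"}]}},
}


def _as_list(value):
    """Accept a single protocol name or a list of names (list form is an assumption)."""
    return value if isinstance(value, list) else [value]


def dangling_references(networking):
    """Report subnets whose firewall, or firewall rules whose protocol, is undefined."""
    problems = []
    for sname, subnet in networking.get("subnet", {}).items():
        fw = subnet.get("firewall")
        if fw and fw not in networking.get("firewall", {}):
            problems.append(f"subnet {sname}: unknown firewall {fw}")
    for fname, fw in networking.get("firewall", {}).items():
        for rule in fw.get("rules", []):
            for pname in _as_list(rule.get("protocols")):
                if pname not in networking.get("protocol", {}):
                    problems.append(f"firewall {fname}: unknown protocol {pname}")
    return problems


def nsg_rules(networking, subnet_name, base_priority=101):
    """Render the firewall attached to `subnet_name` as one NSG inbound rule per port,
    in the shape of the portal table. Assumes dangling_references() returned []."""
    subnet = networking["subnet"][subnet_name]
    firewall = networking["firewall"][subnet["firewall"]]
    rules, priority = [], base_priority
    for rule in firewall["rules"]:
        for pname in _as_list(rule["protocols"]):
            for entry in networking["protocol"][pname]["ports"]:
                rules.append({
                    "name": f"port-{entry['port']}-inbound", "priority": priority,
                    "protocol": entry["proto"].upper(), "source": "Any", "source_ports": "*",
                    "destination": "Any", "dest_ports": str(entry["port"]), "action": "Allow",
                    # Any-source rule on a public subnet: the port is reachable from the internet
                    "internet_exposed": bool(subnet.get("public")),
                })
                priority += 1
    return rules
```

Run `dangling_references` before applying a Blueprint, and review every rule it reports as `internet_exposed` against what the web server actually needs to serve.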

Next up is Part 3 in our series, where we show you how to configure a virtual machine with nginx using cloud-init.

And in case you missed Part 1, click here to learn how to create a resource group, virtual network, and subnet.

Interested in turning code into infrastructure? Tuono’s “infrastructure as code” platform automates the deployment and ongoing management of web servers and many other Azure infrastructure objects. Our free Community Edition makes it easy to try and experience how Tuono’s complete automation platform enables you to quickly and confidently build repeatable infrastructure in Azure.

Deploy your first environment