Auto-create Default Outbound NSG for Servers in Azure
Overview
In Azure, a Network Security Group (NSG) is a basic stateful firewall: an ordered list of security rules evaluated by priority (lowest number first).
An NSG can be associated with subnets, with individual NICs, or both.
The default outbound rules (AllowVnetOutBound, AllowInternetOutBound and DenyAllOutBound at priorities 65000, 65001 and 65500) let a server send traffic anywhere on the Internet, which is not secure for servers.
There are discussions [1] [2] on how to limit outbound traffic while still allowing the Azure infrastructure that services such as Windows Update depend on.
I found that the existing methods create hundreds of rules, which are difficult to maintain. This post introduces a method that creates a single augmented security rule allowing outbound traffic to all Azure public IP ranges of the selected regions. Two caveats: an NSG can hold only a limited number of address prefixes in total (4,000 at the time of writing), so select only the regions you need rather than the whole list; and NSG rules now also accept service tags such as AzureCloud (or a regional one such as AzureCloud.AustraliaEast) as a destination, which Microsoft maintains for you and which is the simpler option where it fits.
Implementation
Code – new
The following script uses the Az PowerShell module.
Because Out-GridView is not available in PowerShell Core, the subscription, resource group and regions are set as parameters at the top of the script instead of being selected interactively.
```powershell
# JZ 20190712
# This script creates a single NSG rule that allows outbound traffic to all
# Azure public IP ranges in the selected regions.
# Note: before running, delete any existing rule named $ruleName, or any rule
# that already uses priority $priorityNumber, in the target NSG.

# Parameters
$subscriptionID  = "00000000-aaaa-bbbb-cccc-0000000000"
$selectedRegions = "australiaeast","australiasoutheast","australiac","australiac2"
$rgName          = "Resource-group-name"
$nsgName         = "network-security-group-name"
$ruleName        = "Allow_Outbound_to_Azure_IPs"
$priorityNumber  = 200

# Sign in with Azure account credentials
Connect-AzAccount

# Select Azure subscription
Select-AzSubscription -SubscriptionId $subscriptionID

# Download the current list of Azure public IP ranges
# See https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653 for the latest list
$downloadUri  = "https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653"
$downloadPage = Invoke-WebRequest -Uri $downloadUri
$xmlFileUri   = ($downloadPage.RawContent.Split('"') -like "https://*PublicIps*")[0]
$response     = Invoke-WebRequest -Uri $xmlFileUri

# Parse the regions and their public IP ranges
[xml]$xmlResponse = [System.Text.Encoding]::UTF8.GetString($response.Content)
$regions = $xmlResponse.AzurePublicIpAddresses.Region
$ipRange = ($regions | Where-Object Name -In $selectedRegions).IpRange

# Collect the prefixes as a string array: an augmented security rule takes the
# whole array as its destination, so one rule covers every range
[string[]]$prefixes = $ipRange.Subnet
if (-not $prefixes) {
    throw "No IP ranges found for regions: $($selectedRegions -join ', ')"
}
Write-Host "Adding rule $ruleName with $($prefixes.Count) destination prefixes"

# Add the NSG rule and write the NSG back
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
    -Access Allow -Protocol * -Direction Outbound -Priority $priorityNumber `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $prefixes -DestinationPortRange *
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
```
Code – old
The following script uses the older AzureRM PowerShell module (now deprecated in favour of Az) and selects the subscription, resource group and regions interactively with Out-GridView.
Adjust the 3 parameters at the top before running it.
```powershell
# JZ 20180810
# This script creates a single NSG rule that allows outbound traffic to all
# Azure public IP ranges in the selected regions.
# Note: before running, delete any existing rule named $ruleName, or any rule
# that already uses priority $priorityNumber, in the target NSG.

# Parameters
$nsgName        = "VLAN-webDMZ-Security-Group"
$ruleName       = "Allow_Outbound_to_Azure_IPs"
$priorityNumber = 200

# Sign in with Azure account credentials
Login-AzureRmAccount

# Select Azure subscription (interactive)
$subscriptionId = (Get-AzureRmSubscription | Out-GridView `
    -Title "Select an Azure Subscription ..." `
    -PassThru).SubscriptionId
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# Select Azure resource group (interactive)
$rgName = (Get-AzureRmResourceGroup | Out-GridView `
    -Title "Select an Azure Resource Group ..." `
    -PassThru).ResourceGroupName

# Download the current list of Azure public IP ranges
# See https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653 for the latest list
$downloadUri  = "https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653"
$downloadPage = Invoke-WebRequest -Uri $downloadUri
$xmlFileUri   = ($downloadPage.RawContent.Split('"') -like "https://*PublicIps*")[0]
$response     = Invoke-WebRequest -Uri $xmlFileUri

# Parse the regions and their public IP ranges
[xml]$xmlResponse = [System.Text.Encoding]::UTF8.GetString($response.Content)
$regions = $xmlResponse.AzurePublicIpAddresses.Region

# Select the Azure regions for which to define the NSG rule (interactive)
$selectedRegions = $regions.Name | Out-GridView `
    -Title "Select Azure Datacenter Regions ..." `
    -PassThru
$ipRange = ($regions | Where-Object Name -In $selectedRegions).IpRange

# Collect the prefixes as a string array: an augmented security rule takes the
# whole array as its destination, so one rule covers every range
[string[]]$prefixes = $ipRange.Subnet
if (-not $prefixes) {
    throw "No IP ranges found for the selected regions"
}

# Add the NSG rule and write the NSG back
$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
    -Access Allow -Protocol * -Direction Outbound -Priority $priorityNumber `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $prefixes -DestinationPortRange *
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
```
After running the code
After defining the Azure-related outbound rule, you may need to add rules that permit outbound access to other legitimate non-Azure services your applications also need, such as:
- public DNS servers (UDP/TCP 53)
- email services (for example an SMTP relay)
- kms.core.windows.net:1688 for Windows activation
- third-party APIs
- the VirtualNetwork service tag, so servers can still reach other VMs in the VNet once the deny-all rule below is in place (the downloaded list covers Azure public ranges only, not your private address space)
Then create a rule at the end of the NSG that denies all outbound traffic. Custom rules use priorities 100 to 4096 and are evaluated before the default AllowInternetOutBound rule (priority 65001), so a Deny rule at priority 4096 with destination * overrides it; from then on anything not explicitly allowed by a rule above it is blocked.
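The following script completes the ruleset described above. It is an added example, not code from the original post: it checks that the Azure-IP allow rule exists, adds the extra allow rules (VNet, DNS, KMS, SMTP relay), appends the deny-all rule, and then lists the outbound rules in evaluation order. The resource group, NSG name, DNS resolver addresses, SMTP relay address and NIC name are placeholders you must replace.

```powershell
# Added example (not part of the original post). Assumptions: $rgName, $nsgName,
# the resolver and SMTP relay addresses and $nicName are placeholders.
$rgName   = "Resource-group-name"
$nsgName  = "network-security-group-name"
$nicName  = "server01-nic"                  # hypothetical NIC used for the final check
$dnsServers = "8.8.8.8","1.1.1.1"           # replace with your own resolvers
$smtpRelay  = "203.0.113.25"                # placeholder (TEST-NET-3), replace with your relay

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

# Guard: never append the deny-all before the Azure-IP allow rule exists,
# otherwise the servers lose Windows Update and other Azure services at once.
if (-not ($nsg.SecurityRules | Where-Object Name -eq "Allow_Outbound_to_Azure_IPs")) {
    throw "Create the Allow_Outbound_to_Azure_IPs rule first"
}

# East-west traffic: the Azure public IP list does not cover the VNet's private
# address space, so allow it explicitly via the VirtualNetwork service tag.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "Allow_Outbound_VNet" `
    -Access Allow -Protocol * -Direction Outbound -Priority 205 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange *

# Public DNS resolvers, port 53 only.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "Allow_Outbound_DNS" `
    -Access Allow -Protocol * -Direction Outbound -Priority 210 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $dnsServers -DestinationPortRange 53

# Windows activation: resolve kms.core.windows.net at run time rather than
# hard-coding its address, and allow only TCP 1688 to it.
$kmsIps = [System.Net.Dns]::GetHostAddresses("kms.core.windows.net") |
    Where-Object AddressFamily -eq "InterNetwork" |
    ForEach-Object { $_.IPAddressToString }
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "Allow_Outbound_KMS" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 220 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $kmsIps -DestinationPortRange 1688

# Outbound mail through a single relay on submission port 587.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "Allow_Outbound_SMTP" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 230 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $smtpRelay -DestinationPortRange 587

# Deny everything else. Priority 4096 is the last custom slot and still sits
# before the default AllowInternetOutBound rule (65001), so it overrides it.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "Deny_All_Outbound" `
    -Access Deny -Protocol * -Direction Outbound -Priority 4096 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

# Write the NSG back and show the outbound rules in the order Azure evaluates them.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
$nsg.SecurityRules |
    Where-Object Direction -eq "Outbound" |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, DestinationPortRange -AutoSize

# The effective rules on one NIC also include any NSG on its subnet, which is
# where a conflicting allow or deny usually hides.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rgName
```

Run this only after the Azure-IP rule from the script above is in place; the guard at the top enforces that order. If an NSG is also attached to the subnet, remember that both NSGs must allow a flow for it to pass, which is why the final Get-AzEffectiveNetworkSecurityGroup check is worth keeping.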
Reference
[1] https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/
[2] https://serverfault.com/questions/888645/nsg-block-all-outbount-internet-traffic