
Auto-create Default Outbound NSG for Servers in Azure

Overview

In Azure, a Network Security Group (NSG) is a basic stateful firewall consisting of an ordered list of security rules.

An NSG can be associated with subnets, with individual NICs, or with both.

By default an NSG allows all outbound traffic, which is not an appropriate default for servers.

There are discussions [1] [2] on how to restrict outbound traffic while still allowing traffic to the Azure infrastructure that various services, such as Windows Update, depend on.

I found that the existing methods create hundreds of rules, which are difficult to maintain. This post introduces a method that creates a single rule allowing outbound traffic to all Azure IP ranges.

Implementation

Code – new

The following script uses the Azure PowerShell Az module.

Because the Az module does not support a GUI yet, there are more parameters to set before running it.

Code – old

The following script uses the older Azure PowerShell module.

Adjust the three parameters before running it.

After running the code

After defining these Azure-related outbound rules, you may need to add further rules permitting outbound access to other legitimate non-Azure services that your applications depend on, such as

  • public DNS servers
  • email services
  • kms.core.windows.net:1688
  • third-party APIs
  • any other endpoints your applications need to reach

Then, you can create a rule at the end of the NSG to block all outbound traffic.
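The following script is an added example, not the post's own "new" or "old" script, showing the whole procedure end to end with the Az module: one outbound rule carrying every Azure address prefix, the extra rules for the non-Azure services listed above (public DNS and the KMS endpoint), and a deny-all rule at the lowest custom priority. The resource group, region, NSG name and DNS resolver addresses are assumed placeholder values. It also assumes that `Get-AzNetworkServiceTag` (Az.Network) is available in your module version and that you have already signed in with `Connect-AzAccount`; the post's original scripts may have obtained the IP ranges differently.

```powershell
# Added example (not the post's script): build an outbound NSG with
#   1. one rule allowing all Azure IP ranges (taken from the AzureCloud service tag),
#   2. rules for the non-Azure services the post lists (public DNS, KMS on 1688),
#   3. a final deny-all outbound rule.
# Requires the Az module and an authenticated session (Connect-AzAccount).

# Assumed parameter values; adjust before running.
$ResourceGroupName = 'rg-servers'            # assumed
$Location          = 'westeurope'            # assumed; also used for the service tag lookup
$NsgName           = 'nsg-servers-outbound'  # assumed
$DnsServers        = @('8.8.8.8', '1.1.1.1') # constructed sample list; use your own resolvers

# Pull the current Azure address prefixes. Get-AzNetworkServiceTag returns every
# service tag known for the region; the AzureCloud tag covers all public Azure ranges.
$tags       = Get-AzNetworkServiceTag -Location $Location
$azureCloud = $tags.Values | Where-Object { $_.Name -eq 'AzureCloud' }
if (-not $azureCloud) { throw "AzureCloud service tag not found for region $Location" }
$prefixes = @($azureCloud.Properties.AddressPrefixes)
Write-Host "Allowing $($prefixes.Count) Azure prefixes in a single rule"

$rules = @()

# Rule 1: a single rule whose destination is the whole Azure prefix list.
$rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-AzureCloud-Out' `
    -Description 'Outbound to all Azure public IP ranges' `
    -Access Allow -Protocol '*' -Direction Outbound -Priority 100 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix $prefixes -DestinationPortRange '*'

# Rule 2: public DNS resolvers on port 53 (TCP and UDP).
$rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-PublicDNS-Out' `
    -Access Allow -Protocol '*' -Direction Outbound -Priority 110 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix $DnsServers -DestinationPortRange '53'

# Rule 3: Windows activation against kms.core.windows.net:1688.
# NSG rules take IP addresses, not host names, so resolve the name at build time;
# re-run the script if the address ever changes.
$kmsIps = [System.Net.Dns]::GetHostAddresses('kms.core.windows.net') |
    ForEach-Object { $_.IPAddressToString }
$rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-KMS-Out' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 120 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix $kmsIps -DestinationPortRange '1688'

# Last rule: block everything else. 4096 is the lowest custom priority, so this is
# evaluated after every rule above but before the default AllowInternetOutBound rule.
$rules += New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Out' `
    -Access Deny -Protocol '*' -Direction Outbound -Priority 4096 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

# Create the NSG; associate it with the subnet or NIC afterwards.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Location $Location `
    -Name $NsgName -SecurityRules $rules

# Show the resulting rule order so the deny rule is visibly last.
$nsg.SecurityRules | Select-Object Name, Priority, Access, DestinationPortRange | Format-Table
```

Two things to keep in mind when running it: the prefix list is a snapshot, and Azure ranges change over time, so schedule the script to rebuild the rule periodically rather than running it once; and NSGs cap the number of address prefixes they can hold, so if the AzureCloud list ever exceeds that cap in your region, split it across several rules or use the `AzureCloud` service tag name itself as the destination prefix instead of the expanded list.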

Reference

[1] https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/

[2] https://serverfault.com/questions/888645/nsg-block-all-outbount-internet-traffic
