• Auto-create Default Outbound NSG for Servers in Azure

    Overview

    In Azure, a Network Security Group (NSG) is a basic firewall containing a list of security rules.

    An NSG can be associated with subnets, individual NICs, or both.

    By default, the outbound NSG for a subnet allows all outbound traffic, which is not secure for servers.

    There are discussions [1] [2] on how to limit outbound traffic while still allowing traffic to the Azure infrastructure required by different services, such as Windows updates.

    I found that existing methods created hundreds of rules which are difficult to maintain. This post introduces a method to create a single rule that allows the outbound traffic to all Azure IP ranges.

    Implementation

    Code – new

    The following script uses the Azure PowerShell Az module.

    It doesn’t support a GUI yet, so there are more parameters to set before running it.

    Code – old

    The following script uses Azure PowerShell.

    Adjust the 3 parameters before running it.

    After running the code

    After defining these Azure-related outbound rules, you may need to add some additional rules to permit outbound access to other legitimate non-Azure services, such as

    • public DNS servers
    • email services
    • kms.core.windows.net:1688
    • APIs
    • any other services that your applications may also need to access

    Then, you can create a rule at the end of the NSG to block all outbound traffic.
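
    The rule order described above, as an added example (not the post's own script): it assumes the single Azure rule is expressed with the AzureCloud service tag, and the resource group, NSG name and DNS addresses are placeholders.

    ```powershell
    # Added example. Assumes the Az.Network module and a signed-in session (Connect-AzAccount).
    $rgName  = 'rg-servers'    # hypothetical resource group name
    $nsgName = 'nsg-servers'   # hypothetical name of an existing NSG
    $dnsServers = @('192.0.2.53', '198.51.100.53')   # placeholder addresses, replace with yours

    # NSG rules accept IP prefixes or service tags, not host names, so resolve KMS first.
    $kmsIps = [System.Net.Dns]::GetHostAddresses('kms.core.windows.net') |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    if (-not $kmsIps) { throw 'Could not resolve kms.core.windows.net' }

    # Parameters shared by every rule below.
    $common = @{ Direction = 'Outbound'; SourceAddressPrefix = '*'; SourcePortRange = '*' }
    $nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

    # 1. One rule for all Azure IP ranges (assumption: the AzureCloud service tag).
    $nsg | Add-AzNetworkSecurityRuleConfig @common -Name 'Allow-Azure-Out' -Priority 100 `
        -Access Allow -Protocol '*' -DestinationAddressPrefix 'AzureCloud' `
        -DestinationPortRange '*' | Out-Null

    # 2. Additional non-Azure services the servers need.
    $nsg | Add-AzNetworkSecurityRuleConfig @common -Name 'Allow-DNS-Out' -Priority 200 `
        -Access Allow -Protocol '*' -DestinationAddressPrefix $dnsServers `
        -DestinationPortRange '53' | Out-Null
    $nsg | Add-AzNetworkSecurityRuleConfig @common -Name 'Allow-KMS-Out' -Priority 210 `
        -Access Allow -Protocol 'Tcp' -DestinationAddressPrefix $kmsIps `
        -DestinationPortRange '1688' | Out-Null

    # 3. Block everything else. 4096 is the lowest-precedence custom priority, so this
    #    is evaluated after every allow rule but before the default AllowInternetOutBound.
    $nsg | Add-AzNetworkSecurityRuleConfig @common -Name 'Deny-All-Out' -Priority 4096 `
        -Access Deny -Protocol '*' -DestinationAddressPrefix '*' `
        -DestinationPortRange '*' | Out-Null

    # Push the changes, then list the outbound rules in evaluation order to review them.
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
    (Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).SecurityRules |
        Where-Object Direction -eq 'Outbound' | Sort-Object Priority |
        Format-Table Priority, Name, Access, DestinationAddressPrefix, DestinationPortRange
    ```

    A deny-all rule at priority 4096 also overrides the default AllowVnetOutBound rule, so add an allow rule for the VirtualNetwork tag if the servers must reach each other. The resolved KMS address can change over time, so re-run the lookup when activation starts failing.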

    Reference

    [1] https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/

    [2] https://serverfault.com/questions/888645/nsg-block-all-outbount-internet-traffic

  • Exchange – “send as” and “send on behalf” records

    In Exchange 2010 and 2013, when you configure “send as” and “send on behalf” for a mailbox or shared mailbox, by default the sent emails are copied only to the sender’s sent box, not to the “from” mailbox.

    If multiple people have access to the same mailbox or shared mailbox, they may want to see the emails and replies sent by the others so that they are aware of the status of the conversation.

    To copy sent emails to both the sender’s and the “from” mailbox: