Auto-create Default Outbound NSG for Servers in Azure
Overview
In Azure, a Network Security Group (NSG) is a basic stateful packet filter: an ordered list of allow and deny rules evaluated by priority.
An NSG can be associated with subnets, with individual NICs, or with both.
By default an NSG's outbound rules (AllowVnetOutBound, AllowInternetOutBound) permit all outbound traffic, which is not appropriate for servers that have no business reaching arbitrary Internet destinations.
There are discussions [1] [2] on how to restrict outbound traffic while still allowing the traffic to Azure infrastructure that services such as Windows Update depend on.
I found that the existing methods create hundreds of rules, which are difficult to maintain. This post introduces a method that creates a single augmented security rule allowing outbound traffic to all Azure IP ranges of the selected regions.
Keep in mind what this rule actually grants: "all Azure IPs" includes any Azure-hosted VM, storage account or function, including ones an attacker controls, so it narrows the exfiltration path rather than closing it. It is a maintainability trade-off against per-service rules, not a replacement for them where the threat model calls for tighter egress control.
Implementation
Code – new
The following script uses the Azure PowerShell Az module.
The Out-GridView selection used by the old script is not available in this environment, so all parameters are set at the top of the script before running it.
Note that the Azure Datacenter IP Ranges XML download (id=41653) that both scripts scrape has since been retired in favour of the Azure IP Ranges and Service Tags JSON download (id=56519) and the Get-AzNetworkServiceTag cmdlet, so the download step will need updating before the script can run today.
```powershell
# JZ 20190712
# This script creates a rule to allow outbound traffic to all Azure IPs
# Note: before running, delete the existing NSG rule named $ruleName at priority $priorityNumber

# Parameters
$subscriptionID  = "00000000-aaaa-bbbb-cccc-0000000000"
$selectedRegions = "australiaeast","australiasoutheast","australiac","australiac2"
$rgName          = "Resource-group-name"
$nsgName         = "network-security-group-name"
$ruleName        = "Allow_Outbound_to_Azure_IPs"
$priorityNumber  = 200

# Sign-in with Azure account credentials
Connect-AzAccount

# Select Azure Subscription
Select-AzSubscription -SubscriptionId $subscriptionID

# Download current list of Azure Public IP ranges
# See https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653 for latest list
$downloadUri  = "https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653"
$downloadPage = Invoke-WebRequest -Uri $downloadUri
# The download page links the XML file; take the first link that contains "PublicIps"
$xmlFileUri   = ($downloadPage.RawContent.Split('"') -like "https://*PublicIps*")[0]
$response     = Invoke-WebRequest -Uri $xmlFileUri

# Get list of regions & public IP ranges
[xml]$xmlResponse = [System.Text.Encoding]::UTF8.GetString($response.Content)
$regions = $xmlResponse.AzurePublicIpAddresses.Region
$ipRange = ($regions | Where-Object Name -In $selectedRegions).IpRange

# Combine all IPs
# They need to be in an array format to use NSG augmented security rules
$all_subnets = ""
ForEach ($subnet in $ipRange.Subnet) {
    $all_subnets += $subnet
    $all_subnets += ","
}
$all_subnets = $all_subnets.TrimEnd(",")
$prefixes = $all_subnets.Split(",")   # string[] of CIDR prefixes

# Add the NSG rule: one augmented rule carrying every prefix as its destination
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
    -Access Allow -Protocol * -Direction Outbound -Priority $priorityNumber `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $prefixes -DestinationPortRange *
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
```
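As an added example (not part of the original post), the same single rule built from the Azure Service Tag API rather than the scraped XML download, and applied idempotently so the existing rule does not have to be deleted by hand first. Everything named at the top is a placeholder; the tag-name pattern AzureCloud.<region>, the Values/Properties.AddressPrefixes property path returned by Get-AzNetworkServiceTag, and the $maxPrefixes guard value are assumptions that should be checked against the current Az.Network module and the documented NSG limits before relying on them.

```powershell
# Added example, not the post's own script.
# Builds the "allow outbound to Azure" rule from the Service Tag API (Az.Network),
# replaces the rule in place, and checks the result. Assumes Connect-AzAccount has
# already been run and the context points at the right subscription.

# Placeholders (assumed, not from the original post)
$rgName          = "Resource-group-name"
$nsgName         = "network-security-group-name"
$ruleName        = "Allow_Outbound_to_Azure_IPs"
$priorityNumber  = 200
$selectedRegions = "australiaeast", "australiasoutheast"
$maxPrefixes     = 4000   # assumed cap on prefixes per rule; verify against Azure networking limits

function Get-AzureCloudPrefixesForRegions {
    param([Parameter(Mandatory)] [string[]] $Regions)

    # Get-AzNetworkServiceTag returns the whole service-tag catalogue; -Location
    # only chooses which regional copy of the catalogue is downloaded.
    $catalogue = Get-AzNetworkServiceTag -Location $Regions[0]

    $prefixes = foreach ($region in $Regions) {
        # Regional tags are named AzureCloud.<region>, e.g. AzureCloud.australiaeast (assumed pattern)
        $tag = $catalogue.Values | Where-Object { $_.Name -ieq "AzureCloud.$region" }
        if (-not $tag) { throw "No AzureCloud service tag found for region '$region'" }
        $tag.Properties.AddressPrefixes
    }
    # De-duplicate: the same prefix can be listed under more than one tag
    return @($prefixes | Sort-Object -Unique)
}

function Set-AzureOutboundAllowRule {
    param(
        [Parameter(Mandatory)] $Nsg,
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [int]      $Priority,
        [Parameter(Mandatory)] [string[]] $Prefixes,
        [int] $MaxPrefixes = 4000
    )
    if ($Prefixes.Count -gt $MaxPrefixes) {
        throw "Rule '$Name' would carry $($Prefixes.Count) prefixes, above the assumed limit of $MaxPrefixes; split it per region"
    }
    # Replace rather than add: a second Add with the same name or priority fails
    if ($Nsg.SecurityRules | Where-Object Name -eq $Name) {
        $Nsg = Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $Nsg -Name $Name
    }
    $Nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $Nsg -Name $Name `
        -Access Allow -Protocol * -Direction Outbound -Priority $Priority `
        -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix $Prefixes -DestinationPortRange *
    # Set-AzNetworkSecurityGroup pushes the change and returns the stored object
    return Set-AzNetworkSecurityGroup -NetworkSecurityGroup $Nsg
}

$prefixes = Get-AzureCloudPrefixesForRegions -Regions $selectedRegions
Write-Host "Collected $($prefixes.Count) prefixes for $($selectedRegions -join ', ')"

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
$nsg = Set-AzureOutboundAllowRule -Nsg $nsg -Name $ruleName -Priority $priorityNumber `
    -Prefixes $prefixes -MaxPrefixes $maxPrefixes

# Check: read the rule back and confirm the prefix count survived the round trip
$applied = $nsg.SecurityRules | Where-Object Name -eq $ruleName
if ($applied.DestinationAddressPrefix.Count -ne $prefixes.Count) {
    Write-Warning "Prefix count mismatch: sent $($prefixes.Count), NSG shows $($applied.DestinationAddressPrefix.Count)"
}
```

The prefix-count guard matters because the NSG API rejects an oversized rule only at Set time, after the local object has already been modified; failing early keeps the script from leaving a half-built rule in the session. Re-running the script after Microsoft publishes a new range set is then a no-op apart from the changed prefixes.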
Code – old
The following script uses the older Azure PowerShell AzureRM module.
Adjust the three parameters at the top before running it; the subscription, resource group and regions are then selected interactively with Out-GridView.
```powershell
# JZ 20180810
# This script creates a rule to allow outbound traffic to all Azure IPs
# Note: before running, delete the existing NSG rule named $ruleName at priority $priorityNumber

# Parameters
$nsgName        = "VLAN-webDMZ-Security-Group"
$ruleName       = "Allow_Outbound_to_Azure_IPs"
$priorityNumber = 200

# Sign-in with Azure account credentials
Login-AzureRmAccount

# Select Azure Subscription
$subscriptionId = (Get-AzureRmSubscription | Out-GridView `
    -Title "Select an Azure Subscription ..." `
    -PassThru).SubscriptionId
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# Select Azure Resource Group
$rgName = (Get-AzureRmResourceGroup | Out-GridView `
    -Title "Select an Azure Resource Group ..." `
    -PassThru).ResourceGroupName

# Download current list of Azure Public IP ranges
# See https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653 for latest list
$downloadUri  = "https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653"
$downloadPage = Invoke-WebRequest -Uri $downloadUri
# The download page links the XML file; take the first link that contains "PublicIps"
$xmlFileUri   = ($downloadPage.RawContent.Split('"') -like "https://*PublicIps*")[0]
$response     = Invoke-WebRequest -Uri $xmlFileUri

# Get list of regions & public IP ranges
[xml]$xmlResponse = [System.Text.Encoding]::UTF8.GetString($response.Content)
$regions = $xmlResponse.AzurePublicIpAddresses.Region

# Select Azure regions for which to define NSG rules
$selectedRegions = $regions.Name | Out-GridView `
    -Title "Select Azure Datacenter Regions ..." `
    -PassThru
$ipRange = ($regions | Where-Object Name -In $selectedRegions).IpRange

# Combine all IPs
# They need to be in an array format to use NSG augmented security rules
$all_subnets = ""
ForEach ($subnet in $ipRange.Subnet) {
    $all_subnets += $subnet
    $all_subnets += ","
}
$all_subnets = $all_subnets.TrimEnd(",")
$prefixes = $all_subnets.Split(",")   # string[] of CIDR prefixes

# Add the NSG rule: one augmented rule carrying every prefix as its destination
$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
    -Access Allow -Protocol * -Direction Outbound -Priority $priorityNumber `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix $prefixes -DestinationPortRange *
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
```
After running the code
After adding the Azure allow rule, you will usually need a few additional rules for legitimate non-Azure destinations that your applications depend on, for example:
- public DNS servers
- email services
- kms.core.windows.net:1688 (Windows activation)
- third-party APIs
- anything else your applications need to reach
NSG rules match on addresses and service tags, not hostnames, so a destination such as kms.core.windows.net has to be expressed as an address prefix, a service tag, or at least a narrow port on the Internet tag.
Then create a final rule at the lowest priority that denies all outbound traffic. Note that this deny rule is evaluated before the default rules, so it also overrides AllowVnetOutBound; if the servers must reach other resources in the virtual network, add an explicit allow for the VirtualNetwork service tag ahead of it.
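As an added example (not the post's own code), the follow-up steps above as one script: an explicit VirtualNetwork allow, the Azure allow, the exception rules, and the final deny-all, driven from a single rule table so the whole egress policy is reviewable in one place, followed by a check that no rule is shadowed by the deny. The resource names, the resolver and mail-relay addresses (RFC 5737 documentation ranges) and the priorities are placeholders. It uses the built-in AzureCloud service tag as the Azure destination, which Azure maintains for you, instead of the scraped prefix list; AzureCloud.<Region> variants exist if you want to keep the regional scoping of the scripts above.

```powershell
# Added example, not the post's own script.
# Completes the outbound policy on an NSG from a rule table, then verifies ordering.
# Assumes Connect-AzAccount has been run and the context is on the right subscription.

# Placeholders (assumed, not from the original post)
$rgName       = "Resource-group-name"
$nsgName      = "network-security-group-name"
$denyPriority = 4000   # leaves 4001-4096 free, which the shadowing check below guards

# Each entry becomes one outbound rule. Narrow every exception to the protocol
# and port it actually needs; "*" is only used where the post itself did.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges: replace them.
$rules = @(
    @{ Name = "Allow_Outbound_VNet";      Priority = 100; Protocol = "*"
       Dest = "VirtualNetwork";           Port = "*"    }   # keeps intra-VNet traffic working under deny-all
    @{ Name = "Allow_Outbound_AzureCloud"; Priority = 200; Protocol = "*"
       Dest = "AzureCloud";               Port = "*"    }   # service tag: Azure maintains the prefixes
    @{ Name = "Allow_Outbound_DNS";        Priority = 210; Protocol = "Udp"
       Dest = @("203.0.113.53", "203.0.113.54"); Port = "53" }
    @{ Name = "Allow_Outbound_SMTP";       Priority = 220; Protocol = "Tcp"
       Dest = "198.51.100.25";            Port = "587"  }
    @{ Name = "Allow_Outbound_KMS";        Priority = 230; Protocol = "Tcp"
       Dest = "Internet";                 Port = "1688" }   # hostnames are not allowed; narrow by port instead
    @{ Name = "Deny_All_Outbound";         Priority = $denyPriority; Protocol = "*"
       Dest = "*";                        Port = "*"; Access = "Deny" }
)

function Set-OutboundRuleSet {
    param([Parameter(Mandatory)] $Nsg, [Parameter(Mandatory)] [hashtable[]] $RuleSet)
    foreach ($r in $RuleSet) {
        $access = if ($r.ContainsKey("Access")) { $r.Access } else { "Allow" }
        # Replace an existing rule of the same name so the script is re-runnable
        if ($Nsg.SecurityRules | Where-Object Name -eq $r.Name) {
            $Nsg = Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $Nsg -Name $r.Name
        }
        $Nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $Nsg -Name $r.Name `
            -Access $access -Protocol $r.Protocol -Direction Outbound -Priority $r.Priority `
            -SourceAddressPrefix * -SourcePortRange * `
            -DestinationAddressPrefix $r.Dest -DestinationPortRange $r.Port
    }
    return Set-AzNetworkSecurityGroup -NetworkSecurityGroup $Nsg
}

function Get-ShadowedOutboundRules {
    # Any user rule with a priority numerically above the deny-all is never reached
    param([Parameter(Mandatory)] $Nsg, [Parameter(Mandatory)] [int] $DenyPriority)
    return @($Nsg.SecurityRules | Where-Object {
        $_.Direction -eq "Outbound" -and $_.Priority -gt $DenyPriority
    })
}

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName
$nsg = Set-OutboundRuleSet -Nsg $nsg -RuleSet $rules

# Show the effective outbound order so the policy can be eyeballed top to bottom
$nsg.SecurityRules | Where-Object Direction -eq "Outbound" | Sort-Object Priority |
    Format-Table Priority, Name, Access, Protocol, DestinationPortRange -AutoSize

$shadowed = Get-ShadowedOutboundRules -Nsg $nsg -DenyPriority $denyPriority
if ($shadowed.Count -gt 0) {
    Write-Warning "Rules shadowed by Deny_All_Outbound: $($shadowed.Name -join ', ')"
}
```

Putting the deny at 4000 rather than 4096 costs nothing and makes a later "I added a rule at 4050, why does it not work" mistake detectable by the shadowing check. If you keep the post's prefix-list rule instead of the AzureCloud tag, drop it into the table in place of the AzureCloud entry; the rest of the policy is unchanged.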
References
[1] https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/
[2] https://serverfault.com/questions/888645/nsg-block-all-outbount-internet-traffic