Filter network traffic with a network security group using the Azure CLI
You can filter network traffic inbound to and outbound from a virtual network subnet with a network security group. Network security groups contain security rules that filter network traffic by IP address, port, and protocol. Security rules are applied to resources deployed in a subnet. In this article, you learn how to:
- Create a network security group and security rules
- Create a virtual network and associate a network security group to a subnet
- Deploy virtual machines (VM) into a subnet
- Test traffic filters
If you don't have an Azure trial subscription, create a trial subscription before you begin.
Prerequisites
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
This article requires version 2.0.28 or later of the Azure CLI.
Note
Before you can use Azure CLI in Microsoft Azure operated by 21Vianet, please run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to Azure Public Cloud, run az cloud set -n AzureCloud again.
Create a network security group
A network security group contains security rules. Security rules specify a source and destination. Sources and destinations can be application security groups.
Create application security groups
First create a resource group for all the resources created in this article with az group create. The following example creates a resource group in the chinaeast location:
az group create \
--name test-rg \
--location chinaeast
Create an application security group with az network asg create. An application security group enables you to group servers with similar port filtering requirements. The following example creates two application security groups.
az network asg create \
--resource-group test-rg \
--name asg-web-servers \
--location chinaeast
az network asg create \
--resource-group test-rg \
--name asg-mgmt-servers \
--location chinaeast
Create a network security group
Create a network security group with az network nsg create. The following example creates a network security group named nsg-1:
# Create a network security group
az network nsg create \
--resource-group test-rg \
--name nsg-1
Create security rules
Create a security rule with az network nsg rule create. The following example creates a rule that allows traffic inbound from the internet to the asg-web-servers application security group over ports 80 and 443:
az network nsg rule create \
--resource-group test-rg \
--nsg-name nsg-1 \
--name Allow-Web-All \
--access Allow \
--protocol Tcp \
--direction Inbound \
--priority 100 \
--source-address-prefix Internet \
--source-port-range "*" \
--destination-asgs "asg-web-servers" \
--destination-port-range 80 443
The following example creates a rule that allows traffic inbound from the Internet to the asg-mgmt-servers application security group over port 22:
az network nsg rule create \
--resource-group test-rg \
--nsg-name nsg-1 \
--name Allow-SSH-All \
--access Allow \
--protocol Tcp \
--direction Inbound \
--priority 110 \
--source-address-prefix Internet \
--source-port-range "*" \
--destination-asgs "asg-mgmt-servers" \
--destination-port-range 22
In this article, the asg-mgmt-servers asg exposes SSH (port 22) to the internet. For production environments, use a VPN or private network connection to manage Azure resources instead of exposing port 22 to the internet.
Create a virtual network
Create a virtual network with az network vnet create. The following example creates a virtual network named vnet-1:
az network vnet create \
--name vnet-1 \
--resource-group test-rg \
--address-prefixes 10.0.0.0/16
Add a subnet to a virtual network with az network vnet subnet create. The following example adds a subnet named subnet-1 to the virtual network and associates the nsg-1 network security group to it:
az network vnet subnet create \
--vnet-name vnet-1 \
--resource-group test-rg \
--name subnet-1 \
--address-prefix 10.0.0.0/24 \
--network-security-group nsg-1
Create virtual machines
Create two VMs in the virtual network so you can validate traffic filtering in a later step.
Create a VM with az vm create. The following example creates a VM that serves as a web server. The --asgs asg-web-servers option causes Azure to make the network interface it creates for the VM a member of the asg-web-servers application security group. The --nsg "" option is specified to prevent Azure from creating a default network security group for the network interface Azure creates when it creates the VM. The command prompts you to create a password for the VM. SSH keys aren't used in this example to facilitate the later steps in this article. In a production environment, use SSH keys for security.
az vm create \
--resource-group test-rg \
--name vm-web \
--image Ubuntu2204 \
--vnet-name vnet-1 \
--subnet subnet-1 \
--nsg "" \
--asgs asg-web-servers \
--admin-username azureuser \
--authentication-type password \
--assign-identity
The VM takes a few minutes to create. After the VM is created, output similar to the following example is returned:
{
"fqdns": "",
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Compute/virtualMachines/vm-web",
"location": "chinaeast",
"macAddress": "00-0D-3A-23-9A-49",
"powerState": "VM running",
"privateIpAddress": "10.0.0.4",
"publicIpAddress": "203.0.113.24",
"resourceGroup": "test-rg"
}
Create a VM with az vm create. The following example creates a VM that serves as a management server. The --asgs asg-mgmt-servers option causes Azure to make the network interface it creates for the VM a member of the asg-mgmt-servers application security group.
The following example creates a VM and adds a user account. The --generate-ssh-keys parameter causes the CLI to look for an available SSH key in ~/.ssh. If one is found, that key is used. If not, one is generated and stored in ~/.ssh. Finally, we deploy the latest Ubuntu 22.04 image.
az vm create \
--resource-group test-rg \
--name vm-mgmt \
--image Ubuntu2204 \
--vnet-name vnet-1 \
--subnet subnet-1 \
--nsg "" \
--asgs asg-mgmt-servers \
--admin-username azureuser \
--generate-ssh-keys \
--assign-identity
The VM takes a few minutes to create. Don't continue with the next step until Azure finishes creating the VM.
Enable Microsoft Entra ID sign in for the virtual machines
The following example uses az vm extension set to install the extension that enables Microsoft Entra ID sign-in for a Linux VM. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines.
az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory \
--name AADSSHLoginForLinux \
--resource-group test-rg \
--vm-name vm-web
az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory \
--name AADSSHLoginForLinux \
--resource-group test-rg \
--vm-name vm-mgmt
Test traffic filters
Using an SSH client of your choice, connect to the VMs created previously. For example, the following command can be used from a command line interface such as Windows Subsystem for Linux to create an SSH session with the vm-mgmt VM. In the previous steps, we enabled Microsoft Entra ID sign-in for the VMs. You can sign in to the virtual machines using your Microsoft Entra ID credentials, or you can use the SSH key that you used to create the VMs. In the following example, we use the SSH key to sign in to the management VM and then sign in to the web VM from the management VM with a password.
For more information about how to SSH to a Linux VM and sign in with Microsoft Entra ID, see Sign in to a Linux virtual machine in Azure by using Microsoft Entra ID and OpenSSH.
Store IP address of VM in order to SSH
Run the following command to store the IP address of the VM as an environment variable:
export IP_ADDRESS=$(az vm show --show-details --resource-group test-rg --name vm-mgmt --query publicIps --output tsv)
ssh -o StrictHostKeyChecking=no azureuser@$IP_ADDRESS
The connection succeeds because the network interface attached to the vm-mgmt VM is in the asg-mgmt-servers application security group, which allows port 22 inbound from the Internet.
Use the following command to SSH to the vm-web VM from the vm-mgmt VM:
ssh -o StrictHostKeyChecking=no azureuser@vm-web
The connection succeeds because a default security rule within each network security group allows traffic over all ports between all IP addresses within a virtual network. You can't SSH to the vm-web VM from the Internet because the security rule for the asg-web-servers doesn't allow port 22 inbound from the Internet.
Use the following commands to install the nginx web server on the vm-web VM:
# Update package source
sudo apt-get -y update
# Install NGINX
sudo apt-get -y install nginx
The vm-web VM is allowed outbound to the Internet to retrieve nginx because a default security rule allows all outbound traffic to the Internet. Exit the vm-web SSH session, which leaves you at the username@vm-mgmt:~$ prompt of the vm-mgmt VM. To retrieve the nginx welcome screen from the vm-web VM, enter the following command:
curl vm-web
Sign out of the vm-mgmt VM. To confirm that you can access the vm-web web server from outside of Azure, enter curl <publicIpAddress> from your own computer. The connection succeeds because the asg-web-servers application security group, which the network interface attached to the vm-web VM is in, allows port 80 inbound from the Internet.
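The outcomes described in this section (SSH from the Internet to vm-mgmt succeeds, SSH from the Internet to vm-web fails, SSH between the two VMs succeeds, HTTP to vm-web succeeds) all follow from how Azure processes NSG rules: rules are tried in ascending priority number and the first match decides, with the built-in default rules AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500) sitting below anything you create. The following Python model is an added example, not code from the article or from Azure; it re-implements that evaluation over the two rules created above plus the defaults, and includes a small audit helper for the caveat about exposing port 22 to the Internet. The ASG membership table, the VM private IPs (10.0.0.4 for vm-web, 10.0.0.5 for vm-mgmt), the source IP 203.0.113.99 and the simplified handling of the Internet and VirtualNetwork service tags are all constructed assumptions for illustration.

```python
"""Model of Azure NSG inbound rule evaluation for the rules in this article.

Added example, not the article's or Azure's code. Service tags are
approximated: "VirtualNetwork" is the vnet-1 address space and "Internet"
is any address outside the vnet and outside RFC 1918 space. ASG membership
is a constructed mapping that mirrors the --asgs option on each az vm create.
"""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")        # --address-prefixes on vnet-1
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: which NIC private IPs belong to which application security group.
ASG_MEMBERS = {
    "asg-web-servers": {"10.0.0.4"},   # vm-web
    "asg-mgmt-servers": {"10.0.0.5"},  # vm-mgmt (constructed address)
}

# The two rules created with az network nsg rule create, plus the default
# inbound rules that exist in every NSG. dest_ports is a set or "*".
RULES = [
    dict(name="Allow-Web-All", priority=100, access="Allow", protocol="Tcp",
         source="Internet", dest_asg="asg-web-servers", dest_ports={80, 443}),
    dict(name="Allow-SSH-All", priority=110, access="Allow", protocol="Tcp",
         source="Internet", dest_asg="asg-mgmt-servers", dest_ports={22}),
    dict(name="AllowVnetInBound", priority=65000, access="Allow", protocol="*",
         source="VirtualNetwork", dest_asg="*", dest_ports="*"),
    dict(name="AllowAzureLoadBalancerInBound", priority=65001, access="Allow",
         protocol="*", source="AzureLoadBalancer", dest_asg="*", dest_ports="*"),
    dict(name="DenyAllInBound", priority=65500, access="Deny", protocol="*",
         source="*", dest_asg="*", dest_ports="*"),
]


def source_matches(tag, src_ip):
    """Approximate Azure service tags; a plain CIDR is matched directly."""
    ip = ipaddress.ip_address(src_ip)
    if tag == "*":
        return True
    if tag == "VirtualNetwork":
        return ip in VNET
    if tag == "Internet":
        return ip not in VNET and not any(ip in n for n in RFC1918)
    if tag == "AzureLoadBalancer":
        return src_ip == "168.63.129.16"   # Azure's health-probe source address
    return ip in ipaddress.ip_network(tag)


def dest_matches(dest_asg, dst_ip):
    return dest_asg == "*" or dst_ip in ASG_MEMBERS.get(dest_asg, set())


def evaluate(src_ip, dst_ip, port, protocol="Tcp"):
    """Return (access, rule_name) for the first rule that matches, trying
    rules in ascending priority number as Azure does."""
    for rule in sorted(RULES, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not source_matches(rule["source"], src_ip):
            continue
        if not dest_matches(rule["dest_asg"], dst_ip):
            continue
        if rule["dest_ports"] != "*" and port not in rule["dest_ports"]:
            continue
        return rule["access"], rule["name"]
    return "Deny", "no-match"   # never reached while DenyAllInBound exists


def internet_exposed_mgmt_ports(rules, mgmt_ports=(22, 3389)):
    """Audit helper: names of Allow rules that admit Internet traffic to
    management ports, the situation the article warns against."""
    hits = []
    for r in rules:
        if r["access"] != "Allow" or r["source"] not in ("Internet", "*"):
            continue
        if r["dest_ports"] == "*" or any(p in r["dest_ports"] for p in mgmt_ports):
            hits.append(r["name"])
    return hits


if __name__ == "__main__":
    cases = [("203.0.113.99", "10.0.0.5", 22),   # Internet -> vm-mgmt SSH
             ("203.0.113.99", "10.0.0.4", 22),   # Internet -> vm-web SSH
             ("10.0.0.5", "10.0.0.4", 22),       # vm-mgmt -> vm-web SSH
             ("203.0.113.99", "10.0.0.4", 80)]   # Internet -> vm-web HTTP
    for src, dst, port in cases:
        print(src, "->", dst, port, evaluate(src, dst, port))
    print("Internet-exposed management rules:", internet_exposed_mgmt_ports(RULES))
```

The model makes two points that are easy to miss when reading the rules in isolation: the SSH hop from vm-mgmt to vm-web is allowed by the default AllowVnetInBound rule rather than by anything you created, so removing the default behaviour (for example with a higher-priority Deny rule) would break that step; and the audit helper flags Allow-SSH-All exactly because it combines an Internet source with a management port, which is the exposure the article recommends replacing with a VPN or private connection in production.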
Clean up resources
When no longer needed, use az group delete to remove the resource group and all of the resources it contains.
az group delete \
--name test-rg \
--yes \
--no-wait
Next steps
In this article, you created a network security group and associated it to a virtual network subnet. To learn more about network security groups, see Network security group overview and Manage a network security group.
Azure routes traffic between subnets by default. You can instead choose to route traffic between subnets through a VM serving as a firewall, for example. To learn how, see Create a route table.