Onboarding : Azure Secure APIs/Services

Azure API Management Service [Source]

With Azure API Management Service we can:

  • Secure our backend APIs/Services
  • Expose API/Service products to external customers (exposes an OpenAPI endpoint)
  • Use the included secure API gateway
  • In the Premium tier, use the included Azure Traffic Manager
  • Throttle requests to prevent resource exhaustion
  • Set policies
  • Set caching

Key concepts

Secure and isolate access to Azure resources by using Network Security Groups and Application Security Groups

This section only covers “what should we know about NSG and ASG”. For the configuration, refer to “Configure NSG and ASG”.

A Network Security Group (NSG) specifies which computers can connect to the application server [Source].
  • Network Security Group: secures network traffic for virtual machines
  • Virtual Network Service Endpoint: controls network traffic to and from Azure services, e.g. storage, database
  • Application Security Group:

Network security group
  • Filters network traffic to or from Azure resources
  • Contains security rules that are configured to allow or deny inbound and outbound traffic
  • Can be used to filter traffic between virtual machines or subnets, both within a vnet and from the internet
  • Allowed IP addresses can be configured in the NSG as well
  • NSG rules are applied to connections between on-prem and a vnet, or between vnets
Diagram of network security groups
Source

Network security group assignment

  • An NSG is assigned to a network interface (NIC) or to a subnet
  • An NSG on a subnet applies to all NICs in that subnet
  • The NSGs of the subnet and of the NIC are evaluated separately
  • Placing the NSG on the subnet instead of on each NIC reduces administration and management effort
  • Each subnet and NIC can have only one NSG
  • NSG supports TCP, UDP and ICMP, and operates at layer 4 of the OSI model
  • The vnet and the NSG must be in the same region

Network security group security rules

  • An NSG contains one or more rules
  • Each rule either allows or denies traffic
  • Rule properties
    • Name
    • Priority 100..4096
    • Source [Any | IP Addresses | Service Tag | Application Security Group]
    • Source Port range
    • Protocol [Any | TCP | UDP | ICMP]
    • Destination [Any | IP Addresses | Service Tag | Application Security Group]
    • Destination Port range
    • Action [Allow | Deny]
  • Rules are evaluated in priority order using the 5-tuple (Source, Source Port, Destination, Destination Port, Protocol); processing stops at the first matching rule
  • The rule with the lower priority number takes effect, e.g. with 200 (Allow 3389 RDP) and 150 (Deny 3389 RDP), rule 150 wins and RDP is denied
  • NSG rules are stateful: return traffic for the same TCP/UDP session is allowed automatically, e.g. an inbound rule allowing port 80 also allows the VM to respond to that request, so no corresponding outbound rule is needed
Add Inbound rule pane
  • A service tag can allow or deny traffic to a specific Azure service, either globally or per region. You don't need to know the IP addresses and ports of the service, because Azure maintains them for you.
  • Microsoft creates the service tags (you cannot create your own)
  • Some examples of the tags are:
    • VirtualNetwork – This tag represents all virtual network addresses anywhere in Azure, and in your on-premises network if you’re using hybrid connectivity.
    • AzureLoadBalancer – This tag denotes Azure’s infrastructure load balancer. The tag translates to the virtual IP address of the host (168.63.129.16) where Azure health probes originate.
    • Internet – This tag represents anything outside the virtual network address that is publicly reachable, including resources that have public IP addresses. One such resource is the Web Apps feature of Azure App Service.
    • AzureTrafficManager – This tag represents the IP address for Azure Traffic Manager.
    • Storage – This tag represents the IP address space for Azure Storage. You can specify whether traffic is allowed or denied. You can also specify if access is allowed only to a specific region, but you can’t select individual storage accounts.
    • SQL – This tag represents the address for Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure SQL Data Warehouse services. You can specify whether traffic is allowed or denied, and you can limit to a specific region.
    • AppService – This tag represents address prefixes for Azure App Service.
service Tag

Scenario: We have a WebServer in Subnet1 and SQL Server in Subnet2. NSG must only allow 1433 for SQL.

Scenario: Suppose your company wants to restrict access to resources in your datacenter, spread across several network address ranges. With augmented rules, you can add all these ranges into a single rule, reducing the administrative overhead and complexity in your network security groups.

Network security group default rules

  • Default rules cannot be deleted or changed, but they can be overridden by custom rules with a lower priority number (which are evaluated first)
NSG Overview
Application Security Group (ASG)

Scenario: your company has a number of front-end servers in a virtual network. The web servers must be accessible over ports 80 and 8080. Database servers must be accessible over port 1433. You assign the network interfaces for the web servers to one application security group, and the network interfaces for the database servers to another application security group. You then create two inbound rules in your network security group. One rule allows HTTP traffic to all servers in the web server application security group. The other rule allows SQL traffic to all servers in the database server application security group.

  • An application security group lets you configure network security for the resources used by a specific application.
  • It groups VMs logically, regardless of their IP address or the subnet they are assigned to
  • Use the ASG inside an NSG rule to apply the rule to a group of resources; afterwards only the resources need to be added to the ASG, the rule itself stays unchanged
  • An ASG lets us group network interfaces together, and the ASG can be used as the Source or Destination of an NSG rule
Diagram of application security groups
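As an added example (not code from the page or from Microsoft), a small Python simulator of how an NSG evaluates an inbound flow: rules are checked in priority order (lower number first), sources and destinations may be an IP, a CIDR, "*", the VirtualNetwork service tag or an ASG resolved to its NIC addresses, and the two default inbound rules sit at 65000/65500. The vnet range, the ASG memberships and the rule set encode the web/database scenario above and the 150-vs-200 RDP example; all of them are constructed.

```python
"""Added example (not from the page or Microsoft): NSG inbound rule evaluation
with IP/CIDR, "*", VirtualNetwork and "asg:<name>" sources and destinations."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")   # constructed vnet address space
ASG_MEMBERS = {"web-asg": {"10.0.0.4", "10.0.0.5"}, "db-asg": {"10.0.1.4"}}  # constructed NIC -> ASG

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100..4096 for custom rules, 65000+ for the defaults
    source: str        # "*", IP or CIDR, "VirtualNetwork" or "asg:<name>"
    dest: str
    dest_ports: str    # "*", "80", "80,8080" or "1000-2000"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    access: str        # "Allow" or "Deny"

def _address_matches(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ipaddress.ip_address(addr) in VNET
    if spec.startswith("asg:"):
        return addr in ASG_MEMBERS.get(spec[4:], set())
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def evaluate(rules, src, dst, dst_port, protocol):
    """Return (access, rule name) of the first match; the lowest priority number
    is evaluated first, so a Deny at 150 shadows an Allow at 200 as in the text."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol in ("*", protocol) and _port_matches(rule.dest_ports, dst_port) \
                and _address_matches(rule.source, src) and _address_matches(rule.dest, dst):
            return rule.access, rule.name
    return "Deny", "<no rule>"   # not reached while the default rules are present

DEFAULT_INBOUND = [   # the two default inbound rules shown on the page
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]
# Scenario from the text: web ASG reachable on 80/8080, db ASG on 1433 from the web tier,
# plus the RDP pair showing that the Deny at 150 wins over the Allow at 200.
SCENARIO_RULES = DEFAULT_INBOUND + [
    Rule("AllowHttpToWeb", 100, "*", "asg:web-asg", "80,8080", "Tcp", "Allow"),
    Rule("AllowSqlToDb", 120, "asg:web-asg", "asg:db-asg", "1433", "Tcp", "Allow"),
    Rule("DenyRdp", 150, "*", "*", "3389", "Tcp", "Deny"),
    Rule("AllowRdp", 200, "*", "*", "3389", "Tcp", "Allow"),
]
```

Calling evaluate(SCENARIO_RULES, "10.0.0.4", "10.0.1.4", 22, "Tcp") shows why the SSH exercise below works between the two VMs: no custom rule matches, and the 65000 VirtualNetwork rule allows it before 65500 denies.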

Secure and isolate access to Azure resources by using Service Endpoints

Coming soon…

Source

Secure backend API by using API Management

Transformation Policies
  • Companies that publish web APIs often need to control the behavior of those APIs without recoding them.
  • Technical information has to be removed from responses/headers.
  • With API Management we can do this without changing the code, only with policies
Response Header [Source]

Scenario: The agency has created an API to make recent and historical census data available. They want to prevent any unnecessary back-end information from being exposed that could be used in malicious attacks. They would also like to prevent abuse of the APIs in the form of a large volume of requests and need a mechanism to throttle requests if they exceed an allowed amount. They are serving their APIs on the Azure API Management service and would like to implement policies to address these concerns.

  • Add a policy to the outbound section that removes the X-Powered-By header from responses:
<outbound>
   <set-header name="X-Powered-By" exists-action="delete" />
   <base />
</outbound>

List of some of the available policies

Transform | Detail
Convert JSON to XML | Converts a request or response body from JSON to XML.
Convert XML to JSON | Converts a request or response body from XML to JSON.
Find and replace string in body | Finds a request or response substring and replaces it with a different substring.
Mask URLs in content | Rewrites links in the response body so that they point to the equivalent link through the gateway. By adding <redirect-content-urls /> to the outbound section, all backend URLs are replaced with the APIM endpoint URL.
Set backend service | Changes the backend service for an incoming request.
Set body | Sets the message body for incoming and outgoing requests.
Set HTTP header | Assigns a value to an existing response or request header, or adds a new response or request header.
Set query string parameter | Adds, replaces the value of, or deletes a request query string parameter.
Rewrite URL | Converts a request URL from its public form to the form expected by the web service.
Transform XML using an XSLT | Applies an XSL transformation to the XML in the request or response body.
Throttling policies
Throttling | Detail
Throttle API requests | A few users over-use an API to the extent that you incur extra costs or that responsiveness to other users is reduced. You can use throttling to limit access to API endpoints by putting limits on the number of times an API can be called within a specified period of time, e.g. <rate-limit calls="3" renewal-period="15" />; the user receives a 429 error when that limit is reached.
# applies to all API operations
<rate-limit calls="3" renewal-period="15" />

# target a particular API operation (the <api> element encloses <operation>, so it is not self-closing)
<rate-limit calls="number" renewal-period="seconds">
    <api name="API name" id="API id" calls="number" renewal-period="seconds">
        <operation name="operation name" id="operation id" calls="number" renewal-period="seconds" />
    </api>
</rate-limit>

# applies the limit per counter key, often the client IP address, so every client gets an equal share of calls to the API
<rate-limit-by-key calls="number"
                   renewal-period="seconds"
                   increment-condition="condition"
                   counter-key="key value" />

# rate limit by the request's IP address
<rate-limit-by-key calls="10"
              renewal-period="60"
              increment-condition="@(context.Response.StatusCode == 200)"
              counter-key="@(context.Request.IpAddress)"/>
# When you throttle by key, you need to decide on the specific requirements for rate limiting. For example, three common ways of specifying the counter-key:
Value | Detail
context.Request.IpAddress | Rate limited by client IP address
context.Subscription.Id | Rate limited by subscription ID
context.Request.Headers.GetValue("My-Custom-Header-Value") | Rate limited by a specified client request header value

Note: The <rate-limit-by-key> policy is not available when your API Management gateway is in the Consumption tier. You can use <rate-limit> instead.
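As an added example (not code from the page or from API Management), a Python simulator of the <rate-limit-by-key> policy above with the page's values: calls=3, renewal-period=15, counter-key = client IP and increment-condition = response status 200. It assumes a simple fixed window that resets after the renewal period, which is a simplification of the gateway's counting; the request timeline is constructed.

```python
"""Added example (not from the page or API Management): fixed-window model of
<rate-limit-by-key calls="3" renewal-period="15" increment-condition="status == 200"
counter-key="client IP" />. The window reset is an assumed simplification."""


class RateLimitByKey:
    """At most `calls` counted requests per key in a window of `renewal_period` seconds."""

    def __init__(self, calls, renewal_period, counter_key, increment_condition):
        self.calls = calls
        self.renewal_period = renewal_period
        self.counter_key = counter_key                  # request -> key string
        self.increment_condition = increment_condition  # status code -> bool
        self._windows = {}                              # key -> (window start, count)

    def handle(self, request, now, backend):
        """Return the HTTP status the client sees. The backend is called only when
        the request is admitted; its status feeds the increment-condition."""
        key = self.counter_key(request)
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.renewal_period:          # renewal period elapsed: reset
            start, count = now, 0
        if count >= self.calls:                         # quota used up: reject, not counted
            self._windows[key] = (start, count)
            return 429
        status = backend(request)
        if self.increment_condition(status):            # only matching responses count
            count += 1
        self._windows[key] = (start, count)
        return status


def run_scenario():
    """Replay constructed traffic through the policy values used on the page."""
    policy = RateLimitByKey(calls=3, renewal_period=15,
                            counter_key=lambda req: req["ip"],
                            increment_condition=lambda status: status == 200)
    backend = lambda req: 500 if req["path"] == "/fail" else 200  # constructed backend
    timeline = [  # (seconds, client IP, path): constructed sample requests
        (0, "198.51.100.7", "/census/2020"),
        (1, "198.51.100.7", "/fail"),          # 500 from backend: not counted
        (2, "198.51.100.7", "/census/2010"),
        (3, "198.51.100.7", "/census/2000"),   # third counted call in the window
        (4, "198.51.100.7", "/census/1990"),   # over the limit: 429
        (5, "198.51.100.8", "/census/2020"),   # a different key is unaffected
        (16, "198.51.100.7", "/census/2020"),  # window renewed: admitted again
    ]
    return [policy.handle({"ip": ip, "path": path}, t, backend) for t, ip, path in timeline]
```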

Authentication policies

Source: https://docs.microsoft.com/en-us/learn/modules/protect-apis-on-api-management/

Onboarding : Azure Configure NSG, ASG, Firewall, and Service Endpoints

Configure Network Security Group (NSG)

The following figure demonstrates what we implement in the following code [Source].

Diagram of exercise scenario network security groups
# Define variable
rg=<resource group name>

# create a resource group
az group create --name $rg --location <location>

# Create a virtual network and subnet for application servers and database servers
az network vnet create \
    --resource-group $rg \
    --name ERP-servers \
    --address-prefix 10.0.0.0/16 \
    --subnet-name Applications \
    --subnet-prefix 10.0.0.0/24

az network vnet subnet create \
    --resource-group $rg \
    --vnet-name ERP-servers \
    --address-prefix 10.0.1.0/24 \
    --name Databases

# Create Network Security Group
az network nsg create \
    --resource-group $rg \
    --name ERP-SERVERS-NSG

# Create virtual machines running Ubuntu (build the AppServer virtual machine)
# NSG is assigned to NIC of the VM
wget -N https://raw.githubusercontent.com/MicrosoftDocs/mslearn-secure-and-isolate-with-nsg-and-service-endpoints/master/cloud-init.yml && \
az vm create \
    --resource-group $rg \
    --name AppServer \
    --vnet-name ERP-servers \
    --subnet Applications \
    --nsg ERP-SERVERS-NSG \
    --image UbuntuLTS \
    --size Standard_DS1_v2 \
    --admin-username azureuser \
    --custom-data cloud-init.yml \
    --no-wait \
    --admin-password <password>

# build the DataServer virtual machine
az vm create \
    --resource-group $rg \
    --name DataServer \
    --vnet-name ERP-servers \
    --subnet Databases \
    --nsg ERP-SERVERS-NSG \
    --size Standard_DS1_v2 \
    --image UbuntuLTS \
    --admin-username azureuser \
    --custom-data cloud-init.yml \
    --admin-password <password>

# To confirm that the virtual machines are running
az vm list \
    --resource-group $rg \
    --show-details \
    --query "[*].{Name:name, Provisioned:provisioningState, Power:powerState}" \
    --output table

# To connect to your virtual machines, use SSH directly from Cloud Shell. To do this, you need the public IP addresses that have been assigned to your virtual machines
az vm list \
    --resource-group $rg \
    --show-details \
    --query "[*].{Name:name, PrivateIP:privateIps, PublicIP:publicIps}" \
    --output table

# To make it easier to connect to your virtual machines during the rest of this exercise, assign the public IP addresses to variables
APPSERVERIP="$(az vm list-ip-addresses \
                 --resource-group $rg \
                 --name AppServer \
                 --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
                 --output tsv)"

DATASERVERIP="$(az vm list-ip-addresses \
                 --resource-group $rg \
                 --name DataServer \
                 --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
                 --output tsv)"

# to check whether you can connect to your AppServer virtual machine
ssh azureuser@$APPSERVERIP -o ConnectTimeout=5
# You'll get a Connection timed out message.

# to check whether you can connect to your DataServer virtual machine
ssh azureuser@$DATASERVERIP -o ConnectTimeout=5
# You'll get the same connection failure message.

Remember that the default rules deny all inbound traffic into a virtual network, unless this traffic is coming from another virtual network. The Deny All Inbound rule blocked the inbound SSH connections:

Inbound

Name | Priority | Source IP | Destination IP | Access
Allow VNet Inbound | 65000 | VIRTUAL_NETWORK | VIRTUAL_NETWORK | Allow
Deny All Inbound | 65500 | * | * | Deny
Create a security rule for SSH
# Create a security rule for SSH
az network nsg rule create \
    --resource-group $rg \
    --nsg-name ERP-SERVERS-NSG \
    --name AllowSSHRule \
    --direction Inbound \
    --priority 100 \
    --source-address-prefixes '*' \
    --source-port-ranges '*' \
    --destination-address-prefixes '*' \
    --destination-port-ranges 22 \
    --access Allow \
    --protocol Tcp \
    --description "Allow inbound SSH"

# check whether you can now connect to your AppServer virtual machine
ssh azureuser@$APPSERVERIP -o ConnectTimeout=5

ssh azureuser@$DATASERVERIP -o ConnectTimeout=5

# You will be asked "Are you sure you want to continue connecting?"; answer yes and enter the password
# to leave the VM, enter exit
Create a security rule to prevent web access
Server name | IP address
AppServer | 10.0.0.4
DataServer | 10.0.1.4
# Now add a rule so that AppServer can communicate with DataServer over HTTP, but DataServer can't communicate with AppServer over HTTP
az network nsg rule create \
    --resource-group $rg \
    --nsg-name ERP-SERVERS-NSG \
    --name httpRule \
    --direction Inbound \
    --priority 150 \
    --source-address-prefixes 10.0.1.4 \
    --source-port-ranges '*' \
    --destination-address-prefixes 10.0.0.4 \
    --destination-port-ranges 80 \
    --access Deny \
    --protocol Tcp \
    --description "Deny from DataServer to AppServer on port 80"

# to connect to your AppServer virtual machine, and check if AppServer can communicate with DataServer over HTTP.
ssh -t azureuser@$APPSERVERIP 'wget http://10.0.1.4; exit; bash'
# The response should include a 200 OK message.

# to connect to your DataServer virtual machine, and check if DataServer can communicate with AppServer over HTTP
ssh -t azureuser@$DATASERVERIP 'wget http://10.0.0.4; exit; bash'
# This shouldn't succeed, because you've blocked access over port 80. Press Ctrl+C to stop the command prior to the timeout.

Configure Application Security Group (ASG)

The following figure demonstrates what we implement in this section.

Create an application security group for database servers, so that all servers in this group can be assigned the same settings. You’re planning to deploy more database servers, and want to prevent these servers from accessing application servers over HTTP. By assigning sources in the application security group, you don’t need to manually maintain a list of IP addresses in the network security group. Instead, you assign the network interfaces of the virtual machines you want to manage to the application security group.

Diagram of exercise scenario application security groups
# create a new application security group called ERP-DB-SERVERS-ASG
az network asg create \
    --resource-group $rg \
    --name ERP-DB-SERVERS-ASG

# to associate DataServer with the application security group
az network nic ip-config update \
    --resource-group $rg \
    --application-security-groups ERP-DB-SERVERS-ASG \
    --name ipconfigDataServer \
    --nic-name DataServerVMNic \
    --vnet-name ERP-servers \
    --subnet Databases

# to update the HTTP rule in the ERP-SERVERS-NSG network security group. It should reference the ERP-DB-Servers application security group
az network nsg rule update \
    --resource-group $rg \
    --nsg-name ERP-SERVERS-NSG \
    --name httpRule \
    --direction Inbound \
    --priority 150 \
    --source-address-prefixes "" \
    --source-port-ranges '*' \
    --source-asgs ERP-DB-SERVERS-ASG \
    --destination-address-prefixes 10.0.0.4 \
    --destination-port-ranges 80 \
    --access Deny \
    --protocol Tcp \
    --description "Deny from DataServer to AppServer on port 80 using application security group"

# to connect to your AppServer virtual machine, and check if AppServer can communicate with DataServer over HTTP.
ssh -t azureuser@$APPSERVERIP 'wget http://10.0.1.4; exit; bash'
# the response should include a 200 OK message.

# to connect to your DataServer virtual machine, and check if DataServer can communicate with AppServer over HTTP.
ssh -t azureuser@$DATASERVERIP 'wget http://10.0.0.4; exit; bash'
# you should get a Connection timed out message. Press Ctrl+C to stop the command prior to the timeout.

Configure Service Firewall

Storage
  • Storage has a layered security model
  • The layered model enables us to restrict storage access to a specific set of supported networks
  • To use a network, the network rules must be configured.
  • Only applications requesting data over the specified networks can access storage.
  • A request may pass the network rules, but the application must also be authorized on the storage account
    • Authorization can be done via a Storage Access Key (for blob & queue).
    • Or authorization can be done via a Shared Access Signature (SAS) (for blob & queue).
  • In both cases the authorization is done via Azure Active Directory.
  • Network rules are enforced on all protocols, e.g. REST and SMB
How network rules must be configured
  1. Deny access to traffic from all networks (this is done automatically after the first configuration).
  2. Grant access to the traffic of specific vnets (for a secure application boundary).
  3. Then, if needed, grant access to public internet IPs/IP ranges or on-prem networks.
  4. Configure network rules for the Azure Portal, Storage Explorer, and AzCopy
  5. VM disk traffic (mount, unmount, disk I/O) is not affected by network rules.
  6. REST access is affected by network rules
  7. Classic storage accounts don't support firewalls and vnet rules.
Shared Access Signature (SAS)
  • This access token is not related to securing storage via vnet
  • An IP address that already has some authorization on the storage can still work with it after network rules are configured.

Configure Service Endpoints

Storage

Resources