By default, every Azure virtual machine (VM) has access to the Internet. Sometimes this is great, but in most enterprise environments, server’s have Internet access restricted. So, how to restrict Azure VMs gaining access to the Internet?
Restricting Internet access to your VMs in Azure isn’t difficult, but does require some baseline knowledge of Network Security. The solution can be achieved by making use of Azure NSG’s (Network Security Groups). Every VM will have an NSG when it is deployed. If you create an NSG beforehand, you can simply apply the same NSG to new VM deployments.
In the example below, I am going to update the NSG for a specific VM. Of course, once the NSG has been modified, you can apply this NSG to other VMs too and/or future VMs.
Let’s begin, if you go into the property settings of the VM, and select the Networking Settings, and select, “Add outbound port rule“. Click on the wrench, to switch from Basic to Advanced.
The Outbound Security Rule properties, as follows:
Wait, what do all of these fields mean?
- Source: The source can by any IP Address, or Range, or a default-service tag. CIDR ranges are also accepted.
- Source Port Ranges: You can use either a range of ports, or use a Wildcard (*) for all ranges.
- Destination: The destination can by any IP Address, or Range, or a default-service tag. CIDR ranges are also accepted.
- Destination Service Tag: There are a series of options here, but in short:
- Load Balancer: Any probes in the Azure Load Balancer
- Virtual Network: The Virtual Network the VM is connected to
- Internet: All network traffic in the public virtual network, (including all Azure services, such as Azure Traffic Manager, Storage and SQL)
- Azure Traffic Manager: Denotes the IP address from where the Azure Load Balancer health probes will origiante.
- Storage.*: Access to Azure storage services and/or specific Azure regions
- SQL.*: Access to Azure SQL Database and Warehouse services, and/or specific Azure regions
- Destination Port Ranges: You can use either a range of ports, or use a Wildcard (*) for all ranges.
- Protocol: TCP or UDP, or Any, which includes both TCP and UDP, and ICMP.
- Action: Allow, or Deny access.
- Priority: A number between 100-4096. The lowest is 100, and the highest we can input is 4096. Lower the number, higher the priority.
- Name: The name of the rule. Note, once created, it cannot be changed!
So, these are the values/settings I implemented as a result:
- Source: VirtualNetwork
- Source Port Ranges: *
- Destination: Service Tag
- Destination Service Tag: Internet
- Destination Port Ranges: *
- Protocol: Any
- Action: Deny
- Priority: 4096
- Name: Deny-Internet-Access
The Outbound Port Rules should look something like this now:
Once the rule has been submitted, and accepted, if we go to our VM, we will now most definitely be denied Internet access! Success!!
To learn more on Azure NSG (Network Security Groups), visit: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview