Protect Your DMZ Networks in the Cloud with Azure Network Security Groups

By Aaron Saposnik| July 14, 2015

In most organizations, the on-premises network is segregated into both a local network and one or more DMZ networks. These DMZ networks are used to segregate off systems and are often required for compliance and security purposes. However, for most cloud services—usually by default—all subnets within a private network have full access to all others, so the question becomes how to create these DMZ networks to ensure the proper level of security.

In Microsoft Azure, the answer is Network Security Groups (NSGs). Network Security Groups are a full access control list-(ACL) based solution that can be applied at the virtual machine or at the subnet level. These groups replace the native Virtual Machine (VM) endpoint functionality and allow for extremely granular management of access to your devices for both inbound and outbound network traffic. These ACLs can be configured by IP address or subnet and then further by protocol and port to ensure that the exact level of access has been granted to the system(s). By default, Network Security Groups also include tags for the Internet and for the Virtual Network to make assigning permissions easier.

For example, if your organization has a server in Azure that contains sensitive information such as credit card data or social security numbers, you may want to limit inbound access to this server only via a specific port for the database, and only from certain source servers. On the reverse, you may also want to block outbound internet access from this server so that anyone accessing the server can’t connect to other sites and upload data. All of these changes can be specified via a Network Security Group. As an added feature, when applying a Network Security Group at the VM level, the usual firewall limitations of access to devices in the same subnet always being allowed do not apply. Even if a server is in the same IP range as this resource, it will be blocked unless specifically allowed by the NSG.

When applying Network Security Groups there are a few things to consider. First, currently, the only way to setup a Network Security Group is via Powershell. Also, once a Network Security Group is applied the usual Endpoint functionality in the Azure web console will no longer be applicable and any changes made via that site will be ignored. However, since these groups can be applied on a VM or subnet basis it is possible to have a mixed environment with most systems using the standard Endpoint functionality and only DMZ-based systems using NSGs. Finally, just like any access control list-based security, it is possible to fully block all access to a device if an NSG is implemented incorrectly, and so care must be taken when designing the ACLs.

At BDO Digital, we have the experience to help design out your DMZ environment in Azure and implement the Network Security Groups to make this possible. Interested in adding this security to your environment? Contact BDO Digital and tell us about your business requirements.

Leveraging opportunities in the cloud