2025-01-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03
1. What is NSG?
A network security group (NSG) filters network traffic to and from Azure resources in an Azure virtual network.
2. Related concepts of NSG:
An NSG contains security rules, which allow or deny inbound / outbound traffic.
Each security rule has the following configurable properties:
Property: Description
Name: A unique name within the network security group.
Priority: A number between 100 and 4096. Rules are processed in priority order. Lower numbers are processed first, because the lower the number, the higher the priority. Once traffic matches a rule, processing stops. As a result, any rule with a lower priority (higher number) and the same attributes as a higher-priority rule is never processed.
Source or destination: Any, or a single IP address, a classless inter-domain routing (CIDR) block (for example, 10.0.0.0/24), a service tag, or an application security group.
A service tag represents a set of IP address prefixes for a given Azure service. See https://docs.azure.cn/zh-cn/virtual-network/service-tags-overview
Application security groups let you configure network security as a natural extension of the application's structure, so that virtual machines can be grouped and network security policies defined based on those groups.
Protocol: TCP, UDP, ICMP, or Any.
Direction: Whether the rule applies to inbound or outbound traffic.
Port range: A single port or a range of ports. For example, you can specify 80 or 10000-10005.
Action: Allow or deny.

3. Default security group rules

Inbound

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVNetInBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |
| DenyAllInbound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

Outbound

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVnetOutBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowInternetOutBound | 65001 | 0.0.0.0/0 | 0-65535 | Internet | 0-65535 | Any | Allow |
| DenyAllOutBound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

4. Which products does NSG apply to?

Category: Services
Compute: Virtual machines (Linux or Windows); virtual machine scale sets; cloud services: virtual networks only (classic); Azure Batch
Network: Application Gateway - WAF; * gateway; Azure Firewall; network virtual appliances
Data: RedisCache; Azure SQL Database managed instance
Analytics: Azure HDInsight
Containers: Azure Kubernetes Service (AKS)
Web: API Management; App Service Environment

5. NSG restrictions

Limits per Azure subscription:
Network security groups: 5000
Number of NSG rules per NSG

Other considerations
Virtual IP of the host node: basic infrastructure services (such as DHCP, DNS, IMDS, and health monitoring) are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Azure; they are the only virtualized IP addresses used in all regions and have no other purpose.
Licensing (Key Management Service): Windows images running in virtual machines must be licensed. To obtain a license, a request is sent to the Key Management Service host servers that handle such queries. The request is made outbound through port 1688. This platform rule is disabled for deployments that are configured with the default route 0.0.0.0/0.
Virtual machines in load-balanced pools: the source port and address range that apply are those of the originating computer, not the load balancer. The destination port and address range are those of the destination computer, not the load balancer.
Azure service instances: instances of several Azure services, such as HDInsight, App Service Environment, and virtual machine scale sets, are deployed in virtual network subnets. Before applying a network security group to a subnet where such resources are deployed, make sure that you are familiar with the port requirements of each service. If a port required by the service is denied, the service will not work properly.
Sending outbound email: Azure recommends using an authenticated SMTP relay service (usually connecting through TCP port 587, but often using other ports) to send email from Azure virtual machines. The use of SMTP relay services in Azure is never restricted, regardless of the type of subscription. If an Azure subscription was created before November 15, 2017, then in addition to using an SMTP relay service, email can be sent directly through TCP port 25. If a subscription was created after November 15, 2017, you may not be able to send email directly through port 25. Outbound traffic over port 25 depends on the type of subscription, as follows:
Enterprise Agreement: outbound traffic on port 25 is allowed. Outbound email can be sent directly from the virtual machine to external email providers, with no restriction from the Azure platform.
Standard prepaid package: blocked by default; a support ticket must be submitted to have the block removed.
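
The priority processing described in section 2 and the inbound default rules from section 3, modelled as an added example (not part of the original article and not Azure's own code). The model is inbound-only, ignores source ports, and resolves service tags through a constructed TAGS mapping, which is an assumption for the demo; shadowed() reports rules that can never fire because a higher-priority rule covers the same attributes.

```python
import ipaddress
from collections import namedtuple

# Inbound-only model; fields mirror the rule properties listed in section 2.
Rule = namedtuple("Rule", "name priority source dest ports protocol access")

# ASSUMPTION: service tags mapped to constructed prefixes for this demo only.
TAGS = {"VirtualNetwork": "10.0.0.0/16", "AzureLoadBalancer": "168.63.129.16/32"}
ANY_PORT = (0, 65535)
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "VirtualNetwork", ANY_PORT, "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "0.0.0.0/0", ANY_PORT, "Any", "Allow"),
    Rule("DenyAllInbound", 65500, "0.0.0.0/0", "0.0.0.0/0", ANY_PORT, "Any", "Deny"),
]

def net(value):  # service tag or CIDR string -> ip_network
    return ipaddress.ip_network(TAGS.get(value, value))

def matches(rule, src, dst, port, proto):
    return (ipaddress.ip_address(src) in net(rule.source)
            and ipaddress.ip_address(dst) in net(rule.dest)
            and rule.ports[0] <= port <= rule.ports[1]
            and rule.protocol in ("Any", proto))

def evaluate(custom_rules, src, dst, port, proto):
    """Lowest priority number first; processing stops at the first match."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if matches(rule, src, dst, port, proto):
            return rule.access, rule.name
    raise ValueError("no rule matched (non-IPv4 input?)")

def covers(hi, lo):  # True if every flow matching `lo` also matches `hi`
    return (net(lo.source).subnet_of(net(hi.source))
            and net(lo.dest).subnet_of(net(hi.dest))
            and hi.ports[0] <= lo.ports[0] and lo.ports[1] <= hi.ports[1]
            and hi.protocol in ("Any", lo.protocol))

def shadowed(custom_rules):
    """(shadowed, shadowing) pairs: rules an earlier rule always pre-empts."""
    ordered = sorted(custom_rules, key=lambda r: r.priority)
    return [(lo.name, hi.name) for i, lo in enumerate(ordered)
            for hi in ordered[:i] if covers(hi, lo)]

# Constructed sample NSG: the deny at 200 is shadowed by the broader allow at 100.
SAMPLE = [
    Rule("allow-ssh-any", 100, "0.0.0.0/0", "10.0.1.0/24", (22, 22), "TCP", "Allow"),
    Rule("deny-ssh-partner", 200, "203.0.113.0/24", "10.0.1.0/24", (22, 22), "TCP", "Deny"),
    Rule("allow-https", 300, "0.0.0.0/0", "10.0.1.4/32", (443, 443), "TCP", "Allow"),
]
```

Running shadowed(SAMPLE) during review shows that the intended deny for 203.0.113.0/24 never takes effect; giving it a priority number below 100's rule (or narrowing the allow) fixes the ordering.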