WEBVTT

0:00:02.840000 --> 0:00:07.360000
Hi, in this video I want to talk about deploying network security groups

0:00:07.360000 --> 0:00:11.000000
or NSGs as they are typically referred to.

0:00:11.000000 --> 0:00:14.620000
And what we're going to do is we'll start out in this video with an overview

0:00:14.620000 --> 0:00:18.400000
of what network security groups are and how they work.

0:00:18.400000 --> 0:00:22.960000
Then we're going to go briefly through some of the common ports and these

0:00:22.960000 --> 0:00:25.820000
are things that you probably know but it's just a quick little reference

0:00:25.820000 --> 0:00:29.300000
that I've put together just in case you need it if you're studying or

0:00:29.300000 --> 0:00:35.100000
anything else. And then we'll talk about defining NSG rules, what they

0:00:35.100000 --> 0:00:37.740000
are, what the components are, how you define the rules.

0:00:37.740000 --> 0:00:39.660000
We'll talk about a couple of additional topics.

0:00:39.660000 --> 0:00:43.460000
We'll talk about service tags, what service tags are and how you can use

0:00:43.460000 --> 0:00:46.780000
them. And we'll also talk about application security groups and how you

0:00:46.780000 --> 0:00:52.340000
can use those to potentially dramatically simplify the implementation

0:00:52.340000 --> 0:00:53.380000
of network security groups.

0:00:53.380000 --> 0:00:58.720000
And then finally, I am going to demonstrate Azure network security groups,

0:00:58.720000 --> 0:01:01.500000
how you can apply them, how you provision them, how you apply them and

0:01:01.500000 --> 0:01:06.160000
also how you can take advantage of application security groups within

0:01:06.160000 --> 0:01:10.740000
them. So let's go ahead and let's get started.

0:01:10.740000 --> 0:01:15.300000
I want to start talking about what a network security group is.

0:01:15.300000 --> 0:01:20.880000
And the network security group is really a container for rules.
0:01:20.880000 --> 0:01:28.200000
So I can think of having this NSG over here and the NSG is its own resource

0:01:28.200000 --> 0:01:31.880000
in Azure. And then within the NSG, I define rules.

0:01:31.880000 --> 0:01:35.200000
And we'll talk about the details of the rules but just kind of big picture.

0:01:35.200000 --> 0:01:37.320000
And so I can have multiple rules.

0:01:37.320000 --> 0:01:40.080000
Now there are two kinds of rules.

0:01:40.080000 --> 0:01:45.880000
There are system default rules which we'll look at and you can't change

0:01:45.880000 --> 0:01:52.580000
those or delete them but you can create your own rules that take precedence

0:01:52.580000 --> 0:01:54.860000
over the system rules.

0:01:54.860000 --> 0:02:01.880000
And so I can have custom rule one, for example, etc.

0:02:01.880000 --> 0:02:05.080000
And so I have this NSG, it has these rules that are going to dictate what

0:02:05.080000 --> 0:02:11.540000
kind of traffic can go through, really, in the end, to the virtual machines.

0:02:11.540000 --> 0:02:16.160000
If I think about virtual machines, I've got my VM here.

0:02:16.160000 --> 0:02:22.000000
I've got a NIC and I've got the VNet.

0:02:22.000000 --> 0:02:29.860000
And then of course I've got a subnet.

0:02:29.860000 --> 0:02:33.800000
Not going to worry about IP addressing right now because it doesn't really

0:02:33.800000 --> 0:02:35.640000
matter. It's not.

0:02:35.640000 --> 0:02:38.540000
So the VM is attached to the NIC.

0:02:38.540000 --> 0:02:44.760000
Configured with the NIC; the NIC is associated with a network, in a subnet

0:02:44.760000 --> 0:02:49.920000
in particular. Now the NSG, when you define an NSG, you can assign NSGs

0:02:49.920000 --> 0:02:56.460000
in two places. One, I can assign an NSG to a subnet.

0:02:56.460000 --> 0:03:03.080000
I can also assign an NSG to a NIC.
0:03:03.080000 --> 0:03:07.580000
And if you think about this in sort of larger terms, the NSG associated

0:03:07.580000 --> 0:03:12.140000
with the NIC, you can think of as a host control and the NSG that's in

0:03:12.140000 --> 0:03:16.520000
the subnet you can think of as a network control.

0:03:16.520000 --> 0:03:19.780000
And really, that's pretty much the way it works.

0:03:19.780000 --> 0:03:23.480000
I've got this NSG, I define rules within the NSG and then I take it and

0:03:23.480000 --> 0:03:28.980000
I assign it either to a subnet and/or to a NIC.

0:03:28.980000 --> 0:03:31.560000
And a single NSG can be reused.

0:03:31.560000 --> 0:03:38.180000
Now, if you have an NSG that is applied both at the, or one NSG at the

0:03:38.180000 --> 0:03:42.120000
subnet level, and let's say you have a different NSG assigned to a specific

0:03:42.120000 --> 0:03:48.120000
NIC, any traffic going to that NIC, whether it is public or private, must

0:03:48.120000 --> 0:03:52.380000
pass both sets of rules for both NSGs.

0:03:52.380000 --> 0:03:56.220000
So that traffic has to be allowed at both the subnet level and the NIC

0:03:56.220000 --> 0:04:01.260000
level. That is the, if you will, most restrictive set of rules.

0:04:01.260000 --> 0:04:05.340000
And that's really how network security groups work.

0:04:05.340000 --> 0:04:09.060000
Now, let's take a look quickly at some of the common ports.

0:04:09.060000 --> 0:04:10.340000
Why do I have this up here?

0:04:10.340000 --> 0:04:12.500000
These are ports you generally should know.

0:04:12.500000 --> 0:04:17.180000
If you're studying for an exam, these are ports I think are minimum requirements

0:04:17.180000 --> 0:04:19.520000
that you would want to know for the exam.

0:04:19.520000 --> 0:04:23.800000
I think most of these are fairly self-explanatory, a couple that may not

0:04:23.800000 --> 0:04:28.780000
be. WinRM is Windows Remote Management, if you're setting that up for

0:04:28.780000 --> 0:04:33.620000
your Windows Azure virtual machines, you want to manage them from the

0:04:33.620000 --> 0:04:37.140000
command line remotely, then those ports are going to be what's used.

0:04:37.140000 --> 0:04:42.440000
SMB is the protocol used for Windows file shares.

0:04:42.440000 --> 0:04:45.920000
Everything else again, I think is relatively straightforward.

0:04:45.920000 --> 0:04:51.140000
I will tell you tons of exams love to throw in LDAP there versus RDP,

0:04:51.140000 --> 0:04:54.260000
right? Because it's 3389 versus 389.

0:04:54.260000 --> 0:04:56.860000
I honestly can't say I've ever seen that on a Microsoft exam.

0:04:56.860000 --> 0:05:00.960000
I might have, but I know even some of the security exams you'll see that

0:05:00.960000 --> 0:05:02.180000
just to try and throw you off.

0:05:02.180000 --> 0:05:05.940000
Anyways, just a quick reference, some common ports.

0:05:05.940000 --> 0:05:09.440000
Now I want to talk about a rule definition.

0:05:09.440000 --> 0:05:14.960000
And here I've got a screenshot of an NSG rule definition from the portal.

0:05:14.960000 --> 0:05:23.200000
It's kind of a good way to go through and see what these are made of.

0:05:23.200000 --> 0:05:26.160000
And you have options for the sources and destinations.

0:05:26.160000 --> 0:05:28.520000
As you can see, they can be IP addresses.

0:05:28.520000 --> 0:05:31.120000
They can be service tags.

0:05:31.120000 --> 0:05:33.620000
They can be application security groups.

0:05:33.620000 --> 0:05:35.280000
They can be virtual network.

0:05:35.280000 --> 0:05:40.840000
Virtual network means within the virtual network or it can be any.

0:05:40.840000 --> 0:05:43.900000
Those are the different sources and destinations.
0:05:43.900000 --> 0:05:48.100000
Now, which of these are available for a source or destination depends

0:05:48.100000 --> 0:05:51.300000
on whether it's an incoming rule or an outgoing rule.

0:05:51.300000 --> 0:05:53.580000
And I think that might be the first time I've brought that up: there is

0:05:53.580000 --> 0:05:57.180000
a differentiation between incoming and outgoing.

0:05:57.180000 --> 0:06:03.620000
In addition to the source and destination, you are also going to define

0:06:03.620000 --> 0:06:06.840000
ports. And a port can be a single port.

0:06:06.840000 --> 0:06:13.520000
It can be a single port range or it can be multiple entries.

0:06:13.520000 --> 0:06:15.500000
Next is the protocol.

0:06:15.500000 --> 0:06:17.480000
I think that's fairly self-explanatory.

0:06:17.480000 --> 0:06:21.780000
One thing that's pretty interesting, they've recently added ICMP.

0:06:21.780000 --> 0:06:26.620000
And then of course, the action, also I think fairly straightforward.

0:06:26.620000 --> 0:06:29.640000
Allow or deny. Now the priority.

0:06:29.640000 --> 0:06:34.280000
Priority is a number between 100 and 4096.

0:06:34.280000 --> 0:06:40.980000
And each rule within an NSG has to have a unique priority number.

0:06:40.980000 --> 0:06:43.360000
I cannot have two rules with the same priority number.

0:06:43.360000 --> 0:06:47.840000
The way it works is that a lower priority number takes precedence over

0:06:47.840000 --> 0:06:49.220000
a higher priority number.

0:06:49.220000 --> 0:06:53.940000
So if I have a priority number with a value of 100, that is going to be

0:06:53.940000 --> 0:07:00.380000
taken over possibly a conflicting rule that has a priority number of 200.

0:07:00.380000 --> 0:07:04.360000
And the last bit here is just kind of standard naming and description.

0:07:04.360000 --> 0:07:08.020000
I think that's relatively self-evident.

0:07:08.020000 --> 0:07:11.120000
That is the set of NSG rules.
0:07:11.120000 --> 0:07:15.680000
Now one of the ways that you can define your source and destination is

0:07:15.680000 --> 0:07:17.180000
through service tags.

0:07:17.180000 --> 0:07:23.060000
The idea of a service tag is to make it easier for you to define a range

0:07:23.060000 --> 0:07:25.700000
of IP addresses.

0:07:25.700000 --> 0:07:29.780000
And it really is all about simplifying the process of defining your IP

0:07:29.780000 --> 0:07:34.260000
address ranges. And so for example, anything going to the internet, there's

0:07:34.260000 --> 0:07:35.420000
a service tag for that.

0:07:35.420000 --> 0:07:39.700000
Anything going within the local network, there's a service tag for that.

0:07:39.700000 --> 0:07:44.080000
I don't have to worry about all of the IP addresses for the internet.

0:07:44.080000 --> 0:07:49.800000
But there's a whole other set of Azure services that also have tags.

0:07:49.800000 --> 0:07:54.500000
So if I want to allow requests specifically to go to storage, there is

0:07:54.500000 --> 0:07:56.440000
a service tag for storage.

0:07:56.440000 --> 0:08:00.320000
And you can see I've got three of them, storage, SQL, load balancer, common

0:08:00.320000 --> 0:08:05.400000
ones. Really there are quite a few more service tags that are available.

0:08:05.400000 --> 0:08:09.600000
And that's important particularly if you're trying to limit to platform

0:08:09.600000 --> 0:08:15.000000
as a service connectivity because those IP addresses could potentially

0:08:15.000000 --> 0:08:17.460000
change going forward.

0:08:17.460000 --> 0:08:22.180000
So having that service tag just guarantees that it's easy to do and it's

0:08:22.180000 --> 0:08:26.900000
always going to stay consistent and correct.

0:08:26.900000 --> 0:08:33.160000
Now, the next thing I think is very, very cool, which is application security

0:08:33.160000 --> 0:08:42.120000
groups. Let's say that you have a fairly complex network architecture.
0:08:42.120000 --> 0:08:47.520000
Let's say I've got a couple of virtual networks and just kind of drawing

0:08:47.520000 --> 0:08:53.600000
this out. I've got a whole bunch of virtual machines in these virtual

0:08:53.600000 --> 0:09:03.920000
networks. And most of the rules are going to apply across all of these

0:09:03.920000 --> 0:09:11.500000
machines. And maybe I've got these with a peering connection.

0:09:11.500000 --> 0:09:24.320000
And I might have my standard NSG, which has a rule with no internet.

0:09:24.320000 --> 0:09:26.440000
No incoming internet.

0:09:26.440000 --> 0:09:29.320000
So no inbound rules for the internet.

0:09:29.320000 --> 0:09:34.000000
So inbound internet.

0:09:34.000000 --> 0:09:39.740000
And for almost all of those servers, that is exactly what I want.

0:09:39.740000 --> 0:09:47.720000
However, for two of these servers, they're hosting web applications.

0:09:47.720000 --> 0:09:52.480000
So those two servers, by definition, I need to allow inbound traffic.

0:09:52.480000 --> 0:09:57.180000
Now, of course, I would also have to have a public IP address, right?

0:09:57.180000 --> 0:10:00.020000
Which is, of course, assumed from the standpoint of this.

0:10:00.020000 --> 0:10:01.640000
But how do I do that?

0:10:01.640000 --> 0:10:06.600000
Well, one thing is I could isolate those into their own subnet and put

0:10:06.600000 --> 0:10:11.140000
an NSG in the subnet, but that may not be wholly practical.

0:10:11.140000 --> 0:10:16.080000
Because again, it may be something where maybe over here, I get another

0:10:16.080000 --> 0:10:17.420000
one that's a web app.

0:10:17.420000 --> 0:10:22.120000
What I can do is I can define what's called an application security group.

0:10:22.120000 --> 0:10:25.560000
And an application security group is really just a tag.

0:10:25.560000 --> 0:10:29.000000
Let me say ASG, application security group.

0:10:29.000000 --> 0:10:33.260000
And I could say this is a web app.
0:10:33.260000 --> 0:10:39.600000
So I create an application security group.

0:10:39.600000 --> 0:10:41.100000
I call it web app.

0:10:41.100000 --> 0:10:45.880000
No big deal. And I assign it to the NICs for those virtual machines that

0:10:45.880000 --> 0:10:50.840000
are web apps. The reason why that's important is because now I can create

0:10:50.840000 --> 0:10:59.380000
a higher-precedence rule in my NSG that would say web app can in fact have

0:10:59.380000 --> 0:11:03.980000
internet traffic.

0:11:03.980000 --> 0:11:09.980000
And so what this does is it allows you to have fairly complex NSGs, but

0:11:09.980000 --> 0:11:14.800000
allows you to take more general NSGs, possibly more restrictive NSGs,

0:11:14.800000 --> 0:11:21.220000
apply them more broadly, and then add exceptions to those based on this

0:11:21.220000 --> 0:11:24.640000
really, categorization of different virtual machines.

0:11:24.640000 --> 0:11:27.660000
And that's what I use application security groups for.

0:11:27.660000 --> 0:11:29.660000
It's very easy to implement.

0:11:29.660000 --> 0:11:32.040000
I just define an application security group.

0:11:32.040000 --> 0:11:32.900000
I can do it through the portal.

0:11:32.900000 --> 0:11:36.020000
I can do it through the command line.

0:11:36.020000 --> 0:11:38.920000
I associate that with specific NICs.

0:11:38.920000 --> 0:11:40.240000
And then I create rules for it.

0:11:40.240000 --> 0:11:45.240000
And what I want to do now is I'm going to go ahead and I want to take

0:11:45.240000 --> 0:11:48.760000
a look at applying Azure NSGs.

0:11:48.760000 --> 0:11:54.360000
And I am going to apply these in our demonstration architecture.

0:11:54.360000 --> 0:11:58.140000
And what I'm going to do is I'm going to start out.

0:11:58.140000 --> 0:12:02.180000
Now I already have a peering relationship established between these.

0:12:02.180000 --> 0:12:07.140000
I am going to start out by looking at the NSG that I've got.
0:12:07.140000 --> 0:12:11.900000
I already have an NSG that is assigned to the subnets for the Windows

0:12:11.900000 --> 0:12:14.160000
servers and for the web servers.

0:12:14.160000 --> 0:12:18.300000
And it's actually allowing more traffic than I want through it.

0:12:18.300000 --> 0:12:20.140000
So I'm going to make some modifications to it.

0:12:20.140000 --> 0:12:23.640000
Now before I even go into that, I'll show you the process of creating

0:12:23.640000 --> 0:12:26.120000
an NSG and assigning an NSG.

0:12:26.120000 --> 0:12:30.260000
Those are both somewhat trivial compared to actually configuring it.

0:12:30.260000 --> 0:12:34.340000
And what I'm going to do is I'm going to have an NSG that doesn't allow

0:12:34.340000 --> 0:12:39.240000
any incoming traffic at port 80 except I want to allow it for the web

0:12:39.240000 --> 0:12:42.580000
servers. But I'm not sure where the web servers are going to be.

0:12:42.580000 --> 0:12:46.540000
So I'm going to create an application security group for my web servers

0:12:46.540000 --> 0:12:49.800000
and then integrate that with my network security group.

0:12:49.800000 --> 0:12:54.700000
So let's go ahead and let's jump into that.

0:12:54.700000 --> 0:13:04.100000
I'm going to start out by taking a look at the topology here.

0:13:04.100000 --> 0:13:08.620000
This is the official topology, love this thing.

0:13:08.620000 --> 0:13:11.880000
And I'm going to zoom in a bit.

0:13:11.880000 --> 0:13:16.660000
And here I've got my default subnet of web server and my default subnet

0:13:16.660000 --> 0:13:21.820000
of WinServer. And both of these are associated with this basic NSG.

0:13:21.820000 --> 0:13:25.200000
So we can see that I've diagrammed this out.

0:13:25.200000 --> 0:13:28.840000
I've got my WinServer in default.

0:13:28.840000 --> 0:13:31.020000
That's tied to this basic NSG.

0:13:31.020000 --> 0:13:34.360000
My web server in default also tied to the basic NSG.
0:13:34.360000 --> 0:13:38.660000
The reason I will tell you that I have this is because if you want to

0:13:38.660000 --> 0:13:44.500000
have public access to a standard public IP address, you have to have an

0:13:44.500000 --> 0:13:46.200000
NSG to allow it.

0:13:46.200000 --> 0:13:49.660000
So I have that tied in just for simplicity, for you.

0:13:49.660000 --> 0:13:54.100000
So I'm going to actually make that a little bit better because it's really

0:13:54.100000 --> 0:13:58.100000
far too, what you might call, promiscuous right now.

0:13:58.100000 --> 0:14:02.160000
Lets too many things through for my liking.

0:14:02.160000 --> 0:14:06.540000
All right, let's go ahead and let's add a zoom there.

0:14:06.540000 --> 0:14:10.920000
Let's go back and let's create first just so you see the process.

0:14:10.920000 --> 0:14:14.760000
I'm going to go ahead and create a network security group, not much to

0:14:14.760000 --> 0:14:23.260000
that. Not actually even going to create it because there's really not

0:14:23.260000 --> 0:14:25.360000
that much to do here.

0:14:25.360000 --> 0:14:27.240000
This is bare minimum.

0:14:27.240000 --> 0:14:31.160000
I give it a name, put it in a resource group, and I give it some instance

0:14:31.160000 --> 0:14:36.920000
details. The name of the subscription, resource group, name, and region.

0:14:36.920000 --> 0:14:43.140000
Very simple. So not really super worth going into, but if I go back to

0:14:43.140000 --> 0:14:50.060000
the topology, I can use that to navigate to my actual basic NSG.

0:14:50.060000 --> 0:14:53.000000
So let's take a look at this.

0:14:53.000000 --> 0:14:56.260000
All right, here's an NSG, network security group.

0:14:56.260000 --> 0:15:01.900000
And it has, at the key, I've got inbound security rules, outbound security

0:15:01.900000 --> 0:15:07.480000
rules. I can see the network interfaces that are associated with this.

0:15:07.480000 --> 0:15:10.540000
Also, I can associate network interfaces with it.
0:15:10.540000 --> 0:15:12.100000
I can also see the subnet.

0:15:12.100000 --> 0:15:16.040000
And I can see that this is associated with two subnets, one from my web

0:15:16.040000 --> 0:15:18.300000
servers, one from my win servers.

0:15:18.300000 --> 0:15:22.760000
Now, if I go back to the inbound security rules, you'll see that I have

0:15:22.760000 --> 0:15:27.920000
four rules. Notice that three of those rules start at 65,000.

0:15:27.920000 --> 0:15:31.160000
And if you were paying attention earlier, you'll notice that that is larger

0:15:31.160000 --> 0:15:34.060000
than the highest number you can assign for priority.

0:15:34.060000 --> 0:15:37.600000
That is because these are the system inbound security rules.

0:15:37.600000 --> 0:15:39.300000
And you want to know what these are.

0:15:39.300000 --> 0:15:43.220000
The highest number, in other words, the lowest priority, that can be a

0:15:43.220000 --> 0:15:45.500000
little confusing, is denial.

0:15:45.500000 --> 0:15:49.980000
What that means is, if no other rules apply, then the traffic is going

0:15:49.980000 --> 0:15:55.420000
to be denied. I have two rules that allow some incoming traffic.

0:15:55.420000 --> 0:15:57.160000
One is load balancer.

0:15:57.160000 --> 0:15:59.840000
And do not be misled by this.

0:15:59.840000 --> 0:16:02.720000
That is only for the health probe of the load balancer.

0:16:02.720000 --> 0:16:05.860000
It doesn't mean if I've got incoming traffic from the internet, I just

0:16:05.860000 --> 0:16:07.500000
have this and it will allow it.

0:16:07.500000 --> 0:16:10.680000
That is very specifically for the load balancer itself.

0:16:10.680000 --> 0:16:12.580000
And then allow VNet inbound.

0:16:12.580000 --> 0:16:15.620000
So that would be anything within the virtual network.

0:16:15.620000 --> 0:16:17.980000
It's allowing all internal virtual network traffic.
0:16:17.980000 --> 0:16:22.240000
Any other inbound requests are going to be denied, except I have this

0:16:22.240000 --> 0:16:25.640000
priority 100, which is poorly named, RDP.

0:16:25.640000 --> 0:16:30.040000
This is my generic one that allows all the ports I need for demonstration.

0:16:30.040000 --> 0:16:32.100000
I would never do this in production.

0:16:32.100000 --> 0:16:34.920000
In fact, you can see that it's got the little warning sign telling me

0:16:34.920000 --> 0:16:36.580000
this is a very bad idea.

0:16:36.580000 --> 0:16:41.340000
But this is allowing ports 3389, which would be RDP for Windows, port

0:16:41.340000 --> 0:16:46.840000
22, which is SSH, and port 80, which is simple HTTP.

0:16:46.840000 --> 0:16:49.080000
And this is allowing any of that traffic.

0:16:49.080000 --> 0:16:52.920000
It's essentially opening that wide up, probably the three most common ports

0:16:52.920000 --> 0:17:00.980000
in the world. What I'm going to do is I'm going to delete that.

0:17:00.980000 --> 0:17:08.540000
Because I don't want to have my communications that wide open.

0:17:08.540000 --> 0:17:13.560000
And now while that's deleting, go back to my topology for a minute.

0:17:13.560000 --> 0:17:19.700000
And I want to take a look at my NICs for my web servers.

0:17:19.700000 --> 0:17:30.600000
I'm going to go into my NICs.

0:17:30.600000 --> 0:17:35.120000
And I can assign NICs to a network security group.

0:17:35.120000 --> 0:17:37.180000
So I could do that here.

0:17:37.180000 --> 0:17:38.920000
That's not really what I want.

0:17:38.920000 --> 0:17:42.860000
I'm actually going to do something that's a little more slick.

0:17:42.860000 --> 0:17:47.500000
I'm going to go to my web servers themselves.

0:17:47.500000 --> 0:17:52.080000
Now I can do this from the command line as well.

0:17:52.080000 --> 0:17:56.840000
I'm going to go into networking.

0:17:56.840000 --> 0:18:01.780000
And over here, notice where it says application security groups.
0:18:01.780000 --> 0:18:06.120000
I've got inbound port rules, outbound port rules, application security

0:18:06.120000 --> 0:18:09.120000
group rules. And load balancing, which I'm not going to do anything with.

0:18:09.120000 --> 0:18:14.760000
But what I do want to do is configure the application security groups.

0:18:14.760000 --> 0:18:22.180000
And I go here and it doesn't have any application security groups.

0:18:22.180000 --> 0:18:27.560000
So if I try that, not getting it.

0:18:27.560000 --> 0:18:32.680000
What that means is I actually need to create an application security group

0:18:32.680000 --> 0:18:35.700000
first. I'll go in here.

0:18:35.700000 --> 0:18:44.100000
Application security group.

0:18:44.100000 --> 0:18:50.280000
And create. So I looked first at the NICs and I couldn't assign it at the

0:18:50.280000 --> 0:18:53.400000
NIC. I looked at the virtual machine.

0:18:53.400000 --> 0:18:56.460000
I could assign it at the virtual machine, but it needed to pre-exist.

0:18:56.460000 --> 0:18:59.880000
That's always something interesting with the portal, whether you can go

0:18:59.880000 --> 0:19:01.980000
in and sometimes you can create things right there.

0:19:01.980000 --> 0:19:04.580000
Sometimes they already have to exist and you can only assign them.

0:19:04.580000 --> 0:19:08.040000
In this case, I have to create and then assign.

0:19:08.040000 --> 0:19:09.700000
I'm going to go to O1 tasks.

0:19:09.700000 --> 0:19:11.860000
It's really very straightforward.

0:19:11.860000 --> 0:19:16.400000
It's just web apps.

0:19:16.400000 --> 0:19:17.560000
That's in the East.

0:19:17.560000 --> 0:19:23.280000
And create that application security group.

0:19:23.280000 --> 0:19:28.900000
And almost forgot to hit create.

0:19:28.900000 --> 0:19:31.680000
And that's going to go ahead and create it.

0:19:31.680000 --> 0:19:36.120000
I'm going to go back to my topology.

0:19:36.120000 --> 0:19:43.780000
I'm going to wait for that to finish.
0:19:43.780000 --> 0:19:52.160000
And once that finishes, I will go ahead and assign it to my web servers.

0:19:52.160000 --> 0:19:57.340000
Okay. My application security group has been created.

0:19:57.340000 --> 0:20:03.980000
So now if I go back to my web server and I go to networking.

0:20:03.980000 --> 0:20:08.880000
And I go to application security groups.

0:20:08.880000 --> 0:20:17.600000
Configure it. And there we go.

0:20:17.600000 --> 0:20:20.220000
And that's all I need to do for that.

0:20:20.220000 --> 0:20:26.480000
And while that is configuring, we'll go ahead to web server one and do

0:20:26.480000 --> 0:20:35.680000
the same thing. Now in this case, these happen to be in the same subnet,

0:20:35.680000 --> 0:20:37.460000
but they don't have to be.

0:20:37.460000 --> 0:20:41.800000
This is just really, like I said, a label that I'm applying.

0:20:41.800000 --> 0:20:44.140000
So I have this application security group that I've created.

0:20:44.140000 --> 0:20:50.040000
I have these two NICs, really, that I've associated the application security

0:20:50.040000 --> 0:20:55.900000
group with. And now what I want to do is I want to go ahead and update

0:20:55.900000 --> 0:21:01.400000
the rules. And I can actually do this directly from here.

0:21:01.400000 --> 0:21:02.660000
But let's go back.

0:21:02.660000 --> 0:21:05.440000
Let's do this a little more formally so it's not confusing.

0:21:05.440000 --> 0:21:11.200000
I'm going to go back to the NSG where I've removed that very broad inbound

0:21:11.200000 --> 0:21:15.360000
security rule. And I'm going to add a new inbound security rule.

0:21:15.360000 --> 0:21:20.260000
Now, source for inbound.

0:21:20.260000 --> 0:21:25.960000
I've got any, obviously, a set of IP addresses, a service tag or an application

0:21:25.960000 --> 0:21:30.020000
security group. I'm going to click on service tag.
0:21:30.020000 --> 0:21:34.340000
And what you can see is I've got kind of your very broad service tags,

0:21:34.340000 --> 0:21:36.480000
internet, virtual network, Azure load balancer.

0:21:36.480000 --> 0:21:46.180000
But then I've got all of these Azure services broken out fairly detailed.

0:21:46.180000 --> 0:21:49.240000
Unfortunately, not fully alphabetized.

0:21:49.240000 --> 0:21:53.940000
So you can be very granular in the way that you assign service tags.

0:21:53.940000 --> 0:21:55.640000
But that's not what I want to do.

0:21:55.640000 --> 0:21:59.000000
I want to assign an application security group.

0:21:59.000000 --> 0:22:01.960000
And it's going to be web apps.

0:22:01.960000 --> 0:22:06.140000
And the source port ranges come from any port.

0:22:06.140000 --> 0:22:07.940000
So the source is web apps.

0:22:07.940000 --> 0:22:11.520000
Destination, I should have that as virtual network.

0:22:11.520000 --> 0:22:14.240000
We're going to be lazy, keep it any.

0:22:14.240000 --> 0:22:16.160000
And I'm going to say port 80.

0:22:16.160000 --> 0:22:18.880000
I'm going to give it a priority of 100.

0:22:18.880000 --> 0:22:22.560000
And I'm going to say HTTP.

0:22:22.560000 --> 0:22:29.680000
Web apps. And I should give it a description, but I'm not going to.

0:22:29.680000 --> 0:22:32.240000
Now, I'm going to add that.

0:22:32.240000 --> 0:22:35.260000
And I'm going to wait a couple of minutes because it does take a couple

0:22:35.260000 --> 0:22:38.460000
of minutes typically for that to propagate.

0:22:38.460000 --> 0:22:41.760000
We'll wait for it, we'll come back, and we'll test it out.

0:22:41.760000 --> 0:22:50.060000
All right, one of the really cool things about the portal is it kind of

0:22:50.060000 --> 0:22:52.560000
lets you see what you're doing.

0:22:52.560000 --> 0:22:57.660000
And as I look at the portal, I realize I made a very basic mistake.
0:22:57.660000 --> 0:23:01.620000
And that is on my inbound rules, I kind of got my source and destination

0:23:01.620000 --> 0:23:06.480000
flipped. And as it turns out, that's not going to work.

0:23:06.480000 --> 0:23:09.700000
So let's go ahead and luckily I can fix that.

0:23:09.700000 --> 0:23:14.960000
I'm simply going in and let's see, go in there, there we go, click it.

0:23:14.960000 --> 0:23:16.580000
And let's fix this.

0:23:16.580000 --> 0:23:19.740000
The source, I'm going to actually set to any.

0:23:19.740000 --> 0:23:22.220000
Now, I could set it to the internet, but we're just going to allow any

0:23:22.220000 --> 0:23:26.360000
traffic that's coming in from any source port range.

0:23:26.360000 --> 0:23:30.840000
Now, it's on the destination that I use the application security group.

0:23:30.840000 --> 0:23:35.540000
And the application security group that I'm going to use is web apps.

0:23:35.540000 --> 0:23:38.480000
Everything else is fine.

0:23:38.480000 --> 0:23:44.020000
So I'm going to save this, and now I'll wait for the proper NSG rule to

0:23:44.020000 --> 0:23:51.080000
propagate. All right.

0:23:51.080000 --> 0:23:57.260000
Let's see if my web app destination is going to prove successful.

0:23:57.260000 --> 0:24:03.320000
I'm going to pop over to my topology again, just as a way of navigating.

0:24:03.320000 --> 0:24:07.460000
I'm going to go to my web server and I'm going to pick up the public IP

0:24:07.460000 --> 0:24:12.380000
address of the web server.

0:24:12.380000 --> 0:24:14.380000
And paste and go.

0:24:14.380000 --> 0:24:20.180000
There we go. I just had to give up on it.

0:24:20.180000 --> 0:24:20.760000
And there you go.

0:24:20.760000 --> 0:24:25.520000
There is the completely underwhelming response, but that is the name of

0:24:25.520000 --> 0:24:27.440000
the server that's hosting this web page.
0:24:27.440000 --> 0:24:31.940000
That is the extent of the very sophisticated web app that's running on

0:24:31.940000 --> 0:24:35.000000
it. Again, not something necessarily great for production, but pretty

0:24:35.000000 --> 0:24:37.000000
useful for demonstration.

0:24:37.000000 --> 0:24:47.120000
So I'm now able to get in via HTTP to my web app, but the NSG that I'm

0:24:47.120000 --> 0:24:51.920000
using is far more controlled.

0:24:51.920000 --> 0:24:57.380000
It's far more granular and not perfect by any stretch because it's a demo,

0:24:57.380000 --> 0:25:00.480000
but it definitely is more secure than it otherwise was.