Azure Series Part 7: Configure network access to Linux Virtual Machine by using a network security group (NSG) with Azure CLI

A Network security group (NSG) enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall.

An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.

A network security group can contain as many rules as you need, within Azure subscription limits. Each rule specifies these properties:

Name: A unique name for the NSG.
Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers.
Source or Destination: A single IP address or IP address range, service tag, or application security group.
Protocol: TCP, UDP, or Any.
Direction: Whether the rule applies to inbound or outbound traffic.
Port Range: A single port or range of ports.
Action: Allow or Deny.

When you create a network security group, Azure creates a series of default rules to provide a baseline level of security. You can’t remove the default rules, but you can override them by creating new rules with higher priorities.

Let us get Started!

First, we will create a Linux VM and install Nginx, a popular web server, on that VM. To make the web server accessible, we will then create a network security group (NSG) rule that allows inbound access on port 80 (HTTP).

Step 1: Create a Linux virtual machine using the az vm create command in the Azure CLI or in Cloud Shell in the Azure portal

az vm create \
  --resource-group <rg-name> \
  --name thewebspark-vm \
  --image UbuntuLTS \
  --admin-username azureuser \
  --generate-ssh-keys

Step 2: Configure NGINX web server on your VM

Use the az vm extension set command below:

az vm extension set \
  --resource-group <rg-name> \
  --vm-name thewebspark-vm \
  --name customScript \
  --publisher Microsoft.Azure.Extensions \
  --version 2.1 \
  --settings '{"fileUris":[""]}' \
  --protected-settings '{"commandToExecute": "./"}'

This command uses the Custom Script Extension to run a Bash script on your VM. The script is stored on GitHub.


Step 3: Run the following az vm list-ip-addresses command to get your VM’s IP address and store the result as a Bash variable

IPADDRESS="$(az vm list-ip-addresses \
  --resource-group <rg-name> \
  --name thewebspark-vm \
  --query "[][*].ipAddress" \
  --output tsv)"
If you now try to reach the web server with the curl command used in Step 6, you will get a connection timeout error.

The --connect-timeout argument allows up to five seconds for the connection to occur.

After five seconds, you see an error message stating that the connection timed out.

Run echo $IPADDRESS to see the IP address of your VM.

Copy the IP address and open it in your browser; you will see a "site can’t be reached" error.

Step 4: Since the web server running on the VM was not accessible, let us list the current NSG rules with the CLI command below

az network nsg rule list \
  --resource-group <rg-name> \
  --nsg-name thewebspark-vmNSG \
  --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
  --output table

We can see the default rule, default-allow-ssh. This rule allows inbound connections over port 22 (SSH). SSH (Secure Shell) is a protocol that’s used on Linux to allow administrators to access the system remotely.

The priority of this rule is 1000. Rules are processed in priority order, with lower numbers processed before higher numbers.

Step 5: Create a network security rule that allows port 80 (HTTP) using the CLI command below

az network nsg rule create \
  --resource-group <rg-name> \
  --nsg-name thewebspark-vmNSG \
  --name allow-http \
  --protocol tcp \
  --priority 100 \
  --destination-port-range 80 \
  --access Allow

Verify that port 80 was added by running the same az network nsg rule list command as before:

az network nsg rule list \
  --resource-group <rg-name> \
  --nsg-name thewebspark-vmNSG \
  --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
  --output table
Port 80 is added now.

Step 6: Try to access your web server again

Use the curl command

curl --connect-timeout 5 http://$IPADDRESS
The HTML response is returned now.

Step 7: Open the IP address in browser now to verify

The site is now loading! 🙂
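
Why the request timed out before Step 5 and succeeds after it comes down to rule order. The script below is an added example, not part of the original post: it replays the rule tables from Steps 4 and 5 as constructed sample data and reports which rule decides an inbound port. It assumes only the destination port is matched and that unmatched Internet traffic hits Azure's built-in DenyAllInBound rule (priority 65500); nsg_decide and the variable names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): which NSG rule decides an
# inbound connection to a given destination port?
#
# stdin: TSV lines "name<TAB>priority<TAB>port<TAB>access". Live data in that
# column order can come from the post's list command with
#   --query '[].[name, priority, destinationPortRange, access]' --output tsv
# Assumptions: only the destination port is matched (source, protocol and
# direction are ignored); a port field is "N", "N-M" or "*".

TAB="$(printf '\t')"

# nsg_decide is a hypothetical helper name. Prints "<access> <rule> <priority>".
nsg_decide() {
  sort -t "$TAB" -k2,2n | awk -F '\t' -v port="$1" '
    function covers(spec,   r) {
      if (spec == "*") return 1
      if (split(spec, r, "-") == 2) return (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0)
      return (spec ~ /^[0-9]+$/ && spec + 0 == port + 0)
    }
    # Rules arrive sorted by priority; the first one that matches decides.
    covers($3) { print $4, $1, $2; found = 1; exit }
    END {
      # Nothing matched: Internet traffic falls through to the built-in
      # DenyAllInBound default rule (priority 65500).
      if (!found) print "Deny DenyAllInBound 65500"
    }'
}

# Constructed sample data mirroring the post: rule table before and after Step 5.
RULES_BEFORE="default-allow-ssh${TAB}1000${TAB}22${TAB}Allow"
RULES_AFTER="${RULES_BEFORE}
allow-http${TAB}100${TAB}80${TAB}Allow"

echo "port 80 before Step 5: $(printf '%s\n' "$RULES_BEFORE" | nsg_decide 80)"
echo "port 80 after Step 5:  $(printf '%s\n' "$RULES_AFTER" | nsg_decide 80)"
echo "port 22 after Step 5:  $(printf '%s\n' "$RULES_AFTER" | nsg_decide 22)"
```

Because the first matching rule wins, a Deny rule with a lower priority number than allow-http would block port 80 again even though allow-http is still present.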

That’s it from this post on Azure.

Stay tuned for more in the coming posts!

