Virtual Network (VNet)

Network access

To protect resources inside a VNet, Azure supports network security groups (NSGs) – a stateless mechanism for protecting access to resources, at a virtual machine, subnet, or tagging level. You need to configure both inbound and outbound rules for VNet NSGs.

Best practices

  • Create subnets according to the resource function (for example, public subnets for web servers, private subnets for database servers, and so on).

  • For remote access protocols (SSH/RDP), limit the source IP address (or CIDR) to well-known sources.

  • For file sharing protocols (CIFS/SMB/FTP), limit the source IP address (or CIDR) to well-known sources.

  • Use NSGs to control access between public resources (such as load balancer or publicly facing web servers) and private resources (such as databases) and limit the access to the minimum required ports/protocols.

  • Set names and descriptions for NSGs to allow a better understanding of any NSG’s purpose.

  • Use tagging (also known as labeling) for NSGs to allow a better understanding of which network security groups belong to which Azure resources.

  • Use application security groups to define access rules at the application layer (for example, rules for allowing inbound HTTP access).

  • Use service tags to configure rules for pre-defined services (for example, Azure Load Balancer), instead of using IP addresses.

  • To allow outbound access from internal resources inside private subnets to destinations on the internet, use Azure Virtual Network NAT (or use a NAT gateway).

  • For large-scale environments with multiple Azure subscriptions, use Azure Firewall to centrally create, enforce, and log network policies across multiple subscriptions.
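As an added example (not part of the original text), the following Python script audits a set of NSG rules against the remote-access, file-sharing and naming practices above: it flags inbound Allow rules that expose SSH/RDP or CIFS/SMB/FTP ports to any source and rules with no description. The field names are those printed by `az network nsg rule list -o json`; the rules themselves are constructed samples, not rules from any real subscription.

```python
"""Audit NSG inbound rules against the SSH/RDP and CIFS/SMB/FTP practices above.
Field names follow `az network nsg rule list -o json`; the rules are constructed."""
import json

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 139: "CIFS", 21: "FTP"}
# Source prefixes that mean "anyone", including the Internet service tag.
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "Internet"}

def rule_ports(rule):
    """Expand destinationPortRange / destinationPortRanges ('22', '20-21', '*')."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for item in raw:
        if item == "*":
            return set(SENSITIVE_PORTS)  # wildcard covers every sensitive port
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def rule_sources(rule):
    return set(rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")])

def audit_rules(rules):
    """Return (rule name, finding) pairs for inbound Allow rules that break the practices."""
    findings = []
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        exposed = sorted(SENSITIVE_PORTS[p] for p in rule_ports(rule) & set(SENSITIVE_PORTS))
        if exposed and rule_sources(rule) & ANY_SOURCE:
            findings.append((rule["name"], "/".join(exposed) + " open to any source; restrict to known CIDRs"))
        if not rule.get("description"):  # names/descriptions practice
            findings.append((rule["name"], "missing description"))
    return findings

# Constructed sample in the CLI's JSON shape, not rules from any real subscription.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-ssh-office", "direction": "Inbound", "access": "Allow", "priority": 100,
  "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22", "description": "SSH from office"},
 {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow", "priority": 110,
  "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
 {"name": "allow-lb-probe", "direction": "Inbound", "access": "Allow", "priority": 120,
  "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*", "description": "Probes via service tag"},
 {"name": "deny-all", "direction": "Inbound", "access": "Deny", "priority": 4096,
  "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The load-balancer probe rule passes because its source is the AzureLoadBalancer service tag rather than a wildcard, which is the service-tag practice in action.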

Monitoring

Azure allows you to monitor network activity using Azure Network Watcher – a service for capturing NSG Flow Logs.

Best practices

  • Enable Azure Network Watcher NSG Flow Logs to log and further analyze allowed and denied traffic activity.

  • If you need to troubleshoot network issues by capturing network traffic, use the Azure Network Watcher packet capture extension to copy live network traffic from a virtual machine to an Azure storage account.

  • For large-scale environments, use Azure Traffic Analytics to locate security threats (such as open ports, application outbound internet traffic, and so on).

  • Use Azure Policy to detect inbound access to resources inside your VNet via unencrypted protocols (such as HTTP instead of HTTPS, or LDAP instead of LDAPS).

For large-scale production environments, enable the Network Watcher packet capture extension only for short periods of time, for troubleshooting purposes only (due to the performance impact on the target VM).

For large-scale production environments, enable NSG Flow Logs only for short periods of time, for troubleshooting purposes only (due to high storage cost and large amounts of data generated by NSG Flow Logs).