Azure Network Security Groups

    This topic describes how to create and modify Network Security Groups for an Azure account in Dome9. The account must be in Manage mode.

    You can create NSGs for each region or resource group in your Azure account.

    Create an Azure Network Security Group (NSG)

    1. In the Dome9 console, navigate to the Security Groups page in Network Security.

    2. Select the Azure account, and then click .

    3. Enter a name and description for the Security Group.

      The new NSG will be created with default rules:

    Set an Azure Network Security Group to Manage Mode

    This procedure describes how to set an Azure account in Dome9 to Manage mode. The account must first be onboarded to Dome9.

    In Manage mode, you will be able to manage the Security Groups for the account from Dome9.

    1. On the Dome9 console, navigate to the Cloud Accounts page in Network Security.

    2. Click on the Azure account.

    3. Move the switch to MANAGED.

    4. Click OK to confirm the change.

      Note: You can also switch the account back to Read Only. In this mode, you cannot set Security Groups from Dome9.

    Modify an Azure Network Security Group

    You can modify details for an Azure NSG in the Dome9 console. The NSG must be in Manage mode. You can add, remove, or modify rules for the NSG.

    1. Navigate to the Security Groups page in Network Security. A list of your Security Groups, for all your accounts, will be shown.

    2. Click on the Azure NSG of interest in the list.

    3. Click on EDIT MODE.

    4. Click "Click to add new rule".

    5. Enter details for the rule.

      For example, an SSH rule:

      Set the following parameters for the Security Group:

      Service Type - contains a list of predefined services; selecting a type automatically fills most of the required fields.

      Action - Deny or Allow - Type of access to apply if the rule matches.

      Priority - Rules are checked in order of priority. Once a rule matches, no further rules are tested.

      Protocol - TCP, UDP, or *

      Destination port range - Destination port range to match for the rule.

      Source scope - Source address prefix or tag to match for the rule.

      Name - Name for the rule.

      For more information, see https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg

    6. When the NSG contains several rules, you can drag the new rule and place it between other rules.

      DenyMSSQL before dragging it to another priority:

      DenyMSSQL after the drag to another priority:

      Note - you can also drag the "+ Drag or Click to add new rule" bar between rules to create a rule directly at that location.

    7. Click Save Changes.
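    The priority semantics in the rule parameters above (rules are checked in priority order and the first match ends evaluation) decide what a drag in step 6 actually changes. The Python model below is an added illustration, not code from Dome9 or Azure: it evaluates a constructed inbound rule set the way an NSG does and shows how moving DenyMSSQL to an earlier priority changes the verdict for the same packet. The rule fields, the constructed addresses, the assumed VirtualNetwork address space and the SERVICE_TAGS mapping are assumptions made for the example; the three default inbound rules (AllowVNetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) are Azure's documented defaults, simplified here to ignore destination matching.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int       # lower value is evaluated first; must be unique per direction
    action: str         # "Allow" or "Deny"
    protocol: str       # "TCP", "UDP" or "*"
    dest_ports: str     # "22", "1000-2000", "80,443" or "*"
    source: str         # CIDR, "*" or a service tag resolved via SERVICE_TAGS


# Constructed for this example: how the service tags used below resolve.
SERVICE_TAGS: Dict[str, List[str]] = {
    "VirtualNetwork": ["10.0.0.0/16"],          # assumed VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure's load-balancer probe address
}

# Azure's documented default inbound rules (destination matching omitted here).
DEFAULT_INBOUND = [
    NsgRule("AllowVNetInBound", 65000, "Allow", "*", "*", "VirtualNetwork"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "*", "AzureLoadBalancer"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed custom rules, as they might look after step 5 above.
CUSTOM_INBOUND = [
    NsgRule("AllowSSH", 100, "Allow", "TCP", "22", "203.0.113.0/24"),
    NsgRule("AllowCorp", 200, "Allow", "TCP", "*", "10.0.0.0/8"),
    NsgRule("DenyMSSQL", 300, "Deny", "TCP", "1433", "*"),
]


def _port_matches(spec: str, port: int) -> bool:
    """Match a single port, a range "a-b", a comma list, or "*"."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _source_matches(spec: str, src_ip: str) -> bool:
    """Match "*", a CIDR, or a service tag expanded through SERVICE_TAGS."""
    if spec == "*":
        return True
    addr = ip_address(src_ip)
    return any(addr in ip_network(cidr, strict=False) for cidr in SERVICE_TAGS.get(spec, [spec]))


def evaluate(rules: List[NsgRule], src_ip: str, protocol: str, dest_port: int) -> Tuple[str, str]:
    """Return (rule name, action) of the first match in ascending priority order.

    Once a rule matches, nothing after it is consulted; the default DenyAllInBound
    at priority 65500 guarantees that some rule always matches.
    """
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if not _port_matches(rule.dest_ports, dest_port):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        return rule.name, rule.action
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


def reprioritize(rules: List[NsgRule], name: str, new_priority: int) -> List[NsgRule]:
    """Model the console drag in step 6: move one rule to a new priority."""
    if any(r.priority == new_priority for r in rules if r.name != name):
        raise ValueError(f"priority {new_priority} is already used by another rule")
    return [replace(r, priority=new_priority) if r.name == name else r for r in rules]


if __name__ == "__main__":
    packet = ("10.1.2.3", "TCP", 1433)  # a corporate host reaching SQL Server
    print("before drag:", evaluate(CUSTOM_INBOUND, *packet))   # AllowCorp wins at 200
    moved = reprioritize(CUSTOM_INBOUND, "DenyMSSQL", 150)
    print("after drag: ", evaluate(moved, *packet))            # DenyMSSQL now wins at 150
```

    The point the model makes is that DenyMSSQL at priority 300 never sees traffic that AllowCorp at 200 has already accepted; dragging it above AllowCorp is what makes the deny effective, and the unique-priority check mirrors the constraint Azure enforces on rules in the same direction.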

    Apply Tamper Protection to an Azure NSG

    You can apply Tamper Protection to an Azure Security Group. Tamper Protection detects unauthorized changes made to the Security Group (that is, changes not made in Dome9), and rolls them back to the settings you define in Dome9. 

    You can only apply Tamper Protection to Azure NSGs in an account that is Managed.

    1. Navigate to the Security Groups page in Network Security. A list of your Security Groups, for all your accounts, will be shown.

    2. Click on the Azure NSG of interest in the list.

    3. Move the TAMPER PROTECTION switch to ON.
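    Tamper Protection, as described above, compares the Security Group in Azure with the rules defined in Dome9 and rolls back anything that differs. The Python below is an added example of that compare-and-restore logic, not Dome9's implementation: it takes a constructed desired rule set and a constructed observed rule set in which one rule was widened, one deleted and one added outside Dome9, computes the drift, and produces the operations that restore the desired state. Rule names, addresses and the three operation names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str
    protocol: str
    dest_ports: str
    source: str


# Constructed: the rule set defined in Dome9 for the NSG.
DESIRED = [
    Rule("AllowSSH", 100, "Allow", "TCP", "22", "203.0.113.0/24"),
    Rule("DenyMSSQL", 150, "Deny", "TCP", "1433", "*"),
    Rule("AllowWeb", 200, "Allow", "TCP", "80,443", "*"),
]

# Constructed: what a later read of the NSG from Azure shows after changes made
# outside Dome9: SSH widened to any source, DenyMSSQL deleted, AllowRDP added.
OBSERVED = [
    Rule("AllowSSH", 100, "Allow", "TCP", "22", "*"),
    Rule("AllowRDP", 110, "Allow", "TCP", "3389", "*"),
    Rule("AllowWeb", 200, "Allow", "TCP", "80,443", "*"),
]


def diff_rules(desired: List[Rule], observed: List[Rule]) -> Tuple[List[str], List[str], List[str]]:
    """Return rule names (added, removed, changed) in the observed NSG relative to the desired state."""
    d = {r.name: r for r in desired}
    o = {r.name: r for r in observed}
    added = sorted(o.keys() - d.keys())
    removed = sorted(d.keys() - o.keys())
    changed = sorted(n for n in d.keys() & o.keys() if d[n] != o[n])
    return added, removed, changed


def rollback_plan(desired: List[Rule], observed: List[Rule]) -> List[Tuple[str, Rule]]:
    """Operations that bring the observed NSG back to the desired state."""
    d = {r.name: r for r in desired}
    o = {r.name: r for r in observed}
    added, removed, changed = diff_rules(desired, observed)
    plan = [("delete", o[n]) for n in added]       # rules nobody defined in Dome9
    plan += [("create", d[n]) for n in removed]    # rules that went missing
    plan += [("update", d[n]) for n in changed]    # rules whose fields were edited
    return plan


def apply_plan(observed: List[Rule], plan: List[Tuple[str, Rule]]) -> List[Rule]:
    """Apply the plan to a copy of the observed state; return the result ordered by priority."""
    state = {r.name: r for r in observed}
    for op, rule in plan:
        if op == "delete":
            del state[rule.name]
        else:  # "create" and "update" both write the desired definition
            state[rule.name] = rule
    return sorted(state.values(), key=lambda r: r.priority)


if __name__ == "__main__":
    for op, rule in rollback_plan(DESIRED, OBSERVED):
        print(f"{op:6} {rule.name:10} priority={rule.priority} source={rule.source}")
```

    Keying the comparison on rule name is what lets the plan distinguish an edited rule (update) from a foreign one (delete); after the plan is applied, the observed rule set is field-for-field identical to the one defined in Dome9, which is the guarantee Tamper Protection provides for a Managed account.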