October 18, 2017
We recently came across a client who wished to secure some of their Azure VMs by white listing IP addresses. After clicking around, we decided to share what we found.
This is a much easier task to accomplish when setting up the machine in the first place (which we’ll also step through below) but what happens once you’ve deployed a machine and need to set this firewall once everything is in production? Let’s also go ahead and make the assumption that you, like me, don’t remember the name of the security group you probably quickly clicked through when setting up the VM in the first place…
In the Azure portal – navigate to the blade containing the information on the virtual machine you wish to configure and select the virtual network that contains the VM (you could presumably navigate right to the VNET itself, but again, let’s assume you don’t have that information readily available).
Once you are inside the virtual network, you will need to select the device you wish to alter (yes, I know you just came FROM the device… select it again).
Now that you are inside of the device management in the VNET you can select the network security group that is managing access to this device. If you did not make changes during the initial deployment of this VM, it will be named similar to the virtual machine with a ‘-nsg’ suffix.
Once inside of the Network security group, you can manage the “Inbound Security Rules”.
Add a new rule …
Change the “Source” drop down to indicate that you wish to control via IP Address… and change the Source IP address range (this can be a comma separated list of multiple IP addresses if you need to clear multiple locations). Lastly, identify the Source and Destination port range you wish to clear for this IP range.
Click save and allow it a few minutes to configure the network security group. The list of Inbound Security Rules should automatically refresh when configured to display your new, cleared IP address for access.
Voila, you’re all set.
Of course, if you knew of this requirement up front you always could have just done this process when establishing the VM in the first place…
Configuring this setup during the creation of the VM is a much simpler process (of course) and simply requires you to create the new network security group during “Phase 3” of the setup wizard. If you have already configured a network security group previously, you can also utilize an existing group at this stage as well.
Click “Create new” and navigate to the “Advanced” settings. Just like in the previous section, drop the Source to “IP Addresses” and fill out the IP Addresses (comma separated works) and Source and Destination port ranges you wish to clear.
Click save when finished and continue with the deployment of the virtual machine.
It’s easier to define the network security group when you are creating a VM, but sometimes that requirement may not arise until after the machine is already deployed. Further, should IP ranges change or you need to add additional IPs or ports into the firewall, knowing how to navigate from the VM blade to the network security group to manage these settings is a useful thing to know.