Since Azure introduced its new Azure Resource Manager (ARM) deployment model, I have seen its Network Security Group (NSG) feature evolve to be very good, with a rule-editing experience similar to the web GUI of a normal firewall device.

While working on an IT transformation project for a client in the UK, where we are migrating their IaaS (Infrastructure as a Service) hosting from an on-premises DC to Azure, we hit upon a simple question which is generally asked by most network support teams.

Can you please configure Azure NSG to allow ICMP traffic into the subnet?

We searched the Microsoft Azure documentation (official and unofficial), asked the Microsoft Support Engineers and did not get a valid response from them. We decided to search the World Wide Web (www) for a possible answer and hit upon this blog post by Thomas, which was hidden from normal search results (thanks a lot Thomas, you saved us…)

Azure Quick Tip: Block or Allow ICMP using Network Security Groups

We are set to test this over the weekend. I am posting the most relevant content (the code taken as-is, without any damage to IP and copyrights)


Now how can we block all traffic but allow ICMP? Simple, by explicitly denying UDP and TCP but allowing *. In this example I included the allow rule, but it should be covered by the default rules anyhow.

#allow ping, block UDP/TCP
# Lower priority numbers are evaluated first; the two Deny rules match TCP and UDP,
# so only the remaining IP protocols (ICMP) reach the Allow "*" rule.

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockTCP -Type Inbound -Priority 40000 -Action Deny -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "TCP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockUDP -Type Inbound -Priority 40001 -Action Deny -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "UDP"

# The third command was truncated in the source. It is completed here following the
# pattern of the block-ping example on this page; the rule name AllowPing is assumed.
Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowPing -Type Inbound -Priority 40002 -Action Allow -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "*"

If we want to work the other way round: allow UDP/TCP but block ICMP, we can turn the logic around:

#block ping, allow UDP/TCP
# (The comment must sit on its own line; in the source it shared a line with the first
# command and would have commented it out. Curly quotes replaced with straight quotes.)

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowTCP -Type Inbound -Priority 40000 -Action Allow -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "TCP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowUDP -Type Inbound -Priority 40001 -Action Allow -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "UDP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockPing -Type Inbound -Priority 40002 -Action Deny -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "*"

The source/destination information is pretty open as I use * for those, but that’s just an example here. It’s up to you to decide for which ranges to apply this. And you might probably open up some additional ports for actual traffic to be allowed.

The current NSG rules only allow for protocols ‘TCP’ or ‘UDP’. There is not a specific tag for ‘ICMP’. However, ICMP traffic is allowed within a Virtual Network by default through the Inbound VNet rules that allow traffic from/to any port and protocol ‘*’ within the VNet.

Again, we are really thankful for this post, which documented the approach, and to a colleague of Thomas who verified it, which lets us implement and confirm it. We are waiting for approval from the Change Management team to implement it and provide a response.
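The commands quoted above use the classic (ASM) cmdlets, while the migration in question targets the ARM model mentioned at the top of the post. The following is an added example, not code from this post or from Thomas's blog, that applies the same deny-TCP, deny-UDP, allow-everything-else logic with the Az.Network module; the resource group name is assumed, and ARM rule priorities must fall within 100-4096.

```powershell
# Added example: "allow ping, block TCP/UDP" in the ARM deployment model.
# Assumptions: resource group "rg-example" (placeholder) and NSG "NSG-1" (from the post).
Import-Module Az.Network

$rgName  = "rg-example"   # assumed placeholder
$nsgName = "NSG-1"

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

# Shared parameters: any source/destination and any port. Narrow these to the
# address ranges that actually need ICMP before using this in production.
$common = @{
    NetworkSecurityGroup     = $nsg
    Direction                = 'Inbound'
    SourceAddressPrefix      = '*'
    SourcePortRange          = '*'
    DestinationAddressPrefix = '*'
    DestinationPortRange     = '*'
}

# Rules are evaluated from the lowest priority number upward; first match wins.
# Add-AzNetworkSecurityRuleConfig stages the rule on the in-memory NSG object.
Add-AzNetworkSecurityRuleConfig @common -Name 'DenyTCPInbound' -Protocol 'Tcp' -Access 'Deny'  -Priority 4000 | Out-Null
Add-AzNetworkSecurityRuleConfig @common -Name 'DenyUDPInbound' -Protocol 'Udp' -Access 'Deny'  -Priority 4001 | Out-Null

# Everything that is neither TCP nor UDP reaches this rule. In practice that is ICMP,
# but note it also admits other IP protocols (ESP, AH, GRE, ...). Without this rule,
# ICMP is still allowed from inside the VNet by the default AllowVnetInBound rule
# (priority 65000) but dropped from elsewhere by DenyAllInBound (priority 65500).
# Current Az.Network versions also accept -Protocol 'Icmp', which avoids this detour.
Add-AzNetworkSecurityRuleConfig @common -Name 'AllowOtherInbound' -Protocol '*' -Access 'Allow' -Priority 4002 | Out-Null

# Nothing is applied until the NSG object is written back to Azure.
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# Verify: list the custom rules in evaluation order.
(Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).SecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol -AutoSize
```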
