Since Azure introduced the Azure Resource Manager (ARM) deployment model, I have seen the Network Security Group (NSG) feature mature to the point where its rule configuration looks and behaves much like the web GUI of an ordinary firewall appliance.

While working on an IT transformation project for a client in the UK, where we are migrating their IaaS (Infrastructure as a Service) hosting from an on-premises data centre to Azure, we hit a simple question that most network support teams ask sooner or later:

Can you please configure Azure NSG to allow ICMP traffic into the subnet?

We searched the Microsoft Azure documentation (official and unofficial) and asked Microsoft Support engineers, but got no usable answer from either. We then searched the web and found the post below by Thomas, buried well down the normal search results (thanks a lot Thomas, you saved us):

Azure Quick Tip: Block or Allow ICMP using Network Security Groups

We are set to test this over the weekend. The most relevant content is reproduced below, with the code taken as-is and full credit to the original author.


Now how can we block all traffic but allow ICMP? Simple, by explicitly denying UDP and TCP but allowing *. In this example I included the allow rule, but it should be covered by the default rules anyhow.

#allow ping, block UDP/TCP

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockTCP -Type Inbound -Priority 40000 -Action Deny -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "TCP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockUDP -Type Inbound -Priority 40001 -Action Deny -SourceAddressPrefix "*"  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "UDP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-Azure

If we want to work the other way round, allow UDP/TCP but block ICMP, we can turn the logic around:

#block ping, allow UDP/TCP

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowTCP -Type Inbound -Priority 40000 -Action Allow -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "TCP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowUDP -Type Inbound -Priority 40001 -Action Allow -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "UDP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockPing -Type Inbound -Priority 40002 -Action Deny -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "*"

The source/destination information is pretty open as I use * for those, but that’s just an example here. It’s up to you to decide for which ranges to apply this. And you might probably open up some additional ports for actual traffic to be allowed.

The current NSG rules only allow for protocols ‘TCP’ or ‘UDP’. There is not a specific tag for ‘ICMP’. However, ICMP traffic is allowed within a Virtual Network by default through the Inbound VNet rules that allow traffic from/to any port and protocol ‘*’ within the VNet.

Again, we are very grateful for this post, and to the colleague of Thomas who verified it, for giving us something concrete to implement and confirm. We are waiting for approval from the Change Management team before implementing it, and will report back with the result.
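The commands quoted above use the classic (ASM) Get-AzureNetworkSecurityGroup / Set-AzureNetworkSecurityRule cmdlets. The block below is an added example of my own, not code from this post or from Thomas's blog, expressing the same two rule sets (ICMP-only inbound, or TCP/UDP inbound with ICMP blocked) with the ARM-model Az.Network cmdlets. The resource group, NSG name, prefixes, rule names and 4000-series priorities are assumptions. Two points differ from the classic commands and matter in practice: ARM NSG priorities must lie between 100 and 4096, so the 40000-series values above would be rejected; and the default inbound rules only allow traffic sourced from the VNet (AllowVnetInBound, priority 65000) before DenyAllInBound (65500), so ICMP arriving from outside the VNet is dropped unless an explicit Allow rule exists. Current Az.Network versions also accept Icmp as a protocol value, which is noted in a comment as the tighter choice where available.

```powershell
# Added example (not from the original post or Thomas's blog). Applies either
# "allow ICMP only" or "block ICMP" inbound rule set to an ARM-model NSG.
# Assumes Az.Network is installed and Connect-AzAccount has been run.

function Set-NsgIcmpPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,   # assumed
        [Parameter(Mandatory)] [string] $NsgName,             # assumed
        [string] $SourcePrefix = '*',          # narrow to the peer range in production
        [string] $DestinationPrefix = '*',     # narrow to the subnet CIDR in production
        [ValidateSet('AllowIcmpOnly', 'BlockIcmp')] [string] $Mode = 'AllowIcmpOnly',
        [int] $BasePriority = 4000             # ARM NSG priorities must be 100..4096
    )

    # Rules are evaluated lowest priority number first; the first match wins.
    # AllowIcmpOnly: deny TCP, deny UDP, then allow '*' (ICMP and any other
    #                non-TCP/UDP IP protocol). On current Az.Network the last
    #                rule can use Protocol = 'Icmp' instead of '*' so that only
    #                ICMP, not ESP/AH/etc., is admitted.
    # BlockIcmp:     allow TCP, allow UDP, then deny '*'.
    if ($Mode -eq 'AllowIcmpOnly') {
        $rules = @(
            @{ Name = 'DenyTcpIn';   Access = 'Deny';  Protocol = 'Tcp' },
            @{ Name = 'DenyUdpIn';   Access = 'Deny';  Protocol = 'Udp' },
            @{ Name = 'AllowRestIn'; Access = 'Allow'; Protocol = '*'   }
        )
    } else {
        $rules = @(
            @{ Name = 'AllowTcpIn';  Access = 'Allow'; Protocol = 'Tcp' },
            @{ Name = 'AllowUdpIn';  Access = 'Allow'; Protocol = 'Udp' },
            @{ Name = 'DenyRestIn';  Access = 'Deny';  Protocol = '*'   }
        )
    }

    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName

    $priority = $BasePriority
    foreach ($r in $rules) {
        $common = @{
            NetworkSecurityGroup     = $nsg
            Name                     = $r.Name
            Direction                = 'Inbound'
            Priority                 = $priority
            Access                   = $r.Access
            Protocol                 = $r.Protocol
            SourceAddressPrefix      = $SourcePrefix
            SourcePortRange          = '*'
            DestinationAddressPrefix = $DestinationPrefix
            DestinationPortRange     = '*'
        }
        # Add-* fails when a rule of that name already exists, so update in place instead.
        if ($nsg.SecurityRules | Where-Object Name -eq $r.Name) {
            $nsg = Set-AzNetworkSecurityRuleConfig @common
        } else {
            $nsg = Add-AzNetworkSecurityRuleConfig @common
        }
        $priority++
    }

    # Rule edits are local to the in-memory object until the NSG is written back.
    $nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

    # Return the custom inbound rules in evaluation order so the caller can confirm
    # that the '*' rule sorts after the TCP/UDP rules. The default rules
    # (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500)
    # are evaluated only after all of these.
    $nsg.SecurityRules |
        Where-Object Direction -eq 'Inbound' |
        Sort-Object Priority |
        Select-Object Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationAddressPrefix
}

# Usage with assumed names: allow only ICMP into a subnet, from anywhere.
# Set-NsgIcmpPolicy -ResourceGroupName 'rg-example' -NsgName 'NSG-1' `
#     -DestinationPrefix '10.0.1.0/24' -Mode AllowIcmpOnly
```

After the call, check the returned table for the three rules in ascending priority and, if the subnet must also accept real service traffic, add the specific TCP/UDP allow rules at priorities below the deny rules; otherwise the DenyTcpIn/DenyUdpIn pair will shadow them.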
