
I'm having some difficulties when creating a VNET/Subnet. I'm also making use of ASE and for that I can only use a Classic VNET.

Azure offers two types of VNET. Depending on how you create it (via Azure Portal, xplat-cli, old portal, PowerShell) this VNET can be "Classic" (indicated by the "<...>" icon in blue) or "Resource Manager" (indicated by the "<...>" icon in green).

As far as I can see, it doesn't seem possible to assign a NSG to a Classic VNET. Does it mean that I cannot have a NSG over my ASE (because ASE can only be created on top of Classic VNETs)? This doesn't seem right..

Cesar

3 Answers


Assuming you use PowerShell, the Set-AzureNetworkSecurityGroupToSubnet cmdlet in service management mode will associate a NSG with a subnet.

Update:

PS> Switch-AzureMode AzureServiceManagement
PS> (Get-AzureVNetSite -VNetName "Group vnetnsg vnetnsg").Subnets

Name     AddressPrefix ExtensionData
----     ------------- -------------
default  10.0.0.0/24
subnet-1 10.0.1.0/24

PS> New-AzureNetworkSecurityGroup -Name "NsgOnSubnet" -Location "West Europe"

Name        Location    Label
----        --------    -----
NsgOnSubnet West Europe

PS> Set-AzureNetworkSecurityGroupToSubnet -Name NsgOnSubnet -VirtualNetworkName "Group vnetnsg vnetnsg" -SubnetName "subnet-1"
PS> Get-AzureNetworkSecurityGroupAssociation -VirtualNetworkName "Group vnetnsg vnetnsg" -SubnetName "subnet-1"

Name        Location    Label
----        --------    -----
NsgOnSubnet West Europe
MrBink
  • That command only works if the VNET is a "Resource Manager" one. In my case, I need to associate a NSG to a subnet whose VNET was created as "Classic". – Cesar Sep 11 '15 at 08:00
  • See update for example in service management, i.e. "classic" VNets. Provide the commands you're running if you're unable to associate a NSG to a subnet in a VNet. – MrBink Sep 11 '15 at 08:27
  • Using the given PowerShell cmdlets it works! This seems to be the only possible way to set it up now (using PowerShell)..NSG options are only available via the Portal when the VNET is created as "Classic". I wonder if this is still under development by Microsoft..I have to use multiple ways to configure Azure in order to get my environment working. Some functions are specific to PowerShell, xplat-cli, the old Azure portal or the preview Azure portal..Which is bad :/ Thx, MrBink. – Cesar Sep 11 '15 at 09:13
  • The portals are definitely in a state of flux. Currently, the CLI clients, i.e. Azure PowerShell and xplat-cli, offer the most consistent experience and the full capabilities of Azure despite the disparities between ASM and ARM modes. I would recommend spending some time learning the CLI tools -- it'll pay dividends when you start automating the environment. – MrBink Sep 11 '15 at 10:29
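The classic (ASM) procedure from the accepted answer, carried through as an added example that is not part of the original answer: create the NSG, give it explicit inbound rules, associate it with the classic subnet and then verify the association and the effective rule set. The VNet, subnet and location names are taken from the answer; the NSG name and the 203.0.113.0/24 admin range are placeholders.

```powershell
# Added example, classic (service management) mode, Azure PowerShell 0.9.x-era cmdlets.
# Assumed from the answer: VNet "Group vnetnsg vnetnsg", subnet "subnet-1", location "West Europe".
# Placeholders: NSG name "NsgOnSubnet-Hardened" and the admin range 203.0.113.0/24.
Switch-AzureMode AzureServiceManagement

$vnetName   = "Group vnetnsg vnetnsg"
$subnetName = "subnet-1"
$location   = "West Europe"
$nsgName    = "NsgOnSubnet-Hardened"
$adminCidr  = "203.0.113.0/24"   # placeholder: only this range may reach RDP

# 1. Create the NSG, or reuse it if a previous run already created it.
$nsg = Get-AzureNetworkSecurityGroup -Name $nsgName -ErrorAction SilentlyContinue
if (-not $nsg) {
    $nsg = New-AzureNetworkSecurityGroup -Name $nsgName -Location $location
}

# 2. Explicit inbound rules. Lower priority numbers are evaluated first; anything not
#    matched falls through to the built-in DENY ALL INBOUND rule at priority 65500.
$nsg = Set-AzureNetworkSecurityRule -NetworkSecurityGroup $nsg -Name "allow-https-internet" `
    -Type Inbound -Priority 100 -Action Allow -Protocol TCP `
    -SourceAddressPrefix INTERNET -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 443
$nsg = Set-AzureNetworkSecurityRule -NetworkSecurityGroup $nsg -Name "allow-rdp-admin" `
    -Type Inbound -Priority 110 -Action Allow -Protocol TCP `
    -SourceAddressPrefix $adminCidr -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389

# 3. Associate the NSG with the classic subnet (the step the answer demonstrates).
Set-AzureNetworkSecurityGroupToSubnet -Name $nsgName -VirtualNetworkName $vnetName -SubnetName $subnetName

# 4. Verify: the subnet must now point at our NSG, and the detailed view must list
#    our rules alongside the platform defaults.
$assoc = Get-AzureNetworkSecurityGroupAssociation -VirtualNetworkName $vnetName -SubnetName $subnetName
if ($assoc.Name -ne $nsgName) {
    throw "NSG '$nsgName' is not associated with $vnetName/$subnetName (found '$($assoc.Name)')"
}
(Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed).Rules |
    Sort-Object Priority |
    Format-Table Name, Type, Priority, Action, SourceAddressPrefix, DestinationPortRange -AutoSize
```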

This Microsoft article explains where NSGs can be applied in both Classic and ARM deployment methods, and neither specifies the entire VNet; the closest option you have is the Subnet, which ought to provide the same functionality, even if you have to apply the same NSG to multiple subnets if you have more than one.

If you want to block traffic between VMs in the same subnet, you'd need to apply the NSG against the VM (classic) or NIC (ARM).

There's a great ARM template here which shows how to set up NSGs and apply them to subnets. If you wanted to do the same to a NIC, see the below extract (assumes the NSG has already been created):

{
  "apiVersion": "2015-06-15",
  "type": "Microsoft.Network/networkInterfaces",
  "name": "nicName",
  "location": "[resourceGroup().location]",
  "properties": {
    "ipConfigurations": [
      {
        "name": "yourNICName",
        "properties": {
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('yourNSGName'))]"
          },
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[variables('yourSubnetRef')]"
          }
        }
      }
    ]
  }
},
AndyHerb

For a VNET and Network Security Group created using the Resource Manager deployment model:

New-AzureRmResourceGroup -Name TestResourceGroup -Location centralus
$frontendSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name frontendSubnet -AddressPrefix "10.0.1.0/24"

$virtualNetwork = New-AzureRmVirtualNetwork -Name MyVirtualNetwork -ResourceGroupName TestResourceGroup `
    -Location centralus -AddressPrefix "10.0.0.0/16" -Subnet $frontendSubnet

$rdpRule = New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" -Access Allow `
    -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

$networkSecurityGroup = New-AzureRmNetworkSecurityGroup -ResourceGroupName TestResourceGroup `
    -Location centralus -Name "NSG-FrontEnd" -SecurityRules $rdpRule

Set-AzureRmVirtualNetworkSubnetConfig -Name frontendSubnet -VirtualNetwork $virtualNetwork `
    -AddressPrefix "10.0.1.0/24" -NetworkSecurityGroup $networkSecurityGroup
$virtualNetwork | Set-AzureRmVirtualNetwork

This example creates a resource group with one virtual network containing just one subnet. It then creates a network security group with an allow rule for RDP traffic. The Set-AzureRmVirtualNetworkSubnetConfig cmdlet is used to modify the in-memory representation of the frontend subnet so that it points to the newly created network security group. The Set-AzureRmVirtualNetwork cmdlet is then called to write the modified state back to the service.

Samir
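The rdp-rule in the answer above admits port 3389 from the whole Internet. As an added example that is not part of the original answer, the following AzureRm script narrows that rule in place, adds an explicit deny behind it, commits the change with Set-AzureRmNetworkSecurityGroup, and then checks the stored rule set for any remaining public RDP allow. Resource group and NSG names are taken from the answer; the 203.0.113.0/24 admin range is a placeholder.

```powershell
# Added example, Resource Manager mode, AzureRm cmdlets as in the answer above.
# Assumed from the answer: resource group "TestResourceGroup", NSG "NSG-FrontEnd", rule "rdp-rule".
# Placeholder: the management range 203.0.113.0/24.
$rgName    = "TestResourceGroup"
$nsgName   = "NSG-FrontEnd"
$adminCidr = "203.0.113.0/24"

# Load the NSG created by the answer's script.
$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

# Rewrite rdp-rule in the in-memory object: same name and priority, but only the admin range as source.
$nsg = Set-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "rdp-rule" `
    -Description "Allow RDP from admin range only" -Access Allow -Protocol Tcp -Direction Inbound `
    -Priority 100 -SourceAddressPrefix $adminCidr -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389

# Explicit deny for Internet-sourced RDP. Any allow added later with a higher priority number
# than 110 loses to it, so the exposure cannot quietly return through an appended rule.
$nsg = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "deny-rdp-internet" `
    -Description "Deny RDP from Internet" -Access Deny -Protocol Tcp -Direction Inbound `
    -Priority 110 -SourceAddressPrefix Internet -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389

# Nothing above has reached Azure yet; this call writes the modified NSG back to the service.
$nsg = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Verify against the stored object: no inbound Allow may expose 3389 (or all ports) to a public source.
$wideOpen = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
    ($_.DestinationPortRange -contains "3389" -or $_.DestinationPortRange -contains "*") -and
    ($_.SourceAddressPrefix -contains "*" -or $_.SourceAddressPrefix -contains "Internet")
}
if ($wideOpen) {
    throw "RDP still reachable from the Internet via rule(s): $($wideOpen.Name -join ', ')"
}
$nsg.SecurityRules | Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```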