How To Restrict Traffic Between Two Azure Subnets
akhilsharmaazuresecuritynetwork

How To Restrict Traffic Between Two Azure Subnets

Restricting traffic between two Azure subnets is an important aspect of securing your Azure virtual network. By using Network Security Groups (NSGs), you can control inbound and outbound traffic to and from your subnets, and ensure that only authorized traffic is allowed to pass. In this blog post, we will discuss how to restrict traffic between two Azure subnets using NSG, including code examples.

The first step in restricting traffic between two Azure subnets is to create two subnets in your virtual network. This can be done through the Azure portal or via Azure PowerShell. To create a subnet via the Azure portal, navigate to the virtual network settings, select "Subnets" and then create a new subnet. To create a subnet via Azure PowerShell, you can use the following command:

New-AzVirtualNetworkSubnetConfig -Name <Subnet-Name> -AddressPrefix <Subnet-CIDR> -VirtualNetwork $vnet

In the above command, replace <Subnet-Name> with the name of the subnet and <Subnet-CIDR> with the CIDR notation of the subnet.

Once the subnets are created, you'll need to create an NSG for each subnet. This can be done through the Azure portal or via Azure PowerShell. To create an NSG via the Azure portal, navigate to the subnet settings, select "Network security group" and then create a new NSG. To create an NSG via Azure PowerShell, you can use the following command:

New-AzNetworkSecurityGroup -Name <NSG-Name> -ResourceGroupName <Resource-Group-Name> -Location <Location>

In the above command, replace <NSG-Name> with the name of the NSG, <Resource-Group-Name> with the name of the resource group and <Location> with the location of the NSG.

Once the NSGs are created, you'll need to create a rule to restrict traffic between the subnets. This can be done by creating a new inbound or outbound security rule in the NSG. To create a rule via the Azure portal, navigate to the NSG settings, select "Inbound security rules" or "Outbound security rules" and then create a new rule. To create a rule via Azure PowerShell, you can use the following command:

New-AzNetworkSecurityRuleConfig -Name <Rule-Name> -Protocol <Protocol> -Direction <Direction> -Priority <Priority> -SourceAddressPrefix <Source-CIDR> -SourcePortRange <Source-Port-Range> -DestinationAddressPrefix <Destination-CIDR> -DestinationPortRange <Destination-Port-Range> -Access <Access> -Description <Description>

In the above command, replace <Rule-Name> with the name of the rule, <Protocol> with the protocol of the rule (TCP, UDP, etc.), <Direction> with the direction of the rule (Inbound or Outbound), <Priority> with the priority of the rule, <Source-CIDR> with the CIDR notation of the source subnet, <Source-Port-Range> with the port range of the source subnet, <Destination-CIDR> with the CIDR notation of the destination subnet, <Destination-Port-Range>with the port range of the destination subnet,<Access>with the access level (Allow or Deny) and<Description> with a description of the rule.

For example, the following command can be used to block all inbound traffic from subnet 1 to subnet 2:

New-AzNetworkSecurityRuleConfig -Name "Block-Traffic-Subnet1-to-Subnet2" -Protocol * -Direction Inbound -Priority 100 -SourceAddressPrefix <Subnet1-CIDR> -SourcePortRange * -DestinationAddressPrefix <Subnet2-CIDR> -DestinationPortRange * -Access Deny -Description "Block all traffic from subnet 1 to subnet 2"

It's important to note that the above rule will block all traffic between the two subnets. If you need to allow specific traffic, you can create additional rules with a higher priority and specific source and destination ports.

You can also create an NSG association to associate an NSG with a subnet, this can be done via the azure portal or Azure PowerShell.

To associate an NSG with a subnet via Azure PowerShell, you can use the following command:

$subnet = Get-AzVirtualNetworkSubnetConfig -Name <subnet-name> -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetworkSubnetConfig $subnet -NetworkSecurityGroup $nsg

In the above command, replace <subnet-name> with the name of the subnet, and $vnet and $nsg with the virtual network and NSG objects respectively.

By following these steps, you can restrict traffic between two Azure subnets using NSG. This will help you to secure your virtual network and ensure that only authorized traffic is allowed to pass. It's important to note that NSG rules are processed in order of priority, so it's important to plan accordingly and set the priority of your rules accordingly. Additionally, it's important to test your rules before deploying them to production to ensure that they work as intended.

I hope this helps! Let me know if you have any questions.