The virtual networking layer includes virtual network adapters, virtual switches, distributed virtual switches, and ports and port groups. ESXi
relies on the virtual networking layer to support communications between VMs and their users. In addition, ESXi uses the virtual networking layer to communicate with iSCSI SANs, NAS storage, and so on. vSphere includes the full array of features necessary for a secure networking infrastructure. You can
secure each element of the infrastructure, such as virtual switches, distributed virtual switches, and virtual network adapters, separately. In addition, consider the following guidelines, discussed in more detail in
Securing vSphere Networking. For the list of all supported ports
and protocols in VMware products, including vSphere and vSAN, see the VMware Ports and Protocols Tool™ at //ports.vmware.com/. You can search ports by VMware product, create a customized list of ports, and print or save port lists.
Virtual switches and distributed virtual switches provide significant protection when used with other common security practices, such as installing firewalls. See
Securing vSphere Networking. Consider VLANs to protect your environment ESXi supports IEEE 802.1q VLANs. VLANs let you segment a physical network.
You can use VLANs to further protect the VM network or storage configuration. When you use VLANS, two VMs on the same physical network cannot send packets to or receive packets from each other unless they are on the same VLAN. See
Securing Virtual Machines with VLANs. Secure connections to virtualized storage A VM stores operating system files, application files, and other data on a virtual disk. Each virtual disk appears to the VM as a SCSI drive that is connected to a SCSI controller. A
VM is isolated from storage details and cannot access the information about the LUN where its virtual disk resides. The Virtual Machine File System [VMFS] is a distributed file system and volume manager that presents virtual volumes to the
ESXi host. You are responsible for securing the connection to storage. For example, if you are using iSCSI storage, you can set up your environment to use CHAP. If required by company policy, you can set up mutual CHAP. Use the vSphere Client or CLIs to set up CHAP. See Storage Security Best Practices. Evaluate the use of IPSec ESXi
supports IPSec over IPv6. You cannot use IPSec over IPv4. See Internet
Protocol Security.
In this blog, I am going to be summarising how you can secure your Virtual network [vNET] with a combination of Azure Firewall and Network Security Group [NSG] Considerations for this will be that the environment will be a hub-spoke setup, link to test environment of this deployment is found at the bottom of this blog post As part of this deployment, which else will need to be considered? Whenever you create a vNET with multiple subnets; each subnet will automatically be assigned default system routes. Additional system routes cannot be added nor current ones edited but with the creation of a User Defined Routetable [UDR] – will override any default system route with your created UDR.Lets look at these additional considerations
Azure Routing
The default system routes:-
Default | Unique to the virtual network | Virtual network |
Default | 0.0.0.0/0 | Internet |
Default | 10.0.0.0/8 | None |
Default | 172.16.0.0/12 | None |
Default | 192.168.0.0/16 | None |
Default | 100.64.0.0/10 | None |
Next hop…
The next hop represents how Azure routes specific traffic to the destination address, hops above explained:-
- Virtual Network: Traffic destined to an address range within the vNET will be routed within the virtual network.
- Internet: When destination traffic is Internet-bound, the traffic flow will use the default route of 0.0.0.0/0 providing no User Defined Routes are in place or this will be overwritten if a UDR matches.
- None: Traffic being routed to none, Azure will drop the traffic. As shown above, Azure creates these routes for private IP addresses found in RFC 1918 & RFC 6598
Additional reading
How Azure Selects A Route
Azure Custom Routes
Azure Optional Default Routes
Azure Application Security Groups [ASGs] and how they are deployed along with a NSG
ASGs are used within a NSG to apply a network security rule to a specific workload or group of VMs – defined by ASG worked as being the “network object” & expilicit IP addresses are added to this object.
This provides the capability to group VMs into associated groups or workloads, simplifying the NSG rule definition process.
Another great use of this is for scalability, creating the virtual machine and assigning the newly created virtual machine to its ASG will provide it with all the NSG rules in place for that specific ASG – zero distribution to your service!
Additional reading
ASGs & NSGs Simplified
Why deploy both Azure Firewall & NSG?
Azure NSGs complement the Azure Firewall Service. Azure Firewall is a fully stateful, network firewall-as-a-service application that provides network and application level protection from usually a centralised network [Hub-Spoke]
Whereas NSGs are used to provide the required network traffic filtering to limit traffic within a Virtual Network, including on a subnet level. Assigning the NSG to each Virtual Machine rather than Subnet will allow you to restrict network access on a per VM basis
Together they become “one” to provide a “defense in depth” security strategy, in this strategy – you would have the Azure Firewall configured at the perimeter of your network to control inbound/outbound traffic where NSG would been configured to control inbound/outbound traffic within your Virtual Network on a Virtual Machine-level basis
What should I use Azure Firewall for?
Azure Firewall as mentioned should be used as the perimeter protection, any traffic that may need to enter or leave a vNET, whether than be to another vNET via Peering or to the internet, its next hop should be the Azure Firewall.
Apart from firewall rules, what else can the Azure Firewall do?
- Stateful firewall as a service
- Highly availability and cloud scale:- Scales when required, no user interaction needed!
- Policies:- Multiple policies can be created for filtering traffic including outbound HTTP[s] and additional network filtering controls
- FQDN filtering
- Intelligent near real-time security:- Microsoft built-in threat intelligence-based filtering
- DNAT/SNAT configuration
- Centralised logging and analytics:- Fully integrated, built in monitoring
What should I use Network Security Groups for?
As Azure Firewall will be monitoring the perimeter of your network, consider using NSGs for the inter-VM traffic inside your Virtual Network.
You may want to have one NSG per Virtual Network or depending on the requirements and controls you have in place – one NSG per environment can be suffice as well [ rule maximum restriction[s]]
Consider applying the NSG to the Virtual Machine NIC rather than the subnet, this will allow you to restriction inter-VM traffic on a per Virtual Machine level rather than per subnet.
Also use Application Security Groups where possible as well, I have blogged about this previously here
Service endpoint restrictions have also been implemented into NSG deployments – read further here
There is also diagnostic logging that can be enabled to view NSG flow logs and additional network information that can assist in troubleshooting connectivity
How can I see both deployed?
I’ve created a test hub-spoke environment that includes both Azure Firewall and NSG/ASG Integration using PowerShell found here
The test environment will give you an indication into how to configure Azure Firewall / NSG in a hub-spoke environment.
Got additional queries – give me a shout on Twitter or contact me via this blog