Defining priority-based rules for inbound and outbound traffic.
To control the flow of inbound and outbound network traffic to your cloud infrastructure, you can use security rules that act as a virtual firewall for your cloud resources. These rules can be defined in terms of priority, with lower numbers having a higher priority, meaning they are processed first.

In this example, we will use Azure's Network Security Groups (NSGs) to demonstrate how to define priority-based rules for inbound and outbound traffic. NSGs allow you to create security rules that control traffic based on several properties, such as source and destination IP addresses, port number, and protocol.

The goal is to create an NSG with a set of rules that define a security policy for your virtual network. For this example, we'll set up a simple configuration:
- An inbound rule that allows HTTP traffic (port 80) from the Internet to your virtual network with a high priority.
- An outbound rule that permits any outbound traffic from your virtual network to the Internet with a lower priority, acting as a catch-all rule.
Let's look at the Pulumi program written in TypeScript that accomplishes this.
```typescript
import * as azure from "@pulumi/azure-native";

// Create a resource group to contain all our resources
const resourceGroup = new azure.resources.ResourceGroup("my-resource-group");

// Create a network security group
const networkSecurityGroup = new azure.network.NetworkSecurityGroup("my-nsg", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    securityRules: [
        // Inbound security rule for HTTP traffic
        {
            name: "allow-http-inbound",
            priority: 100, // Lower number means higher priority
            direction: "Inbound",
            access: "Allow",
            protocol: "Tcp",
            sourcePortRange: "*",
            destinationPortRange: "80",
            sourceAddressPrefix: "Internet",
            destinationAddressPrefix: "*",
        },
        // Outbound security rule to allow all outgoing traffic
        {
            name: "allow-all-outbound",
            priority: 300, // Higher number means lower priority
            direction: "Outbound",
            access: "Allow",
            protocol: "*", // "*" matches any protocol; "Tcp" would only cover TCP traffic
            sourcePortRange: "*",
            destinationPortRange: "*",
            sourceAddressPrefix: "*",
            destinationAddressPrefix: "Internet",
        },
    ],
});

// Export the ID of the Network Security Group so we can easily reference it later
export const networkSecurityGroupId = networkSecurityGroup.id;
```
In the code above, we start by creating a new resource group `my-resource-group`, which will contain our NSG `my-nsg`. The NSG is then defined with two rules.

The first rule, `allow-http-inbound`, is an inbound rule with a priority of `100`. It allows all HTTP traffic (port 80) from the Internet to the virtual network where the NSG will be associated.

The second rule, `allow-all-outbound`, is an outbound rule with a priority of `300`. It's configured to allow any traffic from any source inside the virtual network to go out to the Internet.

Keep in mind that the rules' priorities must be unique within the NSG. An NSG can have multiple inbound and outbound rules; each rule is processed in ascending priority order, and processing stops at the first rule that matches the traffic, so a rule with a higher number is never consulted once a lower-numbered rule has matched. The priority must be a number between `100` and `4096`.

After defining the rules within the `networkSecurityGroup`, we export its ID so that it can be referenced and used to associate the NSG with other resources, such as your Virtual Network subnet, VMs, or other networkable resources.

This program is a basic example of how to use Pulumi's Azure provider to define network security groups and design your cloud network's traffic rules. You can extend and customize this configuration to fit your application's security requirements and network design.