1. Securing Azure Public IP with Network Security Groups


    To secure an Azure Public IP with Network Security Groups (NSGs), we need to perform a few steps:

    1. Create an NSG: Network Security Groups allow us to define a set of security rules that dictate how to allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated with either subnets within a VNet or individual network interfaces attached to VMs.

    2. Define Security Rules: Within the NSG, we define inbound and outbound security rules that enable us to filter traffic based on source and destination IP addresses, ports, and protocols.

    3. Associate the NSG with the Public IP's attachment point: an NSG cannot be attached to a public IP address directly. Instead, it is associated with the subnet or the network interface that the public IP is bound to, so its rules filter the traffic arriving at that address.

    Below is a Pulumi TypeScript program that sets this up:

    ```typescript
    import * as pulumi from "@pulumi/pulumi";
    import * as azure_native from "@pulumi/azure-native";

    const resourceGroupName = "myResourceGroup"; // Replace with your resource group name

    // Create an Azure Resource Group. Passing resourceGroupName explicitly makes the
    // Azure-side name match the variable; the resources below use resourceGroup.name
    // so Pulumi tracks the dependency instead of relying on a hard-coded string.
    const resourceGroup = new azure_native.resources.ResourceGroup("myResourceGroup", {
        resourceGroupName: resourceGroupName,
    });

    // Create an Azure Network Security Group (NSG)
    const networkSecurityGroup = new azure_native.network.NetworkSecurityGroup("myNsg", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        securityRules: [
            // Define a security rule (example: Allow HTTP traffic inbound)
            {
                name: "AllowHTTPInbound",
                protocol: azure_native.network.SecurityRuleProtocol.Tcp,
                direction: azure_native.network.SecurityRuleDirection.Inbound,
                access: azure_native.network.SecurityRuleAccess.Allow,
                priority: 100, // Values can range from 100 to 4096; lower numbers are evaluated first
                sourceAddressPrefix: "*", // Use CIDR notation or '*' for any source
                sourcePortRange: "*", // Use '*' to allow any source port
                destinationAddressPrefix: "*",
                destinationPortRange: "80", // Port 80 for HTTP
            },
            // Add more rules as needed
        ],
    });

    // Create a public IP address
    const publicIp = new azure_native.network.PublicIPAddress("myPublicIp", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        publicIPAllocationMethod: azure_native.network.IPAllocationMethod.Dynamic, // or Static (required for the Standard SKU)
    });

    // Create a Network Interface associated with the Public IP and the NSG
    const networkInterface = new azure_native.network.NetworkInterface("myNic", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        ipConfigurations: [{
            name: "myNicIpConfig",
            subnet: {
                // Assuming the subnet is already created in a VNet; replace with its resource id
                id: "/subscriptions/subId/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/subnet",
            },
            privateIPAllocationMethod: azure_native.network.IPAllocationMethod.Dynamic,
            publicIPAddress: {
                id: publicIp.id, // Associate with the public IP we created
            },
        }],
        networkSecurityGroup: {
            id: networkSecurityGroup.id, // Associate with the NSG we created
        },
    });

    // Export the resulting public IP address for easy access
    export const publicIpAddress = publicIp.ipAddress;
    ```

    In this program, we first create an Azure resource group that will contain our NSG and public IP address. We then define an NSG and create a set of security rules according to our needs. In the example above, we have a simple rule to allow HTTP traffic inbound on port 80. You can add more rules as per your requirements.
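Because NSG rules are evaluated in priority order (lowest number first) and the platform's default DenyAllInBound rule only applies when nothing else matches, it is easy to add a rule that quietly exposes a management port or to write a Deny rule that is shadowed by an earlier Allow. The following is an added example, not part of the original program and not a Pulumi SDK feature: a plain TypeScript lint that walks a rule list the way Azure does and reports which management ports an arbitrary internet client can reach. The `NsgRule` shape mirrors the fields used in the program above; `MANAGEMENT_PORTS`, the helper names and the sample rules are assumptions constructed for illustration.

```typescript
// Added example (not from the original program or the Pulumi SDK): a plain
// TypeScript pre-deployment lint for NSG rule lists. The NsgRule shape mirrors
// the fields used in the Pulumi program; MANAGEMENT_PORTS and SAMPLE_RULES are
// constructed for illustration.

interface NsgRule {
    name: string;
    protocol: "Tcp" | "Udp" | "Icmp" | "*";
    direction: "Inbound" | "Outbound";
    access: "Allow" | "Deny";
    priority: number;              // 100-4096 for custom rules; lower numbers win
    sourceAddressPrefix: string;   // CIDR, "*", or a service tag such as "Internet"
    sourcePortRange: string;
    destinationAddressPrefix: string;
    destinationPortRange: string;  // "80", "1000-2000", or "*"
}

interface Finding {
    rule: string;
    port: number;
}

// Ports that should not be reachable from arbitrary internet sources (assumed list).
const MANAGEMENT_PORTS: number[] = [22, 3389, 5985, 5986];

// Parse an NSG port range ("80", "1000-2000", "*") into an inclusive [low, high] pair.
function parsePortRange(range: string): [number, number] {
    if (range.trim() === "*") {
        return [0, 65535];
    }
    const parts = range.split("-").map((p) => Number(p.trim()));
    if (parts.length > 2 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 65535)) {
        throw new Error(`invalid port range: ${range}`);
    }
    return parts.length === 1 ? [parts[0], parts[0]] : [parts[0], parts[1]];
}

// True when the source prefix matches traffic from any internet client.
function isAnySource(prefix: string): boolean {
    const p = prefix.trim().toLowerCase();
    return p === "*" || p === "0.0.0.0/0" || p === "internet";
}

// Return the first inbound TCP rule, in priority order, that matches an arbitrary
// internet client on the given port. Rules scoped to a specific source prefix do
// not match such a client, so they are skipped.
function firstMatchingInboundRule(rules: NsgRule[], port: number): NsgRule | undefined {
    return rules
        .filter((r) => r.direction === "Inbound" && (r.protocol === "Tcp" || r.protocol === "*"))
        .sort((a, b) => a.priority - b.priority)
        .find((r) => {
            if (!isAnySource(r.sourceAddressPrefix)) return false;
            const [lo, hi] = parsePortRange(r.destinationPortRange);
            return port >= lo && port <= hi;
        });
}

// Effective decision for an internet client on a port. With no matching custom
// rule, the platform's default DenyAllInBound (priority 65500) applies.
function effectiveAccessFromInternet(rules: NsgRule[], port: number): "Allow" | "Deny" {
    const match = firstMatchingInboundRule(rules, port);
    return match ? match.access : "Deny";
}

// Report every management port that is allowed from the internet, naming the
// rule that actually granted it once precedence is taken into account.
function findExposedManagementPorts(rules: NsgRule[]): Finding[] {
    const findings: Finding[] = [];
    for (const port of MANAGEMENT_PORTS) {
        const match = firstMatchingInboundRule(rules, port);
        if (match && match.access === "Allow") {
            findings.push({ rule: match.name, port });
        }
    }
    return findings;
}

// Constructed sample: the program's HTTP rule plus three illustrative rules.
const SAMPLE_RULES: NsgRule[] = [
    { name: "AllowHTTPInbound", protocol: "Tcp", direction: "Inbound", access: "Allow", priority: 100,
      sourceAddressPrefix: "*", sourcePortRange: "*", destinationAddressPrefix: "*", destinationPortRange: "80" },
    { name: "AllowSSHFromOffice", protocol: "Tcp", direction: "Inbound", access: "Allow", priority: 110,
      sourceAddressPrefix: "203.0.113.0/24", sourcePortRange: "*", destinationAddressPrefix: "*", destinationPortRange: "22" },
    { name: "AllowRDPAny", protocol: "Tcp", direction: "Inbound", access: "Allow", priority: 200,
      sourceAddressPrefix: "Internet", sourcePortRange: "*", destinationAddressPrefix: "*", destinationPortRange: "3389" },
    // Intended to block RDP, but shadowed by AllowRDPAny because 300 is evaluated after 200.
    { name: "DenyRDP", protocol: "Tcp", direction: "Inbound", access: "Deny", priority: 300,
      sourceAddressPrefix: "*", sourcePortRange: "*", destinationAddressPrefix: "*", destinationPortRange: "3389" },
];

console.log(findExposedManagementPorts(SAMPLE_RULES)); // [{ rule: "AllowRDPAny", port: 3389 }]
```

Running the lint over `SAMPLE_RULES` flags only RDP: the SSH rule is scoped to one office prefix and so is not reachable from the internet at large, while the `DenyRDP` rule never takes effect because `AllowRDPAny` has the lower priority number. Feeding the `securityRules` array from a Pulumi program through a check like this before `pulumi up` catches both the over-broad source prefix and the shadowed Deny.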

    Next, we create a public IP address that will be exposed to the internet. Then, we create a network interface and associate both the public IP address and the NSG to it. This network interface can be attached to a VM or other Azure resource to expose it securely to the internet using our defined rules.

    Lastly, we export the IP address of the newly created public IP so it can be easily accessed without needing to go to the Azure portal.

    Make sure that you replace placeholder values such as the subnet id with the actual values relevant to your setup. The subnet id can be obtained from the Azure portal or through the Azure CLI.