
How Do I Create Rule-Based Controls on Network Security Groups With IP Groups?

Introduction

This guide aims to demonstrate how to implement rule-based controls on Azure Network Security Groups (NSGs) using IP Groups. By defining an IP Group and associating it with an NSG, you can effectively manage access control rules. This approach is particularly beneficial for centralizing the management of security rules for a collection of IP addresses, enhancing both security and administrative efficiency.

Step-by-Step Process

Step 1: Create an IP Group

Begin by creating an IP Group to manage a set of IP addresses. This group will be referenced in your security rules.

Step 2: Create a Network Security Group

Next, set up a Network Security Group to control inbound and outbound traffic. The NSG will use the IP Group to define its security rules.

Step 3: Define Security Rules

Finally, define security rules within the NSG that reference the IP Group. This includes allowing or denying specific types of traffic.

Code Implementation

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";

// Create a Resource Group
const resourceGroup = new azure.resources.ResourceGroup("exampleResourceGroup", {
    location: "WestUS2",
});

// Create an IP Group: the one place where the permitted source ranges are maintained
const ipGroup = new azure.network.IpGroup("exampleIpGroup", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    ipAddresses: ["192.168.1.0/24", "10.0.0.0/24"],
});

// Create a Network Security Group.
// An NSG rule's address prefix must be a CIDR range, a single IP, a service tag or "*";
// Azure rejects an IP Group resource ID there (IP Groups are consumed directly only by
// Azure Firewall). The rule therefore takes the group's address list, a Pulumi output,
// as its sourceAddressPrefixes, so an edit to the IP Group flows into the rule on the
// next `pulumi up`.
const networkSecurityGroup = new azure.network.NetworkSecurityGroup("exampleNSG", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    securityRules: [{
        name: "AllowSSH",
        priority: 100,                       // lower number = evaluated first
        direction: "Inbound",
        access: "Allow",
        protocol: "Tcp",
        sourcePortRange: "*",
        destinationPortRange: "22",
        sourceAddressPrefixes: ipGroup.ipAddresses.apply(addrs => addrs ?? []),
        destinationAddressPrefix: "*",
    }, {
        // Explicit catch-all evaluated after the allow. Note that it also precedes the NSG's
        // built-in AllowVnetInBound / AllowAzureLoadBalancerInBound defaults (priority 65000+),
        // so intra-VNet traffic and load-balancer health probes are denied unless allowed above.
        name: "DenyAllInbound",
        priority: 200,
        direction: "Inbound",
        access: "Deny",
        protocol: "*",
        sourcePortRange: "*",
        destinationPortRange: "*",
        sourceAddressPrefix: "*",
        destinationAddressPrefix: "*",
    }],
});

// Export the IP Group ID and NSG ID
export const ipGroupId = ipGroup.id;
export const nsgId = networkSecurityGroup.id;

Summary

In this guide, we created an IP Group with specified IP address ranges and a Network Security Group containing two security rules. The first rule permits SSH traffic from the address ranges held in the IP Group, while the second rule blocks all other inbound traffic. Because the permitted ranges are maintained in one IP Group rather than repeated in each rule, this configuration centralizes IP address management and simplifies access control across your network.
