How do I create rule-based controls on Network Security Groups with IP Groups?
In this guide, we will create rule-based controls on Azure Network Security Groups (NSGs) using IP Groups. We will define an IP Group and associate it with a Network Security Group to manage access control rules effectively. This setup is useful for managing security rules for a set of IP addresses centrally.
Key Points
- Create an IP Group to manage a set of IP addresses.
- Create a Network Security Group to control inbound and outbound traffic.
- Define security rules that reference the IP Group.
Code Implementation
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";

// Create a Resource Group
const resourceGroup = new azure.resources.ResourceGroup("exampleResourceGroup", {
    location: "WestUS2",
});

// Create an IP Group holding the address ranges that may reach SSH
const ipGroup = new azure.network.IpGroup("exampleIpGroup", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    ipAddresses: ["192.168.1.0/24", "10.0.0.0/24"],
});

// Create a Network Security Group
const networkSecurityGroup = new azure.network.NetworkSecurityGroup("exampleNSG", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    securityRules: [{
        name: "AllowSSH",
        priority: 100,
        direction: "Inbound",
        access: "Allow",
        protocol: "Tcp",
        sourcePortRange: "*",
        destinationPortRange: "22",
        // NSG rules accept address prefixes (CIDRs, IPs, "*", service tags),
        // not an IP Group resource ID, so the rule is fed from the IP Group's
        // address list; changing the group changes the rule on the next deploy.
        sourceAddressPrefixes: ipGroup.ipAddresses.apply(addrs => addrs ?? []),
        destinationAddressPrefix: "*",
    }, {
        // Explicit catch-all deny evaluated after AllowSSH (higher priority number)
        name: "DenyAllInbound",
        priority: 200,
        direction: "Inbound",
        access: "Deny",
        protocol: "*",
        sourcePortRange: "*",
        destinationPortRange: "*",
        sourceAddressPrefix: "*",
        destinationAddressPrefix: "*",
    }],
});

// Export the IP Group ID and NSG ID
export const ipGroupId = ipGroup.id;
export const nsgId = networkSecurityGroup.id;
```
Summary
In this example, we created an IP Group containing two IP address ranges and a Network Security Group with two security rules. The first rule allows SSH traffic from the defined IP Group, while the second rule denies all other inbound traffic. This setup helps manage access control efficiently by centralizing IP address management in the IP Group.
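To see how the two rules interact before deploying, the following added example (not part of the page's Pulumi program) models NSG inbound evaluation: rules are tried in ascending priority order and the first match decides. The rule shape, the IP Group addresses and the test traffic are constructed to mirror the program above; IPv4 only.

```typescript
// Minimal model of Azure NSG inbound rule evaluation (added example, constructed data).
interface NsgRule {
    name: string;
    priority: number;                // lower number is evaluated first
    access: "Allow" | "Deny";
    protocol: string;                // "Tcp", "Udp" or "*"
    destinationPortRange: string;    // "22", "1000-2000" or "*"
    sourceAddressPrefixes: string[]; // CIDRs, single IPs or "*"
}

function ipv4ToInt(ip: string): number {
    const o = ip.split(".").map(Number);
    if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) {
        throw new Error(`invalid IPv4 address: ${ip}`);
    }
    return ((o[0] << 24) >>> 0) + (o[1] << 16) + (o[2] << 8) + o[3];
}

// True when ip falls inside prefix ("10.0.0.0/24", "10.0.0.7" or "*").
function matchesPrefix(ip: string, prefix: string): boolean {
    if (prefix === "*") return true;
    const [base, bitsStr] = prefix.split("/");
    const bits = prefix.includes("/") ? Number(bitsStr) : 32;
    if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${prefix}`);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0; // JS shifts mod 32
    return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function portMatches(port: number, range: string): boolean {
    if (range === "*") return true;
    const parts = range.split("-").map(Number);
    const lo = parts[0], hi = parts.length > 1 ? parts[1] : lo;
    return port >= lo && port <= hi;
}

// First matching rule wins; with no match Azure's implicit default deny applies.
function evaluateInbound(rules: NsgRule[], srcIp: string, dstPort: number, proto: string) {
    for (const r of [...rules].sort((a, b) => a.priority - b.priority)) {
        const protoOk = r.protocol === "*" || r.protocol.toLowerCase() === proto.toLowerCase();
        if (protoOk && portMatches(dstPort, r.destinationPortRange)
            && r.sourceAddressPrefixes.some(p => matchesPrefix(srcIp, p))) {
            return { rule: r.name, access: r.access };
        }
    }
    return { rule: "DenyAllInBound (default)", access: "Deny" as const };
}

// Constructed sample mirroring the program: IP Group addresses feed AllowSSH.
const ipGroupAddresses = ["192.168.1.0/24", "10.0.0.0/24"];
const sampleRules: NsgRule[] = [
    { name: "AllowSSH", priority: 100, access: "Allow", protocol: "Tcp", destinationPortRange: "22", sourceAddressPrefixes: ipGroupAddresses },
    { name: "DenyAllInbound", priority: 200, access: "Deny", protocol: "*", destinationPortRange: "*", sourceAddressPrefixes: ["*"] },
];
```

SSH from 192.168.1.45 hits AllowSSH, while SSH from an address outside both ranges, or any non-TCP or non-22 traffic from inside them, falls through to DenyAllInbound.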