Azure Network Security Rule

This page shows how to write Terraform and Azure Resource Manager for Network Security Rule and write them securely.

azurerm_network_security_rule (Terraform)

The Security Rule in Network can be configured in Terraform with the resource name azurerm_network_security_rule. The following sections describe 9 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L11
resource "azurerm_network_security_rule" "example1" {
  name                        = "Web80"
  priority                    = 1001
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
main.tf#L11
resource "azurerm_network_security_rule" "example1" {
  name                        = "Web80"
  priority                    = 1001
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
networksecurityrulenew.tf#L2
resource "azurerm_network_security_rule" "Allow_3389_bstn" {
  name                        = "Allow_3389_bstn"
  priority                    = 101
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "TCP"
main.tf#L12
resource "azurerm_network_security_rule" "rule_ssh" {
  name                        = "SSH"
  priority                    = 1001
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
main.tf#L25
resource "azurerm_network_security_rule" "AllowHttpsInbound" {
  name                        = "AllowHttpsInbound"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
azure_destination_port_range_issue.tf#L8
resource "azurerm_network_security_rule" "example" {
  name                        = "test123"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
nsg.tf#L3
resource "azurerm_network_security_rule" "controller_9200" {
  name                                       = "allow_9200"
  priority                                   = 100
  direction                                  = "Inbound"
  access                                     = "Allow"
  protocol                                   = "Tcp"
resource.azurerm_network_security_rule.AzureSecurityRules.tf#L1
resource "azurerm_network_security_rule" "AzureSecurityRuleSSH" {
  name                        = "SSH"
  priority                    = 300
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
main.tf#L25
resource "azurerm_network_security_rule" "AllowHttpsInbound" {
  name                        = "AllowHttpsInbound"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for azurerm_network_security_rule

There are 4 settings in azurerm_network_security_rule that should be taken care of for security reasons. The following section explain an overview and example code.

risk-label

Ensure to set a more restrictive CIDR range for ingress from the internet

It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.

risk-label

Ensure to disable RDP port from the Internet

It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.

risk-label

Ensure to disable RDP port from internet

It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.

risk-label

Ensure to set a more restrictive CIDR range for egress from the Internet

It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.

Review your Azure Network settings

You can check if the azurerm_network_security_rule setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Manages a Network Security Rule.

NOTE on Network Security Groups and Network Security Rules: Terraform currently provides both a standalone Network Security Rule resource, and allows for Network Security Rules to be defined in-line within the Network Security Group resource. At this time you cannot use a Network Security Group with in-line Network Security Rules in conjunction with any Network Security Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

Tips: Best Practices for The Other Azure Network Resources

In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_network_security_group

Ensure to disable RDP port from the Internet

It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.

risk-label

azurerm_network_watcher_flow_log

Ensure to enable Retention policy for flow logs and set it to enough duration

It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.

Review your Azure Network settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Network/networkSecurityGroups/securityRules (Azure Resource Manager)

The networkSecurityGroups/securityRules in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/networkSecurityGroups/securityRules. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

  • name required - string
  • type required - string
  • apiVersion required - string
  • properties required
      • description optional - string

        A description for this rule. Restricted to 140 chars.

      • protocol required - string

        Network protocol this rule applies to.

      • sourcePortRange optional - string

        The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.

      • destinationPortRange optional - string

        The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.

      • sourceAddressPrefix optional - string

        The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.

      • sourceAddressPrefixes optional - array

        The CIDR or source IP ranges.

      • sourceApplicationSecurityGroups optional array
          • id required - string

            Resource ID.

      • destinationAddressPrefix optional - string

        The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.

      • destinationAddressPrefixes optional - array

        The destination address prefixes. CIDR or destination IP ranges.

      • destinationApplicationSecurityGroups optional array
          • id required - string

            Resource ID.

      • sourcePortRanges optional - array

        The source port ranges.

      • destinationPortRanges optional - array

        The destination port ranges.

      • access required - string

        The network traffic is allowed or denied.

      • priority required - integer

        The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.

      • direction required - string

        The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic.

Frequently asked questions

What is Azure Network Security Rule?

Azure Network Security Rule is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Network Security Rule?

For Terraform, the ArsNQ/Terraform_Azure, arun14kn/terraform-nsg-create and shivu999/aishu-remote source code examples are useful. See the Terraform Example section for further details.