Azure Network Security Rule
This page shows how to write Terraform and Azure Resource Manager for Network Security Rule and write them securely.
azurerm_network_security_rule (Terraform)
The Security Rule in Network can be configured in Terraform with the resource name azurerm_network_security_rule
. The following sections describe 9 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_network_security_rule" "example1" {
name = "Web80"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
resource "azurerm_network_security_rule" "example1" {
name = "Web80"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
resource "azurerm_network_security_rule" "Allow_3389_bstn" {
name = "Allow_3389_bstn"
priority = 101
direction = "Inbound"
access = "Allow"
protocol = "TCP"
resource "azurerm_network_security_rule" "rule_ssh" {
name = "SSH"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
resource "azurerm_network_security_rule" "AllowHttpsInbound" {
name = "AllowHttpsInbound"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
resource "azurerm_network_security_rule" "example" {
name = "test123"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
resource "azurerm_network_security_rule" "controller_9200" {
name = "allow_9200"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
resource "azurerm_network_security_rule" "AzureSecurityRuleSSH" {
name = "SSH"
priority = 300
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
resource "azurerm_network_security_rule" "AllowHttpsInbound" {
name = "AllowHttpsInbound"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
Security Best Practices for azurerm_network_security_rule
There are 4 settings in azurerm_network_security_rule that should be taken care of for security reasons. The following section explain an overview and example code.
Ensure to set a more restrictive CIDR range for ingress from the internet
It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.
Ensure to disable RDP port from the Internet
It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.
Ensure to disable RDP port from internet
It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.
Ensure to set a more restrictive CIDR range for egress from the Internet
It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.
Parameters
-
access
required - string -
description
optional - string -
destination_address_prefix
optional - string -
destination_address_prefixes
optional - set of string -
destination_application_security_group_ids
optional - set of string -
destination_port_range
optional - string -
destination_port_ranges
optional - set of string -
direction
required - string -
id
optional computed - string -
name
required - string -
network_security_group_name
required - string -
priority
required - number -
protocol
required - string -
resource_group_name
required - string -
source_address_prefix
optional - string -
source_address_prefixes
optional - set of string -
source_application_security_group_ids
optional - set of string -
source_port_range
optional - string -
source_port_ranges
optional - set of string -
timeouts
single block
Explanation in Terraform Registry
Manages a Network Security Rule.
NOTE on Network Security Groups and Network Security Rules: Terraform currently provides both a standalone Network Security Rule resource, and allows for Network Security Rules to be defined in-line within the Network Security Group resource. At this time you cannot use a Network Security Group with in-line Network Security Rules in conjunction with any Network Security Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.
Tips: Best Practices for The Other Azure Network Resources
In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_network_security_group
Ensure to disable RDP port from the Internet
It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.
azurerm_network_watcher_flow_log
Ensure to enable Retention policy for flow logs and set it to enough duration
It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.
Microsoft.Network/networkSecurityGroups/securityRules (Azure Resource Manager)
The networkSecurityGroups/securityRules in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/networkSecurityGroups/securityRules
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
name
required - stringtype
required - stringapiVersion
required - stringproperties
requireddescription
optional - stringA description for this rule. Restricted to 140 chars.
protocol
required - stringNetwork protocol this rule applies to.
sourcePortRange
optional - stringThe source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.
destinationPortRange
optional - stringThe destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.
sourceAddressPrefix
optional - stringThe CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.
sourceAddressPrefixes
optional - arrayThe CIDR or source IP ranges.
sourceApplicationSecurityGroups
optional arrayid
required - stringResource ID.
destinationAddressPrefix
optional - stringThe destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.
destinationAddressPrefixes
optional - arrayThe destination address prefixes. CIDR or destination IP ranges.
destinationApplicationSecurityGroups
optional arrayid
required - stringResource ID.
sourcePortRanges
optional - arrayThe source port ranges.
destinationPortRanges
optional - arrayThe destination port ranges.
access
required - stringThe network traffic is allowed or denied.
priority
required - integerThe priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.
direction
required - stringThe direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic.
Frequently asked questions
What is Azure Network Security Rule?
Azure Network Security Rule is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Network Security Rule?
For Terraform, the ArsNQ/Terraform_Azure, arun14kn/terraform-nsg-create and shivu999/aishu-remote source code examples are useful. See the Terraform Example section for further details.