Network Security Group

Overview

The Network Security Group builder creates network security groups with rules for securing network access to resources.

  • Network Security Groups (Microsoft.Network/networkSecurityGroups)
  • Security Rules (Microsoft.Network/networkSecurityGroups/securityRules)
  • Application Security Groups (Microsoft.Network/applicationSecurityGroups)

Builder Keywords

Applies To               | Keyword                                   | Purpose
-------------------------|-------------------------------------------|--------
nsg                      | name                                      | Specifies the name of the network security group.
nsg                      | add_rules                                 | Adds security rules to the network security group.
nsg                      | initial_rule_priority                     | The priority of the first rule, after which each rule gets an incrementally higher value. Default 100.
nsg                      | priority_incr                             | How much the priority is increased for each subsequent rule. Default 100.
securityRule             | name                                      | The name of the security rule.
securityRule             | description                               | The description of the security rule.
securityRule             | services                                  | The service port(s) and protocol(s) covered by this security rule.
securityRule             | add_source                                | Specify access from a specific source protocol, address, and port.
securityRule             | add_source_any                            | Specify access from any address and any port.
securityRule             | add_source_address                        | Specify access from a specific address and any port.
securityRule             | add_source_application_security_group     | Specify access from an application security group.
securityRule             | add_source_network                        | Specify access from a specific network (CIDR) and any port.
securityRule             | add_source_tag                            | Specify access from a service tag such as "Internet", "VirtualNetwork", or "AzureLoadBalancer".
securityRule             | add_destination                           | Specify access to a specific destination address and port.
securityRule             | add_destination_any                       | Specify access to any address and any port.
securityRule             | add_destination_address                   | Specify access to a specific address and any port.
securityRule             | add_destination_application_security_group | Specify access to an application security group.
securityRule             | add_destination_network                   | Specify access to a specific network (CIDR) and any port.
securityRule             | add_destination_tag                       | Specify access to a service tag such as "Internet", "VirtualNetwork", or "AzureLoadBalancer".
securityRule             | allow                                     | Allows this traffic (the default).
securityRule             | deny                                      | Denies this traffic.
securityRule             | direction                                 | The direction of traffic controlled by the rule: inbound (the default) or outbound.
securityRule             | priority                                  | Explicitly sets the priority of a security rule (lower numbers are evaluated first); otherwise the nsg builder assigns one.
securityRule             | link_to_network_security_group            | Specify the NSG when creating a security rule for an existing network security group.
applicationSecurityGroup | name                                      | Name of the application security group.
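The keywords above combine into an ordered rule set, and the order is what decides whether a deny actually takes effect. The following is an added example, not code from this page or from the Farmer project, showing explicit priorities, a deny rule, an outbound rule, application security groups and a rule linked to an NSG that already exists. It assumes that TrafficDirection.Outbound is the direction value in Farmer.NetworkSecurity, that Arm.Network.networkSecurityGroups.resourceId references an existing NSG by name, and that application security group configs and linked rule configs can be passed to add_resources; the names bastion-asg, servers-asg, server-nsg and existing-nsg are placeholders.

```fsharp
open Farmer
open Farmer.Builders
open Farmer.NetworkSecurity

// Application security groups name a set of NICs, so rules can follow
// workload membership instead of hard-coded CIDRs. (Names are placeholders.)
let bastionAsg = applicationSecurityGroup { name "bastion-asg" }
let serversAsg = applicationSecurityGroup { name "servers-asg" }

// Allow SSH to the servers only from bastion hosts. No 'priority' is given,
// so the nsg builder numbers it from initial_rule_priority.
let sshFromBastion = securityRule {
    name "allow-ssh-from-bastion"
    description "Administrative SSH restricted to bastion hosts"
    services [ NetworkService ("ssh", Port 22us) ]
    add_source_application_security_group TCP bastionAsg
    add_destination_application_security_group serversAsg
}

// Egress rule: 'direction' defaults to inbound, so outbound control has to
// be requested explicitly. Servers may reach the Internet on HTTPS only.
// (TrafficDirection.Outbound is assumed to be the direction type.)
let httpsEgress = securityRule {
    name "allow-https-egress"
    description "Servers may call out on HTTPS only"
    services [ NetworkService ("https", Port 443us) ]
    add_source_application_security_group TCP serversAsg
    add_destination_tag "Internet"
    direction TrafficDirection.Outbound
}

// Explicit deny of management ports from the Internet. Azure's built-in
// DenyAllInBound rule (priority 65500) already blocks this, but pinning a
// deny at 4000 means a broad allow added later at, say, 4500 cannot
// silently reopen SSH or RDP. 'deny' replaces the default 'allow'.
let denyMgmtFromInternet = securityRule {
    name "deny-mgmt-from-internet"
    description "Block SSH and RDP from public sources"
    services [
        NetworkService ("ssh", Port 22us)
        NetworkService ("rdp", Port 3389us)
    ]
    add_source_tag TCP "Internet"
    add_destination_any
    deny
    priority 4000
}

// Rules without an explicit priority are numbered in list order starting at
// initial_rule_priority and stepping by priority_incr: sshFromBastion gets
// 200 and httpsEgress 210. The deny keeps its explicit 4000 and is listed
// last so the automatic numbering of the allows is unaffected.
let serverNsg = nsg {
    name "server-nsg"
    initial_rule_priority 200
    priority_incr 10
    add_rules [
        sshFromBastion
        httpsEgress
        denyMgmtFromInternet
    ]
}

// A rule for an NSG that already exists outside this template is linked to
// it rather than nested in an nsg builder, so it must carry its own
// priority. (Arm.Network.networkSecurityGroups.resourceId is assumed to be
// the way to reference the existing NSG by name; "existing-nsg" is a placeholder.)
let corpHttpsToExisting = securityRule {
    name "allow-https-from-corp"
    services [ NetworkService ("https", Port 443us) ]
    add_source_network TCP "172.24.0.0/20"
    add_destination_any
    priority 300
    link_to_network_security_group (Arm.Network.networkSecurityGroups.resourceId "existing-nsg")
}

// The ASGs must be deployed alongside the NSG that references them.
// (Passing ASG and linked-rule configs to add_resources is assumed.)
let deployment = arm {
    location Location.WestEurope
    add_resources [ bastionAsg; serversAsg; serverNsg; corpHttpsToExisting ]
}

deployment |> Writer.quickWrite "server-nsg"
```

After writing the template, check the securityRules array: every deny should carry a higher priority number than the allows it is meant to narrow, and a lower one than any broad allow it is meant to backstop.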

Basic Example

open Farmer
open Farmer.Builders
open Farmer.NetworkSecurity

// Create a rule for the HTTPS service, accessible from the Internet.
// 'add_destination_any' means any address behind the NSG; the NSG only
// filters traffic for the subnets or NICs it is attached to. Without a
// 'priority', the nsg builder assigns one (100 by default for the first rule).
let httpsAccess = securityRule {
    name "web-servers"
    services [ NetworkService ("https", Port 443us) ]
    add_source_tag TCP "Internet"
    add_destination_any
}
// Create an NSG and add the rule to it. Rules default to 'allow' and 'inbound'.
let myNsg = nsg {
    name "my-nsg"
    add_rules [
        httpsAccess
    ]
}

Multiple Tier Private Network Example

open Farmer
open Farmer.Builders
open Farmer.NetworkSecurity

// Many services use a few ports, such as web services that are often on 80 and 443.
// Some services only have a single port.
// Different tiers may reside on different network segments.
let corporateNet = "172.24.0.0/20"
let webNet = "10.100.30.0/24"
let appNet = "10.100.31.0/24"
let dbNet = "10.100.32.0/24"

// Create a rule for the web servers: HTTP and HTTPS, accessible only from the corporate network
let webAccess = securityRule {
    name "web-servers"
    description "Corporate web server access"
    services [
        NetworkService ("http", Port 80us)
        NetworkService ("https", Port 443us)
    ]
    add_source_network TCP corporateNet
    add_destination_network webNet
}

// Create another rule for the app servers, accessible only from the network with the web servers
let appAccess = securityRule {
    name "app-servers"
    description "Internal app server access"
    services [ NetworkService ("http", Port 8080us) ]
    add_source_network TCP webNet
    add_destination_network appNet
}

// Create another rule for DB servers - accessible only from the network with the app servers
let dbAccess = securityRule {
    name "db-servers"
    description "Internal database server access"
    services [ NetworkService ("postgres", Port 5432us)]
    add_source_network TCP appNet
    add_destination_network dbNet
}

// Create an NSG and add all 3 rules to it.
let myNsg = nsg {
    name "my-nsg"
    add_rules [
        webAccess
        appAccess
        dbAccess
    ]
}
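The three allow rules above do not on their own stop the web tier from talking to the database: Azure's default AllowVnetInBound rule (priority 65000) permits all traffic between VirtualNetwork-tagged addresses, so anything not explicitly denied at a lower number is still allowed inside the VNet. The following added example, not from this page or from the Farmer project, closes that gap with explicit deny rules, binds the NSG to the three subnets, and writes out the template. It assumes that AnyPort and AnyProtocol are the wildcard cases of Farmer's Port and SecurityProtocol types and that the vnet builder accepts add_address_spaces, add_subnets, subnet, prefix and network_security_group; 10.100.0.0/16 and the resource names are placeholders.

```fsharp
open Farmer
open Farmer.Builders
open Farmer.NetworkSecurity

let corporateNet = "172.24.0.0/20"
let webNet = "10.100.30.0/24"
let appNet = "10.100.31.0/24"
let dbNet = "10.100.32.0/24"

// The three tier-to-tier allow rules, as in the example above. With the
// default initial_rule_priority and priority_incr they get 100, 200 and 300.
let webAccess = securityRule {
    name "web-servers"
    services [ NetworkService ("http", Port 80us); NetworkService ("https", Port 443us) ]
    add_source_network TCP corporateNet
    add_destination_network webNet
}
let appAccess = securityRule {
    name "app-servers"
    services [ NetworkService ("http", Port 8080us) ]
    add_source_network TCP webNet
    add_destination_network appNet
}
let dbAccess = securityRule {
    name "db-servers"
    services [ NetworkService ("postgres", Port 5432us) ]
    add_source_network TCP appNet
    add_destination_network dbNet
}

// Azure's default AllowVnetInBound rule (priority 65000) permits any traffic
// between VirtualNetwork-tagged addresses, so without these denies the web
// tier could still open 5432 to the database directly. A deny at 4000 is
// evaluated after the allows above and before the platform default.
// (AnyPort and AnyProtocol are assumed to be the wildcard cases of Port and
// SecurityProtocol.)
let denyVnetToApp = securityRule {
    name "deny-vnet-to-app"
    description "Only the web tier (allowed above) may reach the app tier"
    services [ NetworkService ("all", AnyPort) ]
    add_source_tag AnyProtocol "VirtualNetwork"
    add_destination_network appNet
    deny
    priority 4000
}
let denyVnetToDb = securityRule {
    name "deny-vnet-to-db"
    description "Only the app tier (allowed above) may reach the database tier"
    services [ NetworkService ("all", AnyPort) ]
    add_source_tag AnyProtocol "VirtualNetwork"
    add_destination_network dbNet
    deny
    priority 4010
}

let tierNsg = nsg {
    name "tier-nsg"
    add_rules [ webAccess; appAccess; dbAccess; denyVnetToApp; denyVnetToDb ]
}

// An NSG filters nothing until it is associated with a subnet or NIC. The
// vnet/subnet keywords used here (add_address_spaces, add_subnets, subnet,
// prefix, network_security_group) are assumed from Farmer's vnet builder;
// the address space and names are placeholders.
let tierVnet = vnet {
    name "tier-vnet"
    add_address_spaces [ "10.100.0.0/16" ]
    add_subnets [
        subnet { name "web"; prefix webNet; network_security_group tierNsg }
        subnet { name "app"; prefix appNet; network_security_group tierNsg }
        subnet { name "db"; prefix dbNet; network_security_group tierNsg }
    ]
}

let deployment = arm {
    location Location.WestEurope
    add_resources [ tierNsg; tierVnet ]
}

// Write the ARM template and inspect the securityRules array: each deny
// should carry a higher priority number than every allow it is meant to
// narrow, and a lower one than the 65000 AllowVnetInBound default.
deployment |> Writer.quickWrite "tier-network"
```

The same single NSG is attached to all three subnets because each rule already restricts its destination network; if the tiers diverge further, split it into one NSG per subnet so a rule change for one tier cannot widen another.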