
Azure Networking: manage security groups and ACLs


Microsoft Azure is one of the key platforms currently serving the cloud computing market. Since its launch in 2010, it has quickly matured, adding whole categories of critical services, including the flagship "Azure Virtual Machines" - an IaaS computing platform.

In this course, our Azure expert Ganapathi Subramanian will introduce the Azure Virtual Machine service and its features, focusing on creating Azure Windows and Linux virtual machines using the Azure portal and PowerShell scripts, creating and managing custom Azure virtual machine images, configuring Azure virtual machines for high availability, understanding Azure virtual machine networking features, and configuring Azure virtual machines for monitoring and auto-scaling.

If you're not yet familiar with the platform, you might gain by taking Ganapathi's Introduction to Microsoft Azure before starting this course.



In this lecture, we'll cover Azure networking with virtual machines. We'll learn about Azure virtual networks and about protecting virtual machines using access control lists and network security groups.

When Azure virtual machines are created, by default the Azure platform assigns a public IP, which is accessible over the internet, and a private IP, which is visible and accessible within Azure. These IPs are assigned randomly by the Azure platform. All resources created in Azure are by default internet resources and are accessible from the internet.

For certain types of applications, it might be required to isolate your virtual machines and deploy them within a specific IP segment to protect them from external access. Azure virtual networks can be used to define an IP segment, which is isolated from the rest of Azure resources. Such segments can be further partitioned into subnets based on application requirements.

For example, you can define a single virtual network for an application and have multiple subnets, which represent the various tiers of the application. Azure also supports virtual private networks (VPNs), which can be leveraged to securely connect Azure to on-premises data centers. In this section, we'll focus on creating cloud-only virtual networks without any VPN elements.

Understand how to configure Azure Security Groups

Network security groups (NSGs) and access control lists (ACLs) can be used to protect VMs by allowing or denying traffic into or out of a virtual machine. An NSG is applied at the virtual network level and can also be applied at the subnet or virtual machine level. NSG rules can be defined to allow or deny inbound or outbound traffic by IP, port, protocol, etc.

In a multi-tiered distributed scenario, NSGs can be used to control traffic at each tier. NSGs can be configured only using PowerShell scripts. ACLs are applied at the virtual machine endpoint level to control inbound traffic to virtual machines. ACLs can be configured using the portal. ACLs can be used in a non-virtual-network scenario. In a virtual network scenario, NSGs are used to configure traffic rules. It's not recommended to combine ACLs with NSGs.
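The following script is an added example, not the lecture's own script, showing how the tier-by-tier control described above looks in classic (ASM) Azure PowerShell: one NSG per tier, rules ordered by priority, and each NSG bound to its subnet. It assumes an existing classic virtual network named AppVNet with subnets WebSubnet (10.0.1.0/24) and DbSubnet (10.0.2.0/24) in West US; the NSG names, subscription name and the 203.0.113.0/24 admin range are placeholders.

```powershell
# Added example (not from the course). Assumes classic VNet 'AppVNet' with
# subnets 'WebSubnet' (10.0.1.0/24) and 'DbSubnet' (10.0.2.0/24) in 'West US'.
Add-AzureAccount
Select-AzureSubscription -SubscriptionName 'My Subscription'   # placeholder

$location = 'West US'
$vnetName = 'AppVNet'

# One NSG per tier. An NSG holds rules but does nothing until it is associated
# with a subnet (or a VM).
New-AzureNetworkSecurityGroup -Name 'web-nsg' -Location $location -Label 'Web tier' | Out-Null
New-AzureNetworkSecurityGroup -Name 'db-nsg'  -Location $location -Label 'DB tier'  | Out-Null

# Web tier. Lower priority number wins. The built-in default rules (priority
# 65000 and above) already allow traffic from inside the VNet and from the
# load balancer and deny everything else inbound, so only the exceptions are
# listed here. Management ports are allowed from a named admin range only,
# never from the 'INTERNET' tag.
Get-AzureNetworkSecurityGroup -Name 'web-nsg' |
    Set-AzureNetworkSecurityRule -Name 'allow-https-in' -Type Inbound -Priority 100 `
        -Action Allow -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '443' -Protocol TCP | Out-Null

Get-AzureNetworkSecurityGroup -Name 'web-nsg' |
    Set-AzureNetworkSecurityRule -Name 'allow-rdp-admin' -Type Inbound -Priority 110 `
        -Action Allow -SourceAddressPrefix '203.0.113.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '3389' -Protocol TCP | Out-Null

# DB tier. The default 'allow VNet inbound' rule would let every subnet reach
# the database, so SQL is allowed from the web subnet only and an explicit
# Deny for the VIRTUAL_NETWORK tag (priority < 65000) shadows the default.
Get-AzureNetworkSecurityGroup -Name 'db-nsg' |
    Set-AzureNetworkSecurityRule -Name 'allow-sql-from-web' -Type Inbound -Priority 100 `
        -Action Allow -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '1433' -Protocol TCP | Out-Null

Get-AzureNetworkSecurityGroup -Name 'db-nsg' |
    Set-AzureNetworkSecurityRule -Name 'deny-vnet-in' -Type Inbound -Priority 200 `
        -Action Deny -SourceAddressPrefix 'VIRTUAL_NETWORK' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol '*' | Out-Null

# Bind each NSG to its subnet; from here on the rules apply to every VM in it.
Get-AzureNetworkSecurityGroup -Name 'web-nsg' |
    Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnetName -SubnetName 'WebSubnet'
Get-AzureNetworkSecurityGroup -Name 'db-nsg' |
    Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnetName -SubnetName 'DbSubnet'

# Check: list the effective rule set, defaults included, ordered by priority.
Get-AzureNetworkSecurityGroup -Name 'db-nsg' -Detailed |
    Select-Object -ExpandProperty Rules |
    Sort-Object Priority |
    Format-Table Name, Priority, Action, SourceAddressPrefix, DestinationPortRange, Protocol -AutoSize
```

The deny rule on the DB tier is the part most often forgotten: without it the default "allow VNet inbound" rule still admits every subnet in the network, so the allow rule alone restricts nothing. After association, a connection test from a web-subnet VM (for example `Test-NetConnection -ComputerName 10.0.2.4 -Port 1433`) should succeed, while the same test from any other subnet should fail.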

IPs assigned to Azure virtual machines are not guaranteed to survive virtual machine restarts. When a virtual machine is restarted, Azure might assign a different IP. This can be a problem in cases where the virtual machine's IP needs to be persistent across restarts. Azure's reserved IP feature can be used to assign a persistent IP to the virtual machine.

Reserved IPs are fee-based, and there's a limit of five reserved IPs per subscription. Let's demonstrate creating a virtual network, provisioning a virtual machine within the virtual network, and configuring an access control list and a network security group for the virtual network.

Let's first create an Azure virtual network by selecting "Networks" and then clicking on the "New" button in the Azure portal. Click on "Network," "Virtual Network" and "Custom Create." In the resulting virtual network details screen, give a name to the virtual network and select a location from the drop-down list. In the next screen, DNS servers and VPN connectivity, leave the settings at their defaults, as we're not configuring a virtual private network in this demo. Click "Next" to go to the next screen. In the virtual network address spaces screen, define the address space and subnet for the virtual network.

Click the "Complete" button to finish the virtual network setup process. Once provisioned, virtual machines can be created within the virtual network. While creating the virtual machine, select the virtual network we have just created in the "Region/Affinity Group/Virtual Network" drop-down list.
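The portal steps above, together with the reserved IP feature from the previous section, can also be scripted. The block below is an added example, not the course's own script: it defines a classic virtual network with one subnet per tier, reserves a public IP, and provisions a Windows VM inside the web subnet with that reserved IP. It assumes a classic (ASM) subscription that has no virtual network yet; AppVNet, the subnet names, web-rip, the cloud service name and the VM name are placeholders.

```powershell
# Added example (not from the course). Assumes a classic subscription with no
# existing virtual network. All names and address ranges are placeholders.
Add-AzureAccount
Select-AzureSubscription -SubscriptionName 'My Subscription'   # placeholder

$location = 'West US'
$cfgPath  = Join-Path $env:TEMP 'netcfg.xml'

# A classic VNet is declared in a subscription-wide XML document: one address
# space (10.0.0.0/16) partitioned into a subnet per application tier.
@"
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AppVNet" Location="$location">
        <AddressSpace><AddressPrefix>10.0.0.0/16</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="WebSubnet"><AddressPrefix>10.0.1.0/24</AddressPrefix></Subnet>
          <Subnet name="DbSubnet"><AddressPrefix>10.0.2.0/24</AddressPrefix></Subnet>
        </Subnets>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@ | Set-Content -Path $cfgPath -Encoding UTF8

# Set-AzureVNetConfig replaces the WHOLE network configuration of the
# subscription. If other VNets already exist, export the current file first
# (Get-AzureVNetConfig -ExportToFile) and merge this site into it.
Set-AzureVNetConfig -ConfigurationPath $cfgPath

# Reserve a public IP so the address survives the VM being stopped and
# restarted. Reserved IPs are billed and limited to five per subscription.
New-AzureReservedIP -ReservedIPName 'web-rip' -Location $location

# Pick the newest Windows Server 2012 R2 gallery image.
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq 'Windows Server 2012 R2 Datacenter' } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1 -ExpandProperty ImageName

# Provision the VM inside WebSubnet. The cloud service is created implicitly
# and bound to both the VNet and the reserved IP.
$cred = Get-Credential -Message 'Local administrator account for the new VM'
$vm = New-AzureVMConfig -Name 'web01' -InstanceSize 'Small' -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername $cred.UserName `
        -Password $cred.GetNetworkCredential().Password |
    Set-AzureSubnet -SubnetNames 'WebSubnet'

New-AzureVM -ServiceName 'appvnet-web' -VMs $vm -VNetName 'AppVNet' `
    -Location $location -ReservedIPName 'web-rip'

# Check: the VM got a private address from 10.0.1.0/24 and the service
# fronts the reserved public address.
Get-AzureVM -ServiceName 'appvnet-web' -Name 'web01' |
    Select-Object Name, IpAddress, VirtualNetworkName
Get-AzureReservedIP -ReservedIPName 'web-rip' |
    Select-Object ReservedIPName, Address, ServiceName
```

The overwrite behaviour of `Set-AzureVNetConfig` is the practical trap here: the XML is the entire network configuration for the subscription, so applying a file that contains only the new site silently removes any other virtual networks (and their DNS and gateway settings) that were defined before.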

Configure Azure ACLs

Now let's configure the Azure ACL for the virtual machine we've just created. Go to the virtual machine configuration in the portal and select the "Endpoints" section. In the endpoints screen, click on "Manage ACL" to configure an ACL for the virtual machine.

In the resulting screen, provide a name for the ACL rule, select an action, and provide the IP subnet details to complete the ACL configuration. Let's verify the Azure ACL rule by firing off a test request. Then let's use a PowerShell script to configure a network security group (NSG) for the virtual network. After executing the PowerShell script, the NSG rules can be verified by accessing the virtual machines.
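The "Manage ACL" step above is done in the portal; the block below is an added example, not the course's own script, showing the same endpoint ACL built in classic Azure PowerShell together with the test request used to verify it. Because the lecture advises against combining ACLs with NSGs, it targets a stand-alone classic VM that is not in a virtual network. The cloud service name standalone-web, the VM name web02, the endpoint name HTTP and the 203.0.113.0/24 address range are placeholders.

```powershell
# Added example (not from the course). Endpoint ACL for a classic VM that is
# NOT in a virtual network. Service, VM, endpoint names and ranges are placeholders.
Add-AzureAccount
Select-AzureSubscription -SubscriptionName 'My Subscription'   # placeholder

$serviceName  = 'standalone-web'
$vmName       = 'web02'
$endpointName = 'HTTP'

# Build the ACL. Rules are evaluated in ascending Order and the first match
# wins. Once at least one Permit rule exists, every remote address that no
# rule permits is denied, so no trailing "deny all" is needed.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Order 50  -Action Deny   `
    -RemoteSubnet '203.0.113.77/32' -Description 'Blocked host inside the office range'
Set-AzureAclConfig -AddRule -ACL $acl -Order 100 -Action Permit `
    -RemoteSubnet '203.0.113.0/24'  -Description 'Corporate office (placeholder range)'

# Attach the ACL to the public endpoint and push the updated VM configuration.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name $endpointName -Protocol tcp -PublicPort 80 -LocalPort 80 -ACL $acl |
    Update-AzureVM

# Check 1: read the ACL back from the endpoint.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureAclConfig -EndpointName $endpointName |
    Format-Table Order, Action, RemoteSubnet, Description -AutoSize

# Check 2: fire a test request at the public address. Run from a permitted
# address TcpTestSucceeded is True; from 203.0.113.77 or any address outside
# the permitted range it is False.
$vip = Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureEndpoint -Name $endpointName |
    Select-Object -ExpandProperty Vip
Test-NetConnection -ComputerName $vip -Port 80 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

The ordering matters: the Deny for the single host carries a lower Order value than the Permit for the surrounding /24, so it is matched first. Swapping the two Order values would let the Permit match first and the host-level Deny would never apply.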

About the Author

Trevor Sullivan is a Microsoft MVP for Windows PowerShell, and enjoys working with cloud and automation technologies. As a strong, vocal veteran of the Microsoft-centric IT field since 2004, Trevor has developed open source projects, provided significant amounts of product feedback, authored a large variety of training resources, and presented at IT functions including worldwide user groups and conferences.