Prevent internet access from Azure virtual machines

By default, any Azure virtual machine that has a cloud service with an endpoint has full outbound internet access. To prevent internet access from Azure virtual machines you can either trust a host-level firewall (e.g. Windows Firewall or iptables) or simply remove the endpoints (which also removes the ability to reach the machine externally).

One issue I’ve found when connecting an Azure VM to an ExpressRoute network is that all machines retain full outbound internet access even when the cloud service endpoints have been removed. This differs from the behaviour described in the previous paragraph for VMs that are not on ExpressRoute.

In order to restrict the outbound access in this scenario you seemingly have two options. The option documented by Microsoft is to advertise a default route (i.e. 0.0.0.0/0) via BGP from your on-premises network, so that all traffic which doesn’t match a specific Azure VNET heads towards your on-premises routers. This will often not be preferable: there will be a lot of junk traffic your router and on-premises firewalls will need to filter, and it will cost you at the standard ExpressRoute data charges for traffic between your cloud network and your on-premises network.

Another solution is to use the recently implemented feature, Network Security Groups. By creating a network security group and applying it to particular VMs, VNETs, or subnets you can restrict access to a specific set of rules defined within the security group. In my scenario, I wished to create a group where access is permitted only to RFC1918 addresses. Another subnet, containing the systems that do need internet access, can then use a modified security group that permits not only the RFC1918 traffic but also traffic to the internet. This is where our web and mail proxies, and web servers, will live.

The PowerShell commands below create a new security group named “OnlyInternalNetworks” and should be used in situations where you wish a VM not to have internet access (unless via a proxy or relay on another local subnet):

# Create the group (classic/ASM cmdlets; the location must match the region of the VNET it will protect)
New-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" -Location "West Europe" -Label "Only allow traffic to RFC1918 Addresses"
# Inbound: allow anything sourced from the three RFC1918 ranges
Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" | Set-AzureNetworkSecurityRule -Name Inbound-10 -Type "Inbound" -Priority 100 -Action Allow -SourceAddressPrefix '10.0.0.0/8' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol '*'
Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" | Set-AzureNetworkSecurityRule -Name Inbound-172 -Type "Inbound" -Priority 110 -Action Allow -SourceAddressPrefix '172.16.0.0/12' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol '*'
Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" | Set-AzureNetworkSecurityRule -Name Inbound-192 -Type "Inbound" -Priority 120 -Action Allow -SourceAddressPrefix '192.168.0.0/16' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol '*'
# Outbound: allow the RFC1918 destinations, then deny the INTERNET tag. Rules are evaluated lowest
# priority number first, so the Deny at 130 takes precedence over the default internet allow (65001).
Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" | Set-AzureNetworkSecurityRule -Name Outbound-10 -Type "Outbound" -Priority 100 -Action Allow -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '10.0.0.0/8' -DestinationPortRange '*' -Protocol '*'
Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" | Set-AzureNetworkSecurityRule -Name Outbound-172 -Type "Outbound" -Priority 110 -Action Allow -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '172.16.0.0/12' -DestinationPortRange '*' -Protocol '*'
Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" | Set-AzureNetworkSecurityRule -Name Outbound-192 -Type "Outbound" -Priority 120 -Action Allow -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '192.168.0.0/16' -DestinationPortRange '*' -Protocol '*'
Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" | Set-AzureNetworkSecurityRule -Name NoInternet -Type "Outbound" -Priority 130 -Action Deny -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix 'INTERNET' -DestinationPortRange '*' -Protocol '*'
# The default rule name contains a space, so it must be quoted. Default rules cannot be deleted,
# only overridden by higher-precedence rules, so the NoInternet rule above is what actually blocks egress.
Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" | Remove-AzureNetworkSecurityRule -Name "ALLOW INTERNET"
# Review the resulting rule set, including the default rules
Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" -Detailed

The resulting security group will look like the following:

[Screenshot: azure network security groups]

It can then be applied to a Subnet with the following syntax:

Get-AzureNetworkSecurityGroup -Name "OnlyInternalNetworks" | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName 'VnetX' -SubnetName 'SubnetX'

Or to a VM:

Get-AzureVM -ServiceName "MyWebsite" -Name "Instance1" | Set-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName "OnlyInternalNetworks"
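Before applying the group, it is worth checking that the rule set really blocks egress once the default rules are taken into account. The following is an added example, not from the original post: an offline model of classic NSG outbound evaluation loaded with the exact rules created above. It assumes the VNET address space is RFC1918 (so the INTERNET tag means "anything that is not RFC1918") and the classic default outbound rule names and priorities (65000/65001/65500).

```python
# Offline model of classic Azure NSG outbound evaluation (lowest priority number
# first, first match wins). Added example, not from the original post. Assumes the
# VNET space is RFC1918 (so INTERNET means "not RFC1918") and classic default rules.
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "name priority action dest_prefix")  # dest_prefix: CIDR, '*' or tag
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    return any(addr in n for n in RFC1918)

def dest_matches(prefix, addr):
    if prefix == "*":
        return True
    if prefix == "VIRTUAL_NETWORK":  # assumed equal to the RFC1918 space
        return is_private(addr)
    if prefix == "INTERNET":         # everything outside the virtual network
        return not is_private(addr)
    return addr in ipaddress.ip_network(prefix)

# Outbound rules exactly as created by the Set-AzureNetworkSecurityRule commands in the post.
ONLY_INTERNAL_OUTBOUND = [
    Rule("Outbound-10", 100, "Allow", "10.0.0.0/8"),
    Rule("Outbound-172", 110, "Allow", "172.16.0.0/12"),
    Rule("Outbound-192", 120, "Allow", "192.168.0.0/16"),
    Rule("NoInternet", 130, "Deny", "INTERNET"),
]
# Classic NSG default outbound rules (assumed names/priorities); custom rules always win.
DEFAULT_OUTBOUND = [
    Rule("ALLOW VNET OUTBOUND", 65000, "Allow", "VIRTUAL_NETWORK"),
    Rule("ALLOW INTERNET OUTBOUND", 65001, "Allow", "INTERNET"),
    Rule("DENY ALL OUTBOUND", 65500, "Deny", "*"),
]

def evaluate(custom_rules, dst_ip):
    """Return (action, rule_name) of the first rule matching dst_ip, lowest priority first."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in sorted(list(custom_rules) + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if dest_matches(rule.dest_prefix, addr):
            return rule.action, rule.name
    return "Deny", "implicit"  # unreachable: DENY ALL OUTBOUND matches everything

def egress_is_internal_only(custom_rules, samples=("10.1.2.3", "172.31.0.1", "192.168.0.10", "172.32.0.1", "8.8.8.8")):
    # Constructed sample destinations: RFC1918 ones must be allowed, all others denied.
    for ip in samples:
        want = "Allow" if is_private(ipaddress.ip_address(ip)) else "Deny"
        if evaluate(custom_rules, ip)[0] != want:
            return False
    return True
```

Evaluating `ONLY_INTERNAL_OUTBOUND[:3]` (the allows without the NoInternet deny) against 8.8.8.8 shows the default ALLOW INTERNET OUTBOUND rule letting the traffic through, which is why the explicit Deny at priority 130 is required.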
