Security
      Back to home
      1. Knowledge Base
      2. Security

      (Classic) How to Implement Network Security Groups (NSGs) to Increase Security

      This guide will show you how to implement Network Security Groups (NSGs) to increase security.

      Warning: This article does not apply to deployments created in the current platform as NSG's are created for you by the MyCloudIT deployment process. This article refers to the legacy MyCloudIT v2 (classic) platform, which was active from 2015-2021. 

      Overview

      This guide will show you how to implement Network Security Groups (NSGs) to increase security. 

      The MyCloudIT deployment consists of multiple VMs, one or two of those VMs have public IP addresses associated with them. This means, by default, only those one or two VMs that are exposed to the public Internet. 

      The RDSMGMT server has a public IP address associated with it, please do not remove this public IP address since MyCloudIT uses the public IP address to manage your deployment. If you would like to add additional protection to your RDSMGMT server, you can implement a Network Security Group (NSG) to prevent all but known IP addresses from connecting to your RDSMgmt server. 

      Below are 4 steps to add a network security group to your RDSMGMT server. All the steps will be executed from the Azure portal. If you need assistance with this process, please reach out to the MyCloudIT support team for assistance.

      Step 1: Create an NSG

      You will create a NSG in the same resource group as your deployment. Your configuration will be similar to the screen shot below.


      • The NSG should go in the existing Resource Group for your deployment
      • Esure your NSG is created in the same Azure Region as your deployment

      Step 2: Create appropriate inbound rules for your environment

      Navigate to the new NSG you created then "Inbound Security Rules" and +Add applicable rules.

      Caution: Implemented rules must be specific to your particular environment and meet your access and security requirements. Test rules during user downtime or in a test environment. 

      Most v2 customers usually add at least the following rules:

      Direction: Inbound
      Name: Allow_RDP_Local_All
      Source: IP Address
      Source IP Address: <insert your local subnet ranges here EG 10.0.0.0/8>
      Source Port Ranges: *
      Destination: Any
      Destination Port Ranges: 3389
      Protocol: Any
      Action: Allow
      Priority: 202
      Direction: Inbound
      Name: Deny_RDP_All
      Source: Any
      Source Port Ranges: *
      Destination: Any
      Destination Port Ranges: 3389
      Protocol: Any
      Action: DENY
      Priority: 803

      If your deployment has the RDS gateway server on the same server or subnet as the domain controller you may also need to add the following two rules:

      Direction: Inbound
      Name RDSGW_UPD
      Source: Any
      Source Port Ranges: *
      Destination: <IP Address of the RDSGW>
      Destination Port Ranges: 3391
      Protocol: UDP
      Action: Allow
      Priority: 203
      Direction: Inbound
      Name RDSGW_TCP
      Source: Any
      Source Port Ranges: *
      Destination: <IP Address of the RDSGW>
      Destination Port Ranges: 443
      Protocol: TCP
      Action: Allow
      Priority: 204

      Step 3: Associate the NSG to the subnet of the Domain Controller

      On the NSG you created click "Subnets" then "+Associate".

      Select your virtual network (usually named RDSVnet). 

      Select the subnet that contains your domain controller (usually named RDSMgmtSubnet) then click OK. 

      Once this configuration is saved, your new rules have been applied and can be tested. If the rules are wrong you can disassociate the NSG from the subnet.

      Tip: You can also create more NSG's and rules for your other subnets.