(Classic) How to Implement Network Security Groups (NSGs) to Increase Security

This guide will show you how to implement Network Security Groups (NSGs) to increase security.

Warning: This article does not apply to deployments created in the current platform, as NSGs are created for you by the MyCloudIT deployment process. This article refers to the legacy MyCloudIT v2 (classic) platform, which was active from 2015 to 2021.

Overview

The MyCloudIT deployment consists of multiple VMs; one or two of them have public IP addresses associated with them. This means that, by default, only those one or two VMs are exposed to the public Internet.

The RDSMGMT server has a public IP address associated with it. Do not remove this public IP address, since MyCloudIT uses it to manage your deployment. If you would like to add protection to your RDSMGMT server, you can implement a Network Security Group (NSG) so that only known IP addresses can connect to it.

Below are 4 steps to add a network security group to your RDSMGMT server. All of the steps are performed in the Azure portal. If you need assistance with this process, please reach out to the MyCloudIT support team.

Step 1: Create an NSG

You will create an NSG in the same resource group as your deployment. Your configuration will be similar to the screenshot below.

  • The NSG should go in the existing Resource Group for your deployment
  • Ensure your NSG is created in the same Azure Region as your deployment

Step 2: Create appropriate inbound rules for your environment

Navigate to the new NSG you created, then to "Inbound Security Rules", and click +Add to add the applicable rules.

Caution: The rules you implement must be specific to your environment and meet your access and security requirements. Test rules during user downtime or in a test environment.

Most v2 customers usually add at least the following rules:

Direction: Inbound
Name: Allow_RDP_Local_All
Source: IP Address
Source IP Address: <insert your local subnet ranges here, e.g. 10.0.0.0/8>
Source Port Ranges: *
Destination: Any
Destination Port Ranges: 3389
Protocol: Any
Action: Allow
Priority: 202

Direction: Inbound
Name: Deny_RDP_All
Source: Any
Source Port Ranges: *
Destination: Any
Destination Port Ranges: 3389
Protocol: Any
Action: Deny
Priority: 803

If your deployment has the RDS gateway server on the same server or subnet as the domain controller, you may also need to add the following two rules:

Direction: Inbound
Name: RDSGW_UDP
Source: Any
Source Port Ranges: *
Destination: <IP Address of the RDSGW>
Destination Port Ranges: 3391
Protocol: UDP
Action: Allow
Priority: 203

Direction: Inbound
Name: RDSGW_TCP
Source: Any
Source Port Ranges: *
Destination: <IP Address of the RDSGW>
Destination Port Ranges: 443
Protocol: TCP
Action: Allow
Priority: 204
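The priority semantics these rules rely on, as an added example (not part of this article or of MyCloudIT's tooling): a small Python simulator of Azure's inbound NSG evaluation, which walks the rules in ascending priority and stops at the first match. It loads the four rules above plus Azure's built-in DenyAllInBound rule (65500); the gateway address 10.1.2.5 is a constructed placeholder for your RDSGW's private IP.

```python
# Added example: simulate Azure NSG inbound evaluation (lowest priority number wins).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str      # CIDR, single IP or "*" (Any)
    dest: str        # CIDR, single IP or "*" (Any)
    dest_ports: str  # "3389", "3389-3390" or "*"
    protocol: str    # "TCP", "UDP" or "*" (Any)
    action: str      # "Allow" or "Deny"


def _ip_match(pattern: str, ip: str) -> bool:
    if pattern == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src_ip: str, dst_ip: str, dst_port: int, protocol: str):
    """Return (action, rule_name) of the first rule, by priority, matching the flow."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if (_ip_match(r.source, src_ip) and _ip_match(r.dest, dst_ip)
                and _port_match(r.dest_ports, dst_port)
                and r.protocol in ("*", protocol)):
            return r.action, r.name
    raise ValueError("no rule matched; a real NSG always ends in DenyAllInBound")


# The article's four rules. RDSGW_IP is a constructed placeholder for the
# gateway's private address; the real value is specific to your deployment.
RDSGW_IP = "10.1.2.5"
RULES = [
    Rule(202, "Allow_RDP_Local_All", "10.0.0.0/8", "*", "3389", "*", "Allow"),
    Rule(203, "RDSGW_UDP", "*", RDSGW_IP, "3391", "UDP", "Allow"),
    Rule(204, "RDSGW_TCP", "*", RDSGW_IP, "443", "TCP", "Allow"),
    Rule(803, "Deny_RDP_All", "*", "*", "3389", "*", "Deny"),
    # Azure's built-in catch-all; the other default rules are omitted here.
    Rule(65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.20.30.40", "10.1.2.4", 3389, "TCP"))  # local RDP: Allow
    print(evaluate(RULES, "203.0.113.7", "10.1.2.4", 3389, "TCP"))  # Internet RDP: Deny
```

Because 803 is numerically lower than Azure's default AllowVnetInBound rule (65000), Deny_RDP_All also blocks RDP from VNet addresses that fall outside the source range you list in Allow_RDP_Local_All.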

Step 3: Associate the NSG to the subnet of the Domain Controller

On the NSG you created click "Subnets" then "+Associate".

Select your virtual network (usually named RDSVnet). 

Select the subnet that contains your domain controller (usually named RDSMgmtSubnet) then click OK. 

Once this configuration is saved, your new rules are applied and can be tested. If the rules are wrong, you can disassociate the NSG from the subnet.

Tip: You can also create more NSGs and rules for your other subnets.