This guide will show you how to implement Network Security Groups (NSGs) to increase security.
This article refers to the MyCloudIT Gen 2 platform, which was launched in 2015. Look for MyCloudIT Gen 3 to be launched in Summer 2020.
If you would like MyCloudIT to install the NSG for you on your MCIT deployment, please open a support ticket with the name of your deployment and a request to install the NSG, and we will install it for you.
The MyCloudIT deployment consists of multiple VMs, but only two of those VMs have public IP addresses associated with them. This means that, by default, only two VMs are exposed to the public Internet. These VMs are configured to protect themselves from malicious traffic, but you can strengthen their security posture by adding network security groups.
The RDSMGMT server also has a public IP address associated with it. Please do not remove this public IP address, since MyCloudIT uses it to manage your deployment. If you would like to add additional protection to your RDSMGMT server, you can implement a Network Security Group (NSG) that prevents all but known IP addresses from connecting to it. Before you implement the NSG, please open a support ticket with the MyCloudIT support team: the MyCloudIT management IP addresses must be whitelisted within your NSG so that MyCloudIT can continue to manage your deployment. I will show you how to configure an NSG and whitelist IP addresses, but I will not share the MyCloudIT management IP addresses in this public forum. Again, please open a support ticket with MyCloudIT and the support team will give you the IP addresses you need.
Below are the 4 steps to add a network security group to your RDSMGMT server. All the steps are executed from the Azure portal. If you need assistance with this process, please reach out to the MyCloudIT support team.
Step 1: First create the NSG
You will create an NSG in the same resource group as your deployment. Your configuration will look like the screenshot below.
- You can use any valid name, but my suggestion is to use a name that makes sense to you in 3 months when you need to make changes.
- The NSG must be in the same subscription as your MyCloudIT deployment.
- Please put the NSG in the existing Resource Group for your deployment; the Resource Group has the same name as your deployment.
- Please ensure your NSG is created in the same Azure Region as your deployment.
- When this screen is complete, please click Create. It will take less than 5 minutes to create the NSG.
Step 2: Now that your NSG is created, whitelist the MyCloudIT management addresses
The first thing you should do is add the MyCloudIT IP addresses to the NSG.
By default, the NSG only allows traffic from within the deployment and blocks any traffic from the Internet. The first step is to add a new Inbound Security Rule that allows the MyCloudIT management platform to continue to manage your deployment.
Remember to open a support ticket with MyCloudIT to request your management IP addresses. Please do not proceed with this process until you receive the management IP addresses, or you will break MyCloudIT’s ability to manage your deployment.
Step 3: Add an Inbound Rule listing the IP addresses MyCloudIT provided
When you have the NSG configuration open, choose Inbound security rules under Settings.
Inbound security rules is where you will add the rule to whitelist the MyCloudIT management IP addresses.
From here you can click +Add to add an additional Inbound security rule.
Your configuration of the new inbound security rule should match the configuration shown here, except for the Source IP addresses field. That field should be populated with the IP addresses MyCloudIT provided for the management of your deployment, with each IP address separated by a comma.
Be sure to provide a Name that will make sense to you in three months when you review your configuration.
Once this Inbound rule has been added, you can also add any additional inbound rules now. It is easier to troubleshoot one change at a time, so my suggestion is that you add the single rule for now, then after it has been deployed and tested, you can add additional inbound rules.
Step 4: Associate the NSG to the IP address of the RDSMGMT server
The public IP address is assigned to the load balancer, not to the VM itself; this allows for scale and flexibility. Because of this configuration, you will associate the NSG with the internal NIC of the RDSMGMT server. To do this, open Network interfaces in the SETTINGS section of the NSG.
In the Network interfaces section, click +Associate to associate the NIC of the RDSMGMT server with the NSG you are creating.
You will now be presented with a list of NICs that can be associated to the NSG.
Choose RDSMgmt-nic to associate the NSG with the NIC of the RDSMgmt server.
Once this configuration is saved, your new NSG has been applied. At this time, please go back to the MyCloudIT dashboard and reload the deployment you just protected. You should still be able to see all the Users / Groups as well as collections and additional details of your deployment.
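The same four steps can be scripted with the Az PowerShell module. The script below is an added example and is not part of the MyCloudIT article or its tooling; it assumes the deployment name equals the resource group name (as described above), that the NIC is named RDSMgmt-nic, and that $managementIps holds the addresses from your support ticket. The protocol and port wildcards are an assumption that mirrors "allow only known IP addresses" since the screenshot is not reproduced here.

```powershell
# Added example (not from the MyCloudIT article): NSG creation, management-IP
# whitelist rule and NIC association via Az PowerShell.
# Requires: Install-Module Az; Connect-AzAccount (same subscription as the deployment)

$deploymentName = 'MyDeploymentName'           # placeholder: your MCIT deployment / resource group name
$nsgName        = 'RDSMgmt-NSG-MCIT-Mgmt'      # a name you will still understand in 3 months
$nicName        = 'RDSMgmt-nic'                # assumption: NIC name of the RDSMGMT server
$managementIps  = @('203.0.113.10', '203.0.113.11')  # placeholders: replace with IPs from support

# Refuse to continue with an empty or malformed list: deploying the NSG without
# the management addresses breaks MyCloudIT's ability to manage the deployment.
if ($managementIps.Count -eq 0) { throw 'Open a support ticket and obtain the management IPs first.' }
foreach ($entry in $managementIps) {
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse(($entry -split '/')[0], [ref]$parsed)) {
        throw "Invalid management address: $entry"
    }
}

# Step 1: NSG in the same subscription, resource group and region as the deployment.
$rg = Get-AzResourceGroup -Name $deploymentName

# Steps 2-3: a single inbound Allow rule for the management addresses. Traffic from
# the rest of the Internet is still dropped by the default DenyAllInBound rule, and
# traffic inside the deployment is still permitted by the default AllowVnetInBound rule.
$mgmtRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-MyCloudIT-Management' `
    -Description 'MyCloudIT management platform (addresses from support ticket)' `
    -Direction Inbound -Access Allow -Priority 100 -Protocol '*' `
    -SourceAddressPrefix $managementIps -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'   # assumption: any port from those IPs

$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg.ResourceGroupName `
    -Location $rg.Location -SecurityRules $mgmtRule

# Step 4: the public IP belongs to the load balancer, so the NSG is attached to the
# RDSMGMT server's internal NIC rather than to a public IP resource.
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg.ResourceGroupName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Verification: list the rules Azure now enforces on that NIC, then reload the
# deployment in the MyCloudIT dashboard to confirm management still works.
(Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName `
    -ResourceGroupName $rg.ResourceGroupName).EffectiveSecurityRules |
    Select-Object Name, Direction, Access, Priority, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Run it once with only the management rule, confirm the dashboard still loads the deployment, and only then add further inbound rules one at a time.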
This process lets you leverage Azure's Network Security Groups to provide additional protection for your RDSMgmt server. You can follow the same process to protect your RDSGW server, but keep in mind that the IP addresses listed in that rule must be a comprehensive list of the IP addresses your remote users connect from. Again, if you do not want to configure this yourself, you are welcome to open a support ticket with us and we will install the NSG on your MyCloudIT deployment for you. Please include the request to install the NSG and the name of the deployment you want it installed on. We are not able to install our NSGs on any non-MyCloudIT based deployments.
If you have any questions about this configuration, please contact us at firstname.lastname@example.org.