Azure Network Security Groups
This topic describes how to create and modify Network Security Groups for an Azure account in CloudGuard Native. The account must be in Manage mode.
You can create NSGs for each region or resource group in your Azure account.
This procedure describes how to set an Azure account in CloudGuard Native to Managed mode. The account must first be onboarded to CloudGuard Native.
In Managed mode, you will be able to manage the Security Groups for the account from CloudGuard Native.
On the CloudGuard Native console, navigate to the Cloud Accounts page in Network Security.
Click on the Azure account.
Move the switch to MANAGED.
Click OK to confirm the change.
Note - You can switch the account back to Read-Only. In this mode, you cannot set Security Groups from CloudGuard Native.
You can modify details for an Azure NSG in the CloudGuard Native console. The NSG must be in Manage mode. You can add, remove, or modify rules for the NSG.
Navigate to the Security Groups page in Network Security. A list of your Security Groups, for all your accounts, will be shown.
Click on the Azure NSG of interest in the list.
Click on EDIT MODE.
Click "Click to add new rule".
Enter details for the rule.
For example, an SSH rule:
Set the following parameters for the Security Group:
Service Type - contains a list of predefined services; selecting a type automatically fills most of the required fields.
Action - Deny or Allow - Type of access to apply if the rule matches.
Priority - Rules are checked in the order of priority. Once a rule applies, no more rules are tested for matching.
Protocol - TCP, UDP, or *
Destination port range - Destination port range to match for the rule.
Source scope - Source address prefix or tag to match for the rule.
Name - Name for the rule.
For more information, see https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg
When the NSG contains several rules, you can drag the new rule and place it between other rules.
DenyMSSQL before dragging it to another priority:
DenyMSSQL after the drag to another priority:
Click Save Changes.
You can apply Tamper Protection to an Azure Security Group. Tamper Protection detects unauthorized changes made to the Security Group (that is, changes not made in CloudGuard Native), and rolls them back to the settings you define in CloudGuard Native.
You can only apply Tamper Protection to Azure NSGs in an account that is Managed.