CloudGuard Dome9 Help
Azure Network Security Groups
This topic describes how to create and modify Network Security Groups for an Azure account in Dome9. The account must be in Manage mode.
You can create NSGs for each region or resource group in your Azure account.
This procedure describes how to set an Azure account in Dome9 to Managed mode. The account must first be onboarded to Dome9.
In Managed mode, you will be able to manage the Security Groups for the account from Dome9.
You can modify details for an Azure NSG in the Dome9 console. The NSG must be in Manage mode. You can add, remove, or modify rules for the NSG.
Navigate to the Security Groups page in Network Security. A list of your Security Groups, for all your accounts, will be shown.
Click on the Azure NSG of interest in the list.
Click on EDIT MODE.
Click "Click to add new rule".
Enter details for the rule.
For example, an SSH rule:
Set the following parameters for the Security Group:
Service Type - Contains a list of predefined services; selecting a type automatically fills in most of the required fields.
Action - Deny or Allow - Type of access to apply if the rule matches.
Priority - Rules are checked in the order of priority. Once a rule applies, no more rules are tested for matching.
Protocol - TCP, UDP, or *
Destination port range - Destination port range to match for the rule.
Source scope - Source address prefix or tag to match for the rule.
Name - Name for the rule.
For more information, see https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg
When the NSG contains several rules, you can drag the new rule and place it between other rules.
DenyMSSQL before dragging it to another priority:
DenyMSSQL after the drag to another priority:
Click Save Changes.
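The following added example (not part of the Dome9 product or its documentation) models the first-match priority evaluation described above and shows why the position of a rule such as DenyMSSQL matters: placed below a broader Allow rule, the Deny is never reached. The rule names other than DenyMSSQL, the addresses and the priority numbers are constructed; it assumes Azure's convention that lower priority numbers are checked first, matches source prefixes only (not tags), and uses a simplified default deny.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is checked first (Azure NSG behaviour)
    action: str      # "Allow" or "Deny"
    protocol: str    # "TCP", "UDP" or "*"
    dest_ports: str  # "22", "1433-1434" or "*"
    source: str      # CIDR prefix or "*"; service tags are not modelled here

def port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def source_matches(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(rules, protocol, port, src_ip):
    """Return (action, rule name) for the first rule that matches, by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and port_matches(rule.dest_ports, port)
                and source_matches(rule.source, src_ip)):
            return rule.action, rule.name  # first match wins; later rules are not tested
    return "Deny", "DefaultDeny"           # simplified stand-in for the default deny

def move_rule(rules, name, new_priority):
    """Model dragging a rule to a new position: same rule, different priority."""
    return [replace(r, priority=new_priority) if r.name == name else r for r in rules]

# Constructed sample rule set; priorities and addresses are illustrative.
BEFORE = [
    Rule("AllowSSH", 100, "Allow", "TCP", "22", "203.0.113.0/24"),
    Rule("AllowInternal", 200, "Allow", "*", "*", "10.0.0.0/8"),
    Rule("DenyMSSQL", 300, "Deny", "TCP", "1433", "*"),
]
AFTER = move_rule(BEFORE, "DenyMSSQL", 150)  # dragged above AllowInternal

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate(rules, "TCP", 1433, "10.1.2.3"))
```

Before the move, MSSQL traffic from an internal address is allowed by the broader AllowInternal rule; after the move, DenyMSSQL matches first and the traffic is denied.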
You can apply Tamper Protection to an Azure Security Group. Tamper Protection detects unauthorized changes made to the Security Group (that is, changes not made in Dome9), and rolls them back to the settings you define in Dome9.
You can only apply Tamper Protection to Azure NSGs in an account that is Managed.