Manage network traffic at scale with Virtual Network Manager

Protecting your network infrastructure in the cloud is paramount to ensure the security and reliability of the services that depend on it. Azure provides robust solutions for network management and security, and one of the key features available for this purpose is the Virtual Network Manager. It allows you to manage network traffic at scale by using Security Admin Rules, which are part of the network’s security policies. In this article, we explore how to manage network traffic at scale for Azure Virtual Networks using Security Admin Rules.

Understanding Security Admin Rules

Security Admin Rules are a feature of Azure Virtual Network Manager that offers enhanced control over traffic flowing through your virtual networks. They act like filters, enabling you to define which traffic is allowed and which should be blocked based on criteria such as:

  • Source and destination IP addresses.
  • Ports.
  • Protocols (TCP, UDP, ICMP, etc.).

You might consider Network Security Groups (NSGs), which are applied to subnets. They serve essentially the same purpose, but can be troublesome to handle and must be configured for each subnet individually. Unlike NSGs, Security Admin Rules are implemented at scale and take precedence over NSGs. As a result, it is simpler to establish network policies and apply them across multiple virtual networks and subscriptions simultaneously.

Network traffic evaluation flow

When you define a new rule, you specify the following conditions:

  • Priority: The priority of this rule is similar to how a firewall or Network Security Group (NSG) prioritizes its rules. The range is between 1 and 4096.
  • Action: Allow, deny, or always allow.
    • Allow: Traffic is permitted and is also evaluated by an NSG (when present).
    • Deny: Traffic is prohibited.
    • Always allow: Traffic is permitted and will bypass the NSG (when present).
  • Direction: Rules are applied to either inbound or outbound traffic.
  • Protocol: TCP, UDP, ICMP, or any other protocol.
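
The evaluation order described above, modelled locally as an added example (it is not code from the original article or from Azure). The function names, rule objects, packets and NSG verdicts are hypothetical sample data, and the script makes no Azure calls.

```powershell
# Added example: a local model of the evaluation order, no Azure calls.
# Rules, packets and NSG verdicts below are constructed sample data.
function Test-AdminRuleMatch {
    param($Rule, $Packet)
    ($Rule.Direction -eq $Packet.Direction) -and
    ($Rule.Protocol -in 'Any', $Packet.Protocol) -and
    ($Rule.Port -in '*', $Packet.Port)
}

function Resolve-TrafficVerdict {
    param([object[]]$AdminRules, $Packet, [string]$NsgVerdict)
    # The lowest priority number is evaluated first; the first match decides.
    $hit = $AdminRules | Sort-Object Priority |
        Where-Object { Test-AdminRuleMatch -Rule $_ -Packet $Packet } |
        Select-Object -First 1
    if (-not $hit) { return "no admin rule matched, NSG decides: $NsgVerdict" }
    switch ($hit.Access) {
        'Deny'        { "denied by admin rule $($hit.Name)" }
        'AlwaysAllow' { "allowed by admin rule $($hit.Name), NSG bypassed" }
        'Allow'       { "passed admin rule $($hit.Name), NSG decides: $NsgVerdict" }
    }
}

$rules = @(
    [pscustomobject]@{ Name = 'Deny-RDP-Inbound'; Priority = 100; Direction = 'Inbound'
                       Protocol = 'Tcp'; Port = '3389'; Access = 'Deny' }
    [pscustomobject]@{ Name = 'Monitoring-HTTPS'; Priority = 200; Direction = 'Inbound'
                       Protocol = 'Tcp'; Port = '443'; Access = 'AlwaysAllow' }
    [pscustomobject]@{ Name = 'Allow-HTTPS-Outbound'; Priority = 300; Direction = 'Outbound'
                       Protocol = 'Tcp'; Port = '443'; Access = 'Allow' }
)

# Nsg is the verdict the workload's own NSG would give for the same packet.
$packets = @(
    @{ Direction = 'Inbound';  Protocol = 'Tcp'; Port = '3389'; Nsg = 'Allow' }  # admin Deny wins
    @{ Direction = 'Inbound';  Protocol = 'Tcp'; Port = '443';  Nsg = 'Deny'  }  # NSG is bypassed
    @{ Direction = 'Outbound'; Protocol = 'Tcp'; Port = '443';  Nsg = 'Deny'  }  # NSG still blocks
    @{ Direction = 'Inbound';  Protocol = 'Udp'; Port = '53';   Nsg = 'Allow' }  # no admin rule
)

foreach ($p in $packets) {
    $verdict = Resolve-TrafficVerdict -AdminRules $rules -Packet $p -NsgVerdict $p.Nsg
    '{0,-8} {1}/{2,-5} -> {3}' -f $p.Direction, $p.Protocol, $p.Port, $verdict
}
```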

Overview

Before we look at the implementation, let’s get a better overview of the terminology and connections between resources.

  • Virtual Network Manager: The parent resource for Security Admin Configuration.
  • Security Admin Configuration: A set of security configurations, of which you typically have just one.
  • Rule Collection: A collection of Security Admin Rules associated with network groups.
  • Security Admin Rules: Specific rules that define what is allowed and what is prohibited.
Overview of the relations between the resources

Limitations

  • Azure availability: While it is in General Availability (GA) state for most regions, verify that yours is on the list.
  • Non-application: Some services do not support Security Admin Rules, so make sure you do not apply them to a service that is unsupported.

Considerations

Before you start implementing Virtual Network Manager and Security Admin Rules, please consider:

  • Pricing: It’s not inexpensive because charges are determined by the number of subscriptions within a network manager’s scope. You pay approximately €67 per subscription per month.
  • Virtual WAN: When using Virtual WAN, consider deploying Azure Firewall within the Virtual Hub to filter network traffic across your virtual networks.
  • Explore concepts: Lastly, what other features can you utilize within Virtual Network Manager so that you can justify the expenses?

Implement Security Admin Rules

The implementation involves a series of steps, from creating a Virtual Network Manager to testing and applying the rules. We use code for the deployment and configuration.

Note: Find the full version of the script in my GitHub repository.

Create a Virtual Network Manager

  1. Module: You need the Az.Network module during this deployment.
PowerShell
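# Verify if the 'Az.Network' module is installed; install it when it is missing.
$azNetworkModule = 'Az.Network'
# SilentlyContinue suppresses the error Get-InstalledModule raises for a missing module.
If (-not (Get-InstalledModule -Name $azNetworkModule -MinimumVersion '5.3.0' -ErrorAction SilentlyContinue)) {
    Install-Module -Name $azNetworkModule -MinimumVersion '5.3.0' -Force
}
Import-Module -Name $azNetworkModule -Force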
  2. Connect with Azure: Use the Connect-AzAccount and Set-AzContext cmdlets to set the subscription for the resource deployment. Pick any subscription you like but keep the Azure context as is during this deployment.
PowerShell
# Connect with Azure.
Connect-AzAccount
Set-AzContext -SubscriptionName 'mySubscription'
  3. Create a Resource Group and a Virtual Network Manager: These represent the parent resources for our Security Admin Rules.
PowerShell
# Variables
$location = 'westeurope'

# Create a new resource group.
$resourceGroupName = 'virtualNetworkManager'
$resourceGroup = Get-AzResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue
If ($resourceGroup) {
    Write-Host 'Resource Group already exists.'
}
Else {
    $resourceGroup = New-AzResourceGroup -Name $resourceGroupName -Location $location
}

# Create a new Virtual Network Manager scope for an array of subscriptions.
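# Use the subscription of the current Azure context; Get-AzSubscription returns every accessible subscription.
$subscriptionId = (Get-AzContext).Subscription.Id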
$subscriptionScope = @(
    "/subscriptions/$subscriptionId"
)
$scope = New-AzNetworkManagerScope -Subscription $subscriptionScope

# Create Virtual Network Manager.
$avnmParameters = @{
    Name = "vnm-$location-01"
    ResourceGroupName = $resourceGroup.ResourceGroupName
    NetworkManagerScope = $scope
    NetworkManagerScopeAccess = @(
        'SecurityAdmin'
    )
    Location = $location
}
$networkManager = New-AzNetworkManager @avnmParameters
Manage the Virtual Network Manager resource
  4. Create a new Network Manager Group: This group will be used to select the virtual networks that should be managed by the Virtual Network Manager.
PowerShell
# Create a network group to define the membership (Virtual Network members) in.
$ngParameters = @{
    Name = "vnm-$location-01-ng-01"
    ResourceGroupName = $resourceGroup.ResourceGroupName
    NetworkManagerName = $networkManager.Name
}
$networkManagerGroup = New-AzNetworkManagerGroup @ngParameters
  5. Add a Virtual Network to the group: This example looks up an existing sample Virtual Network, but you can also create a new one and add it to the group.
PowerShell
# Get a sample virtual network and add it to the network group.
$virtualNetwork = Get-AzVirtualNetwork -ResourceGroupName 'myResourceGroup' -Name 'myVirtualNetwork'
$staticMemberParameters = @{
    Name = (New-Guid).Guid
    ResourceGroupName = $resourceGroup.ResourceGroupName
    NetworkGroupName = $networkManagerGroup.Name
    NetworkManagerName = $networkManager.Name
    ResourceId = $virtualNetwork.Id
}
New-AzNetworkManagerStaticMember @staticMemberParameters
Manage the Network Group in Virtual Network Manager

Note: Use Azure Policy if you want to automatically add new virtual networks to the Network Group.

Create a Security Admin configuration and rule collection

  1. Create Security Admin Configuration: Create a new configuration in the Virtual Network Manager. Later, we deploy the rules in here.
PowerShell
# Create a Security Admin configuration.
$securityConfigParameters = @{
    Name = 'SecurityConfig'
    ResourceGroupName = $resourceGroup.ResourceGroupName
    NetworkManagerName = $networkManager.Name
}
$securityConfig = New-AzNetworkManagerSecurityAdminConfiguration @securityConfigParameters
  2. Add Network Group: This establishes the relationship between the network group we configured earlier and the configuration. As a result, each Virtual Network in this group is subject to the Security Admin Rules.
PowerShell
# Add the network group to the Security Admin configuration.
$groupItem = New-AzNetworkManagerSecurityGroupItem -NetworkGroupId $networkManagerGroup.Id
  3. New Rule Collection: Create a new rule collection, which holds the Security Admin Rules for this network group.
PowerShell
# Create a new rule collection for the Security Admin configuration.
$collectionParameters = @{
    Name = 'myRuleCollection'
    ResourceGroupName = $resourceGroup.ResourceGroupName
    NetworkManager = $networkManager.Name
    ConfigName = $securityConfig.Name
    AppliesToGroup = @(
        $groupItem
    )
}
$ruleCollection = New-AzNetworkManagerSecurityAdminRuleCollection @collectionParameters

As a result, you now see an empty rule collection within your Virtual Network Manager.

Manage the rule collection overview in Virtual Network Manager

Example of a rule

Congratulations! You’ve made it to the final step of the implementation: configuring the rules. There are different scenarios to consider, and which ones apply depends on your business requirements. The example below allows outbound TCP port 443 (HTTPS) traffic to the internet.

PowerShell
# Set the source to any IP address.
$sourceIp = @{
    AddressPrefix = '*'
    AddressPrefixType = 'IPPrefix'
}
$sourcePrefix = New-AzNetworkManagerAddressPrefixItem @sourceIp

# Set the destination to the Internet.
$destinationIp = @{
    AddressPrefix = 'Internet'
    AddressPrefixType = 'ServiceTag'
}
$destinationPrefix = New-AzNetworkManagerAddressPrefixItem @destinationIp

$rule = @{
    Name = 'Allow-HTTPS-Outbound-Internet'
    ResourceGroupName = $resourceGroup.ResourceGroupName
    NetworkManagerName = $networkManager.Name
    SecurityAdminConfigurationName = $securityConfig.Name
    RuleCollectionName = $ruleCollection.Name
    Protocol = 'TCP'
    Access = 'Allow'
    Priority = '100'
    Direction = 'Outbound'
    SourceAddressPrefix = $sourcePrefix
    SourcePortRange = @(
        '0-65535'
    )
    DestinationAddressPrefix = $destinationPrefix
    DestinationPortRange = @(
        '443'
    )
}
$securityrule = New-AzNetworkManagerSecurityAdminRule @rule
Manage a rule in a rule collection in Virtual Network Manager.

Scenarios

To give you a head-start, consider these scenarios:

  • Whitelist: Define one inbound and one outbound rule with the lowest priority. Block all sources, destinations, and protocols. Now, based on requests of workloads, set specific rules with a higher priority to whitelist traffic flows.
  • Always allow: You might want to ensure that inbound or outbound traffic flows are always permitted. For example, when third-party monitoring software requires inbound HTTPS connectivity, consider creating a rule that always allows this type of traffic, even when a workload has implemented a Network Security Group (NSG) that blocks it.
  • Protect high-risk ports: Restrict inbound traffic for ports that have a high risk of being misused from the internet. Microsoft published a list of high-risk ports.

Verify your new security rules

Now, as a last step, deploy a virtual machine in one of the virtual networks within your network group. Test the rules and, once successful, consider expanding your network group to include more virtual networks.
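
An added example (not part of the original script) that covers the "Protect high-risk ports" scenario and the verification step together: it adds deny rules, commits the configuration, and reads back the rules in effect on a member virtual network. It assumes you are signed in with Connect-AzAccount and that the resources exist under the names used on this page; ports 22 and 3389 are a sample selection, not the full Microsoft list.

```powershell
# Added example. Resource names repeat the ones used earlier on this page;
# 'myResourceGroup' / 'myVirtualNetwork' are the page's sample placeholders.
$rg   = 'virtualNetworkManager'
$avnm = 'vnm-westeurope-01'
$common = @{
    ResourceGroupName              = $rg
    NetworkManagerName             = $avnm
    SecurityAdminConfigurationName = 'SecurityConfig'
    RuleCollectionName             = 'myRuleCollection'
}
$any      = New-AzNetworkManagerAddressPrefixItem -AddressPrefix '*' -AddressPrefixType 'IPPrefix'
$internet = New-AzNetworkManagerAddressPrefixItem -AddressPrefix 'Internet' -AddressPrefixType 'ServiceTag'

# Sample selection (SSH, RDP); take the full list from Microsoft's documentation.
$priority = 200   # chosen to stay clear of the priority 100 rule created above
foreach ($port in '22', '3389') {
    $rule = @{
        Name                     = "Deny-Internet-Inbound-$port"
        Protocol                 = 'Tcp'
        Access                   = 'Deny'
        Priority                 = $priority
        Direction                = 'Inbound'
        SourceAddressPrefix      = $internet
        SourcePortRange          = @('0-65535')
        DestinationAddressPrefix = $any
        DestinationPortRange     = @($port)
    }
    New-AzNetworkManagerSecurityAdminRule @common @rule | Out-Null
    $priority += 10
}

# Rules are not enforced until the configuration is committed to a region.
$config = Get-AzNetworkManagerSecurityAdminConfiguration -Name 'SecurityConfig' -ResourceGroupName $rg -NetworkManagerName $avnm
$commit = @{
    Name              = $avnm
    ResourceGroupName = $rg
    ConfigurationId   = @($config.Id)
    TargetLocation    = @('westeurope')
    CommitType        = 'SecurityAdmin'
}
Deploy-AzNetworkManagerCommit @commit

# Read back what is actually enforced on a virtual network in the network group.
Get-AzNetworkManagerEffectiveSecurityAdminRule -VirtualNetworkName 'myVirtualNetwork' -VirtualNetworkResourceGroupName 'myResourceGroup'
```

The commit runs asynchronously, so the effective rules can take a few minutes to appear; rerun the last command before testing from the virtual machine.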

Best practices

  • Prioritization of rules: Security Admin Rules are processed in ascending order of priority. Ensure that the rules are properly prioritized, especially to avoid conflicts and unintended traffic blocks.
  • Testing: Always thoroughly test new or modified rules in a non-production environment to avoid potential disruptions.
  • Auditing and reporting: Keep an audit trail of changes to the Security Admin Rules for accountability and compliance purposes. Report the changes to relevant peers and evaluate the traffic flow.

Conclusion

Leveraging Security Admin Rules in Azure Virtual Network Manager is a powerful way to ensure that your cloud infrastructure remains secure and resilient to network-based threats. By blocking network traffic at scale and effectively managing network policies, Azure users can focus more on their core business, knowing that their network security is robust and scalable.

The price holds me back, though. Specifically in enterprises, where landing zone subscriptions are the new best practice, it can be costly. Rather than deploying Virtual Network Manager, I would opt to filter network traffic with Azure Firewall in the Virtual Hub.

If you encounter any problems with the deployment or have any questions, please feel free to leave a reply.

Documentation

For detailed information and technical documentation, also make sure to visit the official Azure documentation for Virtual Network Manager and Security Admin Rules.