anilkumar-3187 asked:

Mixed questions on Azure firewall, ASGs, NSGs, Extensions and IP SKU change

Hello,

Could you please help me find answers to the questions below?

  1. Are we supposed to pay for extension attached to Azure VMs?

  2. How can I see the list of Network Interface Cards (NICs) of Azure VMs attached to an Application Security Group (ASG)?

  3. Is it possible to associate Application Security Groups (ASGs) or Network Security Groups (NSGs) with on-premises VMs/systems if the on-premises network is connected to the Azure network via VPN gateway or ExpressRoute?

  4. Can Azure Firewall regulate the traffic flowing in and out of on-premises computers if the on-premises network is connected to the Azure network via VPN gateway or ExpressRoute?

  5. Why doesn't Azure allow downgrading an IP address from Standard to Basic?

Appreciate your insightful response, thank you !!
Tags: azure-virtual-machines, azure-virtual-network, azure-vpn-gateway, azure-firewall, azure-expressroute
Best is to post each question separately.


1 Answer

srbose-msft answered:

@anilkumar-3187 , thank you for your questions.

Are we supposed to pay for extension attached to Azure VMs?

There is no additional charge that you have to pay for VM extensions.

How can I see the list of Network Interface Cards (NICs) of Azure VMs attached to an Application Security Group (ASG)?

Application Security Groups can be seen as a property of Network Interface Cards. However, we can programmatically find out which NICs are associated with a particular Application Security Group.

Following is a PowerShell code that achieves this.

 param (
   [Parameter(Mandatory=$true, HelpMessage="Enter the resource ID of the ASG")][string]$ASGId
 )
 # Requires the Az PowerShell module and an authenticated session (Connect-AzAccount).
 $nics = Get-AzNetworkInterface
 foreach ($nic in $nics)
 {
   # A NIC can carry several IP configurations, each referencing zero or more ASGs.
   # Collect every ASG ID the NIC references and test membership with -contains,
   # so a NIC that belongs to more than one ASG is still matched.
   $asgIds = @($nic.IpConfigurations.ApplicationSecurityGroups.Id)
   if ($asgIds -contains $ASGId)
   { Write-Output "`nNIC: $($nic.Name), Resource Group: $($nic.ResourceGroupName)" }
 }

Save this code in a .ps1 file and you can run it as filename.ps1 <resource ID of the ASG> or you can simply run filename.ps1 and input the Resource ID of the ASG interactively.

Note: this code makes use of the Az PowerShell Module. Installation Instructions can be found here.

Is it possible to associate Application Security Groups (ASGs) or Network Security Groups (NSGs) with on-premises VMs/systems if the on-premises network is connected to the Azure network via VPN gateway or ExpressRoute?

Network Security Groups (NSG): An access control mechanism for controlling traffic between resources within a virtual network and also with external networks, such as the internet or other virtual networks. NSGs can take your segmentation strategy to a granular level by creating perimeters for a subnet, a VM, or a group of VMs. For information about possible operations with subnets in Azure, see Subnets (Azure Virtual Networks).

Application Security Groups (ASGs): Similar to NSGs but are referenced with an application context. It allows you to group a set of VMs under an application tag and define traffic rules that are then applied to each of the underlying VMs.

For more information please check this document.

To summarize, these are not feasible options for on-premise networks connected to Azure.

Can Azure Firewall regulate the traffic flowing in and out of on-premises computers if the on-premises network is connected to the Azure network via VPN gateway or ExpressRoute?

Azure Firewall: A cloud native stateful Firewall as a service, which can be deployed in your VNet or in Azure Virtual WAN hub deployments for filtering traffic flowing between cloud resources, the internet, and on-premise. You create rules or policies (using Azure Firewall or Azure Firewall Manager) specifying allow/deny traffic using layer 3 to layer 7 controls. You can also filter traffic going to the internet using both Azure Firewall and third parties by directing some or all traffic through third-party security providers for advanced filtering & user protection.

For more information please check this document.

Here is a guide to deploy and configure Azure Firewall in a hybrid network using the Azure portal.

Why doesn't Azure allow downgrading an IP address from Standard to Basic?

At the time of writing, this feature is not available. [Reference] On attempting to downgrade SKU for a Standard Public IP address to Basic through Azure CLI the following is seen.

(PublicIPSKUDowngradeFeatureNotEnabled) PublicIP /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxx/providers/Microsoft.Network/publicIPAddresses/test SKU downgrade feature flag Microsoft.Network/AllowPublicIPSkuDowngrade is not enabled for this subscription /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxx/providers/Microsoft.Network/subscriptions/.

If you attempt to register the feature it will say:

(FeatureRegistrationUnsupported) The feature 'AllowPublicIPSkuDowngrade' does not support registration.

This is currently by design and might change in the future. If you have a concern which is the consequence of this, I would urge you to voice your feedback here.


Hope this helps.

Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
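As an added example (not code from the original answer), a broader inventory built on the same NIC-side lookup as the script above, assuming the Az PowerShell module and an authenticated session: for every ASG in the subscription it lists the member NICs and the NSG rules that reference the ASG as source or destination, using the Az security rule properties SourceApplicationSecurityGroups and DestinationApplicationSecurityGroups.

```powershell
# Added example, not from the original answer: inventory every ASG in the current
# subscription, the NICs whose IP configurations reference it, and the NSG rules
# that use it as source or destination.
# Assumes the Az PowerShell module is installed and Connect-AzAccount has been run.

$asgs = Get-AzApplicationSecurityGroup
$nics = Get-AzNetworkInterface
$nsgs = Get-AzNetworkSecurityGroup

foreach ($asg in $asgs) {
    # Membership is a property of each NIC IP configuration, not of the ASG,
    # so the lookup has to run from the NIC side. -contains handles NICs that
    # reference several ASGs or carry several IP configurations.
    $memberNics = $nics | Where-Object {
        @($_.IpConfigurations.ApplicationSecurityGroups.Id) -contains $asg.Id
    }

    # NSG rules that reference this ASG instead of an address prefix, in either direction.
    $rules = foreach ($nsg in $nsgs) {
        foreach ($rule in $nsg.SecurityRules) {
            $refs = @($rule.SourceApplicationSecurityGroups.Id) +
                    @($rule.DestinationApplicationSecurityGroups.Id)
            if ($refs -contains $asg.Id) {
                "{0}:{1} ({2} {3}, priority {4})" -f $nsg.Name, $rule.Name, $rule.Direction, $rule.Access, $rule.Priority
            }
        }
    }

    # One summary row per ASG; pipe to Format-Table or Export-Csv as needed.
    [pscustomobject]@{
        Asg           = $asg.Name
        ResourceGroup = $asg.ResourceGroupName
        NicCount      = @($memberNics).Count
        Nics          = (@($memberNics) | ForEach-Object { "$($_.ResourceGroupName)/$($_.Name)" }) -join ', '
        RuleCount     = @($rules).Count
        Rules         = @($rules) -join ', '
    }
}
```

An ASG that has rules referencing it but no member NICs deserves a second look: those rules currently match no traffic, and any NIC later attached to the ASG inherits them immediately.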



Thank you very much @srbose-msft for your detailed response.

I am going through your response and the referred posts and will reply again to this thread by tomorrow.

Did you mean the answer to the 3rd question (ASGs, NSGs) is yes? Sorry, I was confused, so I am asking it again. I will reread your response.

Thank you again !!


@anilkumar-3187 , Thank you for your response. Please do take your time to go through the information I have shared and let me know if you have any queries.

In the meanwhile, to the third question from your original five:

Is it possible to associate Application Security Groups (ASGs) or Network Security Groups (NSGs) with on-premises VMs/systems if the on-premises network is connected to the Azure network via VPN gateway or ExpressRoute?

Very simply, Network Security Groups can be associated only with Azure Virtual Network subnets and/or Azure Network Interfaces. Application Security Groups can be associated only with Azure Network interfaces. So there's not much room to accommodate on-premise networks and devices with these two services. Even if your on-premise networks are connected to an Azure Virtual Network, NSGs/ASGs cannot be extended to them.

Instead, Azure Firewall is a potent option when you want to secure a hybrid network that extends an on-premises network to Azure for hybrid applications where workloads run both on-premises and in Azure. [Reference]


Hope this helps and do let me know if you have any questions.


Thank you very much @srbose-msft for another valuable response !!

Glad to mark your response as answers to my questions....

StayBlessednHappy
