Network security groups

- [Instructor] So as we've seen in this course, the network security group is the basic protection that protects networks and subnets from traffic that travels over them. Let's switch over to the Azure portal and create a network security group. As usual, we will go to the Create a resource button which is the plus sign in the top left. We'll click it. I'm going to enter network security group into the search and you'll see that as soon as I start typing, it autofills and network security group is the first option. I'm going to click the Create button to create a network security group. The creation of the group is quite simple. We do need to give it a name, so I'm going to call it azsjdnewnsg. It'll run on our default subscription. We do have to place it in a resource group. And I have an existing resource group for this purpose. I will have the network security group in the same region as the virtual network that it's going to be associated with, in this case it's East US. Then I click Create. Now, it takes a few seconds for this network security group to be created. Now that's successfully created, I'm going to go into the resource groups, to the resource group that I selected and we can see my azsjdnewnsg as being one of the resources in this group. Let's go into it. Now, in the Overview screen, it tells me a bit about the group. If I was to minimize the header, we can see the rules. The inbound security rules and outbound security rules are provided by Microsoft by default. We can't edit them or delete them. Any rules that we create have to override them. I'm going to go to the Inbound security rules under Settings. We can see that there are three rules by default. One rule allows traffic to travel over the virtual network. Another rule allows load balancer traffic which is usually a health probe or similar. And the final rule is to deny all other inbound traffic. So let us add a rule that will allow port 80 which is the HTTP unencrypted web port. To do this, we'll click the Add button. Now, there are two ways to add security rules. There is a basic editor that is quite simple and there's also an advanced editor that allows us to choose a lot more options. We'll stick with the advanced editor. Starting at the top, we have two options for specifying the source of the traffic. As you can see by default, this network security group rule allows any traffic from any source. We can, of course, specify that we only want traffic from particular IP addresses or based on a service tag or existing application security group. We'll talk about the application security group shortly. And then we also get to specify the destination of where the traffic goes to. The traffic can go to a specific IP address. It can travel to another virtual network or to a specific application security group. Finally, we want to specify the port. Now, we were talking about the port 80 traffic which is HTTP traffic. So we're going to specify port 80. The network security group filters traffic for TCP, UDP and ICMP. We can choose TCP because that is the traffic that travels over the internet. Now we can choose to either specifically allow this traffic or deny it. The priority of the traffic is based on the lowest number, has the highest priority. So we can see peaking out that the default rules start at 65,000 and so any number less than 65,000 is going to be a higher priority rule. Thus priority 100 will override any of these rules. We have to give the rule a name and I'm going to call this web-traffic-80 and click Add. So we'll now create this rule and add this as an inbound rule into our network security group. So we can see through this way that we can add as many rules as we need for different ports and for different reasons.