Sunday, April 18, 2021

Secure Azure Virtual Machines Behind Azure Firewalls

Data security is one of the most important concerns in the IT industry, so every member of a project team is responsible for the security and encryption of its data. As an Ops engineer, however, you have to introduce several data security mechanisms across your company. This blog post explains how to access an Azure Virtual Machine securely.

Prerequisites

  • An Azure Virtual Machine
  • A web app hosted on the IIS server inside the Azure Virtual Machine
  • Network configuration already in place so that the web app is accessible from outside the VM
  • An Azure Firewall

As the first step to secure the VM, we remove the public IP from the VM: go to the public IP resource of the VM and click Dissociate.



Once you remove the public IP, the site is no longer reachable.

Now go to the Azure Firewall and add a NAT rule so that traffic is routed via the firewall's public IP.


Let's add the NAT rule to route traffic from the internet to the web site hosted on the IIS server of the VM.


1 - Give * as the source, which means the source is not limited to one IP or a specific IP range; it can be anyone on the internet.

2 - Destination address is the public IP of the firewall. All traffic coming from the internet is routed via this IP address.

3 - Destination port is the port we use to access the site.

4 - Translated address is the private IP of the VM where the web site is hosted.

5 - Translated port is the port used to host the site on the IIS server.

Once the NAT rule is added, try to access the website using the public IP of the firewall. You should now be able to reach the site via the firewall.
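The same two steps (dissociating the VM's public IP, then adding the DNAT rule) done with the Az PowerShell module, as an added example that is not part of the original post. The resource group, NIC, firewall, public IP names and the VM's private IP are assumed placeholders; the checks after each step confirm the VM is no longer directly exposed and that the site answers through the firewall.

```powershell
# Added example (not from the original post). All names and the private IP below are assumed placeholders.
$rg        = 'rg-web'          # assumed resource group
$nicName   = 'vm-web-nic'      # assumed NIC of the IIS VM
$fwName    = 'fw-hub'          # assumed Azure Firewall name
$fwPipName = 'fw-hub-pip'      # assumed public IP attached to the firewall
$vmPrivIp  = '10.0.1.4'        # assumed private IP of the VM (translated address)
$sitePort  = 80                # port the IIS site listens on (destination and translated port)

# Step 1: dissociate the public IP from the VM's NIC so the VM is not reachable directly.
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
$nic.IpConfigurations[0].PublicIpAddress = $null
$nic = Set-AzNetworkInterface -NetworkInterface $nic

# Check: no IP configuration on the NIC may still carry a public IP.
if ($nic.IpConfigurations | Where-Object { $_.PublicIpAddress }) {
    throw "NIC '$nicName' still has a public IP associated."
}

# Step 2: DNAT rule on the firewall. Source '*' = any internet client, as in the post;
# narrow it to known client ranges if the site does not need to be reachable by everyone.
# Destination = firewall public IP:port, translated = VM private IP:port.
$fwPip = Get-AzPublicIpAddress -Name $fwPipName -ResourceGroupName $rg
$rule = New-AzFirewallNatRule -Name 'iis-web' `
    -Protocol 'TCP' `
    -SourceAddress '*' `
    -DestinationAddress $fwPip.IpAddress `
    -DestinationPort "$sitePort" `
    -TranslatedAddress $vmPrivIp `
    -TranslatedPort "$sitePort"
$collection = New-AzFirewallNatRuleCollection -Name 'web-dnat' -Priority 100 -Rule $rule

$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fw.AddNatRuleCollection($collection)
Set-AzFirewall -AzureFirewall $fw

# Check: the site should now answer on the firewall's public IP only.
(Invoke-WebRequest -Uri "http://$($fwPip.IpAddress):$sitePort/" -UseBasicParsing).StatusCode
```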



You can secure your Virtual Machines with Virtual Networks and subnets. But if you attach a public IP directly to a Virtual Machine, it is not secure, since the Virtual Machine is directly exposed to the public internet. Hence, remove the public IP from the Virtual Machine and allow access only through the firewall, which makes the Virtual Machine more secure.
