Network Security Group Attachment for Various Subnet Types

In our network infrastructure, we have implemented network security groups (NSGs) to enhance the security of our resources. NSGs serve as an additional layer of protection by filtering network traffic to and from our Azure Virtual Network. These NSGs are strategically attached to different types of subnets to control inbound and outbound traffic effectively.

As of now, we have five distinct subnet types in our network architecture: Web, Middle, Data, Pep, and Runner. Each of these subnets has specific security requirements and access controls in place. In this document, we outline the NSG attachments and security rules for each of these subnet types. The network security group definitions live in virtual_network.tf.

1. Web Subnet - NSG Attachment: The Web subnet 001 is associated with an NSG that enforces security rules specific to web applications. This NSG allows incoming traffic only from another Web subnet 003, which contains our Application Gateway. This ensures that only authorized traffic is allowed into our web applications. Terraform configuration for web 001:

resource "azurerm_network_security_group" "ingress_into_web" {
  name                = "nsg-web-allow-${var.common_tags.project}-${var.tags.environment}"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  security_rule {
    # Rule attributes (name, priority, direction, access, protocol, ports,
    # address prefixes) are elided in this document; see virtual_network.tf.
  }

  tags = merge(var.tags, var.common_tags)
}

resource "azurerm_subnet_network_security_group_association" "web" {
  subnet_id                 = module.vnet.vnet_subnets[0]
  network_security_group_id = azurerm_network_security_group.ingress_into_web.id
}

Furthermore, the Web 002 subnet uses the standard v2 security rules specifically tailored for API Management. This allows us to control and secure traffic to and from our API endpoints effectively.

resource "azurerm_network_security_group" "ingress_into_apim" {
  name                = "nsg-apim-allow-${var.common_tags.project}-${var.tags.environment}"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  security_rule {
    # Rule attributes (name, priority, direction, access, protocol, ports,
    # address prefixes) are elided in this document; see virtual_network.tf.
  }

  tags = merge(var.tags, var.common_tags)
}

resource "azurerm_subnet_network_security_group_association" "apim" {
  subnet_id                 = module.vnet.vnet_subnets[3]
  network_security_group_id = azurerm_network_security_group.ingress_into_apim.id
}

The Web 003 subnet, which contains our Application Gateway, also uses the standard v2 security rules, here tailored for the Application Gateway that fronts API Management. This allows us to control and secure traffic to and from our App Gateway.

resource "azurerm_network_security_group" "ingress_into_appgw" {
  name                = "nsg-appgw-allow-${var.common_tags.project}-${var.tags.environment}"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  security_rule {
    # Rule attributes (name, priority, direction, access, protocol, ports,
    # address prefixes) are elided in this document; see virtual_network.tf.
  }

  tags = merge(var.tags, var.common_tags)
}

resource "azurerm_subnet_network_security_group_association" "appgw" {
  subnet_id                 = module.vnet.vnet_subnets[4]
  network_security_group_id = azurerm_network_security_group.ingress_into_appgw.id
}

2. Middle Subnet - NSG Attachment: The Middle subnet is secured by an NSG that regulates the network traffic for backend webapp services. It permits incoming connections from the Web subnet, where our frontend application is deployed. This setup ensures that the backend webapp can communicate with the frontend components securely. Terraform configuration:

resource "azurerm_network_security_group" "ingress_into_middle" {
  name                = "nsg-middle-allow-${var.common_tags.project}-${var.tags.environment}"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  security_rule {
    # Rule attributes (name, priority, direction, access, protocol, ports,
    # address prefixes) are elided in this document; see virtual_network.tf.
  }

  tags = merge(var.tags, var.common_tags)
}

resource "azurerm_subnet_network_security_group_association" "middle" {
  subnet_id                 = module.vnet.vnet_subnets[2]
  network_security_group_id = azurerm_network_security_group.ingress_into_middle.id
}

3. Data Subnet - NSG Attachment: The Data subnet is protected by an NSG, allowing traffic exclusively from the Middle subnet. This strict control ensures that our database servers, located in the Data subnet, can only be accessed by authorized backend webapp services on port 3306.

resource "azurerm_network_security_group" "ingress_into_data" {
  name                = "nsg-mysql-allow-${var.common_tags.project}-${var.tags.environment}"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  security_rule {
    # Rule attributes (name, priority, direction, access, protocol, ports,
    # address prefixes) are elided in this document; see virtual_network.tf.
  }

  tags = merge(var.tags, var.common_tags)
}

resource "azurerm_subnet_network_security_group_association" "data" {
  subnet_id                 = module.vnet.vnet_subnets[1]
  network_security_group_id = azurerm_network_security_group.ingress_into_data.id
}
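As an added example (not the project's own virtual_network.tf), the following shows what complete security_rule bodies for the Web 001, Middle and Data tiers described in sections 1 to 3 could look like, built from one map so that each tier admits traffic only from the tier above it and explicitly denies everything else inside the VNet. The address prefixes, the port 443 for the web and middle tiers, the resource names and the rule priorities are assumptions; the subnet indexes and the 3306 port for the Data tier are the ones used above.

```hcl
locals {
  # Assumed subnet prefixes; replace with the real values from module.vnet.
  prefixes = {
    web_001 = "10.0.0.0/24"
    web_003 = "10.0.4.0/24" # Application Gateway subnet (assumed)
    middle  = "10.0.2.0/24"
    data    = "10.0.1.0/24"
  }

  # One entry per protected subnet: which upstream tier may reach it, on which
  # port, and which module.vnet.vnet_subnets index it maps to (indexes as above).
  ingress = {
    web    = { source = local.prefixes.web_003, port = "443", subnet_index = 0 }
    middle = { source = local.prefixes.web_001, port = "443", subnet_index = 2 }
    data   = { source = local.prefixes.middle, port = "3306", subnet_index = 1 }
  }
}

resource "azurerm_network_security_group" "tiered_example" {
  for_each            = local.ingress
  name                = "nsg-${each.key}-allow-example" # assumed naming
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  # Allow only the upstream tier, only on the service port.
  security_rule {
    name                       = "AllowUpstreamTier"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = each.value.port
    source_address_prefix      = each.value.source
    destination_address_prefix = "*"
  }

  # Without this rule the platform default AllowVnetInBound (priority 65000)
  # would still let every other subnet in the VNet reach this tier.
  security_rule {
    name                       = "DenyOtherVnetInbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "*"
  }

  tags = merge(var.tags, var.common_tags)
}

resource "azurerm_subnet_network_security_group_association" "tiered_example" {
  for_each                  = local.ingress
  subnet_id                 = module.vnet.vnet_subnets[each.value.subnet_index]
  network_security_group_id = azurerm_network_security_group.tiered_example[each.key].id
}
```

The explicit deny at priority 4000 is the part that makes "allowing traffic exclusively from the Middle subnet" true: an allow rule on its own only adds to the default rules and does not remove the default VNet-wide allow. The Web 002 (API Management) and Web 003 (Application Gateway) subnets are deliberately left out of this map, because their platform-required rules differ (Application Gateway v2, for example, needs inbound TCP 65200-65535 from the GatewayManager service tag) and a deny-all-VNet rule like the one above would break them. Run `terraform validate` and review the `terraform plan` output before applying changes to the live NSGs.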

4. Pep Subnet - NSG Attachment: The Pep subnet is not currently attached to an NSG, as it may not have specific security requirements, or it could be isolated for particular tasks. You may consider implementing an NSG if necessary.

5. Runner Subnet - NSG Attachment: The Runner subnet is not currently attached to an NSG, but it is essential to evaluate and determine if specific security rules are needed for this subnet, based on its purpose and usage.

Our network security group attachments are designed to ensure that each subnet type operates securely while adhering to our specific security requirements. By maintaining these NSG configurations, we enhance the overall security posture of our Azure Virtual Network. As our network evolves, we should regularly review and update our NSG configurations to adapt to changing security needs.