Create Azure NSGs with Terraform

30 minutes
  • 2 Learning Objectives

About this Hands-on Lab

This lab demonstrates the ease with which we can deploy and manage a Network Security Group.

NSGs provides a simple mechanism to filter traffic to and from an Azure internal network. However, NSGs are somewhat limited in the number of rules you can have in place and keeping track of what rules apply in what priority can occasionally have you pulling out your hair. Terraform provides a straightforward way to ensure that new NSGs automatically acquire any base rules required by your IT department, and will allow you to make updates as well as re-order rule priorities without having to manually destroy NSG rules before recreating them.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Log into the Azure Portal and set up the Azure CLI for use.
  1. Open the CLI.
  2. Select Bash at the prompt.
  3. Click Show Advanced Settings. Both the Resource Group and Storage Account should be pre-selected with the lab generated values.
  4. In the File share section, choose the Create new radio button and enter console.
  5. Click the Attach Storage button.
  6. Once the command prompt is initialized, proceed to Task 2.
Deploy a Network Security Group with inbound/outbound rules.

To complete this exercise, please make sure you’ve completed Task 1.

  1. Use the code block found in the Additional Information and Resources section to create a lab.tf file and upload it to the CLI.
  2. In the (resource "azurerm_storage_account" "lab") declaration, you’ll need to edit the resource_group_name value with the name generated by the lab. Additionally, you’ll need to enter a unique name for the storage account that will be used for the file share. The "provider" statement has been added to the code, so you won’t need to create a main.tf file to deploy the storage account.
  3. Once the file has been uploaded, run terraform init.
  4. Run terraform plan and review the output to confirm that Terraform will create the desired resource. Green plus signs will indicate the resources that need to be added.
  5. Run terraform apply, answering yes to the prompt to continue.
  6. Once Terraform completes the deployment, check the Azure Portal to confirm.

You’re done! Go ahead and shut down the lab.

Additional Resources

In this lab, we create a simple Network Security Group with a small number of rules and then reprioritize one fo them. You'll need to use the pre-generated resource group name. Take note of the speed with which Terraform can re-order rules within an NSG as opposed to doing so manually.

Use the following code block for this lab.

Code for lab.tf file follows

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}

  skip_provider_registration = true
}

resource "azurerm_network_security_group" "nsg" {
  name                = "LabNSG"
  location            = "East US"
  resource_group_name = "Enter resource group name"
}

resource "azurerm_network_security_rule" "example1" {
  name                        = "Web80"
  priority                    = 1001
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "80"
  destination_port_range      = "80"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "Enter Resource group name"
  network_security_group_name = azurerm_network_security_group.nsg.name
}

resource "azurerm_network_security_rule" "example2" {
  name                        = "Web8080"
  priority                    = 1000
  direction                   = "Inbound"
  access                      = "Deny"
  protocol                    = "Tcp"
  source_port_range           = "8080"
  destination_port_range      = "8080"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "Enter Resource group name"
  network_security_group_name = azurerm_network_security_group.nsg.name
}

  resource "azurerm_network_security_rule" "example4" {
  name                        = "SSH"
  priority                    = 1100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "Enter Resource group name"
  network_security_group_name = azurerm_network_security_group.nsg.name
}

  resource "azurerm_network_security_rule" "example3" {
  name                        = "Web80Out"
  priority                    = 1000
  direction                   = "Outbound"
  access                      = "Deny"
  protocol                    = "Tcp"
  source_port_range           = "80"
  destination_port_range      = "80"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "Enter Resource group name"
  network_security_group_name = azurerm_network_security_group.nsg.name
}

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?