To prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, you can use a Network Security Group (NSG). This solution is straightforward and minimizes administrative effort.
Step-by-Step Solution
Step 1: Create a Network Security Group (NSG)
Navigate to the Azure Portal.
Search for “Network security groups” and select it.
Click on “Create”.
Enter the following details:
Subscription: Select your subscription.
Resource Group: Select an existing resource group or create a new one.
Name: Enter a name for the NSG (e.g., NSG-Subnet1-2).
Region: Select the region where your virtual network is located.
Click on “Review + create” and then “Create”.
Step 2: Create an Inbound Security Rule
Navigate to the newly created NSG.
Select “Inbound security rules” from the left-hand menu.
Click on “Add” to create a new rule.
Enter the following details:
Source: Select Service Tag.
Source Service Tag: Select VirtualNetwork.
Source port ranges: Leave as *.
Destination: Select IP Addresses.
Destination IP addresses/CIDR ranges: Enter the IP range of subnet1-2 (e.g., 10.1.2.0/24).
Destination port ranges: Enter 5585.
Protocol: Select TCP.
Action: Select Deny.
Priority: Enter a priority value (e.g., 100).
Name: Enter a name for the rule (e.g., Deny-TCP-5585).
Click on “Add” to create the rule.
Step 3: Associate the NSG with Subnet1-2
Navigate to the virtual network that contains subnet1-2.
Select “Subnets” from the left-hand menu.
Select subnet1-2 from the list of subnets.
Click on “Network security group”.
Select the NSG you created (NSG-Subnet1-2).
Click on “Save”.
Explanation
Network Security Group (NSG): NSGs are used to filter network traffic to and from Azure resources in an Azure virtual network. They contain security rules that allow or deny inbound and outbound traffic based on source and destination IP addresses, port, and protocol.
Inbound Security Rule: By creating a rule that denies traffic on TCP port 5585 from any source outside of subnet1-2, you ensure that only hosts within subnet1-2 can connect to this port.
Association with Subnet: Associating the NSG with subnet1-2 ensures that the security rules are applied to all resources within this subnet.
By following these steps, you can effectively prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, while minimizing administrative effort.
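To check what the Step 2 rule actually does before relying on it, here is an added example (not from the page or from Azure's own tooling) that models NSG inbound evaluation: lowest priority number first, first match wins, then Azure's default AllowVnetInBound and DenyAllInBound rules. The VNet range 10.1.0.0/16 and the sample hosts are assumed; the VirtualNetwork service tag covers the whole VNet address space, subnet1-2 included, so the model also shows an explicit Allow rule for subnet1-2 at a lower priority number, which is what the Explanation's "only hosts within subnet1-2 can connect" requires.

```python
import ipaddress

# Constructed address plan (assumed; only 10.1.2.0/24 for subnet1-2 comes from the page).
VNET = ipaddress.ip_network("10.1.0.0/16")
SUBNET_1_2 = "10.1.2.0/24"

# Azure's built-in inbound default rules, evaluated after every custom rule.
# (AllowAzureLoadBalancerInBound at 65001 is omitted; it is irrelevant here.)
DEFAULT_INBOUND = [
    (65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    (65500, "*", "*", "*", "*", "Deny"),
]

# Rule tuple: (priority, source, destination, dest port, protocol, action).
# The single rule the walkthrough creates in Step 2:
PAGE_RULES = [(100, "VirtualNetwork", SUBNET_1_2, "5585", "TCP", "Deny")]

# Same deny, preceded by an explicit Allow for subnet1-2's own hosts.
FIXED_RULES = [(90, SUBNET_1_2, SUBNET_1_2, "5585", "TCP", "Allow")] + PAGE_RULES


def addr_matches(field, ip):
    """Match a Source/Destination field: '*', the VirtualNetwork tag, or a CIDR."""
    if field == "*":
        return True
    if field == "VirtualNetwork":
        # The tag covers the VNet's own address space (peered/on-prem ranges omitted).
        return ip in VNET
    return ip in ipaddress.ip_network(field)


def evaluate(rules, src, dst, dport, proto="TCP"):
    """Return the action of the first matching rule, lowest priority number first."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, source, dest, port, rproto, action in sorted(rules + DEFAULT_INBOUND, key=lambda r: r[0]):
        if (addr_matches(source, src_ip) and addr_matches(dest, dst_ip)
                and port in ("*", str(dport)) and rproto in ("*", proto)):
            return action
    return "Deny"  # not reachable: rule 65500 matches everything


if __name__ == "__main__":
    # Sample sources: another subnet, a host inside subnet1-2, and the Internet.
    for label, rules in (("page", PAGE_RULES), ("fixed", FIXED_RULES)):
        for src in ("10.1.1.5", "10.1.2.20", "203.0.113.5"):
            print(f"{label:5} {src:12} -> 10.1.2.10:5585  {evaluate(rules, src, '10.1.2.10', 5585)}")
```

With only the page's rule, a host inside subnet1-2 is also denied on port 5585; the added Allow at priority 90 restores intra-subnet access while outside subnets stay blocked.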