Azure Bastion – creating proper NSG rules

In case anyone has run into trouble defining the NSG rules that Azure Bastion requires on the AzureBastionSubnet…

Well, here they are:

Works like a charm 😀

And below is the ARM template for it. Two caveats before you copy it: the template defines every rule twice — inline in the NSG's `securityRules` array and again as child `Microsoft.Network/networkSecurityGroups/securityRules` resources — and the two copies disagree on `InboundFromGM` (the inline copy allows only 443, the child resource allows 443 and 4443). Because the child resources `dependsOn` the NSG they should deploy after it and overwrite the inline rule, so keep the copies in sync or drop one. The inbound HTTPS rule also uses `*` as its source; the `Internet` service tag is the tighter choice for that rule. Finally, Microsoft's documented Bastion NSG requirements have been extended over time (e.g. an inbound 443 rule from the `AzureLoadBalancer` tag and the intra-subnet data-plane rules), so check the current documentation before relying on this list.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "projectPrefix": {
            "type": "string",
            "metadata": {
                "description": "Prefix for the name of resources."
            }
        },
        "resourceLocation": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for all resources."
            }
        }
    },
    "variables": {
        "nsgName": "[concat(parameters('projectPrefix'), 'NSG-Bastion')]"
    },
    "resources": [
        {
            "type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2019-09-01",
            "name": "[variables('nsgName')]",
            "location": "[parameters('resourceLocation')]",
            "properties": {
                "securityRules": [
                    {
                        "name": "InboundFromAny",
                        "properties": {
                            "description": "Allow inbound HTTPS (443) from any source; consider narrowing the source to the Internet service tag.",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "443",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "*",
                            "access": "Allow",
                            "priority": 100,
                            "direction": "Inbound",
                            "sourcePortRanges": [
                            ],
                            "destinationPortRanges": [
                            ],
                            "sourceAddressPrefixes": [
                            ],
                            "destinationAddressPrefixes": [
                            ]
                        }
                    },
                    {
                        "name": "InboundFromGM",
                        "properties": {
                            "description": "Allows the Azure control plane (Gateway Manager) to reach Azure Bastion.",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "443",
                            "sourceAddressPrefix": "GatewayManager",
                            "destinationAddressPrefix": "*",
                            "access": "Allow",
                            "priority": 120,
                            "direction": "Inbound",
                            "sourcePortRanges": [
                            ],
                            "destinationPortRanges": [
                            ],
                            "sourceAddressPrefixes": [
                            ],
                            "destinationAddressPrefixes": [
                            ]
                        }
                    },
                    {
                        "name": "OutboundToVNET_SSH",
                        "properties": {
                            "description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and SSH port",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "22",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 120,
                            "direction": "Outbound",
                            "sourcePortRanges": [
                            ],
                            "destinationPortRanges": [
                            ],
                            "sourceAddressPrefixes": [
                            ],
                            "destinationAddressPrefixes": [
                            ]
                        }
                    },
                    {
                        "name": "OutboundToVNET_RDP",
                        "properties": {
                            "description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and RDP port",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "3389",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 110,
                            "direction": "Outbound",
                            "sourcePortRanges": [
                            ],
                            "destinationPortRanges": [
                            ],
                            "sourceAddressPrefixes": [
                            ],
                            "destinationAddressPrefixes": [
                            ]
                        }
                    },
                    {
                        "name": "OutboundHTTPStoAzureCloud",
                        "properties": {
                            "description": "Egress Traffic to other public endpoints in Azure",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "443",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "AzureCloud",
                            "access": "Allow",
                            "priority": 100,
                            "direction": "Outbound",
                            "sourcePortRanges": [
                            ],
                            "destinationPortRanges": [
                            ],
                            "sourceAddressPrefixes": [
                            ],
                            "destinationAddressPrefixes": [
                            ]
                        }
                    }
                ]
            }
        },
        {
            "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "apiVersion": "2019-09-01",
            "name": "[concat(variables('nsgName'), '/InboundFromAny')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
            ],
            "properties": {
                "description": "Allow inbound HTTPS (443) from any source; consider narrowing the source to the Internet service tag.",
                "protocol": "TCP",
                "sourcePortRange": "*",
                "destinationPortRange": "443",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "*",
                "access": "Allow",
                "priority": 100,
                "direction": "Inbound",
                "sourcePortRanges": [
                ],
                "destinationPortRanges": [
                ],
                "sourceAddressPrefixes": [
                ],
                "destinationAddressPrefixes": [
                ]
            }
        },
        {
            "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "apiVersion": "2019-09-01",
            "name": "[concat(variables('nsgName'), '/InboundFromGM')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
            ],
            "properties": {
                "description": "Allows the Azure control plane (Gateway Manager) to reach Azure Bastion on 443 and 4443.",
                "protocol": "TCP",
                "sourcePortRange": "*",
                "sourceAddressPrefix": "GatewayManager",
                "destinationAddressPrefix": "*",
                "access": "Allow",
                "priority": 120,
                "direction": "Inbound",
                "sourcePortRanges": [
                ],
                "destinationPortRanges": [
                    "443",
                    "4443"
                ],
                "sourceAddressPrefixes": [
                ],
                "destinationAddressPrefixes": [
                ]
            }
        },
        {
            "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "apiVersion": "2019-09-01",
            "name": "[concat(variables('nsgName'), '/OutboundHTTPStoAzureCloud')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
            ],
            "properties": {
                "description": "Egress Traffic to other public endpoints in Azure",
                "protocol": "TCP",
                "sourcePortRange": "*",
                "destinationPortRange": "443",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "AzureCloud",
                "access": "Allow",
                "priority": 100,
                "direction": "Outbound",
                "sourcePortRanges": [
                ],
                "destinationPortRanges": [
                ],
                "sourceAddressPrefixes": [
                ],
                "destinationAddressPrefixes": [
                ]
            }
        },
        {
            "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "apiVersion": "2019-09-01",
            "name": "[concat(variables('nsgName'), '/OutboundToVNET_RDP')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
            ],
            "properties": {
                "description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and RDP port",
                "protocol": "TCP",
                "sourcePortRange": "*",
                "destinationPortRange": "3389",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "VirtualNetwork",
                "access": "Allow",
                "priority": 110,
                "direction": "Outbound",
                "sourcePortRanges": [
                ],
                "destinationPortRanges": [
                ],
                "sourceAddressPrefixes": [
                ],
                "destinationAddressPrefixes": [
                ]
            }
        },
        {
            "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "apiVersion": "2019-09-01",
            "name": "[concat(variables('nsgName'), '/OutboundToVNET_SSH')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
            ],
            "properties": {
                "description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and SSH port",
                "protocol": "TCP",
                "sourcePortRange": "*",
                "destinationPortRange": "22",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "VirtualNetwork",
                "access": "Allow",
                "priority": 120,
                "direction": "Outbound",
                "sourcePortRanges": [
                ],
                "destinationPortRanges": [
                ],
                "sourceAddressPrefixes": [
                ],
                "destinationAddressPrefixes": [
                ]
            }
        }
    ]

}

 
