{"id":6071,"date":"2014-03-28T00:00:00","date_gmt":"2014-03-28T00:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/network-isolation-options-for-machines-in-windows-azure-virtual-networks"},"modified":"2024-07-30T12:59:15","modified_gmt":"2024-07-30T19:59:15","slug":"network-isolation-options-for-machines-in-windows-azure-virtual-networks","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/network-isolation-options-for-machines-in-windows-azure-virtual-networks\/","title":{"rendered":"Network Isolation Options for Machines in Windows Azure Virtual Networks"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Recently we published a Windows Network Security Whitepaper (download from <a href=\"https:\/\/download.microsoft.com\/download\/4\/3\/9\/43902EC9-410E-4875-8800-0788BE146A3D\/Windows%20Azure%20Network%20Security%20Whitepaper%20-%20FINAL.docx\">here<\/a>) that gives insights on how customers can take advantage of the platform\u2019s native features to best protect their information assets.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This post from <strong>Walter Myers<\/strong>, Principal Consultant expands on this whitepaper and describes how to isolate VMs inside a Virtual Network at the network level.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"introduction\">Introduction<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">Application isolation is an important concern in enterprise environments, as enterprise customers seek to protect various environments from unauthorized or unwanted access.&nbsp; This includes the classic front-end and back-end scenario where machines in a particular back-end network or sub-network may only allow certain clients or other computers to connect to a particular endpoint based on a whitelist of IP addresses.&nbsp; These scenarios can be readily implemented in Windows Azure whether client applications access virtual machine application servers from the internet, within the 
Azure environment, or from on-premises through a VPN connection.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"machine-isolation-options\">Machine Isolation Options<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">There are three basic options, discussed in this post, for implementing machine isolation on the Windows Azure platform:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Between machines deployed to a single virtual network<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Between machines deployed to distinct virtual networks<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Between machines deployed to distinct virtual networks where a VPN connection has been established from on-premises to both virtual networks<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">These options are detailed in the sections that follow.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By default, a Windows Server virtual machine created from the gallery has exactly two public endpoints, one for RDP and one for Remote PowerShell; any other public endpoint exists only because an administrator added it.&nbsp; Both defaults are reachable from the internet on their public ports, so they deserve the same treatment as any endpoint you add yourself: these endpoints, and any others created by the administrator, can be secured with access control lists (ACLs) on any given IaaS virtual machine.&nbsp; As of this writing ACLs are available for IaaS virtual machines, but not for PaaS web or worker roles.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"how-network-acls-work\">How Network ACLs Work<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">An ACL is an object that contains a list of rules. When you create an ACL and apply it to a virtual machine endpoint, packet filtering takes place on the host node of your virtual machine, so traffic from remote IP addresses is matched against the ACL rules by the host rather than inside your virtual machine. 
This spares your virtual machine the CPU cycles it would otherwise spend on packet filtering.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When a virtual machine is created, a default ACL is put in place to block all incoming traffic. However, if an input endpoint is created (for example, port 3389), then the default ACL is modified to allow all inbound traffic for that endpoint.\u00a0 As discussed above, when a virtual machine is created from the Azure gallery, a PowerShell endpoint and an RDP endpoint are created using the standard private ports but randomly generated public ports, as seen in the portal below.\u00a0 The random public port only makes an endpoint harder to guess, not harder to find; a port scan of the VIP will locate it, so it is no substitute for an ACL.\u00a0 Inbound traffic from any remote subnet is then accepted on those endpoints alone, with no firewall provisioning required. All other ports are blocked for inbound traffic unless endpoints are created for them. Outbound traffic is allowed by default.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-1-1024x545.webp\" alt=\"PowerShell endpoint and an RDP endpoint\" class=\"wp-image-35591 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-1-1024x545.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-1-300x160.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-1-768x409.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-1-1536x817.webp 1536w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-1.webp 1594w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-1-1024x545.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Using Network ACLs, you can do the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li 
class=\"wp-block-list-item\">Selectively permit or deny incoming traffic to a virtual machine input endpoint based on the remote IPv4 address range (subnet)<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Blacklist IP addresses<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Create multiple rules per virtual machine endpoint<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Specify up to 50 ACL rules per virtual machine endpoint<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Use rule ordering to ensure the correct set of rules is applied on a given virtual machine endpoint (rules are evaluated from the lowest order number to the highest, so a matching rule with a lower number takes precedence over the rules after it)<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Specify an ACL for a single remote IPv4 address (a \/32 subnet)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Network ACLs are therefore the key to protecting virtual machine public endpoints and controlling who may reach them.&nbsp; Currently, you can specify network ACLs on IaaS virtual machine input endpoints, which lets you control access from the internet to each virtual machine.&nbsp; Unless you specify endpoints, the virtual machines in a virtual network receive no incoming traffic from outside, which is equivalent to a default-deny ACL at the network level that you override on a per virtual machine basis.&nbsp; You cannot currently specify an ACL on a specific subnet contained in a virtual network, and we are looking into this for the future.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"option-1-subnets-within-a-single-virtual-network\">Option 1:&nbsp; Subnets within a Single Virtual Network<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">Currently, Windows Azure provides routing across subnets within a single virtual network, but does not provide any type of network ACL capability with respect to internal DIP addresses; endpoint ACLs apply to public endpoints only, and traffic between DIPs never passes through one.\u00a0 So in order to restrict access to machines within a single virtual network, those machines must leverage Windows Firewall with Advanced Security, as depicted simply in the diagram 
below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-2.webp\" alt=\"Diagram of Windows Firewall with Advanced Security\" class=\"wp-image-35597 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-2.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">To secure the server, Windows Firewall would be configured to block all inbound connections, and inbound rules would then be set up to determine:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">which local ports accept connections,<\/li>\n\n\n\n<li class=\"wp-block-list-item\">which remote ports connections are accepted from,<\/li>\n\n\n\n<li class=\"wp-block-list-item\">which remote IP addresses are accepted,<\/li>\n\n\n\n<li class=\"wp-block-list-item\">which authorized users can make connections, and<\/li>\n\n\n\n<li class=\"wp-block-list-item\">which authorized computers can make connections.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">The first three are plain packet-filter criteria.&nbsp; The last two can only be enforced on connections the firewall is able to authenticate, which is why they go together with the IPsec configuration covered later in this post.&nbsp; In this case, the firewall exceptions would admit the internal Dynamic IP (DIP) addresses of the permitted machines, whether in the server\u2019s own subnet or in other subnets of the same virtual network.&nbsp; Any public endpoints would be secured with network ACLs, but note the division of responsibilities: the ACL decides which remote addresses may reach the public endpoint at the host, while the guest firewall still has to allow the private port behind that endpoint, so the firewall exceptions must include the private port of every public endpoint you keep.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"option-2-subnets-in-different-virtual-networks\">Option 2:&nbsp; Subnets in Different Virtual Networks<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">To protect virtual machines from machines deployed in other Azure virtual networks, from machines in Azure cloud services not associated with any virtual network, or from machines outside 
the Windows Azure platform, the Windows Azure network ACL feature is what provides access control to the virtual machines.&nbsp; This is the most natural scenario in Windows Azure for application isolation, since by default the only access allowed to a virtual machine is through the provided RDP and Remote PowerShell public endpoints.&nbsp; When any Azure virtual machine (PaaS or IaaS) connects to a virtual machine in a different virtual network, it arrives through the target\u2019s public endpoint, and the source address the ACL sees is the public virtual IP (VIP) of the client\u2019s cloud service, not the DIP the client has within its own virtual network.&nbsp; So when a permit rule is set on a given virtual machine endpoint, it must name the public VIP of the cloud service from which the connection is made.&nbsp; Keep in mind that every virtual machine in that cloud service shares the VIP, so a permit rule for it admits all of them, not only the ones you had in mind.&nbsp; We can see this in the diagram below.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We can selectively permit or deny network traffic (in the management portal or from PowerShell) for a virtual machine input endpoint by creating rules that specify \u201cpermit\u201d or \u201cdeny\u201d. By default, when an endpoint is created, all traffic is permitted to the endpoint.\u00a0 For that reason it is important to understand how to create permit\/deny rules and place them in the proper order of precedence, so that you gain granular control over which traffic is allowed to reach the virtual machine endpoint.\u00a0 Note that at the instant you add one or more \u201cpermit\u201d ranges, you are <em>denying<\/em> all other ranges by default. 
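<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The same ordered permit\/deny policy expressed with the classic Azure PowerShell (service management) cmdlets, as an added example that is not code from the original post. It uses the values of the walkthrough in this section: the SQL VM <strong>sql12-01<\/strong> exposing private port 1433 on public port 14333, and the front-end cloud service VIP 168.62.207.83. The cloud service name <strong>canis-sqlvms<\/strong> that hosts the SQL VM is an assumption, since the post never names it.<\/p>

```powershell
# Added example (not from the original post): the Option 2 endpoint ACL, built with the classic
# Azure PowerShell module (the service-management cmdlets current when the post was written).
# Assumption: the SQL VM sql12-01 lives in a cloud service named 'canis-sqlvms'; the post does
# not name it. The VIP 168.62.207.83 and the 14333 -> 1433 endpoint come from the walkthrough.
$serviceName = 'canis-sqlvms'        # assumed cloud service hosting sql12-01
$vmName      = 'sql12-01'
$frontEndVip = '168.62.207.83/32'    # public VIP of the canis-testvms cloud service

# Rules are evaluated from the lowest Order upward and the first matching rule decides, so the
# permit for the front-end VIP goes first and the explicit catch-all deny after it. The deny is
# implied as soon as one permit exists, but stating it keeps the intent visible in the portal.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Order 100 -Action Permit -RemoteSubnet $frontEndVip -Description 'front-end cloud service VIP'
Set-AzureAclConfig -AddRule -ACL $acl -Order 200 -Action Deny   -RemoteSubnet '0.0.0.0/0'  -Description 'deny every other source'

# Create the endpoint with the ACL attached in the same operation, so the port is never exposed
# to the internet without it, then commit the change to the running VM.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name 'SQL' -Protocol tcp -LocalPort 1433 -PublicPort 14333 -ACL $acl |
    Update-AzureVM

# Read back what is actually enforced on the endpoint.
Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureAclConfig -EndpointName 'SQL'

# Attaching a revised ACL to an endpoint that already exists is done in place with Set-AzureEndpoint.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name 'SQL' -ACL $acl |
    Update-AzureVM
```

<p class=\"wp-block-paragraph\">Two things to keep in mind when you use this. Because the front-end machines reach SQL Server through its public endpoint, the SQL traffic leaves the virtual network and comes back in through the VIP; pair the ACL with encryption on the wire, either SQL Server connection encryption or the IPsec policy described later in this post. And since the permit names the cloud service VIP, every virtual machine placed in <strong>canis-testvms<\/strong> is admitted, so membership of that cloud service is part of the access control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">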
Moving forward from the first permit range, <em>only<\/em> packets from the permitted IP range will be able to communicate with the virtual machine endpoint.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-3.webp\" alt=\"diagram\" class=\"wp-image-35599 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-3.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">So let\u2019s look at how this practically works with an example that includes two front-end virtual machines in the same cloud service and one back-end virtual machine with SQL Server.\u00a0 We want to secure the SQL Server so only these two front-end machines can gain access.\u00a0 In the screenshot below, we see a cloud service named <strong>canis-testvms<\/strong> with public VIP address 168.62.207.83 that contains our two front-end virtual machines named <strong>canis-testvm1<\/strong> and <strong>canis-testvm2<\/strong>.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-4-1024x714.webp\" alt=\"front-end virtual machine\" class=\"wp-image-35601 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-4-1024x714.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-4-300x209.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-4-768x535.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-4.webp 1237w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-4-1024x714.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the screenshot below, we see the two front-end 
machines, <strong>canis-testvm1<\/strong> and <strong>canis-testvm2<\/strong>, participating in a virtual network titled <strong>testvirtualnetwork<\/strong>, in its <strong>FrontEnd<\/strong> subnet.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-5-1024x651.webp\" alt=\"front-end virtual machines in the FrontEnd subnet\" class=\"wp-image-35602 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-5-1024x651.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-5-300x191.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-5-768x489.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-5.webp 1237w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-5-1024x651.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Below, we have a screenshot of the back-end SQL Server machine, <strong>sql12-01<\/strong>, which participates in a virtual network titled <strong>waltervirtualnetwork<\/strong>, in its <strong>BackEndSubnet<\/strong> subnet.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-6-1024x598.webp\" alt=\"back-end SQL Server virtual machine in the BackEndSubnet subnet\" class=\"wp-image-35604 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-6-1024x598.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-6-300x175.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-6-768x449.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-6.webp 1464w\" sizes=\"(max-width: 1024px) 
100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-6-1024x598.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now we need to configure access to the SQL Server virtual machine.\u00a0 As seen below, the first thing I do is to establish a public endpoint for private port 1433 using 14333 as the public port.\u00a0 As discussed above, the default ACL will allow any remote addresses to access the endpoint, so we will need to remedy this with network ACLs.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-7-1024x651.webp\" alt=\"graphical user interface, application, Word\" class=\"wp-image-35605 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-7-1024x651.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-7-300x191.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-7-768x489.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-7.webp 1237w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-7-1024x651.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I next choose the <strong>Manage ACL<\/strong> button at the bottom, and am presented with the <strong>Manage Endpoint ACL<\/strong> dialog, as seen below.\u00a0 The first ACL I add is an ACL that overrides the default ACL with a \u201cDeny\u201d action that locks all remote addresses out.\u00a0 I then add another ACL higher in order specifying the VIP address of the cloud service that contains my front-end machines.\u00a0 I enter this in CIDR format using a \/32 network (168.62.207.83\/32), which simply maps to the single IP address represented by the cloud service with 
the front-end machines.\u00a0 From the perspective of the SQL server both front-end clients present the 168.62.207.83 address, because their outbound traffic is NAT\u2019d to the cloud service VIP.\u00a0 The flip side is that the \/32 rule admits any machine placed in that cloud service, not only canis-testvm1 and canis-testvm2, so treat membership of the front-end cloud service as part of the access control.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-9-1024x651.webp\" alt=\"Manage Endpoint ACL dialog\" class=\"wp-image-35607 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-9-1024x651.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-9-300x191.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-9-768x489.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-9.webp 1237w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-9-1024x651.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This is how you would secure endpoints across virtual networks using public VIP addresses, either without a VPN connection or with one when you prefer not to route through your on-premises router to take advantage of DIP addresses.&nbsp; We will cover DIP addresses in the next option, with VPN added.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"option-3-subnets-in-different-virtual-networks-vpn\">Option 3:&nbsp; Subnets in Different Virtual Networks + VPN<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">When VPN connections are involved, they don\u2019t change the default isolation of virtual networks, but they do present additional options for network connectivity.&nbsp; We will look at a specific example of this here.&nbsp; In this scenario, on-premises subnets that participate in more than one virtual network will have full access to virtual machines in both virtual networks through the DIP address, when not blocked by firewall 
rules.&nbsp; So in our scenario here we will have two virtual networks terminated at an on-premises location that need to access each other\u2019s address spaces.&nbsp; This can be accomplished by configuring the on-premises router as the hub in a \u201cspoke-to-spoke\u201d configuration.&nbsp; The router is the hub, and the \u201cspokes\u201d are the Azure virtual network gateways that terminate the Site-to-Site connections on the Azure side.&nbsp; Traffic from one virtual network to the other therefore travels down its own tunnel to the on-premises device, is turned around there, and goes back up the other tunnel.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In order to make the spoke-to-spoke configuration work, we first need to configure, on the Azure side, the local network that corresponds to each virtual network at its gateway, so that the virtual network is allowed to reach the address space of the other virtual network (which, of course, must not overlap with its own).\u00a0 This can be seen below in the local networks configuration of the management portal.\u00a0 For each local network, I have the on-premises 192.168.1.0\/24 address space that each virtual network needs to access, plus an additional address space that corresponds to the <em>other<\/em> virtual network it wants to access.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-10-1024x569.webp\" alt=\"Local networks configuration in the management portal\" class=\"wp-image-35608 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-10-1024x569.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-10-300x167.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-10-768x427.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-10.webp 1516w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-10-1024x569.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Next we need to configure the on-premises VPN device (mine is a Cisco ASA 5505).&nbsp; This is essentially a matter of adding, to the access list that already selects the interesting traffic for each tunnel, a second entry that covers traffic coming from the other virtual network.&nbsp; For example, if the on-premises network is 192.168.1.0\/24 and the two virtual networks are 10.4.0.0\/16 and 10.5.0.0\/16, the access list for the tunnel to the 10.4.0.0\/16 virtual network needs the entry from the local network to that virtual network (which we typically would have already set up) plus a second entry from the 10.5.0.0\/16 virtual network to the 10.4.0.0\/16 virtual network, as seen below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>access-list AzureAccess extended permit ip 192.168.1.0 255.255.255.0 10.4.0.0 255.255.0.0\naccess-list AzureAccess extended permit ip 10.5.0.0 255.255.0.0 10.4.0.0 255.255.0.0<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We then do the same for the tunnel to the 10.5.0.0\/16 virtual network, as seen below, adding an entry from the 10.4.0.0\/16 virtual network to the 10.5.0.0\/16 network.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>access-list AzureAccess2 extended permit ip 192.168.1.0 255.255.255.0 10.5.0.0 255.255.0.0\naccess-list AzureAccess2 extended permit ip 10.4.0.0 255.255.0.0 10.5.0.0 255.255.0.0<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The next step is an identity NAT rule between the two Azure address spaces.&nbsp; Both live behind the \u201coutside\u201d interface, and the twice-NAT rule below translates each network to itself, so the ASA neither rewrites the addresses nor drops the flow, while <em>route-lookup<\/em> makes it choose the egress tunnel from the routing table.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object-group network VPN_OUT_AZ1\n network-object 10.4.0.0 255.255.0.0\nobject-group network VPN_OUT_AZ2\n network-object 10.5.0.0 255.255.0.0\nnat (outside,outside) 1 source static VPN_OUT_AZ1 VPN_OUT_AZ1 destination static VPN_OUT_AZ2 VPN_OUT_AZ2 no-proxy-arp route-lookup<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">One prerequisite the listing above does not show: because this traffic enters and leaves the ASA on the same interface, <em>same-security-traffic permit intra-interface<\/em> must also be enabled on the device, or the hairpinned traffic is dropped.&nbsp; Thus each virtual network can access the other through the VPN gateway using DIP addresses (which is now equivalent to the <em>Subnets within a Single Virtual Network<\/em> scenario above), presuming no firewall rules prevent it.\u00a0 This may not be a desired scenario for some, since network traffic travels back and forth through the hub, resulting in increased transaction costs and additional latency, but it may be an acceptable tradeoff for organizations that do not want to expose <em>any<\/em> external endpoints.\u00a0 Others might prefer to use public endpoints to make connections between two (or more) virtual networks, and may further secure those public endpoints using IPsec and Group Policy Objects.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-11.webp\" alt=\"Diagram of connecting virtual networks\" class=\"wp-image-35609 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-11.webp\"><\/figure>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"securing-end-to-end-network-communications-with-windows-firewall-ipsec\">Securing End-to-End Network Communications with Windows Firewall\/IPsec<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">With IPsec integration, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. 
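<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before walking through the wizard, here is the same host-side policy as a script. It is an added example, not code from the original post, and it covers both the Option 1 firewall rules (restricting the private port to the front-end DIP range) and the IPsec requirement this section introduces, using the NetSecurity cmdlets that ship with Windows Server 2012 and later. Two values are assumptions because the post does not state them: the FrontEnd subnet is taken to be 10.4.1.0\/24, and machine certificates are taken to chain to a root CA named <strong>CN=Canis Root CA<\/strong>.<\/p>

```powershell
# Added example (not from the original post): lock SQL Server port 1433 on one VM down to the
# front-end machines and require authenticated, encrypted IPsec for it. Assumptions the post
# does not state: the FrontEnd subnet is 10.4.1.0/24 and machine certificates chain to a root
# CA with subject 'CN=Canis Root CA'. Run elevated on Windows Server 2012 or later (NetSecurity
# module); on Windows Server 2008 R2 the same policy is expressed with netsh advfirewall.
$frontEndSubnet = '10.4.1.0/24'       # assumed DIP range of the FrontEnd subnet
$frontEndVip    = '168.62.207.83'     # public VIP of canis-testvms (from the post): the source
                                      # address seen when a client arrives via a public endpoint
$rootCa         = 'CN=Canis Root CA'  # assumed issuer of the machine certificates

# 1. Default-deny inbound on every profile. Which profile the Azure NIC lands in depends on
#    domain membership and network detection, so do not configure just one of them.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. IPsec: accept machine-certificate authentication from the assumed root CA, and require
#    inbound IPsec for TCP 1433 from the front-end addresses. Outbound is only requested, so
#    replies are protected when the peer negotiates, without breaking peers that cannot.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $rootCa -AuthorityType Root
$phase1Auth   = New-NetIPsecPhase1AuthSet -DisplayName 'Machine certificate (Canis Root CA)' -Proposal $certProposal

$ipsecRule = @{
    DisplayName      = 'Require IPsec on SQL 1433'
    Protocol         = 'TCP'
    LocalPort        = 1433
    RemoteAddress    = @($frontEndSubnet, $frontEndVip)
    InboundSecurity  = 'Require'
    OutboundSecurity = 'Request'
    Phase1AuthSet    = $phase1Auth.InstanceID
}
New-NetIPsecRule @ipsecRule

# 3. The firewall exception itself: local port 1433, only from the front-end DIP range or the
#    front-end VIP, and only on a connection IPsec has authenticated and encrypted. This is the
#    scripted form of the wizard's 'Allow the connection if it is secure' with encryption required.
$sqlRule = @{
    DisplayName    = 'SQL 1433 from front end, IPsec required'
    Direction      = 'Inbound'
    Protocol       = 'TCP'
    LocalPort      = 1433
    RemoteAddress  = @($frontEndSubnet, $frontEndVip)
    Action         = 'Allow'
    Authentication = 'Required'
    Encryption     = 'Required'
}
New-NetFirewallRule @sqlRule

# 4. Verify what is now enforced; once a front-end machine has connected, the negotiated
#    main-mode security association shows up as well.
Get-NetFirewallRule -DisplayName 'SQL 1433*' | Select-Object DisplayName, Enabled, Action
Get-NetIPsecRule -DisplayName 'Require IPsec on SQL 1433' | Select-Object DisplayName, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA
```

<p class=\"wp-block-paragraph\">The same cmdlets write straight into a Group Policy Object when you pass a session obtained from <em>Open-NetGPO -PolicyStore 'canisnetworks.com\\name-of-the-GPO'<\/em> as <em>-GPOSession<\/em> and finish with <em>Save-NetGPO<\/em>, which is the scripted equivalent of the Group Policy walkthrough later in this post. The client side needs a matching certificate and an IPsec rule of its own (<em>Request<\/em> in both directions is enough there), and remember that the application port alone is not sufficient when the client comes in through a public endpoint: IPsec across that NAT uses NAT traversal, so UDP 500 and UDP 4500 must be reachable too. All of this is ordinary Windows Firewall with Advanced Security policy, which is what makes IPsec practical here.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">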
The result is scalable, tiered access to trusted network resources: IPsec authenticates the peer and protects the integrity of the data, and can optionally protect its confidentiality as well.&nbsp; Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As an example, in the diagram below with two virtual networks, the machine with DIP address 10.5.1.5 is not joined to the on-premises domain, so it authenticates with a machine certificate; the IPsec rules that use it can be configured in Windows Firewall with Advanced Security or through PowerShell.\u00a0 Any machine that wants to reach its protected ports must then present an acceptable certificate as well.\u00a0 We also have two domain-joined machines, 10.4.1.6 and 10.5.1.4, which can be configured to require IPsec connections through Windows Firewall, PowerShell scripts, or Group Policy.\u00a0 These machines are therefore protected regardless of whether they are reached over internal DIP addresses or through public VIP addresses.\u00a0 For public VIP addresses, we would still use the network ACLs feature to whitelist the allowed external IP addresses, and those external client machines would need an IPsec certificate on top of that.\u00a0 The two controls are complementary: the ACL limits which addresses can reach the port, while IPsec proves which machine is actually talking and protects the data in transit.\u00a0 Remember that a public endpoint NATs the traffic, so IPsec across it depends on NAT traversal: besides the application port, the IKE exchange on UDP 500 and the NAT-T encapsulation on UDP 4500 must be able to reach the virtual machine, with ACLs of their own.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-12.webp\" alt=\"Diagram of IPsec between two virtual networks\" class=\"wp-image-35610 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-12.webp\"><\/figure>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"applying-ipsec-to-a-single-virtual-machine-manually\">Applying IPsec to a Single Virtual Machine Manually<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">To provide maximum protection for a virtual machine within a virtual network, Windows Firewall can be activated and configured initially to block all 
inbound connections.\u00a0 Then ports could be opened on an as-needed basis, adding IPsec in order to enforce secure connections and also encrypt those connections.\u00a0 To manually configure IPsec in Windows Server 2008 and later, you would launch Windows Firewall, select the Inbound Rules node, and then create a new rule, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-13.webp\" alt=\"New rule being set up in Windows Firewall\" class=\"wp-image-35611 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-13.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You can then choose specific ports that you want secured with IPsec, as seen below.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Next, you would specify that you want to secure connections to the desired port.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-14.webp\" alt=\"New rule being set up in Windows Firewall\" class=\"wp-image-35612 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-14.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">After choosing the <strong>Customize\u2026<\/strong> button, you would specify your IPsec settings in the resulting dialog, as seen below.\u00a0 From here you would continue with the wizard and finally give your rule a name.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-15.webp\" alt=\"New rule being set up in Windows Firewall\" class=\"wp-image-35613 webp-format\" 
data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-15.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If you are interested in scripting IPsec configuration with PowerShell, you can learn more by following the link <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/hh831755.aspx\">here<\/a>.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"using-group-policy-in-a-domain-to-set-ipsec-policy-for-virtual-machines\">Using Group Policy in a Domain to set IPsec Policy for Virtual Machines<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">In a situation of virtual networks that are connected to on-premises networks through a VPN connection, computers in the virtual networks can join the on-premises domain.&nbsp; If joined to the on-premises domain, multiple computers can be configured by applying Group Policy with IPsec policies ensuring these computers are protected based on organizational policies.&nbsp; You can find out more about creating IPsec policies using Group Policy <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc730656.aspx\">here<\/a>, which we will walk through now.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From a domain controller, I want to apply specific policies to domain-joined servers in Windows Azure, so my first task will be to add these machines to their own OU named <strong>Azure Servers<\/strong>, as seen below.\u00a0 We will work with the virtual machine named <strong>canis-sql12-01<\/strong> for this walkthrough.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-16.webp\" alt=\"Virtual machine\" class=\"wp-image-35614 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-16.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Below is the current firewall state of the virtual machine 
canis-sql12-01.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-17.webp\" alt=\"Windows Firewall state on canis-sql12-01\" class=\"wp-image-35615 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-17.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Back at the domain controller, I launch the Group Policy Management console from the <em>Administrative Tools<\/em> menu.\u00a0 I then expand the domain, canisnetworks.com, select the Group Policy Objects node, and right-click it.\u00a0 I then select the <em>New<\/em> menu item, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-18.webp\" alt=\"Group Policy Management console, New menu item on Group Policy Objects\" class=\"wp-image-35616 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-18.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the <strong>New GPO<\/strong> dialog, I provide a descriptive name for the new GPO and select the <strong>OK<\/strong> button.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-19.webp\" alt=\"New GPO dialog\" class=\"wp-image-35617 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-19.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">My GPO is now added to the list of GPO objects, so now I need to configure it by right-clicking and selecting the <em>Edit<\/em> menu item, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-20.webp\" alt=\"Edit menu item on the new GPO\" class=\"wp-image-35618 
webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-20.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The Group Policy Management Editor is now presented.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-21.webp\" alt=\"Virtual machine\" class=\"wp-image-35619 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-21.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I\u2019m going to add two settings to this GPO:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Turn the Windows Firewall on for the Domain Profile.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Require IPsec for inbound connections to the SCOM monitoring port, TCP 5723.&nbsp; (I would then be able to monitor the machines to which this GPO is applied securely over an external IP address from an on-premises SCOM installation.)<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Below, I have expanded the Computer Configuration | Policies | Windows Settings tree and navigated to the Windows Firewall with Advanced Security node.\u00a0 I then select the <em>Windows Firewall Properties<\/em> link.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-22.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35620 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-22.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the dialog seen below, I change the firewall state for the Domain Profile from \u201cOff\u201d to \u201cOn (recommended)\u201d.\u00a0 I then select the <strong>OK<\/strong> button.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" 
src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-23.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35621 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-23.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Below, we see that the Windows Firewall is now turned on for the Domain Profile.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-24.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35622 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-24.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I now expand the <em>Windows Firewall<\/em> node on the left-hand side and select the <em>Inbound Rules<\/em> node, as seen below.\u00a0 This GPO does not yet define any rules, so the list is empty.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-25.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35623 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-25.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I right-click on the <em>Inbound Rules<\/em> node and select <em>New Rule\u2026<\/em> from the popup menu, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-26.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35624 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-26.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I perform 
the same manual steps with the <strong>New Inbound Rule Wizard<\/strong> as before, when I created a rule on an individual machine to secure a port with IPsec.\u00a0 So below I choose a port rule.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-27.webp\" alt=\"graphical user interface\" class=\"wp-image-35625 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-27.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the <strong>Protocol and Ports<\/strong> wizard page, I enter the desired port, TCP 5723.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-28.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35626 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-28.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the <strong>Action<\/strong> wizard page, I select the <em>Allow the connection if it is secure<\/em> option and then select the <strong>Customize\u2026<\/strong> button.\u00a0 A rule of this kind only admits traffic that IPsec has already authenticated, so the machines that receive it also need a matching connection security rule.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-29.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35627 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-29.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the security settings dialog, I keep the default option, which requires connections to be authenticated and integrity protected, as seen below.\u00a0 I then choose the <strong>OK<\/strong> button.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" 
src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-30.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35628 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-30.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I now select the <strong>Next<\/strong> button and continue accepting the defaults for the <strong>Users<\/strong> and <strong>Computers<\/strong> wizard pages.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-31.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35629 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-31.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On the <strong>Profile<\/strong> wizard page, I select the Domain profile, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-32.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35630 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-32.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, I give the new inbound rule a name, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-33.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35631 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-33.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now that the rule is complete, we see it in the list of inbound rules in the Group Policy Management Editor.\u00a0 I then close the editor, which returns me to the Group Policy Management console.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-34-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35632 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-34-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-34-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-34-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-34.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-34-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now that we have our GPO set up, we need to link it to our Azure Servers OU.\u00a0 I right-click on the Azure Servers OU and select <em>Link an Existing GPO\u2026<\/em> from the popup menu, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-35.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35633 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-35.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the <strong>Select GPO<\/strong> dialog, I select my new GPO and then close the dialog.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-36.webp\" alt=\"graphical user 
interface, application\" class=\"wp-image-35634 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-36.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now our GPO is linked to the Azure Servers OU, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-37.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35635 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-37.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now we head back to our virtual machine (canis-sql12-01), force a Group Policy refresh, and verify that the GPO was applied.\u00a0 Below, from a command prompt, I enter the <strong>gpupdate \/force<\/strong> command.\u00a0 We can see below that the policy update completed successfully.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-38.webp\" alt=\"graphical user interface\" class=\"wp-image-35636 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-38.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">To verify that the GPO was applied, I then enter the <strong>gpresult \/r \/scope computer<\/strong> command, as seen below.\u00a0 The new GPO is listed among the applied Group Policy Objects, which confirms that it has been applied.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-39.webp\" alt=\"text\" class=\"wp-image-35637 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-39.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now let\u2019s open Windows 
Firewall with Advanced Security on the virtual machine and verify both of our GPO settings there.\u00a0 From the top-level node, we can verify that the Windows Firewall is on for the Domain Profile.\u00a0 We also see a notice that Group Policy settings are applied to the firewall state (specifically, in this case, for the Domain Profile).<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-40.webp\" alt=\"graphical user interface, text, application, email\" class=\"wp-image-35638 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-40.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now if we select the <em>Inbound Rules<\/em> node, we can verify that the IPsec inbound rule for port 5723 has been applied, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-41.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35639 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-41.webp\"><\/figure>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"limiting-outbound-internet-connections-from-virtual-machines\">Limiting Outbound Internet Connections from Virtual Machines<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">It is common practice for enterprise customers to limit outbound internet access from servers, particularly back-end servers that hold sensitive data whose disclosure outside the company would have medium or high business impact, since outbound restrictions limit what a compromised server can send out or fetch.&nbsp; In the public cloud this becomes more pronounced, as the enterprise customer is already placing a great deal of trust in the cloud provider by considering the cloud platform at all, and would not want security controls to be any less robust than on-premises.&nbsp; 
Thankfully, since Windows Azure virtual machines, as well as PaaS machines, can be domain-joined and have Group Policy applied as we have just seen, the enterprise customer can use familiar techniques to protect their servers and also prevent the servers themselves from sharing sensitive information.&nbsp; In this walkthrough, I will demonstrate how to limit outbound internet connections from a single virtual machine.&nbsp; I won\u2019t use Group Policy in this case, but the same settings could be delivered through a GPO in the same manner as above for IPsec.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To begin, we start with the SQL Server virtual machine used in the previous section, with Windows Firewall with Advanced Security open as it was after applying Group Policy, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-42-1024x795.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35640 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-42-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-42-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-42-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-42.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-42-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This machine can currently access the internet, and can also reach an on-premises SQL Server from SQL Server Management Studio.\u00a0 We want to limit the virtual machine so that it can only reach the on-premises subnet defined in our VPN configuration, which is 192.168.1.0\/24.\u00a0 I right-clicked 
on the top-level node to get the properties page, and noted that the outbound connections by default are allowed, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-43-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35641 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-43-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-43-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-43-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-43.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-43-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I change this to \u201cBlock\u201d, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-44-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35642 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-44-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-44-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-44-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-44.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-44-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And now, I can\u2019t gain 
access to my on-premises SQL Server or the internet, because the default outbound action now blocks everything that no outbound rule explicitly allows, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-45-1024x795.webp\" alt=\"graphical user interface, text, application, Word\" class=\"wp-image-35643 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-45-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-45-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-45-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-45.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-45-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I now right-click the <em>Outbound Rules<\/em> node of Windows Firewall and select <em>New Rule\u2026<\/em> from the popup menu.\u00a0 I choose a Custom rule on the <strong>Rule Type<\/strong> page of the <strong>New Outbound Rule Wizard<\/strong>, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-46-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35644 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-46-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-46-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-46-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-46.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-46-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On the <strong>Program<\/strong> page, I leave the defaults.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-47-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35645 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-47-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-47-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-47-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-47.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-47-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On the <strong>Protocol and Ports<\/strong> page, for my purposes I select the TCP protocol, as seen below.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Next, we have the <strong>Scope<\/strong> page.\u00a0 I change the remote IP addresses option to \u201cThese IP addresses:\u201d, and then select the <strong>Add\u2026<\/strong> button.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-48-1024x795.webp\" alt=\"graphical user interface, application, Word\" class=\"wp-image-35646 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-48-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-48-300x233.webp 300w, 
https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-48-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-48.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-48-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the dialog presented, I specify my on-premises subnet as the only set of IP addresses that this virtual machine can access, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-49-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35647 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-49-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-49-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-49-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-49.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-49-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On the <strong>Action<\/strong> page, I choose the \u201cAllow the connection\u201d option.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-50-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35648 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-50-1024x795.webp 1024w, 
https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-50-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-50-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-50.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-50-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Next we have the <strong>Profile<\/strong> page, where for my purposes I select only the Domain profile.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-51-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35649 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-51-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-51-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-51-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-51.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-51-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On the last <strong>Name<\/strong> page, I give the new rule the name \u201cOutbound Connections to On-Premises Subnet\u201d, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-52-1024x795.webp\" alt=\"graphical user interface\" class=\"wp-image-35650 webp-format\" 
srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-52-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-52-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-52-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-52.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-52-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">That completes the outbound rule wizard and I see my new rule below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-53-1024x795.webp\" alt=\"graphical user interface, text, application\" class=\"wp-image-35651 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-53-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-53-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-53-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-53.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-53-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now I can connect to my on-premises SQL Server or any other server in the on-premises subnet, but I cannot connect to the internet, as desired.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-54-1024x795.webp\" alt=\"graphical user interface, text, application, Word\" 
class=\"wp-image-35653 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-54-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-54-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-54-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-54.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-54-1024x795.webp\"><\/figure>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-55-1024x795.webp\" alt=\"graphical user interface, text, application, Word\" class=\"wp-image-35654 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-55-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-55-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-55-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-55.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-55-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">So we have effectively prevented this virtual machine from accessing the internet.\u00a0 But now we can\u2019t reach other machines in the Windows Azure environment either.\u00a0 This is resolved by adding individual IP addresses or IP address ranges to the outbound rule we just created.\u00a0 For example, let\u2019s say I want to use SQL Server Management Studio on this virtual machine to access the Azure SQL Database server named <strong>pcv94pjwnj.database.windows.net<\/strong>, as seen below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-56-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35655 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-56-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-56-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-56-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-56.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-56-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I ping the server to find the IP address its name resolves to, as seen below.\u00a0 (The resolved address is what matters here, not whether the server answers the ping.\u00a0 Note that an individual address like this is not guaranteed to stay the same; like the datacenter ranges discussed below, it should be rechecked periodically.)<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-57-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35656 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-57-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-57-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-57-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-57.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-57-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I then add the individual IP address to my whitelist of remote IP addresses, as seen 
below.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-58-1024x795.webp\" alt=\"graphical user interface, application\" class=\"wp-image-35657 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-58-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-58-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-58-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-58.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-58-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Subsequently, I can access the server.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-59-1024x795.webp\" alt=\"graphical user interface, application, Word\" class=\"wp-image-35658 webp-format\" srcset=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-59-1024x795.webp 1024w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-59-300x233.webp 300w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-59-768x596.webp 768w, https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-59.webp 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-59-1024x795.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If I want to specify an IP address range from the Windows Azure platform, the list of Azure datacenter IP ranges can be downloaded from <a>here<\/a>.\u00a0 
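<p class=\"wp-block-paragraph\">Both walkthroughs above (the GPO that turns the Domain Profile on and requires IPsec on TCP 5723, and the outbound lockdown to the on-premises subnet with further addresses added afterwards) can also be built as one PowerShell script instead of clicking through the Group Policy Management Editor and the rule wizards. The script below is an added example and is not code from the original post. It uses the GroupPolicy and NetSecurity modules that ship with Windows Server 2012 (and RSAT) and writes the firewall and IPsec rules straight into the GPO through the <strong>-PolicyStore<\/strong> parameter, which also moves the outbound rules into the GPO rather than setting them locally as I did above. The domain (canisnetworks.com), the OU (Azure Servers), the on-premises subnet (192.168.1.0\/24), the port and the computer name are the ones from the walkthrough; the GPO name, rule names and function names are my own. Two points the wizard steps leave implicit are spelled out: an \u201callow the connection if it is secure\u201d rule only matches traffic that IPsec has already authenticated, so the script also creates the connection security rule that both peers need, and once the default outbound action is Block, a TCP-only allow rule also cuts off UDP name resolution and Kerberos to the on-premises domain controller, so a matching UDP rule is added.<\/p>

```powershell
# Added example (not from the original post): builds the GPO from the walkthrough with
# PowerShell instead of the GPMC, adds the IPsec-protected inbound rule for SCOM port
# 5723 and the outbound lockdown, links it to the Azure Servers OU, and verifies the
# effective policy on a member server. Requires the GroupPolicy and NetSecurity modules
# (Windows Server 2012 / RSAT). Domain, OU, subnet, port and computer name are taken
# from the walkthrough; the GPO name, rule names and function names are assumptions.
Import-Module GroupPolicy
Import-Module NetSecurity

$Domain       = 'canisnetworks.com'
$GpoName      = 'Azure Servers - Firewall and IPsec'        # assumed GPO name
$OuDn         = 'OU=Azure Servers,DC=canisnetworks,DC=com'
$OnPremCidr   = '192.168.1.0/24'
$ScomPort     = 5723
$OutboundRule = 'Outbound Connections to On-Premises Subnet'
# NetSecurity cmdlets write directly into a GPO when -PolicyStore is "domain\GPO name".
$PolicyStore  = "$Domain\$GpoName"

function New-AzureServersGpo {
    # Create the GPO (idempotently) and link it to the OU: the "New" and
    # "Link an Existing GPO..." steps of the walkthrough.
    $gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Domain $Domain }
    New-GPLink -Name $GpoName -Domain $Domain -Target $OuDn -LinkEnabled Yes `
        -ErrorAction SilentlyContinue | Out-Null

    # Domain Profile "On (recommended)", plus the outbound default of Block from the
    # second walkthrough (delivered here through the GPO rather than set locally).
    Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain `
        -Enabled True -DefaultOutboundAction Block

    # Inbound port rule with "Allow the connection if it is secure": authentication and
    # integrity required, encryption not required, Domain profile only.
    New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName "SCOM Agent TCP $ScomPort (IPsec)" `
        -Direction Inbound -Protocol TCP -LocalPort $ScomPort -Profile Domain `
        -Action Allow -Authentication Required -Encryption NotRequired

    # An "allow if secure" rule only matches packets IPsec has already authenticated, so
    # the peers also need a connection security rule. This one requires inbound IPsec on
    # the SCOM port using the store's default phase 1 authentication (Kerberos computer).
    New-NetIPsecRule -PolicyStore $PolicyStore -DisplayName "Require IPsec for TCP $ScomPort" `
        -Protocol TCP -LocalPort $ScomPort -Profile Domain `
        -InboundSecurity Require -OutboundSecurity Request

    # Outbound allow-list: the custom TCP rule scoped to the on-premises subnet.
    New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $OutboundRule `
        -Direction Outbound -Protocol TCP -RemoteAddress $OnPremCidr -Profile Domain -Action Allow
    # Caveat: DNS, Kerberos and NTP to the on-premises domain controller use UDP, so with
    # a TCP-only rule and outbound default Block, name resolution and domain logon fail.
    New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName 'Outbound UDP to On-Premises Subnet' `
        -Direction Outbound -Protocol UDP -RemoteAddress $OnPremCidr -Profile Domain -Action Allow
    return $gpo
}

function Add-OutboundAllowedAddress {
    # Extend the rule's remote-address list the way the Scope dialog does; accepts single
    # addresses, CIDR ranges (x.x.x.x/nn) and start-end ranges (a.a.a.a-b.b.b.b).
    param([Parameter(Mandatory = $true)][string[]]$Address)
    $rule    = Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $OutboundRule
    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $merged  = @(($current + $Address) | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique)
    $rule | Set-NetFirewallRule -RemoteAddress $merged
    return $merged
}

function Test-AzureServerPolicy {
    # Refresh policy on the member server and read the *effective* firewall state
    # (ActiveStore), which is what the WFAS console and gpresult reflect.
    param([string]$ComputerName = 'canis-sql12-01')
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        gpupdate /force /target:computer | Out-Null
        $fwProfile = Get-NetFirewallProfile -Name Domain -PolicyStore ActiveStore
        $rules     = Get-NetFirewallRule -PolicyStore ActiveStore |
                     Where-Object { $_.DisplayName -like '*5723*' -or $_.DisplayName -like 'Outbound*On-Premises*' }
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            DomainEnabled   = $fwProfile.Enabled
            OutboundDefault = $fwProfile.DefaultOutboundAction
            Rules           = @($rules | Select-Object DisplayName, Direction, Action, Enabled)
        }
    }
}

New-AzureServersGpo | Out-Null
# Whitelist the address the Azure SQL Database server name currently resolves to
# (as the walkthrough does after pinging it), then verify on the member server.
$sqlAddr = (Resolve-DnsName -Name 'pcv94pjwnj.database.windows.net' -Type A).IPAddress
Add-OutboundAllowedAddress -Address $sqlAddr
Test-AzureServerPolicy
```

<p class=\"wp-block-paragraph\">Run it from a domain controller or a management host with RSAT, as a user who can create and link GPOs; <strong>Test-AzureServerPolicy<\/strong> then refreshes policy on canis-sql12-01 and returns the effective Domain Profile state and the new rules, which is the same check as <strong>gpresult \/r \/scope computer<\/strong> followed by a look in the WFAS console. Because the GPO sets the outbound default to Block for every computer in the OU, link it to a test OU containing a single server first, and if the Azure VM agent is installed add the Azure platform address 168.63.129.16 (used by the guest agent) with <strong>Add-OutboundAllowedAddress<\/strong> so the agent keeps working. Datacenter ranges from the published list are added the same way, one CIDR string per entry.<\/p>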
There are many ranges to choose from, so be selective and add only the entries for the datacenters you actually use.\u00a0 I primarily use the US West datacenter, but still have some old database servers in US North, so in my example I could have added the following entries to allow the virtual machine to reach all of US North.\u00a0 The highlighted range below is the one that contains the database server we just added to the outbound rule.\u00a0 Keep in mind that a datacenter range is shared by every Azure customer in that region, so allowing it permits outbound connections to any tenant's resources there, not only yours; keep such a rule scoped to the protocol and port the application actually needs.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-60.webp\" alt=\"text\" class=\"wp-image-35659 webp-format\" data-orig-src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/07\/image-60.webp\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">That completes locking down the virtual machine's outbound access.&nbsp; Note that the Azure address ranges change periodically, so re-check them every few months, and immediately if an Azure resource at a whitelisted IP address suddenly becomes unreachable.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h6>\n\n\n\n<p class=\"wp-block-paragraph\">In this document, we examined a number of methods for securing IaaS virtual machines.&nbsp; Because the Windows Azure IaaS environment can be configured as an extension of your on-premises network, you can apply the on-premises security constructs you already know, augmented by the platform, to the virtual machines running your enterprise applications in Azure.&nbsp; Network ACLs, virtual networks, and Windows Firewall with Advanced Security complement one another: endpoint ACLs filter traffic on the host node before it reaches the virtual machine, virtual networks isolate groups of machines from one another at the network level, and the Windows Firewall enforces per-machine inbound and outbound policy.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"references\">References<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li 
class=\"wp-block-list-item\"><strong>Windows Azure Network Security Whitepaper<\/strong>: <a href=\"https:\/\/download.microsoft.com\/download\/4\/3\/9\/43902EC9-410E-4875-8800-0788BE146A3D\/Windows%20Azure%20Network%20Security%20Whitepaper%20-%20FINAL.docx\">https:\/\/download.microsoft.com\/download\/4\/3\/9\/43902EC9-410E-4875-8800-0788BE146A3D\/Windows%20Azure%20Network%20Security%20Whitepaper%20-%20FINAL.docx<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>About Network Access Control Lists (ACLs)<\/strong><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>How to Set Up Endpoints to a Virtual Machine<\/strong>: <a href=\"https:\/\/azure.microsoft.com\/en-us\/manage\/windows\/how-to-guides\/setup-endpoints\/\">https:\/\/azure.microsoft.com\/en-us\/manage\/windows\/how-to-guides\/setup-endpoints\/<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Network Access Control List Capability in Windows Azure<\/strong>: PowerShell<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Setting an Endpoint ACL on a Windows Azure VM<\/strong>: <a href=\"https:\/\/convective.wordpress.com\/2013\/06\/08\/setting-an-endpoint-acl-on-a-windows-azure-vm\/\">https:\/\/convective.wordpress.com\/2013\/06\/08\/setting-an-endpoint-acl-on-a-windows-azure-vm\/<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012<\/strong>: <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/hh831807.aspx#BKMK_Step2\">https:\/\/technet.microsoft.com\/en-us\/library\/hh831807.aspx#BKMK_Step2<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Windows Firewall and IPsec Policy Deployment Step-by-Step Guide<\/strong>: <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/deploy-ipsec-firewall-policies-step-by-step%28v=WS.10%29.aspx\">https:\/\/technet.microsoft.com\/en-us\/library\/deploy-ipsec-firewall-policies-step-by-step%28v=WS.10%29.aspx<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Windows Firewall with Advanced Security Administration with Windows 
PowerShell<\/strong>: <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/hh831755.aspx\">https:\/\/technet.microsoft.com\/en-us\/library\/hh831755.aspx<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Windows Azure Datacenter IP Ranges<\/strong><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Ashwin Palekar<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Windows Azure Networking Team<\/p>\n","protected":false}}
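The outbound whitelisting steps in the section above, automated, as an added example that is not part of the original post and not Microsoft tooling. It parses the downloaded datacenter ranges file, reports which published range contains the address a SQL Database server name resolves to (the manual ping-and-highlight step), and creates or refreshes one outbound Windows Firewall with Advanced Security rule from those ranges, so the same script can be re-run whenever the ranges file is updated. Assumptions the post does not state: the XML layout of the ranges file (one Region element per datacenter, with IpRange child elements carrying a Subnet attribute in CIDR form), the region name usnorth, the placeholder file path and rule name, and scoping the rule to TCP 1433, the SQL Database port.

```powershell
<#
Added example, not code from the original post. Automates the two manual steps:
(1) find which published Azure datacenter range contains a server's address,
(2) create or refresh an outbound allow rule whose remote addresses are the
    published ranges of one region, so it can be re-run when the file changes.

Assumptions not in the original article:
  - the ranges download is XML laid out as
    <AzurePublicIpAddresses><Region Name="..."><IpRange Subnet="a.b.c.d/n"/>...
  - the region is named 'usnorth' in that file
  - the file path and rule name below are placeholders
Requires the NetSecurity module (Windows Server 2012 / Windows 8 or later) and
an elevated prompt to change rules. The allow rule only has an effect when the
profile's default outbound action is Block.
#>
param(
    [string]$RangesFile = 'C:\Temp\PublicIPs.xml',             # placeholder path
    [string]$Region     = 'usnorth',                           # assumed region name
    [string]$RuleName   = 'Allow outbound to Azure usnorth',   # placeholder rule name
    [string]$ServerName = 'pcv94pjwnj.database.windows.net',   # server from the article
    [switch]$Apply                                             # without -Apply, only report
)

# Dotted-quad IPv4 -> integer, as [long] so bit operations never overflow.
function ConvertTo-IpInteger ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

# True when $Ip lies inside the IPv4 CIDR block $Cidr (a bare address counts as /32).
function Test-IpInCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    if (-not $bits) { $bits = 32 }
    $hostBits = [long][math]::Pow(2, 32 - [int]$bits)
    $mask = [long][uint32]::MaxValue - ($hostBits - 1)
    return ((ConvertTo-IpInteger $Ip) -band $mask) -eq ((ConvertTo-IpInteger $net) -band $mask)
}

# Subnets published for one region in the ranges file (assumed layout, see header).
function Get-AzureRegionSubnets ([string]$Path, [string]$RegionName) {
    [xml]$doc = Get-Content -Path $Path -Raw
    $node = $doc.AzurePublicIpAddresses.Region |
        Where-Object { $_.GetAttribute('Name') -eq $RegionName } | Select-Object -First 1
    if (-not $node) { throw "Region '$RegionName' not found in $Path" }
    return @($node.IpRange | ForEach-Object { $_.GetAttribute('Subnet') })
}

$subnets = Get-AzureRegionSubnets -Path $RangesFile -RegionName $Region
Write-Host "Region '$Region' publishes $($subnets.Count) subnets"

# Resolve the name instead of pinging it; keep IPv4 only, since the ranges file is IPv4.
$serverIps = [System.Net.Dns]::GetHostAddresses($ServerName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.ToString() }

foreach ($ip in $serverIps) {
    $hit = $subnets | Where-Object { Test-IpInCidr -Ip $ip -Cidr $_ } | Select-Object -First 1
    if ($hit) { Write-Host "$ServerName ($ip) is inside published range $hit" }
    else { Write-Warning "$ServerName ($ip) is in no published '$Region' range: wrong region or stale ranges file" }
}

if (-not $Apply) {
    Write-Host 'Re-run with -Apply to create or update the firewall rule'
    return
}

# Create the rule once, then only replace its remote-address list on later runs,
# so a refreshed ranges file never leaves a duplicate or wider rule behind.
# Scoped to TCP 1433 (the SQL Database port) rather than all traffic.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $subnets
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort 1433 -RemoteAddress $subnets -Profile Any | Out-Null
}
Write-Host "Rule '$RuleName' now allows outbound TCP 1433 to $($subnets.Count) subnets"
```

Run it once without -Apply to confirm the server resolves inside a published range; a warning at that step means the region name is wrong or the ranges file is stale, and it is the same check to repeat whenever an Azure resource at a whitelisted address stops answering.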