Commit 89f53d7

Merge pull request #237644 from mbender-ms/avnm-sec-admin-update
virtual network manager - Update and refresh concept-security-admin.mddoc
2 parents 7cfc6cb + e8cfecb commit 89f53d7

1 file changed

+79
-49
lines changed

articles/virtual-network-manager/concept-security-admins.md

Lines changed: 79 additions & 49 deletions
Original file line number | Diff line number | Diff line change
@@ -1,17 +1,17 @@
11
---
22
title: 'Security admin rules in Azure Virtual Network Manager'
3-
description: Learn about what security admin rules are in Azure Virtual Network Manager.
3+
description: Learn about what security admin rules are in Azure Virtual Network Manager. Understand how they work and how traffic is evaluated along with network security groups.
44
author: mbender-ms
55
ms.author: mbender
66
ms.service: virtual-network-manager
77
ms.topic: conceptual
8-
ms.date: 03/22/2023
9-
ms.custom: template-concept, ignite-fall-2021
8+
ms.date: 05/10/2023
9+
ms.custom: template-concept, ignite-fall-2021, engagement-fy23
1010
---
1111

1212
# Security admin rules in Azure Virtual Network Manager
1313

14-
Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a **security admin** configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Then you associate the rule collection with the network groups that you want to apply the security admin rules to. This article explains what security admin rules are and how they work.
14+
In this article, you'll learn about security admin rules in Azure Virtual Network Manager. Security admin rules are used to define global network security rules that apply to all virtual networks within a [network group](concept-network-groups.md). You learn about what security admin rules are, how they work, and when to use them.
1515

1616
> [!IMPORTANT]
1717
> Azure Virtual Network Manager is generally available for Virtual Network Manager and hub and spoke connectivity configurations.
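Review bot: the rewritten intro paragraph says the same thing twice in two different tenses ("In this article, you'll learn about security admin rules ..." followed by "You learn about what security admin rules are, how they work, and when to use them."); collapse it into one sentence, e.g. "This article explains what security admin rules are, how they work, and when to use them." In the front-matter description, "how traffic is evaluated along with network security groups" reads more naturally as "how traffic is evaluated alongside network security groups."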
@@ -20,66 +20,95 @@ Azure Virtual Network Manager provides two different types of configurations you
2020
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
2121
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
2222
23-
## Security admin rules
23+
## What is a security admin rule?
2424

25-
A security admin rule allows you to enforce security policy on resources that match a rule's condition set. For example, you can define a security admin rule to block network traffic to virtual networks over a high-risk port such as Remote Desktop Protocol (RDP). These rules only apply to resources within the scope of the Azure Virtual Network Manager instance. For example, security admin rules don't apply to virtual networks not managed by a virtual manager instance.
25+
Security admin rules are global network security rules that enforce security policies defined in the rule collection on virtual networks. These rules can be used to Allow, Always Allow, or Deny traffic across virtual networks within your targeted network groups. These network groups can only consist of virtual networks within the scope of your network manager instance; thus, security admin rules cannot apply to virtual networks not managed by a network manager.
2626

27-
### The order of evaluation
27+
Here are some scenarios where security admin rules can be used:
2828

29-
Security admin rules are evaluated before network security rules. Depending on the type of security admin rule you create, they can interact differently with network security group rules. When this happens, organizations can set enforced security policies alongside the teams' network security groups that address their own use cases. This diagram illustrates the order of evaluation of traffic.
29+
| **Scenario** | **Description** |
30+
| --- | --- |
31+
| **Restricting access to high-risk network ports** | Security admin rules can be used to block traffic on specific ports commonly targeted by attackers, such as port 3389 for Remote Desktop Protocol (RDP) or port 22 for Secure Shell (SSH). |
32+
| **Enforcing compliance requirements** | Security admin rules can be used to enforce compliance requirements. For example, blocking traffic to or from specific IP addresses or network blocks. |
33+
| **Protecting sensitive data** | Security admin rules can be used to restrict access to sensitive data by blocking traffic to or from specific IP addresses or subnets. |
34+
| **Enforcing network segmentation** | Security admin rules can be used to enforce network segmentation by blocking traffic between virtual networks or subnets. |
35+
| **Enforcing application-level security** | Security admin rules can be used to enforce application-level security by blocking traffic to or from specific applications or services. |
3036

31-
:::image type="content" source="media/concept-security-admins/traffic-evaluation.png" alt-text="Diagram showing order of evaluation for network traffic with security admin rules and network security rules.":::
37+
With Azure Virtual Network Manager, you have a centralized location to manage security admin rules. Centralization allows you to define security policies at scale and apply them to multiple virtual networks at once.
38+
## How do security admin rules work?
3239

33-
There are three kinds of actions – Allow, Always Allow, and Deny. If you create a security admin rule to *Allow* a certain type of traffic, this rule is evaluated first. When a security admin rule allows traffic, it's then evaluated by network security group rules. It leaves room for network security group rules down the line to handle this type of traffic differently as needed. If you create a security admin rule to *Always Allow* or *Deny* a certain type of traffic, the rule is evaluated first. Then it terminates the network security group evaluation of this traffic – meaning the evaluation is stopped. If the security admin rule is *Always Allow*, the traffic doesn't hit network security groups, and instead delivers directly to virtual machines or other resource. This action can be useful when administrators want to enforce traffic and prevent denial by network security group rules. For example, administrators may want to force the organization to consume software updates from certain ports. When *Deny* is used, evaluation and therefore traffic is stopped without being delivered to the destination. This means that you can use security admin rules to set definitive security rules that can't be overridden with other rules.
34-
Security admin rules don't depend on network security groups in order to exist. This means that administrators can use security admin rules to create default security rules. Even if application owners misconfigured or forgot to establish network security groups, your organization is protected by default!
40+
Security admin rules allow or deny traffic on specific ports, protocols, and source/destination IP prefixes in a specified direction. When you define a security admin rule, you specify the following conditions:
3541

36-
> [!IMPORTANT]
37-
> When security admin rules are deployed, the eventual consistency model is used. This means that security admin rules will be eventually applied to the resources contained in a virtual network after a short delay.  Resources that are added to a virtual network that already has security admin rules applied on it will eventually receive those same security admin rules with a delay as well.
42+
- The priority of the rule
43+
- The action to be taken (allow, deny, or always allow)
44+
- The direction of traffic (inbound or outbound)
45+
- The protocol to be used
3846

39-
### Management at scale
47+
To enforce security policies across multiple virtual networks, you [create and deploy a security admin configuration](how-to-block-network-traffic-portal.md). This configuration contains a set of rule collections, and each rule collection contains one or more security admin rules. Once created, you associate the rule collection with the network groups requiring security admin rules. The rules are then applied to all virtual networks contained in the network groups when the configuration is deployed. A single configuration provides a centralized and scalable enforcement of security policies across multiple virtual networks.
48+
### Evaluation of security admin rules and network security groups (NSGs)
4049

41-
Azure Virtual Network Manager provides a way to manage your security policies at scale with security admin rules. When you apply a security admin configuration to a [network group](./concept-network-groups.md), a network group can contain dozens or hundreds of VNets, and all of the resources in the network groups’ scope have those security admin rules applied to them.
50+
Security admin rules and network security groups (NSGs) can be used to enforce network security policies in Azure. However, they have different scopes and priorities.
4251

43-
New resources are protected along with existing resources. For example, if you add new VMs to a virtual network in the scope of a security admin rule, the VMs are automatically secured as well. Shortly after you deploy these VMs, security admin rules will be applied and protect them.
52+
Security admin rules are intended to be used by network admins of a central governance team, thereby delegating NSG rules to individual application or service teams to further specify security as needed. Security admin rules have a higher priority than NSGs and are evaluated before NSG rules.
4453

45-
When new security risks are identified, you can deploy them at scale by creating a security admin rule to protect against the new risk and applying it to your network groups. Once this new rule is deployed, all resources in the scope of the network groups will be protected now and in the future.
54+
NSGs, on the other hand, are used to filter network traffic to and from individual subnets or network interfaces. They're intended to be used by individual application or service teams to further specify security as needed. NSGs have a lower priority than security admin rules and are evaluated after security admin rules.
4655

56+
Security admin rules are currently applied at the virtual network level, whereas network security groups can be associated at the subnet and NIC level. This table shows these differences and similarities:
57+
58+
| **Rule Type** | **Target Audience** | **Applied On** | **Evaluation Order** | **Action Types** | **Parameters** |
59+
| --- | ---- | ---- | ---- | ---- | ---- |
60+
| **Security admin rules** | Network admins, central governance team | Virtual networks | Higher priority | Allow, Deny, Always Allow | Priority, protocol, action, source, destination |
61+
| **Network security group rules** | Individual teams | Subnets, NICs | Lower priority, after security admin rules | Allow, Deny | Priority, protocol, action, source, destination |
62+
63+
Security admin rules can perform three actions on traffic: *Allow*, *Always Allow*, and *Deny*. If you create an *Allow* rule, it's evaluated first, followed by network security group rules. This action allows network security group rules to handle the traffic differently if needed.
64+
65+
If you create an *Always Allow* or *Deny* rule, traffic evaluation is terminated after the security admin rule is evaluated. With an *Always Allow* rule, the traffic goes directly to the resource and terminates further (and possibly conflicting) evaluation by NSG rules. This action can be useful for enforcing traffic and preventing denial by network security group rules. With a *Deny* rule, the traffic is stopped without being delivered to the destination. Security admin rules don't depend on NSGs, so they can be used to create default security rules on their own.
66+
67+
:::image type="content" source="media/concept-security-admins/traffic-evaluation.png" alt-text="Diagram showing order of evaluation for network traffic with security admin rules and network security rules.":::
68+
69+
By using security admin rules and NSGs together, you can enforce network security policies at both the global and individual levels, ensuring that your virtual networks are secure and compliant with your organization's security policies.
70+
71+
> [!IMPORTANT]
72+
> When security admin rules are deployed, the eventual consistency model is used. This means that security admin rules will be eventually applied to the resources contained in a virtual network after a short delay.  Resources that are added to a virtual network that already has security admin rules applied on it will eventually receive those same security admin rules with a delay as well.
73+
74+
## Benefits of security admin rules
75+
76+
Security admin rules provide many benefits for securing your organization's resources. By using security admin rules, you can enforce allowed traffic and prevent denial by conflicting network security group rules. You can also create default security admin rules that don't depend on NSGs to exist. These default rules can be especially useful when application owners misconfigure or forget to establish NSGs. Additionally, security admin rules provide a way to manage security at scale, which reduces the operational overhead that comes with a growing number of network resources.
4777

4878
### Protect high-risk ports
4979

5080
Based on the industry study and suggestions from Microsoft, we recommend customers restrict the traffic from outside using security admin rules for this list of high-risk ports. These ports are often used for the management of resources or unsecure/unencrypted data transmission and shouldn't be exposed to the internet. However, there are times when certain virtual networks and their resources need to allow traffic for management or other processes. You can create exceptions where needed. Learn how to [blocking high-risk ports with exceptions](how-to-block-high-risk-ports.md) for these types of scenarios.
5181

52-
|Port | Protocol | Description |
82+
| **Port** | **Protocol** | **Description** |
5383
| --- | ---- | ------- |
54-
|20| TCP |Unencrypted FTP Traffic |
55-
|21| TCP |Unencrypted FTP Traffic |
56-
|22| TCP |SSH. Potential brute force attacks |
57-
|23| TCP |TFTP allows unauthenticated and/or unencrypted traffic |
58-
|69 | UDP | TFTP allows unauthenticated and/or unencrypted traffic |
59-
| 111 | TCP/UDP | RPC. Unencrypted authentication allowed |
60-
| 119| TCP |NNTP for unencrypted authentication |
61-
| 135 | TCP/UDP | End Point Mapper, multiple remote management services |
62-
| 161| TCP |SNMP for unsecure / no authentication |
63-
| 162 | TCP/UDP | SNMP Trap - unsecure / no authentication |
64-
| 445| TCP |SMB - well known attack vector |
65-
| 512| TCP |Rexec on Linux - remote commands without encryption authentication |
66-
| 514| TCP |Remote Shell - remote commands without authentication or encryption |
67-
| 593 | TCP/UDP | HTTP RPC EPMAP - unencrypted remote procedure call |
68-
| 873| TCP |Rsync - unencrypted file transfer |
69-
| 2049 | TCP/UDP | Network File System |
70-
| 3389| TCP | RDP - Common brute force attack port |
71-
| 5800| TCP | VNC Remote Frame Buffer over HTTP |
72-
| 5900| TCP | VNC Remote Frame Buffer over HTTP |
73-
| 11211 | UDP | Memcached |
74-
75-
## Security admin rules vs. network security groups
76-
77-
Security admin rules are similar to network security group rules in structure and the parameters they intake, but they’re not the exact same construct. The first difference is intended audience. Admin rules are intended to be used by network admins of a central governance team. In this model, network security group rules are delegated to individual application or service teams to further specify security as needed. With these intentions, admin rules were designed to have a higher priority than network security groups and therefore be evaluated before network security group rules. Admin rules include another action type of *Always Allow*. This action allows the specified traffic through to its intended destination and terminates further (and possibly conflicting) evaluation by network security groups rules. Admin rules are also applied not only to a network group’s existing virtual networks but also to newly provisioned resources, as described in the previous section. Admin rules are currently applied at the virtual network level, whereas network security groups can be associated at the subnet and NIC level. This table shows these differences and similarities:
78-
79-
| Rule Type | Target Audience | Applied On | Evaluation Order | Action Types | Parameters |
80-
| --- | ---- | ---- | ---- | ---- | ---- |
81-
| **Security admin rules** | Network admins, central governance team | Virtual networks | Higher priority | Allow, Deny, Always Allow | Priority, protocol, action, source, destination |
82-
| **Network security group rules** | Individual teams | Subnets, NICs | Lower priority, after security admin rules | Allow, Deny | Priority, protocol, action, source, destination |
84+
| **20** | TCP | Unencrypted FTP Traffic |
85+
| **21** | TCP | Unencrypted FTP Traffic |
86+
| **22** | TCP | SSH. Potential brute force attacks |
87+
| **23** | TCP | TFTP allows unauthenticated and/or unencrypted traffic |
88+
| **69** | UDP | TFTP allows unauthenticated and/or unencrypted traffic |
89+
| **111** | TCP/UDP | RPC. Unencrypted authentication allowed |
90+
| **119** | TCP | NNTP for unencrypted authentication |
91+
| **135** | TCP/UDP | End Point Mapper, multiple remote management services |
92+
| **161** | TCP | SNMP for unsecure / no authentication |
93+
| **162** | TCP/UDP | SNMP Trap - unsecure / no authentication |
94+
| **445** | TCP | SMB - well known attack vector |
95+
| **512** | TCP | Rexec on Linux - remote commands without encryption authentication |
96+
| **514** | TCP | Remote Shell - remote commands without authentication or encryption |
97+
| **593** | TCP/UDP | HTTP RPC EPMAP - unencrypted remote procedure call |
98+
| **873** | TCP | Rsync - unencrypted file transfer |
99+
| **2049** | TCP/UDP | Network File System |
100+
| **3389** | TCP | RDP - Common brute force attack port |
101+
| **5800** | TCP | VNC Remote Frame Buffer over HTTP |
102+
| **5900** | TCP | VNC Remote Frame Buffer over HTTP |
103+
| **11211** | UDP | Memcached |
104+
105+
### Management at scale
106+
107+
Azure Virtual Network Manager provides a way to manage your security policies at scale with security admin rules. When you apply a security admin configuration to a [network group](./concept-network-groups.md), a network group can contain dozens or hundreds of VNets, and all of the resources in the network groups’ scope have those security admin rules applied to them.
108+
109+
New resources are protected along with existing resources. For example, if you add new VMs to a virtual network in the scope of a security admin rule, the VMs are automatically secured as well. Shortly after you deploy these VMs, security admin rules will be applied and protect them.
110+
111+
When new security risks are identified, you can deploy them at scale by creating a security admin rule to protect against the new risk and applying it to your network groups. Once this new rule is deployed, all resources in the scope of the network groups will be protected now and in the future.
83112

84113
## Security admin fields
85114

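Review bot: the bullet list under "How do security admin rules work?" omits the source/destination IP prefixes and ports that the sentence introducing it says every rule specifies, and that the comparison table further down lists under Parameters ("Priority, protocol, action, source, destination"); add bullets for the source and destination and for the port range(s), otherwise the list contradicts the text on either side of it. Three smaller points in the same hunk: the "Enforcing application-level security" scenario row overstates what a rule that matches on port, protocol and IP prefix can do and should be reworded or dropped; the wording "individual application or service teams to further specify security as needed" appears in both the security-admin paragraph and the NSG paragraph that follows it, so one copy should go; and in the re-added high-risk ports table the 23/TCP row carries the TFTP description copied from the 69/UDP row, although port 23 is Telnet, while the 5900 row repeats the 5800 description ("VNC Remote Frame Buffer over HTTP") even though 5900 is the RFB port itself and only 5800 is the HTTP variant. The capitalized "Allow, Always Allow, or Deny" in the "What is a security admin rule?" paragraph should also match the italicized *Allow*, *Always Allow*, *Deny* form used later in the same section.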
@@ -136,7 +165,8 @@ You can define specific common ports to block from the source or to the destinat
136165
| 80 | HTTP |
137166
| 443 | HTTPS |
138167
| 3389 | RDP |
168+
| 1433 | SQL |
139169

140170
## Next steps
141-
142-
Learn how to block network traffic with a [SecurityAdmin configuration](how-to-block-network-traffic-portal.md).
171+
> [!div class="nextstepaction"]
172+
> Learn how to block network traffic with a [Security admin configuration](how-to-block-network-traffic-portal.md).
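Review bot: the new row `| 1433 | SQL |` in the common ports table names a language rather than a service; 1433 is the Microsoft SQL Server default port, so "SQL Server" (or "MS SQL") would match the style of the neighbouring rows (HTTP, HTTPS, RDP).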
