> Tag based network security groups in Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
26
+
27
+
::: zone-end
28
+
15
29
This article describes how to configure network security groups with network security tags in Windows Admin Center.
16
30
17
31
With network security tags, you can create custom user-defined tags, attach those tags to your virtual machine (VM) network interfaces, and apply network access policies (with network security groups) based on these tags.
18
32
19
-
<!--Refactored the following section. Please review.-->
33
+
## Prerequisites
34
+
35
+
Complete the following prerequisites to use network security groups with tags:
36
+
37
+
:::zone pivot="azure-stack-hci"
38
+
39
+
- You have Azure Stack HCI 22H2 or later installed on your cluster. For more information, see how to [Install the Azure Stack HCI, version 23H2 operating system](../deploy/deployment-install-os.md).
40
+
41
+
- You have Network Controller installed. Network Controller enforces the default network policies. For more information, see how to [Install Network Controller](../deploy/sdn-wizard-23h2.md).
42
+
43
+
- You have a logical network or a virtual network to use. For more information, see how to [Create a logical network](./tenant-logical-networks.md) or [Create a virtual network](./tenant-virtual-networks.md).
44
+
45
+
- You have a VM to apply a network security group to. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
46
+
47
+
- You have administrator permissions or equivalent to the cluster nodes and network controller.
48
+
49
+
::: zone-end
50
+
51
+
:::zone pivot="windows-server"
52
+
53
+
- You have Windows Server 2025 or later. For more information, see [Get started with Windows Server](/windows-server/get-started/get-started-with-windows-server).
54
+
55
+
- You have Network Controller installed. For more information, see how to [Deploy an SDN infrastructure using SDN Express](sdn-express.md?context=/windows-server/context/windows-server-edge-networking).
56
+
57
+
- You have a logical network or a virtual network to use. For more information, see how to [Create a logical network](./tenant-logical-networks.md?context=/windows-server/context/windows-server-failover-clustering) or [Create a virtual network](./tenant-virtual-networks.md?context=/windows-server/context/windows-server-failover-clustering).
58
+
59
+
- You have a VM to apply a network security group to. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
60
+
61
+
- You have administrator permissions or equivalent to the cluster nodes and network controller.
62
+
63
+
::: zone-end
64
+
20
65
## Simplify security with network security tags
21
66
22
67
Network security groups allow you to configure access policies based on network constructs like network prefixes and subnets. For example, if you want to restrict communication between your Web Server VMs and database VMs, you must identify corresponding network subnets and create a policy to deny communication between those subnets. However, there are some limitations with this approach:
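Review bot: the Azure Stack HCI prerequisite added at new line 39 (`- You have Azure Stack HCI 22H2 or later installed on your cluster.`) names 22H2 as the minimum but links to "Install the Azure Stack HCI, version 23H2 operating system", and the Network Controller bullet that follows links to `sdn-wizard-23h2.md`; pick one minimum version and make the sentence and the link agree, otherwise a 22H2 reader is sent to a 23H2 install guide. The same bullet in the azure-stack-hci pivot says "Network Controller enforces the default network policies" while the windows-server pivot drops that sentence; since the behaviour is the same on both platforms, keep the wording identical in both pivots or drop it in both. Minor: the zone markers are written two ways (`:::zone pivot="..."` and `::: zone-end`); use one spacing convention throughout the file.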
@@ -25,9 +70,9 @@ Network security groups allow you to configure access policies based on network
25
70
26
71
- When building policies for applications, you might want to reuse them across different scenarios. For example, if your production web app can only be reached over port 80 from the internet, and can't be reached by other apps in production or other environments, you'd have a similar policy for any new app. However, with network segmentation, recreating policies becomes necessary due to unique network elements for each app.
27
72
28
-
- If you decommission an old application and provision a new one within the same network segment, policy adjustments are required.
73
+
- If you decommission an old application and deploy a new one within the same network segment, policy adjustments are required.
29
74
30
-
With the network security tags feature, you no longer need to track the network segments where your applications are hosted. This simplifies policy management and avoids the complexities associated with network constructs. Let's reconsider the example with Web Server and database VMs: Tag the corresponding VMs with "Web" and "Database" network security tags, then create a rule to restrict communication between "Web" and "Database" tags.
75
+
With network security tags, you no longer need to track the network segments where your applications are hosted. Network security tags simplify policy management and avoid the complexities associated with network constructs. Let's reconsider the example with Web Server and database VMs: Tag the corresponding VMs with "Web" and "Database" network security tags, then create a rule to restrict communication between "Web" and "Database" tags.
31
76
32
77
## Create network security tag based network security groups
33
78
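Review bot: the rewritten sentence at new line 75 ("create a rule to restrict communication between "Web" and "Database" tags") leaves the direction and semantics of the rule open, which matters for a policy example. Say what the rule is, for example a **Deny** rule with source tag "Web" and destination tag "Database", and remind the reader that, per the rule table later in this article, a lower priority number wins, so the deny rule must carry a lower number than any allow rule that could match the same traffic.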
@@ -131,7 +176,7 @@ After you create a network security group, you're ready to create network securi
131
176
| ----- | ----------- |
132
177
|**Name**| Name of the rule. |
133
178
|**Priority**| Priority of the rule. Acceptable values are **101** to **65000**. A lower value denotes a higher priority. |
134
-
|**Types**| Type of the rule. This can be **Inbound** or **Outbound**. |
179
+
|**Types**| Type of the rule. This rule type can be **Inbound** or **Outbound**. |
135
180
|**Protocol**| Protocol to match either an incoming or outgoing packet. Acceptable values are **All**, **TCP** and **UDP**. |
136
181
|**Source**| Select **Network Security Tag**.<br><br>**Note:** You can either select an address prefix or a network security tag but not both. |
137
182
|**Source Security Tag Type**| (Optional) Select a type for the tag. |
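Review bot: the header cell `|**Types**|` is plural while its description ("Type of the rule") is singular, and the rewritten text at new line 179, "This rule type can be **Inbound** or **Outbound**.", still reads awkwardly; rename the row to **Type** (or **Direction**) and describe it as "Direction of the rule: **Inbound** or **Outbound**." In the adjacent context rows, the **Protocol** list "**All**, **TCP** and **UDP**" should use the same list punctuation as the rest of the table, and the **Source** row's note ("You can either select an address prefix or a network security tag but not both") is worth repeating on the destination row if the same restriction applies there.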
@@ -150,11 +195,24 @@ After you create a network security group, you're ready to create network securi
### Apply network security group to a network security tag
159
217
160
218
When you apply a network security group to a network security tag, the network security group rules apply to all VM network interfaces that are associated with that network security tag.
@@ -179,6 +237,17 @@ To apply a network security group to a network security tag via Windows Admin Ce
179
237
180
238
For related information, see also:
181
239
240
+
:::zone pivot="azure-stack-hci"
241
+
182
242
-[What is Datacenter Firewall?](../concepts/datacenter-firewall-overview.md)
183
243
-[Configure network security groups with Windows Admin Center](use-datacenter-firewall-windows-admin-center.md)
184
244
-[Configure network security groups with PowerShell](use-datacenter-firewall-powershell.md)
245
+
246
+
::: zone-end
247
+
:::zone pivot="windows-server"
248
+
249
+
-[What is Datacenter Firewall?](../concepts/datacenter-firewall-overview.md?context=/windows-server/context/windows-server-failover-clustering)
250
+
-[Configure network security groups with Windows Admin Center](use-datacenter-firewall-windows-admin-center.md?context=/windows-server/context/windows-server-failover-clustering)
251
+
-[Configure network security groups with PowerShell](use-datacenter-firewall-powershell.md?context=/windows-server/context/windows-server-failover-clustering)
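Review bot: the windows-server pivot added here uses the `?context=/windows-server/context/windows-server-failover-clustering` query on every link, while the SDN Express prerequisite earlier in this same change uses `windows-server-edge-networking`; pick one context for the Windows Server build of this SDN article so the table of contents the reader lands in is consistent. Also, the context line "For related information, see also:" is redundant ("related" and "see also"); "For related information, see:" or "See also:" reads better, and the list items should have a space after the hyphen (`- [What is Datacenter Firewall?]`) so they render as a list rather than as literal `-[` text.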