Let’s take a concrete example of Layer/Group/Rule
object relationship and management by examining the Network Security Group
(NSG) in the ACL Layer. Each NSG has a default group for Infrastructure rules,
which allows Intra-VNet traffic, outbound Internet connection, and load
balancer communication (health check, etc.). We can’t delete, add or modify
rules in this group. The second group has User Defined rules, which we can use
to allow/deny traffic flows based on our security policy. An NSG Rule consists
of Conditions and Actions. Condition defines the match policy using 5-tuple of
src-dst IP/Protocol/src-dst Ports. A Condition is associated with an Action for
matching data flows. In our example, we have an Inbound Infrastructure Rule with
Condition/Action that allows connection initiation from VMs within the VNet.
ACL layer control component is Security Controller. We use the Security Controller's Northbound API when we create or modify an NSG with Windows PowerShell or Azure GUI. Security Controllers, in turn, use a Southbound API to program
our intent to VFP via Host Agent.
The next post explains how VFP handles
outgoing/incoming data streams and creates Unified Flow Tables (UFT) from them
using the Header Transposition solution.
Figure 1-1: Overview of Virtual Filtering Platform (click to enlarge). |