1

Access to Azure VMs is controlled by the "Network Security Group" (NSG) settings. I am in the process of setting up a Linux VM with a public IP on Azure and would like to know whether the NSG settings are sufficient to protect my VM, or whether I need to enable UFW in addition.

To me it seems that having both the NSG and UFW is like "wearing belt and suspenders". However, I would like to know the opinion of people more experienced than me before I give up the belt (or the suspenders :-) ).

András Aszódi

2 Answers

1

I always prefer to have defense in depth. The belt-and-suspenders combo is good if there's a chance somebody will misconfigure one or the other over the lifetime of the server - and you know there is.

Of course it adds the requirement that the people working on deployment scripts are aware of the multiple layers that need to be configured.

Mikael H
  • Thank you, I like the "defense in depth" argument. Since I plan to keep only a few ports open anyway, it's not that much work to configure them both in the NSG and in the firewall app of the VM. – András Aszódi Mar 07 '20 at 16:30
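The defense-in-depth argument above only holds while the two layers actually agree; the failure mode the answer warns about is one layer drifting away from the other over the lifetime of the server. The following script is an added example (not code from the question, the answers, or Azure) that compares the TCP ports an arbitrary Internet host can reach through the NSG with the ports UFW allows on the guest, and reports ports open in only one layer. The NSG rules are constructed sample data in the shape of `az network nsg rule list -o json` output (the camelCase field names `priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix` and `destinationPortRange` are assumed), and the UFW side is constructed `ufw status` text; nothing here talks to Azure or to ufw.

```python
"""Compare the Azure NSG's Internet-facing allow set with the guest's ufw allow set.

All input below is constructed sample data for this example; the NSG field
names follow the JSON that `az network nsg rule list` returns (assumed here).
"""
from __future__ import annotations

# Constructed sample: inbound NSG rules (default rules such as DenyAllInBound
# at priority 65500 are not included in `az network nsg rule list` output by
# default, so an explicit deny-all is given here to make the evaluation clear).
SAMPLE_NSG_RULES = [
    {"name": "allow-ssh-office", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "allow-web", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80-443"},
    {"name": "deny-all", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed sample: `ufw status` as printed on the guest.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""


def _port_set(spec: str) -> set[int]:
    """Expand a port spec ('22', '80-443', '22,443', '*') into a set of ports."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return set(range(1, 65536))
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def nsg_internet_tcp_ports(rules: list[dict]) -> set[int]:
    """TCP ports that any Internet host can reach through the NSG.

    Azure evaluates inbound rules from the lowest priority number upwards and
    the first matching rule decides. Rules restricted to a specific source do
    not apply to an arbitrary Internet host, so they are skipped on both the
    Allow and the Deny side; a port with no deciding rule counts as closed.
    """
    ordered = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    decided: dict[int, bool] = {}
    for rule in ordered:
        if rule["protocol"] not in ("Tcp", "*"):
            continue
        if rule["sourceAddressPrefix"] not in ("*", "Internet"):
            continue
        for port in _port_set(rule["destinationPortRange"]):
            decided.setdefault(port, rule["access"] == "Allow")
    return {port for port, allowed in decided.items() if allowed}


def ufw_tcp_ports(status_text: str) -> set[int]:
    """TCP ports ufw allows from anywhere (IPv4 rows of `ufw status`)."""
    ports: set[int] = set()
    for line in status_text.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[1] != "ALLOW" or cols[2] != "Anywhere":
            continue  # headers, blank lines, (v6) rows and source-restricted rules
        target = cols[0]
        if target.endswith("/tcp"):
            ports.update(_port_set(target[:-4].replace(":", "-")))  # ufw ranges use ':'
        elif target.isdigit():  # protocol-less rule covers tcp as well
            ports.add(int(target))
    return ports


def firewall_drift(rules: list[dict], status_text: str) -> dict[str, set[int]]:
    """Ports where only one layer is doing the work, plus the agreed set.

    nsg_only: Azure lets it in, the host blocks it -> a later `ufw disable`
              silently exposes the port.
    ufw_only: the host lets it in, Azure blocks it -> a loosened NSG rule
              silently exposes the port.
    """
    nsg_ports = nsg_internet_tcp_ports(rules)
    host_ports = ufw_tcp_ports(status_text)
    return {"nsg_only": nsg_ports - host_ports,
            "ufw_only": host_ports - nsg_ports,
            "both": nsg_ports & host_ports}


if __name__ == "__main__":
    for key, ports in firewall_drift(SAMPLE_NSG_RULES, SAMPLE_UFW_STATUS).items():
        print(f"{key:9s} {sorted(ports)[:10]}{' ...' if len(ports) > 10 else ''}")
```

With the sample data, port 443 is the only port both layers agree on; 80 to 442 pass the NSG but stop at UFW, while 22 and 8080 are open on the host and currently saved only by the NSG (22 is reachable only from the office prefix, which is exactly the kind of rule someone may later widen). Running the same comparison from a deployment pipeline turns "be aware of the multiple layers" into a check that fails the build.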
1

If you plan to implement something like fail2ban to protect from malicious brute force attacks, you'll need a firewall (iptables, ufw or other) on the VM guest. fail2ban works by monitoring the logs of your public services and modifying local VM firewall rules to block bad actors.

Larry Silverman
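To make concrete why fail2ban needs a firewall on the guest, here is a simplified model of its sshd jail, written for this page as an added example (it is not fail2ban's code and not from the answer above). It reads constructed journal-style sshd lines, keeps a sliding window of failed logins per source address (fail2ban's `findtime` and `maxretry`), and emits the host-firewall command that would block the offender. The `ufw insert 1 deny ...` command is a choice made for this example; fail2ban's real ufw action may format it differently, and real fail2ban also removes the rule again after `bantime`, which is left out here.

```python
"""Minimal fail2ban-style ban planner over sshd log lines (added example, not fail2ban itself).

Everything it decides ends up as a rule in the guest's own firewall, which is
why an NSG alone is not enough when you want this kind of automatic banning.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Matches journalctl -o short-iso style sshd failures; the prefix format is an
# assumption for this example.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S* \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: one brute-forcer, one slow trickle, one pair of typos.
SAMPLE_LOG = """\
2020-03-07T16:30:01+0000 vm sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
2020-03-07T16:30:05+0000 vm sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
2020-03-07T16:30:09+0000 vm sshd[1203]: Failed password for root from 198.51.100.7 port 51251 ssh2
2020-03-07T16:30:20+0000 vm sshd[1204]: Failed password for root from 198.51.100.7 port 51260 ssh2
2020-03-07T16:31:00+0000 vm sshd[1205]: Accepted publickey for andras from 203.0.113.20 port 40000 ssh2
2020-03-07T16:32:00+0000 vm sshd[1206]: Failed password for ubuntu from 192.0.2.10 port 42000 ssh2
2020-03-07T16:32:30+0000 vm sshd[1207]: Failed password for ubuntu from 192.0.2.10 port 42001 ssh2
2020-03-07T16:40:00+0000 vm sshd[1208]: Failed password for root from 203.0.113.5 port 33000 ssh2
2020-03-07T17:00:00+0000 vm sshd[1209]: Failed password for root from 203.0.113.5 port 33001 ssh2
2020-03-07T17:20:00+0000 vm sshd[1210]: Failed password for root from 203.0.113.5 port 33002 ssh2
""".splitlines()


def plan_bans(lines: list[str], maxretry: int = 3,
              findtime: timedelta = timedelta(minutes=10),
              ssh_port: int = 22) -> tuple[list[str], dict[str, datetime]]:
    """Return (firewall commands to run, {banned ip: time of ban}).

    A source is banned once it has `maxretry` failures inside any `findtime`
    window; later failures from an already banned source are ignored, and
    failures older than the window fall out of it (so a slow trickle never
    trips the threshold, exactly as with fail2ban's findtime).
    """
    recent: dict[str, list[datetime]] = {}
    banned: dict[str, datetime] = {}
    commands: list[str] = []
    for line in lines:
        match = FAILED_RE.match(line)
        if match is None:
            continue  # successful logins and unrelated messages
        ts = datetime.fromisoformat(match["ts"])
        ip = match["ip"]
        if ip in banned:
            continue
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
            # This is the step that requires a firewall on the guest itself.
            commands.append(f"ufw insert 1 deny from {ip} to any port {ssh_port} proto tcp")
    return commands, banned


if __name__ == "__main__":
    cmds, bans = plan_bans(SAMPLE_LOG)
    for cmd in cmds:
        print(cmd)
    print("banned:", sorted(bans))
```

On the sample data only 198.51.100.7 is banned: 192.0.2.10 stops at two failures, and 203.0.113.5 spreads its three failures 20 minutes apart so no 10-minute window ever holds three of them. Lowering `findtime` or raising `maxretry` changes that trade-off between catching slow attempts and locking out a user who mistyped a password.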