Operate the Firewalls

Posted on by Mike Denzien

This is step 5 of 7 of Hands-On Project 1 for both Azure and AWS. In this step, you learn to adjust the firewall settings which control access to your virtual machine from the public internet.

Back to Project

For a quick introduction to adding inbound port rules, let’s start with a couple of brief videos:

For Azure (3 minutes): https://www.youtube.com/watch?v=nof63k1mW8Q

For AWS: Note – A good, focused example exists but it is out of date. I am currently looking for a short intro video for AWS.

Why Would We Open More Ports?

Before opening additional firewall ports, we need to have a need to do so. You would normally open as few ports as possible from the public internet in order to keep your virtual machine reasonably secure. To fabricate a need to open a port, we will install the apache web server.

Connect to your virtual machine using Bitvise and open a terminal window, then install the apache2 package:

sudo apt install apache2

You can verify the installation by checking the status of the apache2 service:

sudo systemctl status apache2

You can also check whether apache is listening on port 80 with this:

sudo lsof -i -P -n | grep LISTEN

Accessing Apache Through the Browser

Once you are sure that apache is running, open your browser and try to access the web server on your VM. Assuming your IP address is 20.169.113.117, enter this on the browser’s address line:

http://20.169.113.117/

This may or may not display the Default page for apache. If you have never written an inbound port rule within this Azure account, the above will probably time out for lack of TCP port 80 being open on the virtual machine. If you have already opened port 80 (perhaps for another virtual machine on the same subnet), then the apache default page will be shown:

Write an Inbound Port Rule

Assuming you have never opened port 80 on a VM on this subnet, you will need to write an inbound port rule for port 80.

For Azure, follow these instructions:

  1. From the Azure Portal, please do the following:
  2. Navigate: Portal Home –> Virtual Machines –> select virtual machine –> Networking.
  3. The Networking page for this VM should be showing. Select Inbound port rules, then Add inbound port rule.
  4. For Service, select HTTP. This will fill in defaults for TCP, 80, Allow.
  5. For Priority, enter a value that puts the rule near the top of the inbound port rules. Often, a priority of 310 will be automatically filled in, and this often puts the new rule right behind the rule for SSH (priority 300).
  6. Enter a name of HTTP. This is easier to read than the name suggested.
  7. Click Add to save the rule.

For AWS, follow these instructions:

  1. From the Management Console, please do the following:
  2. Navigate: Console Home –> EC2 –> Instances –> select Instance ID of desired instance –> select Security tab –> click on security group ID under Security Groups –> select Inbound rules.
  3. Click Edit inbound rules. An editable rule page will be displayed.
  4. Click Add Rule. On the new rule, select HTTP for Type, then Anywhere-IPV4 for Source.
  5. Click Save Rules. The new rule will be saved, and the Inbound Rules list will be displayed.

Wait a few minutes to allow the inbound port rule to be deployed, then try to access apache again:

http://20.169.113.117/

If you did everything right, the apache default page will appear as above. If not, please review your work.

Remove an Inbound Port Rule

Now that we can access the web server on our VM from the public internet, let’s undo what we just did, to be sure we can close ports that no longer need to be open.

For Azure, follow these instructions:

  1. From the Azure Portal, please do the following:
  2. Navigate: Portal Home –> Virtual Machines –> select virtual machine –> Networking.
  3. The Networking page for this VM should be showing. Select Inbound port rules.
  4. On the row with the HTTP rule, click the ellipsis marks (…) at the right, then select Delete –> Yes.

For AWS, follow these instructions:

  1. From the Management Console, please do the following:
  2. Navigate: Console Home –> EC2 –> Instances –> select Instance ID of desired instance –> select Security tab –> click on security group ID under Security Groups –> select Inbound rules.
  3. Click Edit inbound rules. An editable rule page will be displayed.
  4. On the row with the HTTP rule, click Delete, then Save Rules.

Wait a few minutes to allow the deletion of the inbound port rule to be deployed, then try to access apache again. You the request should time out in the browser. If it does not time out, please review your work.