Microsoft Azure NSG

Overview

This integration allows for IP addresses to be dynamically managed within Azure Network Security Groups (NSGs), which are used by default as the inner firewalls protecting virtual machines. Other Azure assets (PaaS etc) are managed using separate Knocs.

Prerequisites

This utilizes the Azure CLI binary, which must be installed on the Agent machine.

For Debian, follow these steps:

# Update the list of packages
sudo apt-get update

# Install pre-requisite packages.
sudo apt-get install -y azure-cli

# Update it.
# If the version is significantly behind, you may need to install from Microsoft (see below)
az upgrade

# If you have any errors running, you may need to install from Azure directly
# do this if you get warnings or errors
#
#sudo apt remove azure-cli
#rm -rf ~/.azure
#curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Permissions in Azure

To interact with the Azure NSG - via the API - you need to first create a service principal and assign the limited permissions, as shown below:

Create a custom role (for limited NSG edit access)

Go to Azure Portal: https://portal.azure.com
Search for “Subscriptions” and select your subscription.
In the left menu, click “Access control (IAM)”.
Go to the “Roles” tab and click + Add > Add custom role.
Basics tab:
- Name: Knocknoc NSG Edit
- Description: Can read and edit rules in a Network Security Group.
Permissions tab:
- Click + Add permissions
- In the search box, type: networkSecurityGroups
- Add these permissions:
  - Microsoft.Network/networkSecurityGroups/read
  - Microsoft.Network/networkSecurityGroups/securityRules/read
  - Microsoft.Network/networkSecurityGroups/securityRules/write
  - Microsoft.Network/networkSecurityGroups/securityRules/delete
- Click Add
Assignable scopes tab:
- Click + Add assignable scope
- Select your resource group, or subscription if broader access is fine.
Review + create the custom role.

Create a Service Principal in Azure Portal

1. Go to the Azure Portal

Visit: https://portal.azure.com

2. Search for “App registrations”

In the top search bar, type App registrations and select it.

3. Click “+ New registration”

Name: Knocknoc-NSG-Editor (or anything you prefer)
Supported account types: Leave as "Single tenant" (default)
Redirect URI: Leave blank (not needed for non-interactive apps)

Click Register

4. Go to “Certificates & secrets”

Click + New client secret
Give it a name like NSG-Edit-Automation
Set expiration (e.g., 24 months)
Click Add

Copy the generated secret value immediately — you won’t be able to retrieve it later.

5. Find Application (client) ID

In the Overview tab of your app registration:
- Copy the Application (client) ID
- Also copy the Directory (tenant) ID

6. Assign the Custom Role (Knocknoc NSG Edit)

Go to your Resource Group (or subscription) where the NSG lives.
Click Access control (IAM).
Click + Add > Add role assignment
Choose:
- Role: Knocknoc NSG Edit (or your custom role name)
- Assign access to: User, group, or service principal
- Select: Find and select your registered app (Knocknoc-NSG-Editor)

Click Save

Configuring the Knoc

Using the Knocknoc Admin panel, select the Firewalls, Active, then Azure NSG option.

Note the Azure CLI binary must be installed on the agent machine, and running a recent version. See below.

You need these values:

Username (service principal account, which we configured earlier)
Password (for the service principal above)
Tenant ID (copied from the App Registration "Directory (tenant) ID", also found as the "Parent management group" on the Subscription page)

For the relevant NSG, you need these values:

Resource group and existing NSG name
Port and Protocol
Direction (Inbound or Outbound)

Errors

If you experience any errors back from the Azure CLI, you may need to upgrade from Microsoft directly instead of using your operating-system package.

# If you have any errors running, you may need to install from Azure directly
# do this if you get warnings or errors
sudo apt remove azure-cli
rm -rf ~/.azure
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Use Cases (overview)

SSH

FortiOS, FortiProxy, Palo Alto, or SSL VPN

VPN and Ransomware

High security subnets and JIT network access

Financial services data partner, secure web upload

Web applications (layer-7 filtering)

Remote Desktop, simple small business example

Firewall Manager access (IT MSP)

Ivanti Connect Secure

Video

VOIP

AWS Infrastructure

Azure Portal

Licensing Knocknoc

Server Installation

Agent Installation

Knocker - a cli utility for agents

Create Users

Create Groups

Admins

Settings

Updates and Upgrades

IPSet (Linux Netfilter/IPTables)

Fortigate Address Groups (Fortinet)

Palo Alto

Juniper SRX

Allowlist (EDLs)

Cisco (SFMC/Firepower)

HAProxy

Microsoft Entra

Microsoft Azure NSG

IPsets with UFW

IPsets with Shorewall

Custom Script

AWS (EC2) Security Groups

AWS WAF Ipset

Mikrotik RouterOS

Nginx

Apache Webserver

Local Authentication (MFA included)

SAML

SAML Principles and Terms

SAML with EntraID (Azure AD)

SAML with OKTA

SAML with Gsuite as IDP

SAML with Jumpcloud

SAML for the Admin Interface

SAML with Keycloak

SAML with CyberArk

SAML with Authentik

Knocknoc with ADFS

LDAP

Grant and Revoke process

Click to Grant/Revoke

Additional client IP addresses

LOOTOTL - Last One Out Turn Off The Lights

Time for NTP

LDAP Troubleshooting tips

Knocknoc server behind HAProxy

HAProxy tips and tricks

Debugging & log levels

Microsoft Azure NSG

Overview

Prerequisites

Permissions in Azure

Create a custom role (for limited NSG edit access)

Create a Service Principal in Azure Portal

Configuring the Knoc

Errors