Is it possible to restrict ingress and egress traffic between front end and back end Azure IaaS VMs strictly at the network level?

Question

I would like to create an extra-paranoid hub-and-spoke DMZ setup on Azure using IaaS VMs.

I have an public internet facing front end server (i.e. an IIS web server) that I'd like to severely lockdown. However, the front end requires access to some back end servers (i.e. a database, a domain controller, etc.). I want to ensure:

1. Only the front end server can talk to the back end servers, and only on agreed upon ports.
2. The back end servers cannot receive or send traffic from/to the public internet.
3. The back end servers cannot talk to each other.
4. These rules are enforced beyond the VM operating system layer to provide defense in depth.

This seems like a reasonable scenario, but I can't seem to achieve it on Azure. The closest I've been able to do is:

• Create an IaaS VM front end and restrict its endpoints appropriately
• Create an Azure Virtual Network with a "FrontEnd" and "BackEnd" subnets placing each machine on the appropriate subnets.
• Prevent RDP access to the back end VMs. If I want to RDP to the backend machines, I must do it through the front end VM.
• Setup Windows Firewall rules on each of these machines to enforce these hub-and-spoke style of rules.

This works ok but it's not as locked down as I'd like. I really want to have defense-in-depth so that I don't have to rely on Windows/Linux firewall settings on each machine. For example, let's say that a back end server must run an application with administrator credentials (assume there are no alternatives to this). I want an extra layer of protection such that a bug (or a malicious query) on the back end server could not:

• Reconfigure the back end's firewall to be less restrictive.
• Talk to anyone else but the front end machine (this includes the public internet).

As far as I can tell, this isn't possible on Azure using the Virtual Networking because:

• Azure Virtual Networks don't seem to expose ACLs or any other advanced filtering support.
• Azure IaaS VMs only support a single NIC and thus the front end can't be multihomed on both a front end and back end subnet.

Am I missing something? It seems like I might be able to hack something together using multiple virtual networks and VPN them together as a bunch of /30 subnets but that seems quite awful. If I can't figure this out on Azure it seems my only reasonable alternative is to try to setup something like this on AWS using Virtual Private Cloud (VPC). Any help/guidance would be appreciated.

Answer 1

I received a private answer from the Azure team that effectively said that this is not currently possible. It's a requested feature but there is no set timeline for its implementation.

Answer 2

As of Nov 2015 it's now possible to deliver what you're asking for, albeit in IaaS v2.

Firewall-like rules, limited to address ranges, ports and protocols can be delivered via Network Security Groups (NSGs). This is documented quite well on Microsoft's site: What is a Network Security Group (NSG)?

You can now also create VMs with multiple NICs (again, IaaS v2) however be aware that you may be required to increase your VM size in order to add more than one. Again, there's a reasonable article explaining it in detail here: Create a VM with multiple NICs