Azure Virtual Datacentre Design – Part Three – Network Resources

July 25, 2020

This is a multipart project overview. The brief was to create a high-level design for a virtual datacentre in Azure for a company looking to move the contents of a datacentre and a few other sites with on-premise server infrastructure to the cloud.

Part Three goes through the virtual network elements of the design.

All code and documentation is available at https://github.com/jmattmacd/AzureVirtualDatacentre

Part One – Overview and Scoping
Part Two – General Azure Resources
Part Three – Network Resources
Part Four – Server Infrastructure Resources

The network components consist of a single virtual network split into tier-specific subnets, with NSGs controlling connections between tiers.

Virtual Network and Subnets

An Azure virtual network called JMM_VNet01 is created in the resource group. It will have an IP scope of 10.$IP.0.0/16.

Multiple infrastructure subnets are created in this VNet:

| Subnet | Address prefix |
|---|---|
| ManagementSubnet | 10.$IP.200.0/24 |
| WebSubnet | 10.$IP.10.0/24 |
| BusinessSubnet | 10.$IP.20.0/24 |
| DataSubnet | 10.$IP.30.0/24 |
| MigrationSubnet | 10.$IP.0.0/24 |
| InfrastructureSubnet | 10.$IP.190.0/24 |
Table 1 – Subnets

A second virtual network called JMM_DMZ_VNet is created in the resource group. It will have an IP scope of 172.16.0.0/24 and a single subnet for the whole range. This can be changed as required on an application-by-application basis, in conjunction with the design, build and configuration of the network virtual appliances/firewalls (out of scope).

The code to build this component is: [02] – Create Virtual Network and Subnets.ps1

# connect-azurermaccount
# $IP (the second octet of the 10.x.0.0/16 address space) must be set before running.
# Address prefixes are double-quoted so that $IP is expanded; single quotes would pass the literal text $IP.

New-AzureRmVirtualNetwork -Name JMM_VNet01 -ResourceGroupName "JMM_RG01" -Location UKSouth -AddressPrefix "10.$IP.0.0/16"

$vnet = Get-AzureRmVirtualNetwork -Name JMM_VNet01 -ResourceGroupName JMM_RG01
Add-AzureRmVirtualNetworkSubnetConfig -Name ManagementSubnet -VirtualNetwork $vnet -AddressPrefix "10.$IP.200.0/24" | Set-AzureRmVirtualNetwork

$vnet = Get-AzureRmVirtualNetwork -Name JMM_VNet01 -ResourceGroupName JMM_RG01
Add-AzureRmVirtualNetworkSubnetConfig -Name WebSubnet -VirtualNetwork $vnet -AddressPrefix "10.$IP.10.0/24" | Set-AzureRmVirtualNetwork

$vnet = Get-AzureRmVirtualNetwork -Name JMM_VNet01 -ResourceGroupName JMM_RG01
Add-AzureRmVirtualNetworkSubnetConfig -Name BusinessSubnet -VirtualNetwork $vnet -AddressPrefix "10.$IP.20.0/24" | Set-AzureRmVirtualNetwork

$vnet = Get-AzureRmVirtualNetwork -Name JMM_VNet01 -ResourceGroupName JMM_RG01
Add-AzureRmVirtualNetworkSubnetConfig -Name DataSubnet -VirtualNetwork $vnet -AddressPrefix "10.$IP.30.0/24" | Set-AzureRmVirtualNetwork

$vnet = Get-AzureRmVirtualNetwork -Name JMM_VNet01 -ResourceGroupName JMM_RG01
Add-AzureRmVirtualNetworkSubnetConfig -Name MigrationSubnet -VirtualNetwork $vnet -AddressPrefix "10.$IP.0.0/24" | Set-AzureRmVirtualNetwork

$vnet = Get-AzureRmVirtualNetwork -Name JMM_VNet01 -ResourceGroupName JMM_RG01
Add-AzureRmVirtualNetworkSubnetConfig -Name InfrastructureSubnet -VirtualNetwork $vnet -AddressPrefix "10.$IP.190.0/24" | Set-AzureRmVirtualNetwork

$vnet = Get-AzureRmVirtualNetwork -Name JMM_VNet01 -ResourceGroupName JMM_RG01
Add-AzureRmVirtualNetworkSubnetConfig -Name DMZSubnet -VirtualNetwork $vnet -AddressPrefix "10.$IP.254.0/24" | Set-AzureRmVirtualNetwork

$vnet = New-AzureRmVirtualNetwork -Name JMM_DMZ_VNet -ResourceGroupName "JMM_RG01" -Location UKSouth -AddressPrefix "172.16.0.0/24"
Add-AzureRmVirtualNetworkSubnetConfig -Name DMZSubnetPublic -VirtualNetwork $vnet -AddressPrefix "172.16.0.0/24" | Set-AzureRmVirtualNetwork

Gateway Subnet

A gateway subnet containing the reserved IP Addresses [10.$IP.255.0/27] for the virtual network gateway is created as JMM_GatewaySubnet: [03] – Create Gateway Subnet.ps1

# connect-azurermaccount
# $IP must be set before running; the prefix is double-quoted so that it is expanded.

$vnet = Get-AzureRmVirtualNetwork -Name JMM_VNet01 -ResourceGroupName JMM_RG01
Add-AzureRmVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet -AddressPrefix "10.$IP.255.0/27" | Set-AzureRmVirtualNetwork

Virtual Network VPN Gateway

A virtual network gateway is deployed to terminate VPN(s) from on-premise networks. This is likely to be replaced/augmented/upgraded to a virtual network appliance as the Azure estate grows.

The endpoint as per this design uses a basic gateway solution and dynamic external IP to reduce costs during implementation/scale out phases.

[04] – Create Virtual Network VPN Gateway.ps1

Local VPN Gateway

This defines the local (on-premise) side of the VPN into the Azure cloud solution. As per the scoping of this design what is presented is a simplified example configuration – the full network requirements are out of scope.

This is an example command. $LocalExtAddress must be replaced with the external IP of the on-premise VPN gateway device. $AddressPrefix should be replaced with the addresses (CIDR formatted) which should be routed back through the gateway from Azure. [05] – Create Local Network VPN Gateway.ps1

# connect-azurermaccount
# Set $LocalExtAddress and $AddressPrefix (or substitute the values) before running.

New-AzureRMLocalNetworkGateway -Name OnPremiseGateway -ResourceGroupName JMM_RG01 -Location UKSouth -GatewayIpAddress $LocalExtAddress -AddressPrefix $AddressPrefix

Site-to-Site Connector

As per the design an IPSec VPN connector is created on the Virtual Network Gateway to connect the Virtual Network Gateway and the Local VPN gateway defined previously.

This will use a pre-shared key which will be rotated regularly.

There is an included temporary pre-shared key which must be changed when building any live resources.

[06] – Create Site-to-Site VPN Connection.ps1

# connect-azurermaccount 
# CHANGE THE PSK!

$gateway = Get-AzureRMVirtualNetworkGateway -Name JMM_VNet01Gateway -ResourceGroupName JMM_RG01
$local = Get-AzureRMLocalNetworkGateway -Name OnPremiseGateway -ResourceGroupName JMM_RG01
New-AzureRMVirtualNetworkGatewayConnection -Name JMM_VNNet01ToONPrem -ResourceGroupName JMM_RG01 -Location UKSouth -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123' 
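
One way to avoid shipping the placeholder key, as an added example that is not part of the original scripts: generate the pre-shared key from the system CSPRNG at build time and rotate it later with Set-AzureRmVirtualNetworkGatewayConnectionSharedKey. The function names, the 64-character alphanumeric key format and the rotation wrapper are assumptions; the connection and resource group names are the ones used in the script above.

```powershell
# Added example, not the project's code. Helper names and key format are assumptions.
function New-VpnSharedKey([int]$Length = 64) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    # Discard bytes at or above the largest multiple of the alphabet size (248)
    # so that every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $key = New-Object System.Text.StringBuilder
    try {
        while ($key.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$key.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
    } finally { $rng.Dispose() }
    $key.ToString()
}

# Rotation: replaces the key on the Azure side of an existing connection and
# returns it so the same value can be entered on the on-premise VPN device.
# Defined here but not invoked, so the block runs without an Azure session.
function Update-VpnSharedKey([string]$ConnectionName, [string]$ResourceGroupName) {
    $psk = New-VpnSharedKey
    Set-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name $ConnectionName `
        -ResourceGroupName $ResourceGroupName -Value $psk | Out-Null
    $psk
}

# Initial build: pass a generated key instead of a literal, e.g.
#   New-AzureRMVirtualNetworkGatewayConnection ... -SharedKey (New-VpnSharedKey)
# Later rotation:
#   Update-VpnSharedKey -ConnectionName JMM_VNNet01ToONPrem -ResourceGroupName JMM_RG01
```

The tunnel will not re-establish until the on-premise device is configured with the same value, so rotations need to be coordinated with whoever manages that device.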

Network Security Groups

The connectivity between subnets is controlled by network security groups.

Each tier subnet has a single network security group for global control of communication between tiers. Individual resources can also have their own NSG to provide further security as necessary; however, this is envisaged as unlikely and is out of scope for this design.

The default allow rules are noted below; they can be changed instantly by editing the associated NSG. All other ports and connections are denied.

No application allow rules have been created in the Business Tier, as these will be created as applications are deployed.

An allow rule for default SQL ports has been created in the Data Tier; this is illustrative of the capabilities rather than operational.

| Network Security Group | From | To | Port/Service |
|---|---|---|---|
| ManagementNSG | LoadBalancerProbe | Management Tier | * |
| ManagementNSG | Any | Management Tier | RDP TCP 3389 |
| WebNSG | LoadBalancerProbe | Web Tier | * |
| WebNSG | Management Tier | Web Tier | RDP TCP 3389 |
| WebNSG | Any | Web Tier | HTTP TCP 80 |
| WebNSG | Any | Web Tier | HTTPS TCP 443 |
| BusinessNSG | LoadBalancerProbe | Web Tier | * |
| BusinessNSG | Management Tier | Web Tier | RDP TCP 3389 |
| InfrastructureNSG | LoadBalancerProbe | Infrastructure Tier | * |
| InfrastructureNSG | Management Tier | Infrastructure Tier | RDP TCP 3389 |
| InfrastructureNSG | * | Infrastructure Tier | RPC Endpoint TCP/UDP 135 |
| InfrastructureNSG | * | Infrastructure Tier | LDAP TCP/UDP 389 |
| InfrastructureNSG | * | Infrastructure Tier | LDAP SSL TCP 636 |
| InfrastructureNSG | * | Infrastructure Tier | LDAP GC TCP 3268 |
| InfrastructureNSG | * | Infrastructure Tier | LDAP GC SSL TCP 3269 |
| InfrastructureNSG | * | Infrastructure Tier | KERB TCP/UDP 88 |
| InfrastructureNSG | * | Infrastructure Tier | DNS TCP/UDP 53 |
| InfrastructureNSG | * | Infrastructure Tier | SMB TCP/UDP 445 |
| InfrastructureNSG | * | Infrastructure Tier | DFSR SYSVOL TCP 5722 |
| InfrastructureNSG | * | Infrastructure Tier | WIN TIME UDP 123 |
| InfrastructureNSG | * | Infrastructure Tier | KERB PW TCP/UDP 464 |
| InfrastructureNSG | * | Infrastructure Tier | DFS GP UDP 138 |
| InfrastructureNSG | * | Infrastructure Tier | NETLOGON UDP 137 |
| InfrastructureNSG | * | Infrastructure Tier | NETLOGON TCP 139 |
Table 2 – NSG Ports in prototyping scripts

The code to create these NSGs is below: [07] – Create NSGs.ps1

# connect-azurermaccount 

$nsg = New-AzureRmNetworkSecurityGroup -Name ManagementNSG -ResourceGroupName JMM_RG01 -Location UKSouth
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName JMM_RG01 -Name JMM_VNET01
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -name ManagementSubnet
$subnet.NetworkSecurityGroup = $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowLoadBalancer -Description "Allows Azure Probe" -Access Allow -Protocol * -Priority 4095 -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowRDP -Description "Allows RDP from any Subnet" -Access Allow -Protocol TCP -Priority 1024 -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 3389 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name Block_VNet1 -Description "Blocks Subnet to Subnet Traffic" -Access Deny -Protocol * -Priority 4096 -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressprefix VirtualNetwork -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup

$nsg = New-AzureRmNetworkSecurityGroup -Name WebNSG -ResourceGroupName JMM_RG01 -Location UKSouth
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName JMM_RG01 -Name JMM_VNET01
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -name WebSubnet
$subnet.NetworkSecurityGroup = $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowHTTPS -Description "Allows HTTPS traffic" -Access Allow -Protocol TCP -Priority 1022 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 443 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowHTTP -Description "Allows HTTP traffic" -Access Allow -Protocol TCP -Priority 1023 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 80 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowLoadBalancer -Description "Allows Azure Probe" -Access Allow -Protocol * -Priority 4095 -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowRDP -Description "Allows RDP from Management Tier" -Access Allow -Protocol TCP -Priority 1024 -SourceAddressPrefix 10.$IP.200.0/24 -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 3389 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name Block_VNet1 -Description "Blocks Subnet to Subnet Traffic" -Access Deny -Protocol * -Priority 4096 -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressprefix VirtualNetwork -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup

$nsg = New-AzureRmNetworkSecurityGroup -Name BusinessNSG -ResourceGroupName JMM_RG01 -Location UKSouth
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName JMM_RG01 -Name JMM_VNET01
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -name BusinessSubnet
$subnet.NetworkSecurityGroup = $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowLoadBalancer -Description "Allows Azure Probe" -Access Allow -Protocol * -Priority 4095 -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowRDP -Description "Allows RDP from Management Tier" -Access Allow -Protocol TCP -Priority 1024 -SourceAddressPrefix 10.$IP.200.0/24 -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 3389 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name Block_VNet1 -Description "Blocks Subnet to Subnet Traffic" -Access Deny -Protocol * -Priority 4096 -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressprefix VirtualNetwork -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup
 
$nsg = New-AzureRmNetworkSecurityGroup -Name DataNSG -ResourceGroupName JMM_RG01 -Location UKSouth
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName JMM_RG01 -Name JMM_VNET01
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -name DataSubnet
$subnet.NetworkSecurityGroup = $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowSQL -Description "Allows SQL from Business Tier" -Access Allow -Protocol TCP -Priority 1023 -SourceAddressPrefix 10.$IP.20.0/24 -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 1433 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowLoadBalancer -Description "Allows Azure Probe" -Access Allow -Protocol * -Priority 4095 -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowRDP -Description "Allows RDP from Management Tier" -Access Allow -Protocol TCP -Priority 1024 -SourceAddressPrefix 10.$IP.200.0/24 -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 3389 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name Block_VNet1 -Description "Blocks Subnet to Subnet Traffic" -Access Deny -Protocol * -Priority 4096 -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressprefix VirtualNetwork -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup

$nsg = New-AzureRmNetworkSecurityGroup -Name MigrationNSG -ResourceGroupName JMM_RG01 -Location UKSouth
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName JMM_RG01 -Name JMM_VNET01
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -name MigrationSubnet
$subnet.NetworkSecurityGroup = $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet 

$nsg = New-AzureRmNetworkSecurityGroup -Name InfrastructureNSG -ResourceGroupName JMM_RG01 -Location UKSouth
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName JMM_RG01 -Name JMM_VNET01
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -name InfrastructureSubnet
$subnet.NetworkSecurityGroup = $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowRPC -Description "Allows RPC Endpoint mapper" -Access Allow -Protocol * -Priority 1023 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 135 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowLDAP -Description "Allows LDAP" -Access Allow -Protocol * -Priority 1022 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 389 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowLDAPSSL -Description "Allows LDAP SSL" -Access Allow -Protocol TCP -Priority 1021 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 636 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowLDAPGC -Description "Allows LDAP GC" -Access Allow -Protocol TCP -Priority 1020 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 3268 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowLDAPGCSSL -Description "Allows LDAP GC SSL" -Access Allow -Protocol TCP -Priority 1019 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 3269 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowKerb -Description "Allows Kerberos" -Access Allow -Protocol * -Priority 1018 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 88 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowDNS -Description "Allows DNS" -Access Allow -Protocol * -Priority 1017 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 53 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowSMB -Description "Allows SMB" -Access Allow -Protocol * -Priority 1016 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 445 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowDFSR -Description "Allows DFSR SYSVOL" -Access Allow -Protocol TCP -Priority 1015 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 5722 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowWTIME -Description "Allows WIN TIME" -Access Allow -Protocol UDP -Priority 1014 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 123 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowKerbPW -Description "Allows Kerberos PW" -Access Allow -Protocol * -Priority 1013 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 464 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowDFSGP -Description "Allows DFS GP" -Access Allow -Protocol UDP -Priority 1012 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 138 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowNETLOGONUDP -Description "Allows NETLOGON UDP" -Access Allow -Protocol UDP -Priority 1010 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 137 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowNETLOGONTCP -Description "Allows NETLOGON TCP" -Access Allow -Protocol TCP -Priority 1009 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 139 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowLoadBalancer -Description "Allows Azure Probe" -Access Allow -Protocol * -Priority 4095 -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowRDP -Description "Allows RDP from Management Tier" -Access Allow -Protocol TCP -Priority 1024 -SourceAddressPrefix 10.$IP.200.0/24 -SourcePortRange * -DestinationAddressprefix * -DestinationPortRange 3389 -Direction Inbound | Set-AzureRmNetworkSecurityGroup
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name Block_VNet1 -Description "Blocks Subnet to Subnet Traffic" -Access Deny -Protocol * -Priority 4096 -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressprefix VirtualNetwork -DestinationPortRange * -Direction Inbound | Set-AzureRmNetworkSecurityGroup

$nsg = New-AzureRmNetworkSecurityGroup -Name DMZNSG -ResourceGroupName JMM_RG01 -Location UKSouth
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName JMM_RG01 -Name JMM_VNET01
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -name DMZSubnet
$subnet.NetworkSecurityGroup = $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet 
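
The rule sets above depend on Azure's priority ordering: the matching rule with the lowest priority number decides the flow, and anything unmatched falls through to the platform's default rules. The following added example (not part of the original scripts) models that evaluation offline for DataNSG and a subset of InfrastructureNSG, and shows that rules with source `*`, such as AllowSMB, also match sources outside the virtual network, which Block_VNet1 does not cover. `$IP = 1`, the sample flows, the helper names and the treatment of the VirtualNetwork tag as this VNet only are assumptions.

```powershell
# Added example (not the project's code): offline model of NSG inbound evaluation.
# Rule values are copied from the script above; $IP = 1 and the flows are constructed.
$IP = 1
$VNetCidr = "10.$IP.0.0/16"   # assumption: the VirtualNetwork tag covers only this VNet
function ConvertTo-IPv4Number([string]$Address) {
    $o = $Address.Split('.') | ForEach-Object { [double]$_ }
    $o[0] * 16777216 + $o[1] * 65536 + $o[2] * 256 + $o[3]
}
function Test-InCidr([string]$Address, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $size = [math]::Pow(2, 32 - [int]$bits)   # number of addresses in the prefix
    $a = [math]::Floor((ConvertTo-IPv4Number $Address) / $size)
    $b = [math]::Floor((ConvertTo-IPv4Number $net) / $size)
    $a -eq $b
}
function Test-Prefix([string]$Address, [string]$Prefix) {
    switch ($Prefix) {
        '*'                 { return $true }
        'VirtualNetwork'    { return (Test-InCidr $Address $VNetCidr) }
        'AzureLoadBalancer' { return ($Address -eq '168.63.129.16') }  # Azure probe source
        default             { return (Test-InCidr $Address $Prefix) }
    }
}
function New-Rule($Name, $Priority, $Access, $Protocol, $Source, $Destination, $Port) {
    [pscustomobject]@{
        Name = $Name; Priority = [int]$Priority; Access = $Access; Protocol = $Protocol
        Source = $Source; Destination = $Destination; Port = [string]$Port
    }
}
# Azure's built-in inbound rules, evaluated after every custom rule
$AzureDefaults = @(
    (New-Rule AllowVnetInBound 65000 Allow '*' VirtualNetwork VirtualNetwork '*'),
    (New-Rule AllowAzureLoadBalancerInBound 65001 Allow '*' AzureLoadBalancer '*' '*'),
    (New-Rule DenyAllInBound 65500 Deny '*' '*' '*' '*')
)
$DataNSG = @(
    (New-Rule AllowSQL 1023 Allow TCP "10.$IP.20.0/24" '*' 1433),
    (New-Rule AllowRDP 1024 Allow TCP "10.$IP.200.0/24" '*' 3389),
    (New-Rule AllowLoadBalancer 4095 Allow '*' AzureLoadBalancer '*' '*'),
    (New-Rule Block_VNet1 4096 Deny '*' VirtualNetwork VirtualNetwork '*')
)
$InfrastructureNSG = @(   # subset of the rules in the script above
    (New-Rule AllowSMB 1016 Allow '*' '*' '*' 445),
    (New-Rule Block_VNet1 4096 Deny '*' VirtualNetwork VirtualNetwork '*')
)
# The matching rule with the lowest priority number decides the flow
function Test-NsgInbound($Rules, $Protocol, $From, $To, $Port) {
    $hit = @($Rules) + $AzureDefaults | Sort-Object Priority | Where-Object {
        ($_.Protocol -eq '*' -or $_.Protocol -eq $Protocol) -and
        ($_.Port -eq '*' -or $_.Port -eq "$Port") -and
        (Test-Prefix $From $_.Source) -and (Test-Prefix $To $_.Destination)
    } | Select-Object -First 1
    "{0}: {1} {2} -> {3}:{4} matched {5} (priority {6})" -f $hit.Access, $Protocol, $From, $To, $Port, $hit.Name, $hit.Priority
}
# Constructed flows
Test-NsgInbound $DataNSG TCP "10.$IP.20.5" "10.$IP.30.4" 1433            # Business tier to SQL
Test-NsgInbound $DataNSG TCP "10.$IP.10.5" "10.$IP.30.4" 1433            # Web tier to SQL
Test-NsgInbound $InfrastructureNSG TCP "10.$IP.10.5" "10.$IP.190.4" 445  # Web tier to SMB
Test-NsgInbound $InfrastructureNSG TCP '203.0.113.7' "10.$IP.190.4" 445  # non-VNet source to SMB
```

Setting the source of the Infrastructure Tier rules to VirtualNetwork, or to the specific tier prefixes that need directory services, keeps those ports from matching traffic that originates outside the design's address space.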
