Network Security Groups (NSG)
A Network Security Group (NSG) is a fundamental component of Azure's networking services. It acts as a virtual firewall for your virtual machines (VMs) and other network resources, enabling you to control inbound and outbound network traffic at the network interface (NIC) or subnet level.
What is a Network Security Group?
An NSG contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNets). Each NSG consists of:
- Inbound Security Rules: Controls traffic coming into your Azure resources.
- Outbound Security Rules: Controls traffic going out from your Azure resources.
These rules are evaluated based on priority, with lower numbers indicating higher priority. When a match is found, the rule is applied, and processing stops.
Key Concepts
- Security Rules: The core of an NSG, defining the source, destination, protocol, and port for traffic, along with an action (Allow or Deny).
- Priority: A number from 100 to 4096, used to determine the order in which rules are processed.
- Stateful Filtering: NSGs are stateful. If you send a request from a protected resource, the response traffic is automatically allowed back in, regardless of outbound rules.
- Network Interface (NIC) Level: An NSG can be associated directly with a VM's network interface. This allows for granular control over traffic to a specific VM.
- Subnet Level: An NSG can be associated with an entire subnet within a VNet. All resources within that subnet will then be subject to the NSG's rules.
Creating and Managing NSGs
You can manage NSGs through the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.
Using Azure CLI:
# Create a Network Security Group
az network nsg create --resource-group MyResourceGroup --name MyNSG
# Associate an NSG with a subnet
az network vnet subnet update --resource-group MyResourceGroup --vnet-name MyVNet --name MySubnet --network-security-group MyNSG
# Add an inbound security rule to allow SSH traffic (port 22).
# No --source-address-prefixes is given, so the source defaults to '*' and this rule admits SSH from any
# address; in practice restrict the source to an administrative address range.
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNSG --name AllowSSH --protocol Tcp --priority 100 --destination-port-range 22 --access Allow --direction Inbound
# Add an outbound security rule to deny all traffic to a specific IP range
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNSG --name DenySpecificOutbound --protocol '*' --priority 110 --destination-address-prefixes "192.168.1.0/24" --access Deny --direction Outbound
Important Considerations:
- By default, Azure creates two NSGs for each VNet: one for the subnet and one for the VM's NIC. These often contain default rules.
- The order of rules is crucial. A deny rule with a lower priority number will override an allow rule with a higher priority number if both apply to the same traffic.
- Always consider the "DenyAllInbound" and "DenyAllOutbound" default rules, which have the lowest priority (4096).
NSG Rule Priorities and Defaults
When you create an NSG, it comes with a set of default rules. These are processed first:
- AllowVNetInBound: Allows traffic from other VNets. (Priority 65000)
- AllowAzureLoadBalancerInBound: Allows Azure load balancer health probes to reach VMs. (Priority 65001)
- DenyAllInbound: Denies all inbound traffic not explicitly allowed by other rules. (Priority 65500)
- AllowVNetOutBound: Allows traffic to other VNets. (Priority 65000)
- DenyAllOutbound: Denies all outbound traffic not explicitly allowed by other rules. (Priority 65500)
You can define your custom rules with priorities ranging from 100 to 4096. Your custom rules are evaluated before the default rules.
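To make the priority ordering and first-match behaviour concrete, here is an added rule-evaluation simulator written for this page (example code, not an Azure tool or output), which walks a rule set like the one built with the CLI commands above in ascending priority order and also lists inbound Allow rules open to any source on admin ports, the kind of finding a periodic rule review should surface. The rules are a constructed sample, and the service-tag handling (VirtualNetwork as RFC 1918 space, Internet as everything else, AzureLoadBalancer as the 168.63.129.16 probe address) is a deliberate simplification.

```python
import ipaddress

def rule(name, priority, direction, access, protocol="*", source="*", destination="*", port="*"):
    return dict(name=name, priority=priority, direction=direction, access=access,
                protocol=protocol, source=source, destination=destination, port=port)

# Constructed sample: the two custom rules from the CLI examples plus Azure's default rules
# (AllowInternetOutBound is a real default that the text above does not list).
RULES = [
    rule("AllowSSH", 100, "Inbound", "Allow", "Tcp", port="22"),
    rule("DenySpecificOutbound", 110, "Outbound", "Deny", destination="192.168.1.0/24"),
    rule("AllowVNetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
    rule("DenyAllInbound", 65500, "Inbound", "Deny"),
    rule("AllowVNetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    rule("AllowInternetOutBound", 65001, "Outbound", "Allow", destination="Internet"),
    rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]

# Simplified service-tag semantics (assumption): VirtualNetwork = RFC 1918 space,
# Internet = everything else, AzureLoadBalancer = the 168.63.129.16 health-probe source.
TAGS = {
    "*": lambda a: True,
    "VirtualNetwork": lambda a: a.is_private,
    "Internet": lambda a: not a.is_private,
    "AzureLoadBalancer": lambda a: a == ipaddress.ip_address("168.63.129.16"),
}

def prefix_matches(prefix, ip):
    addr = ipaddress.ip_address(ip)
    return TAGS[prefix](addr) if prefix in TAGS else addr in ipaddress.ip_network(prefix, strict=False)

def port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")   # "22" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Walk rules in ascending priority number; the first match decides and processing stops."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != direction or r["protocol"] not in ("*", protocol):
            continue
        if (prefix_matches(r["source"], src_ip) and prefix_matches(r["destination"], dst_ip)
                and port_matches(r["port"], dst_port)):
            return r["name"], r["access"]
    return None, "Deny"  # not reached while the DenyAll* defaults are present

def wide_open_inbound(rules, ports=(22, 3389)):
    # Audit check: inbound Allow rules reachable from any Internet source on admin ports.
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["source"] in ("*", "Internet") and any(port_matches(r["port"], p) for p in ports)]
```

Feeding it the AllowSSH rule shows why the source prefix matters: SSH from the constructed Internet address 1.2.3.4 is allowed, while RDP from the same address falls through to DenyAllInbound.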
Best Practice: It's generally recommended to associate NSGs at the subnet level for consistent security policies across resources. Associate NSGs at the NIC level only when you need specific exceptions for individual VMs.
Security Best Practices
- Least Privilege: Only allow the traffic that is absolutely necessary for your applications to function.
- Use Service Tags: Instead of IP addresses, use service tags to represent the IP address prefixes of Azure services (e.g., AzureCloud, Storage). This simplifies management and keeps rules accurate as Azure's IP ranges change.
- Regularly Review Rules: Periodically audit your NSG rules to ensure they are still relevant and effective.
- Logging: Enable NSG flow logs to monitor traffic and troubleshoot connectivity issues.