Network Security Groups (NSGs)
Azure Network Security Groups (NSGs) are a fundamental building block for network security in Azure. An NSG holds inbound and outbound security rules that filter traffic to and from resources in an Azure virtual network by source and destination address, port and protocol (layers 3 and 4); traffic arriving from on-premises networks over a VPN or ExpressRoute gateway is filtered the same way. NSGs are stateful: once a flow is allowed in one direction, its return packets are allowed automatically without a matching rule in the other direction. They are a packet filter, not a full firewall: they do not inspect payloads or resolve domain names.
What is a Network Security Group?
An NSG contains a list of security rules that allow or deny network traffic. Each rule has:
- Name and priority: a number from 100 to 4096, unique within the NSG for that direction. Rules are evaluated from the lowest number to the highest, and the first rule that matches decides; no later rule is consulted.
- Direction: Inbound or Outbound.
- Source/Destination: IP addresses, CIDR blocks, service tags (such as VirtualNetwork, Internet and AzureLoadBalancer), or application security groups.
- Protocol: TCP, UDP, ICMP, ESP, AH, or Any.
- Action: Allow or Deny.
- Port: source and destination port ranges, each a single port, a range such as 1000-2000, a comma-separated list, or * for all ports.
Key Concepts
Security Rules
NSGs enforce security policies through security rules. There are two types of security rules:
- Inbound security rules: Control traffic coming into your resources.
- Outbound security rules: Control traffic leaving your resources.
Every NSG is created with a set of default rules. They cannot be edited or deleted, but because they sit at the lowest priorities (65000 and above), any custom rule in the 100-4096 range that matches the traffic is evaluated first and takes precedence.
Default Rules
When you create an NSG, it comes with the following default security rules (priority in parentheses):
- AllowVNetInBound (65000): allows traffic whose source and destination are both in the VirtualNetwork service tag, which covers the virtual network's address space, peered virtual networks and on-premises ranges reachable through a gateway.
- AllowAzureLoadBalancerInBound (65001): allows traffic from the AzureLoadBalancer tag, i.e. the load balancer's health probes.
- DenyAllInBound (65500): denies all inbound traffic not matched by a rule above it.
- AllowVnetOutBound (65000): allows all outbound traffic between VirtualNetwork addresses.
- AllowInternetOutBound (65001): allows all outbound traffic to the Internet tag. This is the permissive default to watch: a VM behind a fresh NSG can reach any Internet address until you add a Deny rule with a lower priority number.
- DenyAllOutBound (65500): denies all outbound traffic not matched by a rule above it.
Association
You can associate an NSG with:
- A specific network interface (NIC).
- A subnet within a virtual network.
If an NSG is associated with both the subnet and the NIC, traffic is evaluated against each NSG independently and must be allowed by both to pass. For inbound traffic the subnet NSG is evaluated first, then the NIC NSG; for outbound traffic the NIC NSG is evaluated first, then the subnet NSG. A Deny in either NSG blocks the flow, and an Allow in one does not override a Deny in the other. A subnet or NIC with no NSG associated imposes no filtering at that layer, so an NSG on only one of the two is the effective policy.
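The evaluation semantics above (priority order with first match, the immutable default rules at 65000 and above, and the subnet-then-NIC order with both having to allow) can be made concrete with a small simulator. This is an added example written for this page, not Azure's implementation or SDK; the service-tag ranges, sample rules and addresses are constructed, and the Internet tag is simplified to "any address outside the VirtualNetwork tag":

```python
"""Simulate Azure NSG rule evaluation: first match in priority order wins, default rules
sit at priority 65000 and above, and subnet and NIC NSGs are both consulted.
Added example, not Azure's code; service-tag ranges and sample rules are constructed."""
import ipaddress
from dataclasses import dataclass

# Stand-ins for service tags. Real tags resolve to ranges Azure maintains; the VNet range
# is assumed for this example and 168.63.129.16 is Azure's documented health-probe source.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}

@dataclass
class Rule:
    name: str
    priority: int          # custom rules use 100-4096; the lowest number is evaluated first
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "Tcp", "Udp", "Icmp" or "*"
    source: str = "*"      # CIDR, single IP, service tag or "*"
    destination: str = "*"
    dest_ports: str = "*"  # "22", "1000-2000", "80,443" or "*"

def _addr_matches(spec, ip):
    if spec in ("*", "0.0.0.0/0"):
        return True
    if spec == "Internet":  # simplification: anything outside the VirtualNetwork tag
        return not _addr_matches("VirtualNetwork", ip)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in SERVICE_TAGS.get(spec, [spec]))

def _port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def default_rules(direction):
    """The rules every NSG is created with; they cannot be edited or deleted."""
    if direction == "Inbound":
        return [Rule("AllowVNetInBound", 65000, "Inbound", "Allow",
                     source="VirtualNetwork", destination="VirtualNetwork"),
                Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow",
                     source="AzureLoadBalancer"),
                Rule("DenyAllInBound", 65500, "Inbound", "Deny")]
    return [Rule("AllowVnetOutBound", 65000, "Outbound", "Allow",
                 source="VirtualNetwork", destination="VirtualNetwork"),
            Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", destination="Internet"),
            Rule("DenyAllOutBound", 65500, "Outbound", "Deny")]

def evaluate(custom_rules, direction, proto, src_ip, dst_ip, dst_port):
    """Return (access, rule name) of the first matching rule, lowest priority number first.
    Evaluation stops at the first match, so later rules are never consulted."""
    rules = [r for r in custom_rules if r.direction == direction] + default_rules(direction)
    for r in sorted(rules, key=lambda x: x.priority):
        if r.protocol != "*" and r.protocol.lower() != proto.lower():
            continue
        if (_addr_matches(r.source, src_ip) and _addr_matches(r.destination, dst_ip)
                and _port_matches(r.dest_ports, dst_port)):
            return r.access, r.name
    return "Deny", "DenyAll"  # not reached: the DenyAll default always matches

def effective_access(direction, subnet_rules, nic_rules, proto, src_ip, dst_ip, dst_port):
    """Apply both NSGs. Inbound: subnet NSG first, then NIC NSG; outbound: NIC first, then
    subnet. Traffic must be allowed by both. None means no NSG is associated at that layer."""
    order = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        order.reverse()
    trace = []  # (layer, access, deciding rule) for each NSG consulted
    for layer, rules in order:
        if rules is None:
            continue
        access, name = evaluate(rules, direction, proto, src_ip, dst_ip, dst_port)
        trace.append((layer, access, name))
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace

# Constructed sample policy. The subnet NSG admits SSH from a management range and HTTP
# from anywhere and blocks egress to the Internet. The NIC NSG on one VM must repeat the
# SSH allow (both NSGs have to allow) and additionally blocks HTTP from the Internet.
SUBNET_RULES = [
    Rule("AllowSSHFromMgmt", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", dest_ports="22"),
    Rule("AllowHTTP", 110, "Inbound", "Allow", "Tcp", dest_ports="80"),
    Rule("DenyInternetOutBound", 100, "Outbound", "Deny", destination="Internet"),
]
NIC_RULES = [
    Rule("DenyHTTPFromInternet", 100, "Inbound", "Deny", "Tcp", "Internet", dest_ports="80"),
    Rule("AllowSSHFromMgmt", 110, "Inbound", "Allow", "Tcp", "203.0.113.0/24", dest_ports="22"),
]

if __name__ == "__main__":
    for src, port in (("203.0.113.5", 22), ("198.51.100.7", 22), ("10.0.2.9", 22), ("198.51.100.7", 80)):
        print("in ", src, port, effective_access("Inbound", SUBNET_RULES, NIC_RULES, "Tcp", src, "10.0.1.4", port))
    print("out", effective_access("Outbound", SUBNET_RULES, NIC_RULES, "Tcp", "10.0.1.4", "93.184.216.34", 443))
```

Two behaviours worth noticing in the output: an SSH connection from the management range is allowed only because the NIC NSG repeats the allow (pass `[]` as the NIC rules, i.e. an NSG with only defaults, and the NIC's DenyAllInBound blocks it; pass `None`, i.e. no NSG on the NIC, and the subnet decision stands alone), and outbound HTTPS to the Internet passes the NIC's AllowInternetOutBound default only to be stopped by the subnet's explicit Deny at priority 100.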
Use Cases
- Restricting access to specific ports: allowing SSH (port 22) or RDP (port 3389) only from designated management sources (a bastion host or your corporate address ranges), never from the Internet service tag or *.
- Segmenting network traffic: Creating different security zones for web servers, application servers, and databases.
- Preventing unauthorized outbound connections: Blocking access to certain external services.
- Enhancing security posture: Implementing a defense-in-depth strategy by layering NSGs with other Azure security services.
Creating and Managing NSGs
You can create and manage NSGs using the Azure portal, Azure PowerShell, Azure CLI, or ARM templates.
Example: Azure CLI to Create an NSG
az network nsg create --resource-group MyResourceGroup --name MyNsg
Example: Azure CLI to Add an Inbound Rule
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNsg --name AllowHTTP --protocol tcp --priority 100 --destination-port-range 80 --access Allow --direction Inbound
This rule passes no --source-address-prefixes, so the source defaults to * and port 80 is admitted from any address, including the Internet. That is acceptable for a public web port; for management ports always pass an explicit source range.
NSGs vs. Azure Firewall
While NSGs provide stateful layer 3/4 filtering, Azure Firewall is a managed, stateful network firewall that protects virtual network resources and adds what NSGs lack: threat intelligence-based filtering, centralized logging and policy management, FQDN-based and application-level (layer 7) rules, and a single enforcement point for traffic between virtual networks and to the Internet. The two are complementary rather than alternatives: Azure Firewall in a hub network enforces centralized egress and cross-network policy, while NSGs enforce segmentation at the subnet and the NIC.
The diagram referenced here (not reproduced) shows a common scenario: traffic first passes through Azure Firewall and is then evaluated against the NSG rules before reaching the VM.
Best Practices
- Use service tags: leverage service tags such as VirtualNetwork, AzureLoadBalancer and Internet instead of hand-maintained IP lists; Microsoft keeps the underlying ranges current.
- Group similar resources: use Application Security Groups (ASGs) to group VMs with the same port filtering requirements, making rules more readable and manageable.
- Regularly review rules: audit your NSG rules periodically, look especially for inbound Allow rules whose source is *, Internet or 0.0.0.0/0 on management ports, and remove anything unnecessary or overly permissive. Flow logs record which flows were allowed or denied and by which rule, so they show which rules are actually in use.
- Implement least privilege: allow only the specific sources, destinations, protocols and ports each workload needs; place explicit Deny rules at lower priority numbers than broad Allows when you need exceptions; and remember that the default AllowInternetOutBound rule permits all egress unless you deny it.
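A practical way to do the review is to export the rules and scan them for inbound Allow rules that are open to any source on every port or on a management port. The script below is an added example for this page, not an Azure tool; it reads the JSON shape that az network nsg rule list -o json emits (a list of rule objects with camelCase keys such as sourceAddressPrefix and destinationPortRanges), the sample rules are constructed, and the set of management ports it flags is an assumption:

```python
"""Audit exported NSG rules for overly permissive inbound access.
Added example, not an Azure tool. Input is the JSON list that
`az network nsg rule list -g RG --nsg-name NSG -o json` emits; the sample is constructed."""
import json
import sys

# Ports whose exposure to any source is flagged; this set is an assumption for the example.
MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
# Source prefixes that mean "anyone" (service tags compare case-insensitively).
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0", "any"}

def _values(rule, singular, plural):
    """az emits either the singular field or the plural list; normalise to one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(singular):
        vals.append(rule[singular])
    return vals

def _port_in_specs(specs, port):
    for spec in specs:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def audit_rules(rules):
    """Return (name, priority, reason) for inbound Allow rules whose source is any address
    and which open every port or a management port, sorted by priority."""
    findings = []
    for r in rules:
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(s.lower() in OPEN_SOURCES for s in sources):
            continue
        ports = _values(r, "destinationPortRange", "destinationPortRanges")
        if "*" in ports:
            findings.append((r["name"], r["priority"], "allows every port from any source"))
            continue
        exposed = [label for port, label in MGMT_PORTS.items() if _port_in_specs(ports, port)]
        if exposed:
            findings.append((r["name"], r["priority"], "exposes " + ", ".join(exposed) + " to any source"))
    return sorted(findings, key=lambda f: f[1])

def audit_json(text):
    """Convenience wrapper: parse the az JSON export and audit it."""
    return audit_rules(json.loads(text))

# Constructed sample in the shape of `az network nsg rule list` output.
SAMPLE_RULES_JSON = """[
  {"name": "AllowHTTP", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "80", "destinationPortRanges": []},
  {"name": "AllowSSHAny", "priority": 110, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "AllowSSHMgmt", "priority": 120, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": null, "sourceAddressPrefixes": ["203.0.113.0/24"],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "AllowHighPorts", "priority": 130, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "sourceAddressPrefixes": [],
   "destinationPortRange": null, "destinationPortRanges": ["3000-4000", "8080"]},
  {"name": "AllowAnyAny", "priority": 200, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "*", "destinationPortRanges": []},
  {"name": "AllowAllOut", "priority": 100, "direction": "Outbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "*", "destinationPortRanges": []}
]"""

if __name__ == "__main__":
    # Pipe a real export in: az network nsg rule list -g RG --nsg-name NSG -o json | python audit.py
    data = json.loads(SAMPLE_RULES_JSON) if sys.stdin.isatty() else json.load(sys.stdin)
    for name, prio, reason in audit_rules(data):
        print(f"{prio:>5}  {name:<20}  {reason}")
```

On the sample, AllowHTTP is not flagged (port 80 open to the world is the intended use), AllowSSHMgmt is not flagged (scoped source), while AllowSSHAny, AllowHighPorts (3389 falls inside 3000-4000, an easy thing to miss when reading a range by eye) and AllowAnyAny are reported. The script does not model shadowing by a Deny at a lower priority number, so a flagged rule should still be checked against the rest of the NSG before it is removed.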