Network Security Groups (NSGs)

Introduction

Network Security Groups (NSGs) are a fundamental component of Azure networking, providing network security at the subnet or network interface (NIC) level. They act as a distributed firewall, allowing you to filter network traffic to and from Azure resources in an Azure virtual network (VNet).

NSGs contain a list of security rules that allow or deny network traffic based on source and destination IP address, port, and protocol. By default, NSGs are associated with resources to provide a secure network environment.

NSG Components

An NSG is composed of the following key components:

  • Inbound Security Rules: Control traffic destined for resources within an Azure virtual network.
  • Outbound Security Rules: Control traffic originating from resources within an Azure virtual network.
  • Security Rule Priority: Rules are processed in order of priority, from lowest (100) to highest (4096).
  • Protocol: Specifies whether the rule applies to TCP, UDP, ICMP, or Any protocol.
  • Source/Destination: Can be IP addresses, CIDR blocks, service tags, or application security groups (ASGs).
  • Source/Destination Port Range: The port or range of ports to which the rule applies.
  • Action: Allow or Deny the traffic.

Security Rules

Security rules are the core of NSG functionality. Each rule has the following properties:

  • Name: A unique, descriptive name for the rule.
  • Priority: An integer between 100 and 4096. Lower numbers are processed first.
  • Protocol: TCP, UDP, ICMP, Any.
  • Source: Any, IP Addresses, Service Tag, Application Security Group.
  • Source port ranges: The port or range of ports for the source.
  • Destination: Any, IP Addresses, Service Tag, Application Security Group.
  • Destination port ranges: The port or range of ports for the destination.
  • Direction: Inbound or Outbound.
  • Action: Allow or Deny.

Every NSG also contains these default rules, which sit behind any rule you define:

  • AllowVnetInbound (priority 65001): Allows all inbound traffic originating within the virtual network.
  • DenyAllInbound (priority 65500): Denies all inbound traffic not already matched by a higher-priority (lower-numbered) rule.
  • AllowVnetOutbound (priority 65001): Allows all outbound traffic destined for the virtual network.
  • DenyAllOutbound (priority 65500): Denies all outbound traffic not already matched by a higher-priority (lower-numbered) rule.

Rules are evaluated in order of priority. The first rule that matches the traffic determines whether it's allowed or denied.

Service Tags

Service tags represent a group of IP addresses from a given Azure service. Microsoft manages the IP addresses within the service tag and automatically updates the service tag as the addresses change. This simplifies NSG rule creation by allowing you to specify services like AzureCloud, Storage, or SQL instead of individual IP addresses.

You can use service tags as the source or destination in your NSG security rules.

Tip: Using service tags is highly recommended for managing rules related to Azure services as it automates IP address updates.

NSG Association

An NSG can be associated with:

  • A subnet: Rules apply to all network interfaces in the subnet.
  • A network interface (NIC): Rules apply only to the specific NIC.

If an NSG is associated with both a subnet and a NIC, both sets of rules are applied. The inbound rules for the NIC are applied first, followed by the inbound rules for the subnet. The outbound rules for the subnet are applied first, followed by the outbound rules for the NIC.
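The following is an added example, not part of the original page or of Azure's own implementation: a small Python model of the rule semantics described above (first match in ascending priority order, the default rules listed earlier behind user rules, and traffic having to pass both the NIC and the subnet NSG, checked in the order the text gives). The service-tag prefixes and the VNet address space are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed service-tag table (assumed VNet address space); real tags are Microsoft-managed.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "Internet": ["0.0.0.0/0"]}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for user rules; the defaults use the values stated on this page
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # IP, CIDR, service tag or "*"
    dest: str
    dest_ports: str    # "22", "80-443" or "*"

# The default rules and priorities as listed on this page.
DEFAULTS = [
    Rule("AllowVnetInbound", 65001, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInbound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutbound", 65001, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllOutbound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

def _addr_match(spec, addr):
    if spec == "*":
        return True
    return any(ip_address(addr) in ip_network(p, strict=False) for p in SERVICE_TAGS.get(spec, [spec]))

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, pkt, direction):
    """First matching rule in ascending priority order decides. Returns (rule name, allowed)."""
    for r in sorted(list(rules) + DEFAULTS, key=lambda rule: rule.priority):
        if (r.direction == direction and r.protocol in ("*", pkt["protocol"])
                and _addr_match(r.source, pkt["src"]) and _addr_match(r.dest, pkt["dst"])
                and _port_match(r.dest_ports, pkt["dport"])):
            return r.name, r.access == "Allow"
    return "no-match", False  # not reachable: a DenyAll* default always matches

def permitted(nic_rules, subnet_rules, pkt, direction):
    """Both NSGs must allow the flow; evaluate in the order given above and report the first deny."""
    order = [("nic", nic_rules), ("subnet", subnet_rules)]  # inbound: NIC first, then subnet
    if direction == "Outbound":
        order.reverse()                                     # outbound: subnet first, then NIC
    for scope, rules in order:
        name, allowed = evaluate(rules, pkt, direction)
        if not allowed:
            return False, f"{scope}:{name}"
    return True, "allowed by both NSGs"
```

A useful audit check this makes concrete: an allow rule on the subnet NSG does nothing for a flow that the NIC NSG's DenyAllInbound still catches.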

Best Practices

  • Start with a deny-all approach: Define specific allow rules and deny everything else.
  • Use service tags: Simplify management of rules for Azure services.
  • Utilize application security groups (ASGs): Group VMs with similar security needs and apply NSG rules to these groups.
  • Organize rules by priority: Use logical numbering to make rules easy to understand and manage.
  • Leverage subnet-level NSGs: Apply security policies at a broader level where appropriate.
  • Regularly review NSG rules: Ensure they align with your current security posture.
  • Avoid using the Any source/destination and Any port range: Be as specific as possible in your rules.

Important: When a Network Security Group is associated with both a subnet and a network interface, traffic must be permitted by both NSGs. The NSG associated with the network interface is processed first for inbound traffic, and the NSG associated with the subnet is processed first for outbound traffic.