Network Security Groups (NSGs)

Azure Network Security Groups (NSGs) act as a basic firewall for virtual network resources. They enable you to filter network traffic to and from Azure resources in an Azure virtual network, subnet, and/or individual network interface.

Note: NSGs are stateful, meaning that if you allow inbound traffic on a port, return outbound traffic is automatically allowed, and vice-versa.

What are NSGs?

A Network Security Group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks. NSGs can be associated with:

  • Subnets: Rules apply to all resources within the subnet.
  • Network Interfaces (NICs): Rules apply to the specific resource attached to the NIC.

When an NSG is associated with both a subnet and a NIC, the rules from both are applied. The order of evaluation is NIC-level rules first, then subnet-level rules.

Security Rules

Each NSG contains security rules that permit or deny network traffic based on the following:

  • Priority: Rules are processed in order of priority, from lowest number to highest number.
  • Source/Destination: IP addresses, IP ranges, service tags, or application security groups.
  • Protocol: TCP, UDP, ICMP, or any.
  • Direction: Inbound or Outbound.
  • Port Ranges: Specific ports or ranges of ports.
  • Action: Allow or Deny.

[Figure: NSG rule flow diagram (flow of traffic through Network Security Groups)]

Default Security Rules

When you create an NSG, it automatically comes with a set of default rules. These rules cannot be deleted, but they can be overridden by user-defined rules with a higher priority (that is, a lower priority number), because such rules are evaluated first.

  • VNetInbound: Allows all inbound traffic within the virtual network.
  • VNetOutbound: Allows all outbound traffic within the virtual network.
  • AllowVnetInbound: Allows inbound traffic from other Azure services within the virtual network.
  • AllowAzureLoadBalancerInbound: Allows inbound traffic from the Azure Load Balancer.
  • DenyAllInbound: Denies all inbound traffic from the internet.
  • AllowInternetOutbound: Allows all outbound traffic to the internet.
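The two sections above describe how a flow is decided: rules are sorted by priority number, the first matching rule wins, and the default rules sit at the bottom of the order so that any user rule that matches takes precedence. The following model of that evaluation is an added example, not Azure code. It assumes a constructed address space for the VirtualNetwork tag (10.0.0.0/16), approximates the Internet tag as "anything outside the virtual network", and uses the priorities Azure assigns to its default rules (65000, 65001, 65500); the user rules and VM addresses are constructed for the demonstration.

```python
"""Model of how an NSG picks the rule that decides a flow: rules are
sorted by priority (lowest number first) and the first match wins.
Added example; not Azure code. Service-tag ranges, user rules and the
addresses below are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

# Constructed resolution of service tags to address ranges. Azure maintains
# these itself; here VirtualNetwork is a single /16 and AzureLoadBalancer is
# the probe address Azure uses for load balancer health checks.
SERVICE_TAGS = {
    "VirtualNetwork": [ipaddress.ip_network("10.0.0.0/16")],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, service tag or "*"
    destination: str
    dest_ports: str  # "*", "22", "80-443", or comma-separated list

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

def address_matches(prefix: str, ip: str) -> bool:
    """Match an address against a CIDR, a service tag or the wildcard."""
    if prefix == "*":
        return True
    addr = ipaddress.ip_address(ip)
    if prefix in SERVICE_TAGS:
        return any(addr in net for net in SERVICE_TAGS[prefix])
    if prefix == "Internet":
        # Simplification: anything outside the virtual network's space.
        return not any(addr in net for net in SERVICE_TAGS["VirtualNetwork"])
    return addr in ipaddress.ip_network(prefix, strict=False)

def port_matches(spec: str, port: int) -> bool:
    """Match a port against "*", a single port, a range, or a list of both."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and address_matches(rule.source, flow.src_ip)
            and address_matches(rule.destination, flow.dst_ip)
            and port_matches(rule.dest_ports, flow.dst_port))

def evaluate(rules, flow):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "<no match>"  # not reached while the default rules are present

# Default rules with the priorities Azure assigns (65000-65500). User rules
# use lower numbers, so whenever one of them matches it is applied first.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed user rules: publish HTTPS, and override the default VNet-wide
# allow so that SSH is refused even from inside the virtual network.
USER_RULES = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("DenyVnetSshInBound", 4000, "Inbound", "Deny", "Tcp", "VirtualNetwork", "*", "22"),
]

def decide(direction, protocol, src_ip, dst_ip, dst_port):
    return evaluate(DEFAULT_RULES + USER_RULES, Flow(direction, protocol, src_ip, dst_ip, dst_port))

if __name__ == "__main__":
    for args in [("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 443),
                 ("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 22),
                 ("Inbound", "Tcp", "10.0.2.7", "10.0.1.4", 22),
                 ("Inbound", "Tcp", "10.0.2.7", "10.0.1.4", 8080),
                 ("Outbound", "Tcp", "10.0.1.4", "198.51.100.9", 443)]:
        print(args, "->", decide(*args))
```

Running the block shows the three behaviours the text describes: internet traffic to 443 hits the priority 100 allow, internet traffic to 22 falls through to DenyAllInBound at 65500, and SSH from a VNet peer is stopped by the priority 4000 deny before the default AllowVnetInBound at 65000 is ever consulted, while any other VNet-internal port is still allowed by that default.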

Key Concepts

Service Tags

Service tags represent a group of IP addresses from a given Azure service. Using service tags in NSG rules simplifies security management by abstracting away the complexity of managing individual IP addresses.

Examples include Storage, VirtualNetwork, and AzureCloud.

Application Security Groups (ASGs)

Application Security Groups allow you to group virtual machines and apply network security policies to those groups. This provides a more granular and manageable approach to security, especially in complex environments.

Stateful Filtering

NSGs are stateful. This means that if you create a rule to allow inbound traffic on a specific port, the return outbound traffic for that connection is automatically allowed. Conversely, if you deny inbound traffic, the return outbound traffic is denied.

Best Practices

  • Associate NSGs with subnets whenever possible for consistent security policies.
  • Use service tags and application security groups to simplify rule management.
  • Implement the principle of least privilege by denying all traffic by default and explicitly allowing only necessary traffic.
  • Organize rules logically using priority numbers.
  • Regularly review and audit your NSG rules.
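The last two practices (least privilege and regular review) are easiest to keep up when the review is scripted. The following audit is an added example, not Azure or Azure CLI code: it reads an NSG document shaped like the JSON that `az network nsg show -o json` returns (camelCase fields, `securityRules` array, singular `sourceAddressPrefix`/`destinationPortRange` or their plural list forms) and flags inbound Allow rules whose source is the whole internet and whose destination is every port or a management port. The NSG document, the set of broad sources and the management-port list are constructed assumptions for the demonstration.

```python
"""Audit an NSG's inbound rules for broad exposure: Allow rules whose source
is the whole internet (or the wildcard) and whose destination is every port
or a management port. Added example, not Azure code; the NSG document below
is constructed to resemble `az network nsg show -o json` output."""
import json

# Constructed: source prefixes treated as "the whole internet".
BROAD_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}
# Constructed: ports whose public exposure should always be questioned.
MGMT_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM

SAMPLE_NSG_JSON = """
{
  "name": "web-nsg",
  "securityRules": [
    {"name": "AllowHttpsInBound", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "443"},
    {"name": "AllowSshFromAnywhere", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "22"},
    {"name": "AllowMgmtFromOffice", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRanges": ["22", "3389"]},
    {"name": "AllowAnyAny", "priority": 130, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefixes": ["0.0.0.0/0"],
     "destinationPortRange": "*"}
  ]
}
"""

def sources(rule):
    """Collect source prefixes from both the singular and the plural field."""
    out = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        out.add(rule["sourceAddressPrefix"])
    return out

def dest_ports(rule):
    """Collect destination port specs from both the singular and the plural field."""
    out = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        out.append(rule["destinationPortRange"])
    return out

def expands_to_management_port(spec):
    """True if a port spec ("*", "22", "3000-4000") covers a management port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return any(lo <= p <= hi for p in MGMT_PORTS)

def audit_nsg(nsg):
    """Return findings as (rule name, reason) tuples in priority order."""
    findings = []
    for rule in sorted(nsg["securityRules"], key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if not sources(rule) & BROAD_SOURCES:
            continue   # scoped to a specific prefix or tag: not a broad exposure
        ports = dest_ports(rule)
        if "*" in ports:
            findings.append((rule["name"], "allows every port from the internet"))
        elif any(expands_to_management_port(p) for p in ports):
            findings.append((rule["name"], "exposes a management port to the internet"))
    return findings

def audit_json(text):
    return audit_nsg(json.loads(text))

if __name__ == "__main__":
    for name, reason in audit_json(SAMPLE_NSG_JSON):
        print(f"{name}: {reason}")
```

The public HTTPS rule produces no finding, because a deliberately published service port is exactly what an NSG should allow; the office-scoped management rule is also left alone, since its source is a specific prefix. Only the wildcard SSH rule and the any/any rule are reported. Feeding the real CLI output into `audit_json` instead of the constructed sample is the only change needed to run this against an actual NSG.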

Tip: For more complex scenarios or advanced network security features, consider Azure Firewall, which offers centralized policy management, threat intelligence, and more.

Explore the related sections for more detailed information on configuring and managing NSG rules, associating them with resources, and troubleshooting common issues.
