Understanding and configuring inbound and outbound security rules for Azure resources.
Introduction to NSG Rules
Network Security Groups (NSGs) are Azure's basic stateful packet filter. An NSG filters traffic between Azure resources in an Azure virtual network, and between those resources and the internet, according to a list of security rules that allow or deny traffic based on source IP address (or service tag), source port, destination IP address (or service tag), destination port, and protocol. NSGs inspect layer 3/4 headers only and never look at payloads, so they complement rather than replace a network virtual appliance.
Key Concepts
- Rules: The fundamental building blocks of an NSG. Each rule defines a specific traffic flow to be allowed or denied.
- Priority: A number from 100 to 4096, unique per direction within the NSG. Rules are evaluated from the lowest number to the highest, and processing stops at the first rule whose criteria match the flow; later rules are never consulted for that flow. The built-in default rules use 65000 to 65500 and are therefore always evaluated last.
- Action: For each rule, you can specify whether to Allow or Deny the traffic.
- Direction: Rules apply to Inbound traffic (arriving at a subnet or NIC) or Outbound traffic (leaving a subnet or NIC). An NSG can be associated with a subnet, a NIC, or both; for inbound traffic the subnet NSG is evaluated first and then the NIC NSG, for outbound the NIC NSG first and then the subnet NSG, and the flow must be allowed by both. NSGs are stateful: the reply to a flow allowed in one direction is permitted without a matching rule in the other direction.
- Protocol: Specify the network protocol (e.g., TCP, UDP, ICMP, Any).
- Source/Destination: Define the IP addresses or address ranges (CIDR notation) for the traffic.
- Source/Destination Port Ranges: Specify the port numbers or ranges for the traffic.
Inbound Security Rules
Inbound security rules control traffic arriving from the internet, from elsewhere in the virtual network, or from other Azure services at your subnets or at specific resources such as Virtual Machines.
Allow SSH Access
Direction: Inbound
Priority: 100
Protocol: TCP
Source: Any
Source Port: *
Destination: Any
Destination Port: 22
Action: Allow
Description: Allows inbound SSH to any resource on port 22 from any source. With Source set to Any this exposes SSH to the entire internet and is shown only to illustrate the fields; in practice restrict Source to a management address range (CIDR) or service tag so that only known hosts can connect.
Deny HTTP Access
Direction: Inbound
Priority: 200
Protocol: TCP
Source: Any
Source Port: *
Destination: Any
Destination Port: 80
Action: Deny
Description: Blocks all inbound HTTP traffic on port 80.
Note: Every NSG has three default inbound rules that cannot be deleted: AllowVnetInBound (priority 65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500). Custom rules use priorities 100 to 4096 and are always evaluated before the defaults, so any inbound traffic you do not explicitly allow is dropped by DenyAllInBound, and a custom Deny can override the default VirtualNetwork allow. Review the defaults together with your own rules: the Deny HTTP rule above only takes effect if no lower-numbered rule already matched the flow.
Outbound Security Rules
Outbound security rules control traffic leaving your virtual network or specific resources and going to the internet or other Azure resources.
Deny Outbound SMB
Direction: Outbound
Priority: 100
Protocol: TCP
Source: Any
Source Port: *
Destination: Any
Destination Port: 445
Action: Deny
Description: Blocks outbound SMB traffic on port 445 to any destination, inside or outside the virtual network.
Allow Internet Access
Direction: Outbound
Priority: 200
Protocol: Any
Source: Any
Source Port: *
Destination: Internet
Destination Port: *
Action: Allow
Description: Allows all other outbound traffic to the internet. Internet is a service tag for the address space outside the virtual network that is reachable from the public internet.
Note: The Deny rule must carry the lower priority number. If the broad Allow were at 100 and the Deny at 150, an SMB connection to an internet address would match the Allow first and the Deny would never be evaluated. The default outbound rules (AllowVnetOutBound at 65000, AllowInternetOutBound at 65001, DenyAllOutBound at 65500) are evaluated after every custom rule, so the explicit Allow at 200 merely restates AllowInternetOutBound, while a custom Deny always takes precedence over the defaults.
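The first-match evaluation described under Key Concepts, and its effect on the outbound Deny/Allow pair above, can be modelled directly. The following is an added example, not code from the original page or from Azure: it implements the priority ordering, the default rules and a simplified view of the Internet, VirtualNetwork and AzureLoadBalancer service tags, then shows what happens when a broad Allow to Internet sits at priority 100 ahead of a Deny on 445 at 150 versus the reverse (Deny 100, Allow 200). The VNet address space 10.0.0.0/16 and the sample flows are assumptions; 168.63.129.16 is the documented Azure load-balancer probe source.

```python
"""Added example (not from the original page): a minimal model of Azure NSG
first-match evaluation, showing why a specific Deny must carry a lower
priority number than a broad Allow that would also match the flow."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Service tags modelled as address sets. Assumed: the VNet address space is
# 10.0.0.0/16. 168.63.129.16 is Azure's load-balancer health-probe source.
VNET = ipaddress.ip_network("10.0.0.0/16")
SERVICE_TAGS = {
    "VirtualNetwork": [VNET],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules, 65000+ for defaults
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, service tag or "*"
    source_port: str   # "*", "22", "1024-65535", "80,443"
    destination: str
    destination_port: str


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _addr_match(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec in ("*", "Any"):
        return True
    if spec == "Internet":  # simplification: everything outside the VNet
        return addr not in VNET
    if spec in SERVICE_TAGS:
        return any(addr in net for net in SERVICE_TAGS[spec])
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _addr_match(rule.source, flow.src_ip)
            and _port_match(rule.source_port, flow.src_port)
            and _addr_match(rule.destination, flow.dst_ip)
            and _port_match(rule.destination_port, flow.dst_port))


def evaluate(rules: Iterable[Rule], flow: Flow) -> Rule:
    """Lowest priority number wins; evaluation stops at the first match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule
    raise ValueError("no rule matched: default rules are missing")


def decision(rules: Iterable[Rule], flow: Flow) -> str:
    rule = evaluate(rules, flow)
    return f"{rule.access} by {rule.name}"


# The six default rules every NSG carries.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def outbound_rules(deny_priority: int, allow_priority: int) -> list[Rule]:
    """Defaults plus the page's outbound pair with the given priorities."""
    return DEFAULT_RULES + [
        Rule("AllowInternet", allow_priority, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
        Rule("DenySMB", deny_priority, "Outbound", "Deny", "Tcp", "*", "*", "*", "445"),
    ]


# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SMB_TO_INTERNET = Flow("Outbound", "Tcp", "10.0.0.4", 51000, "203.0.113.10", 445)
SMB_TO_VNET = Flow("Outbound", "Tcp", "10.0.0.4", 51001, "10.0.1.5", 445)
LB_PROBE = Flow("Inbound", "Tcp", "168.63.129.16", 40000, "10.0.0.4", 80)
SSH_FROM_INTERNET = Flow("Inbound", "Tcp", "198.51.100.7", 51234, "10.0.0.4", 22)

if __name__ == "__main__":
    # Allow 100 ahead of Deny 150: the Allow matches first and SMB leaks out.
    print(decision(outbound_rules(150, 100), SMB_TO_INTERNET))  # Allow by AllowInternet
    # Deny 100 ahead of Allow 200: the Deny is reached.
    print(decision(outbound_rules(100, 200), SMB_TO_INTERNET))  # Deny by DenySMB
    print(decision(DEFAULT_RULES, LB_PROBE))                    # Allow by AzureLoadBalancer default
    print(decision(DEFAULT_RULES, SSH_FROM_INTERNET))           # Deny by DenyAllInBound
```

The model deliberately ignores subnet-versus-NIC NSG layering and treats Internet as "not in the VNet"; the real tag also excludes other prefixes, but the ordering behaviour it demonstrates is the one that matters when reviewing rule sets.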
Best Practices
- Principle of Least Privilege: Only allow the traffic that is absolutely necessary.
- Use Specific IP Ranges: Avoid using 'Any' for source or destination IP addresses where possible.
- Meaningful Priorities: Leave gaps between priority numbers (for example steps of 10 or 100) so rules can be inserted later without renumbering, and give specific Deny rules a lower number than any broad Allow they must override; a Deny placed after a matching Allow is never reached.
- Leverage Service Tags: Use Azure service tags (e.g., VirtualNetwork, AzureLoadBalancer, Internet) in place of hand-maintained address ranges; a tag represents the group of IP address prefixes belonging to an Azure service, and Microsoft updates it as those prefixes change.
- Regular Review: Periodically review your NSG rules to ensure they align with your security requirements and are not overly permissive.
- Use NSG Flow Logs: Enable NSG flow logs to record, per rule, which flows were allowed or denied; use them to verify that rules behave as intended, to spot denied traffic that indicates scanning or misconfiguration, and to troubleshoot connectivity issues.
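To make the flow-log recommendation concrete, here is an added example (not code from the original page or from Azure) that parses flow log records in the version 2 layout and summarises denied inbound connections per source, flagging sources that were denied on several distinct ports. The log content is constructed for illustration; the field order assumed per tuple is time, source IP, destination IP, source port, destination port, protocol (T/U), direction (I/O), decision (A/D), flow state (B/C/E) and the four packet/byte counters, with rule names prefixed DefaultRule_ or UserRule_.

```python
"""Added example (not from the original page): parse NSG flow log records
(version 2 layout) and summarise denied inbound traffic per source."""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample. Each tuple: time,srcIp,dstIp,srcPort,dstPort,
# protocol(T/U),direction(I/O),decision(A/D),state(B/C/E),
# pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc.
# Counters are empty on a B (begin) record and populated on C/E records.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2024-01-15T10:00:00.000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     "1705312800,198.51.100.7,10.0.0.4,51234,22,T,I,D,B,,,,",
                     "1705312801,198.51.100.7,10.0.0.4,51235,3389,T,I,D,B,,,,",
                     "1705312802,198.51.100.9,10.0.0.4,51236,22,T,I,D,B,,,,",
                 ]}]},
                {"rule": "UserRule_AllowSSH",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     "1705312803,203.0.113.5,10.0.0.4,40000,22,T,I,A,B,,,,",
                     "1705312810,203.0.113.5,10.0.0.4,40000,22,T,I,A,E,12,1800,10,2400",
                 ]}]},
            ],
        },
    }]
})


@dataclass(frozen=True)
class FlowRecord:
    rule: str
    time: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    decision: str
    state: str
    bytes_total: int


def parse_flow_log(raw: str) -> list[FlowRecord]:
    """Flatten the nested records/flows/flowTuples structure into one row per tuple."""
    out: list[FlowRecord] = []
    for record in json.loads(raw)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version: {props.get('Version')}")
        for rule_entry in props["flows"]:
            for nic in rule_entry["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    if len(f) != 13:
                        raise ValueError(f"malformed tuple: {tup!r}")
                    bytes_s2d = int(f[10]) if f[10] else 0
                    bytes_d2s = int(f[12]) if f[12] else 0
                    out.append(FlowRecord(rule_entry["rule"], int(f[0]), f[1], f[2],
                                          int(f[3]), int(f[4]), f[5], f[6], f[7], f[8],
                                          bytes_s2d + bytes_d2s))
    return out


def denied_inbound_by_source(records: list[FlowRecord]) -> Counter:
    """Count denied inbound flow starts per (source IP, destination port)."""
    return Counter((r.src_ip, r.dst_port) for r in records
                   if r.direction == "I" and r.decision == "D" and r.state == "B")


def suspected_scanners(records: list[FlowRecord], min_ports: int = 2) -> list[str]:
    """Sources denied on at least min_ports distinct destination ports."""
    ports_by_src: dict[str, set[int]] = {}
    for src, port in denied_inbound_by_source(records):
        ports_by_src.setdefault(src, set()).add(port)
    return sorted(s for s, ports in ports_by_src.items() if len(ports) >= min_ports)


def bytes_by_rule(records: list[FlowRecord]) -> dict[str, int]:
    """Total bytes attributed to each rule; denied flows carry no counters."""
    totals: dict[str, int] = {}
    for r in records:
        totals[r.rule] = totals.get(r.rule, 0) + r.bytes_total
    return totals


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for (src, port), n in denied_inbound_by_source(recs).most_common():
        print(f"denied {n} inbound flow(s) from {src} to port {port}")
    print("possible scanners:", suspected_scanners(recs))
    print("bytes by rule:", bytes_by_rule(recs))
```

Real logs arrive as hourly PT1H.json blobs in a storage account with many records per file; the same parser applies, and a rule name that appears unexpectedly in the denied set (for example a DefaultRule_ where a UserRule_ was expected to allow the traffic) is the quickest signal that a custom rule has the wrong priority or address prefix.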
Example using Service Tags:
Allow inbound traffic from Azure Load Balancer
Direction: Inbound
Priority: 110
Protocol: TCP
Source: AzureLoadBalancer
Source Port: *
Destination: Any
Destination Port: 80
Action: Allow
Description: Allows health probes from the Azure Load Balancer (probe source 168.63.129.16) to port 80. The default rule AllowAzureLoadBalancerInBound (65001) already permits these probes, so an explicit rule is only needed when a custom Deny with a lower priority number would otherwise block them; the Destination Port must match the port configured on the probe.