Introduction to Network Security Groups (NSGs)
Network Security Groups (NSGs) act as a distributed firewall for your virtual network, allowing you to filter network traffic to and from Azure resources in an Azure virtual network; an NSG can be associated with a subnet or with an individual network interface. NSGs contain a list of security rules that allow or deny network traffic based on criteria such as source IP address, source port, destination IP address, destination port, and protocol.
This tutorial will guide you through the essential steps to create and configure an NSG for your Azure Virtual Network, ensuring secure network communication for your resources.
Prerequisites
- An Azure account with an active subscription.
- Basic understanding of Azure Virtual Networks and subnets.
Step-by-Step Guide
Step 1: Create a Virtual Network
Before you can configure NSGs, you need a virtual network to apply them to. If you already have a virtual network, you can skip this step.
Using Azure Portal:
- Navigate to the Azure portal and search for "Virtual networks".
- Click "+ Create".
- Fill in the required details: Subscription, Resource group, Name, Region.
- Under "IP Addresses", configure your IPv4 address space.
- Click "Review + create" and then "Create".
Using Azure CLI:
az network vnet create --resource-group MyResourceGroup --name MyVnet --address-prefix 10.0.0.0/16
Step 2: Create a Subnet
A subnet is a range of IP addresses within your virtual network. NSGs can be associated with subnets or individual network interfaces.
Using Azure Portal:
- Go to your created Virtual Network.
- Under "Settings", click "Subnets".
- Click "+ Subnet".
- Enter a Name, Address range (within the VNet's IP space), and optionally enable Delegation or NAT gateway.
- Click "Save".
Using Azure CLI:
az network vnet subnet create --resource-group MyResourceGroup --vnet-name MyVnet --name MySubnet --address-prefix 10.0.1.0/24
Step 3: Create a Network Security Group
Now, let's create the NSG itself.
Using Azure Portal:
- Search for "Network security groups" and click "+ Create".
- Select your Subscription and Resource group.
- Enter a Name for your NSG (e.g., MyNsg).
- Select the Region.
- Click "Review + create" and then "Create".
Using Azure CLI:
az network nsg create --resource-group MyResourceGroup --name MyNsg
Step 4: Associate NSG with Subnet
Linking the NSG to your subnet is crucial for traffic filtering.
Using Azure Portal:
- Navigate to your created Network Security Group.
- Under "Settings", click "Subnets".
- Click "+ Associate".
- Select your Virtual Network and the Subnet you want to associate it with.
- Click "OK".
Using Azure CLI:
First, get the NSG ID (the --network-security-group parameter accepts the NSG's name or resource ID; the subnet's own ID is not what is needed here):
NSG_ID=$(az network nsg show --resource-group MyResourceGroup --name MyNsg --query id -o tsv)
Then, associate the NSG with the subnet:
az network vnet subnet update --resource-group MyResourceGroup --vnet-name MyVnet --name MySubnet --network-security-group $NSG_ID
Note: You can also associate an NSG with an individual network interface (NIC).
Step 5: Configure Security Rules
NSGs come with default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound, AllowVnetOutBound, DenyAllOutBound). You'll typically add custom rules to control specific traffic.
Using Azure Portal:
- Navigate to your Network Security Group.
- Under "Settings", click "Inbound security rules" or "Outbound security rules".
- Click "+ Add".
- Configure the rule: Source, Source port ranges, Destination, Destination port ranges, Protocol, Action (Allow/Deny), Priority (lower numbers have higher priority), Name, and Description.
- Click "Add".
Example: Allow SSH (Port 22) from a specific IP address
Using Azure CLI:
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNsg --name AllowSSH --protocol Tcp --priority 300 --destination-port-ranges 22 --access Allow --direction Inbound --source-address-prefixes "203.0.113.0/24"
Example: Deny all outbound traffic except to specific ports
This is typically achieved by ensuring the default `DenyAllOutBound` rule remains with a high priority number (e.g., 65500) and adding specific `Allow` rules with lower priority numbers, which are evaluated first.
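The following Python model is added here and is not part of the tutorial or of Azure's tooling: it evaluates a rule set the way an NSG does (per direction, ascending priority number, first match wins) so a rule set can be checked before it is applied with the CLI, using Azure's default rules, the AllowSSH rule above, and a constructed outbound set. Note that Azure's default AllowInternetOutBound rule (priority 65001) is evaluated before DenyAllOutBound (65500), so restricting egress needs an explicit Deny rule with a lower priority number. Service-tag resolution is simplified (VirtualNetwork is taken as the 10.0.0.0/16 space only; peered networks and other tags are not modelled).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
VNET = ip_network("10.0.0.0/16")  # the VNet address space created in Step 1
@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    direction: str     # "Inbound" or "Outbound"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, service tag or "*"
    dest_port: str     # single port or "*"
    access: str        # "Allow" or "Deny"
    destination: str = "*"
def _match_addr(spec, addr):
    """Resolve a CIDR or service tag (simplified: VirtualNetwork = this VNet only)."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip_address(addr) in VNET
    if spec == "Internet":
        return ip_address(addr) not in VNET
    if spec == "AzureLoadBalancer":
        return addr == "168.63.129.16"  # Azure's health-probe source address
    return ip_address(addr) in ip_network(spec)

def evaluate(rules, direction, proto, src, dst, port):
    """First rule to match in ascending priority order decides: (access, rule name)."""
    for r in sorted(rules, key=lambda x: x.priority):
        if (r.direction == direction and r.protocol in ("*", proto)
                and _match_addr(r.source, src) and _match_addr(r.destination, dst)
                and r.dest_port in ("*", str(port))):
            return r.access, r.name
    return "Deny", "<no match>"  # unreachable while the default rules are present
# Azure's default rules (names and priorities as shown in the portal).
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Inbound", "*", "VirtualNetwork", "*", "Allow", "VirtualNetwork"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "*", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "Inbound", "*", "*", "*", "Deny"),
    Rule(65000, "AllowVnetOutBound", "Outbound", "*", "VirtualNetwork", "*", "Allow", "VirtualNetwork"),
    Rule(65001, "AllowInternetOutBound", "Outbound", "*", "*", "*", "Allow", "Internet"),
    Rule(65500, "DenyAllOutBound", "Outbound", "*", "*", "*", "Deny"),
]
# Tutorial's AllowSSH rule plus a constructed outbound set: AllowInternetOutBound (65001)
# precedes DenyAllOutBound (65500), so an explicit Deny at a lower number is what blocks egress.
CUSTOM_RULES = [
    Rule(300, "AllowSSH", "Inbound", "Tcp", "203.0.113.0/24", "22", "Allow"),
    Rule(100, "AllowHttpsOut", "Outbound", "Tcp", "*", "443", "Allow", "Internet"),
    Rule(4000, "DenyInternetOut", "Outbound", "*", "*", "*", "Deny", "Internet"),
]
```

Running evaluate(DEFAULT_RULES, "Outbound", "Tcp", "10.0.1.4", "93.184.216.34", 80) shows that the defaults alone allow Internet egress; with CUSTOM_RULES added, only port 443 passes.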
Step 6: Test Connectivity
After configuring your rules, it's essential to verify that traffic is flowing as expected and blocked where intended.
- Deploy virtual machines or other resources into the subnet associated with the NSG.
- Attempt to connect to these resources using protocols that should be allowed (e.g., SSH, RDP) from allowed IP addresses.
- Attempt to connect using protocols that should be denied or from denied IP addresses.
- Use Azure Network Watcher's Connection Troubleshoot feature for detailed analysis if connectivity issues arise.
Best Practices for NSGs
- Least Privilege: Only allow the traffic that is strictly necessary.
- Effective Security Rules: Use specific source/destination IP addresses and port ranges rather than broad ones.
- Rule Priority: Understand that lower priority numbers are processed first. Use this to your advantage to override broader rules.
- Descriptive Names: Name your rules clearly so their purpose is easily understood.
- NSG Flow Logs: Enable NSG flow logs to monitor traffic patterns and troubleshoot issues.
- Regular Review: Periodically review your NSG rules to ensure they are still relevant and secure.
- Consider Subnet vs. NIC Association: Associate NSGs at the subnet level for broader security, and at the NIC level for exceptions or specific machine security.
Conclusion
Network Security Groups are a fundamental component of securing your Azure Virtual Networks. By following this guide, you've learned how to create, associate, and configure NSGs with effective security rules. Remember to always adhere to the principle of least privilege and regularly review your security configurations to maintain a robust security posture for your Azure resources.