What are Network Security Groups (NSGs)?

A Network Security Group (NSG) is a stateful packet filtering firewall that you can associate with multiple virtual machine network interfaces (NICs) or subnets within your Azure Virtual Network.

NSGs contain a list of security rules that allow or deny inbound network traffic to an Azure resource or outbound network traffic from it. Filtering is based on the 5-tuple: source and destination IP address (or a service tag or application security group standing in for a set of addresses), source and destination port, and protocol. NSGs do not inspect payloads; for application-layer filtering you need a separate control such as a network virtual appliance or Azure Firewall.

Key features of NSGs:

  • Stateful filtering: Rules are evaluated per flow, not per packet. If an inbound rule allows a connection on a port, the response traffic is allowed automatically and no matching outbound rule is needed. A flow the VM initiates outbound is judged only by outbound rules, and its replies are allowed regardless of the inbound rules.
  • Priority-based rules: Rules are processed in order of priority.
  • Association: Can be associated with NICs, subnets, or both.

How NSGs Work

When traffic is processed by an NSG, the following logic is applied:

  1. NSG rules are evaluated based on their priority.
  2. The first rule that matches the traffic is applied, and processing stops.
  3. If no custom rule matches, the default rules decide: traffic from inside the virtual network (AllowVnetInBound) and from the Azure load balancer (AllowAzureLoadBalancerInBound) is allowed inbound, traffic to the virtual network or the Internet (AllowVnetOutBound, AllowInternetOutBound) is allowed outbound, and everything else is denied (DenyAllInBound, DenyAllOutBound).

NSGs can be associated with:

  • Network interfaces (NICs): This filters traffic for a specific VM.
  • Subnets: This filters traffic for all VMs within that subnet.

When an NSG is associated with both a subnet and a NIC, traffic is processed by both NSGs and must be allowed by each of them; a Deny in either one is final. The rules are evaluated in the following order:

  1. Inbound security rules from the subnet NSG.
  2. Inbound security rules from the NIC NSG.
  3. Outbound security rules from the NIC NSG.
  4. Outbound security rules from the subnet NSG.

Important Note

The order of processing is crucial. Ensure your rule priorities and associations are correctly configured to achieve the desired network security posture.

NSG Components

An NSG is composed of the following:

  • Security Rules: The core of an NSG, defining allow or deny actions for specific traffic.
  • Network Security Groups Associations: Linking an NSG to a subnet or NIC.
  • Service Tags: Azure-maintained groups of IP address prefixes that represent a service or region, such as Storage, Sql, AzureCloud or Internet, so rules do not need hard-coded public IP ranges that change over time.

Security Rules

Each NSG contains a set of security rules that specify how to filter traffic.

Rule Priority

Each rule has a priority number; lower numbers are evaluated first, and the first match ends processing. Custom rules use priorities 100 to 4096, and the priority must be unique within the NSG.

  • 100-4096: Available for custom rules.
  • 65000-65500: Default rules that exist in every NSG and cannot be deleted. Inbound: AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500). Outbound: AllowVnetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500).

Because custom rules always sort ahead of the defaults, any custom rule overrides them. It's best practice to leave gaps between priorities (for example 100, 110, 120) so a rule can be inserted later without renumbering, and to add an explicit custom deny (e.g. at 4096) when you need to block traffic that the default AllowVnetInBound rule would otherwise permit, such as lateral movement between subnets of the same virtual network.
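The evaluation order from "How NSGs Work" and the priority scheme above, worked through as an added Python example (not Azure code and not part of the original page). It models an NSG as a rule list sorted by priority with the six default rules appended, returns the first match, and composes a subnet NSG and a NIC NSG in Azure's order so that a flow must pass both. Service tags are reduced to a constructed table (VirtualNetwork = 10.0.0.0/16, Internet = anything outside it, AzureLoadBalancer = 168.63.129.16); the sample rules and flows are constructed for the demo.

```python
"""Simulate Azure NSG rule evaluation for a single flow.

Added example, not Azure code. Rules are sorted by priority (lowest number
first), the first match wins, the six default rules at 65000/65001/65500 sit
behind every custom rule, and with a subnet NSG plus a NIC NSG the flow must
be allowed by both (inbound: subnet then NIC; outbound: NIC then subnet).
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for service tags (Azure resolves the real ones); the
# VNet address space is assumed to be 10.0.0.0/16.
VNET = ipaddress.ip_network("10.0.0.0/16")
SERVICE_TAGS = {
    "VirtualNetwork": lambda a: a in VNET,
    "Internet": lambda a: a not in VNET,  # simplification for the demo
    "AzureLoadBalancer": lambda a: a == ipaddress.ip_address("168.63.129.16"),
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" | "Outbound"
    access: str      # "Allow" | "Deny"
    protocol: str    # "Tcp" | "Udp" | "Icmp" | "*"
    source: str      # CIDR, single IP, "*" or a service tag
    dest: str
    dest_ports: str  # "80", "1000-2000", "80,443" or "*"

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

# Default rules every NSG carries; they cannot be deleted, only overridden.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

def addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec in SERVICE_TAGS:
        return SERVICE_TAGS[spec](addr)
    return addr in ipaddress.ip_network(spec, strict=False)

def port_matches(spec: str, port: int) -> bool:
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(custom_rules, flow):
    """Return (access, rule name) of the first match in priority order."""
    for r in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == flow.direction
                and r.protocol in ("*", flow.protocol)
                and addr_matches(r.source, flow.src_ip)
                and addr_matches(r.dest, flow.dst_ip)
                and port_matches(r.dest_ports, flow.dst_port)):
            return r.access, r.name
    raise RuntimeError("unreachable: a DenyAll default always matches")

def effective_decision(subnet_rules, nic_rules, flow):
    """Compose subnet and NIC NSGs in Azure's order; a Deny in either is final."""
    order = [subnet_rules, nic_rules] if flow.direction == "Inbound" else [nic_rules, subnet_rules]
    trace = []
    for rules in order:
        access, name = evaluate(rules, flow)
        trace.append(name)
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace

# Constructed sample: the subnet opens HTTP to the Internet, the NIC closes it
# again and only admits SSH from a management subnet.
SUBNET_RULES = [Rule("AllowHTTPInbound", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "80")]
NIC_RULES = [
    Rule("DenyHTTPOnThisNic", 100, "Inbound", "Deny", "Tcp", "*", "*", "80"),
    Rule("AllowSSHFromMgmt", 110, "Inbound", "Allow", "Tcp", "10.0.0.0/24", "*", "22"),
]

if __name__ == "__main__":
    web = Flow("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 80)
    print(effective_decision(SUBNET_RULES, NIC_RULES, web))
```

Run it and the web flow comes back as Deny with the trace ["AllowHTTPInbound", "DenyHTTPOnThisNic"]: the subnet NSG allowed it, the NIC NSG denied it, and the NIC result wins because both must allow. An SSH flow from 10.0.0.7 reaches the NIC only because AllowVnetInBound let it through the subnet NSG, which is the default-rule behaviour the explicit-deny advice above is about.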

Rule Type

Rules can be either:

  • Inbound: Controls traffic entering resources within your virtual network.
  • Outbound: Controls traffic leaving resources within your virtual network.

Rule Protocol

Specifies the network protocol the rule applies to:

  • Any: Applies to all protocols.
  • TCP: Transmission Control Protocol.
  • UDP: User Datagram Protocol.
  • ICMP: Internet Control Message Protocol.
  • Esp: Encapsulating Security Payload (IPsec).
  • Ah: Authentication Header (IPsec).

Source/Destination

Defines the origin or destination of the traffic:

  • IP Addresses/CIDR blocks: Specify individual IP addresses or ranges (e.g., 10.0.0.0/16).
  • Service Tags: Azure-defined groups of IP addresses (e.g., Internet, VirtualNetwork, AzureLoadBalancer).
  • Application Security Groups (ASGs): Named groups of VM network interfaces, so a rule can refer to a workload role (e.g., web servers, database servers) instead of IP addresses that change as VMs are added or replaced.

Port Ranges

Specifies the source port range and the destination port range the rule matches, in either direction. In practice the source port is almost always * (clients pick ephemeral ports) and the destination port names the service, so an inbound rule for a web server matches destination port 80 and an outbound rule for reaching a database matches destination port 1433.

  • You can specify individual ports (e.g., 80), ranges (e.g., 8000-8080), comma-separated lists (e.g., 80,443), or the * wildcard for any port.

Action

Determines whether to allow or deny the traffic that matches the rule criteria:

  • Allow: Permits the traffic.
  • Deny: Blocks the traffic.

Example: Allow HTTP inbound traffic

The rule below, in the ARM template shape, allows TCP port 80 from any source. Note that sourceAddressPrefix "*" includes the Internet; narrow it (for example to a load balancer's address, a service tag or an ASG) when the service is not meant to be public.

{
  "name": "AllowHTTPInbound",
  "properties": {
    "priority": 100,
    "protocol": "Tcp",
    "access": "Allow",
    "direction": "Inbound",
    "sourceAddressPrefix": "*",
    "sourcePortRange": "*",
    "destinationAddressPrefix": "*",
    "destinationPortRange": "80"
  }
}
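The rule above uses sourceAddressPrefix "*", which admits the whole Internet. The following Python script is an added example (not Azure tooling and not part of the original page) that reads NSG rules in the ARM shape shown above and flags inbound Allow rules whose source is "*", "Internet" or "0.0.0.0/0" and whose destination ports reach SSH, RDP or WinRM, or are unrestricted. The rule list is constructed for the demo and includes the page's AllowHTTPInbound rule; the management-port list is an assumption. It does not model shadowing by a higher-priority Deny, so its findings are candidates for review rather than confirmed exposure.

```python
"""Audit ARM-style NSG rules for management ports exposed to the Internet.

Added example, not Azure tooling. Walks properties.securityRules in the shape
shown on this page and flags inbound Allow rules whose source covers the whole
Internet ("*", "Internet", "0.0.0.0/0") and whose destination ports reach
SSH/RDP/WinRM or are unrestricted. Shadowing by a higher-priority Deny is not
modelled, so findings are candidates for review, not confirmed exposure.
"""
import json

# Assumed list of ports that should never be reachable from the Internet.
MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed input: the page's AllowHTTPInbound rule plus four made-up rules.
SAMPLE_NSG = json.loads("""
{
  "name": "web-nsg",
  "properties": {
    "securityRules": [
      {"name": "AllowHTTPInbound", "properties": {"priority": 100, "protocol": "Tcp",
        "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "*",
        "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "80"}},
      {"name": "AllowSSHFromAnywhere", "properties": {"priority": 110, "protocol": "Tcp",
        "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "Internet",
        "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "22"}},
      {"name": "AllowRdpRange", "properties": {"priority": 120, "protocol": "*",
        "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "0.0.0.0/0",
        "sourcePortRange": "*", "destinationAddressPrefix": "10.0.1.0/24", "destinationPortRange": "3000-4000"}},
      {"name": "AllowSSHFromBastion", "properties": {"priority": 130, "protocol": "Tcp",
        "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "10.0.0.0/24",
        "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "22"}},
      {"name": "AllowWinRmList", "properties": {"priority": 140, "protocol": "Tcp",
        "access": "Allow", "direction": "Inbound", "sourceAddressPrefixes": ["10.0.0.0/24", "Internet"],
        "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRanges": ["5985", "5986"]}}
    ]
  }
}
""")

def port_ranges(props):
    """Destination ports as (lo, hi) tuples; accepts the singular and plural field."""
    specs = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    ranges = []
    for spec in specs:
        if spec == "*":
            ranges.append((0, 65535))
        else:
            lo, _, hi = spec.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def sources(props):
    """Source prefixes as a set; accepts the singular and plural field."""
    return set(props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")])

def audit(nsg):
    """Return (rule name, reason) for every Internet-facing inbound Allow rule
    that reaches a management port or leaves the destination port open."""
    findings = []
    for rule in nsg["properties"]["securityRules"]:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        if not (sources(p) & OPEN_SOURCES):
            continue
        ranges = port_ranges(p)
        if (0, 65535) in ranges:
            findings.append((rule["name"], "all ports open to the Internet"))
            continue
        exposed = [svc for port, svc in sorted(MGMT_PORTS.items())
                   if any(lo <= port <= hi for lo, hi in ranges)]
        if exposed:
            findings.append((rule["name"], "exposes " + ", ".join(exposed)))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_NSG):
        print(f"{name}: {reason}")
```

Against the sample, AllowHTTPInbound is not flagged (port 80 is not a management port, even though the source is open), AllowSSHFromBastion is not flagged (source restricted), and the other three are: the range rule is caught because 3000-4000 contains 3389, which a name-based review would miss. To audit a live NSG, feed the output of `az network nsg show` into audit() in place of the constructed document.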

Associating NSGs

You can associate an NSG with:

  • Subnets: All VMs in the subnet inherit the NSG's rules. This is the recommended approach for consistent security.
  • Network Interfaces (NICs): Applies rules only to the specific VM connected to that NIC. This provides more granular control but can be complex to manage at scale.

When an NSG is associated with both, inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG; outbound traffic is evaluated by the NIC NSG first and then by the subnet NSG. In both directions the traffic must be allowed by both NSGs, so a permissive NIC rule cannot open a port the subnet NSG denies, and vice versa.

Next Steps

Now that you understand the fundamentals of Network Security Groups, explore these resources to implement them effectively: