Network Security Group (NSG) Overview
A Network Security Group (NSG) is a logical collection of security rules that is applied to network interfaces (NICs) or subnets. You can associate NSGs with virtual machines, virtual machine scale sets, and subnets within your Azure virtual network.
NSGs enable you to filter network traffic to and from Azure resources in an Azure virtual network. They act as a distributed firewall, allowing you to define inbound and outbound security rules to allow or deny traffic based on a variety of attributes.
Core Components of an NSG
- Security Rules: Each NSG contains a set of security rules. Each rule carries a priority number, and rules are processed in ascending priority order, so rules with lower numbers are evaluated first.
- Priority: A unique number between 100 and 4096. Lower numbers indicate higher priority.
- Direction: Rules can be applied to Inbound or Outbound traffic.
- Action: For each rule, you can specify whether to Allow or Deny the traffic.
- Protocol: You can specify TCP, UDP, ICMP, or Any protocol.
- Source/Destination: You can specify IP addresses, CIDR blocks, service tags, or application security groups.
- Source/Destination Port Range: You can specify a range of ports or individual ports.
Default Security Rules
When you create an NSG, it automatically includes a set of default rules:
- AllowVNetInbound: Allows all traffic from within the virtual network.
- AllowAzureLoadBalancerInbound: Allows inbound traffic from the Azure Load Balancer to reach your instances.
- DenyAllInbound: Denies all inbound traffic from the internet.
- AllowVnetOutbound: Allows all outbound traffic to within the virtual network.
- DenyAllOutbound: Denies all outbound traffic to the internet.
You can modify or delete these rules, except for the explicit deny rules. However, it's generally recommended to keep the deny rules for security purposes and create your own allow rules.
How NSGs Work
An NSG can be associated with:
- A Network Interface (NIC): This filters traffic to and from the specific Azure resource (e.g., a virtual machine) connected to the NIC.
- A Subnet: This filters traffic to and from all resources within that subnet.
If NSGs are associated with both a NIC and its subnet, both NSGs are evaluated, and traffic is allowed only if both of them allow it. A deny in either NSG blocks the traffic, so the most restrictive rule takes precedence.
Benefits of Using NSGs
- Granular Traffic Control: Define precise rules for inbound and outbound traffic.
- Enhanced Security: Reduce the attack surface by blocking unnecessary ports and protocols.
- Network Segmentation: Isolate different tiers or workloads within your virtual network.
- Compliance: Help meet regulatory compliance requirements by enforcing security policies.
- Integration: Works seamlessly with other Azure networking services.
Example Scenario
Consider a three-tier application deployed in Azure:
- Web Tier: Needs to accept inbound traffic on port 443 (HTTPS) from the internet.
- Application Tier: Needs to accept inbound traffic from the Web Tier on specific application ports.
- Database Tier: Should only accept inbound traffic from the Application Tier on the database port.
You can achieve this by applying NSGs to the subnets of each tier, defining rules that allow only the necessary traffic between them and restricting internet access to only the Web Tier.
Here's a conceptual example of an inbound rule to allow HTTPS traffic:
- Source: Any
- Source Port Ranges: *
- Destination: Any
- Destination Port Ranges: 443
- Protocol: TCP
- Action: Allow
- Priority: 300
- Name: AllowHTTPSInbound
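The following Python model is an added example, not code from the page or from Azure; it simulates how NSG rules are evaluated (lowest priority number first, first match decides, default rules last, subnet NSG and NIC NSG both consulted) and applies that to the three-tier scenario and the AllowHTTPSInbound rule above. The subnet addresses, the simplified service tags and the database port are assumptions constructed for the example, and the AllowAzureLoadBalancerInbound default rule is omitted. It also shows why the database tier needs an explicit deny above the default AllowVNetInbound rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags modelled for this constructed example; real tags resolve to
# Azure-maintained prefix lists. The VNet address space 10.0.0.0/16 is assumed.
TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "*": ["0.0.0.0/0"]}
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100-4096 for custom rules; default rules sit at 65000+
    direction: str    # "Inbound" or "Outbound"
    action: str       # "Allow" or "Deny"
    protocol: str     # "TCP", "UDP", "ICMP" or "Any"
    source: str       # CIDR or service tag
    dest: str         # CIDR or service tag
    dest_ports: str   # "*", a single port, or "lo-hi"

def _match_addr(spec, addr):
    return any(ip_address(addr) in ip_network(c) for c in TAGS.get(spec, [spec]))

def _match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, proto, src, dst, port):
    """Lowest priority number first; the first matching rule decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in (proto, "Any")
                and _match_addr(r.source, src) and _match_addr(r.dest, dst)
                and _match_port(r.dest_ports, port)):
            return r.action == "Allow", r.name
    return False, "NoMatch"   # unreachable while DenyAllInbound is present
# Default inbound rules from the page (AzureLoadBalancer rule omitted here).
DEFAULT_INBOUND = [
    Rule("AllowVNetInbound", 65000, "Inbound", "Allow", "Any", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInbound", 65500, "Inbound", "Deny", "Any", "*", "*", "*"),
]
# Constructed subnets: web 10.0.1.0/24, app 10.0.2.0/24, db 10.0.3.0/24. DenyVNetToDb
# is needed because AllowVNetInbound would otherwise admit every VNet host to the DB port.
WEB_NSG = [Rule("AllowHTTPSInbound", 300, "Inbound", "Allow", "TCP", "*", "*", "443")] + DEFAULT_INBOUND
DB_NSG = [Rule("AllowAppToDb", 200, "Inbound", "Allow", "TCP", "10.0.2.0/24", "*", "5432"),
          Rule("DenyVNetToDb", 250, "Inbound", "Deny", "Any", "VirtualNetwork", "*", "*")] + DEFAULT_INBOUND

def allowed_inbound(subnet_nsg, nic_nsg, proto, src, dst, port):
    """Subnet NSG is evaluated first, then the NIC NSG; both must allow."""
    return all(evaluate(nsg, "Inbound", proto, src, dst, port)[0]
               for nsg in (subnet_nsg, nic_nsg))
```

Calling `evaluate(DB_NSG[:1] + DEFAULT_INBOUND, "Inbound", "TCP", "10.0.1.4", "10.0.3.4", 5432)` shows the web tier reaching the database through AllowVNetInbound once the explicit deny is dropped.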
Conclusion
Network Security Groups are a fundamental component of Azure networking for securing your cloud resources. By understanding and effectively utilizing NSGs, you can build a robust and secure network infrastructure in Azure.