Network Security Groups
Network Security Groups (NSGs) are a fundamental building block for network security in Azure. They allow you to filter network traffic to and from Azure resources in an Azure virtual network, subnets, and individual network interfaces.
An NSG is a collection of security rules that allow or deny network traffic to resources connected to Azure Virtual Network. NSGs can be associated with either the virtual machine's network interface (NIC) or the subnet that the virtual machine resides in, or both.
How Network Security Groups Work
Each security rule within an NSG specifies the following properties:
- Source/Destination: IP addresses, IP ranges, service tags, or application security groups.
- Protocol: TCP, UDP, ICMP, or Any.
- Source/Destination Port Ranges: Specific ports or ranges of ports.
- Action: Allow or Deny.
- Priority: A number from 100 to 4096. Lower numbers indicate higher priority. Rules are processed in order of priority.
- Name: A unique identifier for the rule.
- Description: An optional explanation of the rule.
Azure processes rules in an NSG in priority order. If traffic matches a rule, the action (Allow or Deny) is applied, and no further rules are evaluated. If no rules match, the traffic is denied by default.
Types of Security Rules
NSGs contain two types of security rules:
1. Security Rules
These are the custom rules you define to control traffic. They have the following characteristics:
| Property | Description |
|---|---|
| Priority | Unique number from 100 to 4096. Lower numbers have higher priority. |
| Source | IP Address, IP Range, Service Tag, or Application Security Group. |
| Source Port Range | * or a range of ports (e.g., 80-88). |
| Destination | IP Address, IP Range, Service Tag, or Application Security Group. |
| Destination Port Range | * or a range of ports (e.g., 443). |
| Protocol | Tcp, Udp, Icmp, Any. |
| Action | Allow, Deny. |
| Name | Unique name for the rule. |
| Description | Optional text description. |
2. Default Security Rules
When you create an NSG, several default rules are automatically created to provide basic security. You cannot delete these rules, but you can override them with custom rules with higher priority (lower number).
| Name | Priority | Source | Source Port Range | Destination | Destination Port Range | Protocol | Action |
|---|---|---|---|---|---|---|---|
| AllowVnetInBound | 65001 | VirtualNetwork | * | VirtualNetwork | * | * | Allow |
| AllowAzureLoadBalancerInBound | 65002 | AzureLoadBalancer | * | * | * | * | Allow |
| DenyAllInBound | 65500 | * | * | * | * | * | Deny |
| AllowVnetOutBound | 65001 | VirtualNetwork | * | * | * | * | Allow |
| AllowInternetOutBound | 65002 | * | * | Internet | * | * | Allow |
| DenyAllOutBound | 65500 | * | * | * | * | * | Deny |
The priority number is crucial. Rules are evaluated from the lowest priority number to the highest. The first rule that matches the traffic determines the action (Allow or Deny).
Associating NSGs
You can associate an NSG with:
- A Subnet: All network interfaces in the subnet inherit the NSG's rules.
- A Network Interface (NIC): Rules apply only to that NIC. If the subnet also has an NSG, traffic is filtered by both, so it must be allowed by the subnet NSG and by the NIC NSG to get through.
If an NSG is associated with both a subnet and a NIC, both sets of rules apply to the traffic. Each NSG is evaluated on its own, in its own priority order, and a rule in one NSG does not override a rule in the other: an Allow in the NIC NSG does not get traffic past a Deny in the subnet NSG, and vice versa.
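The following Python model, added here as an illustration rather than anything from Azure or its SDKs, works through the evaluation semantics described above and in "How Network Security Groups Work": rules sorted by priority, first match wins, the default rules from the table as the fallback, and a subnet NSG plus a NIC NSG that must both allow a flow. Service-tag membership (which addresses count as VirtualNetwork or Internet) is supplied on each constructed flow as a set of tags, since the real tag contents are resolved by Azure, not by this model.

```python
import ipaddress
from collections import namedtuple

# Rule fields mirror the NSG properties above; Flow is one connection being checked.
Rule = namedtuple("Rule", "name priority direction source src_port destination dst_port protocol access")
Flow = namedtuple("Flow", "direction src_ip src_tags src_port dst_ip dst_tags dst_port protocol")

# The default rules from the table (priorities 65001-65500; cannot be deleted, only out-prioritised).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65001, "Inbound", "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65002, "Inbound", "AzureLoadBalancer", "*", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65001, "Outbound", "VirtualNetwork", "*", "*", "*", "*", "Allow"),
    Rule("AllowInternetOutBound", 65002, "Outbound", "*", "*", "Internet", "*", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "*", "Deny"),
]

def addr_matches(spec, ip, tags):
    """spec is '*', a service tag, or a CIDR; tags are the service tags the address belongs to."""
    if spec == "*" or spec in tags:
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # a service tag this address is not part of

def port_matches(spec, port):
    lo, _, hi = spec.partition("-")  # spec is "*", a single port such as "443", or a range "80-88"
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def evaluate(rules, flow):
    """Lowest priority number first; the first matching rule decides; no match means Deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == flow.direction and r.protocol in ("*", flow.protocol)
                and addr_matches(r.source, flow.src_ip, flow.src_tags)
                and addr_matches(r.destination, flow.dst_ip, flow.dst_tags)
                and port_matches(r.src_port, flow.src_port)
                and port_matches(r.dst_port, flow.dst_port)):
            return r.access, r.name
    return "Deny", "(no matching rule)"

def effective_access(subnet_rules, nic_rules, flow):
    """Subnet NSG and NIC NSG are each evaluated on their own; the flow must be allowed by both."""
    results = [evaluate(rs + DEFAULT_RULES, flow) for rs in (subnet_rules, nic_rules)]
    verdict = "Allow" if all(access == "Allow" for access, _ in results) else "Deny"
    return verdict, [name for _, name in results]

# Constructed scenario: subnet NSG opens HTTPS to everyone; NIC NSG opens HTTPS too but denies one range first.
SUBNET_NSG = [Rule("AllowHttpsIn", 100, "Inbound", "*", "*", "*", "443", "Tcp", "Allow")]
NIC_NSG = [Rule("DenyBlockedRangeIn", 100, "Inbound", "203.0.113.0/24", "*", "*", "*", "*", "Deny"),
           Rule("AllowHttpsIn", 200, "Inbound", "*", "*", "*", "443", "Tcp", "Allow")]
FROM_INTERNET = Flow("Inbound", "198.51.100.7", frozenset({"Internet"}), 50000,
                     "10.0.1.4", frozenset({"VirtualNetwork"}), 443, "Tcp")
```

`effective_access(SUBNET_NSG, NIC_NSG, FROM_INTERNET)` returns `("Allow", ["AllowHttpsIn", "AllowHttpsIn"])`, while the same flow from 203.0.113.9 is denied by the NIC NSG even though the subnet NSG allows it.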
NSG Flow Logs
NSG Flow Logs allow you to capture information about IP traffic flowing to and from network interfaces covered by an NSG. This data can be used for network monitoring, troubleshooting, and compliance.
For easier organization and management, it's recommended to associate NSGs with subnets rather than individual NICs, unless there's a specific requirement for granular, per-NIC control.
Next Steps
Explore how to create and manage Network Security Groups in the Azure portal, PowerShell, or Azure CLI.
- Create an NSG
- Configure NSG Rules