What are Network Security Groups?
Azure Network Security Groups (NSGs) act as a virtual firewall for your Azure resources to protect them from unauthorized network access. They contain a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet).
NSGs can be associated with Network Interfaces (NICs) of virtual machines or with subnets within a VNet. This provides granular control over traffic flow at both the resource and subnet level.
Key Features and Benefits
Stateful Packet Inspection
NSGs are stateful. If you allow inbound traffic on a port, the return outbound traffic is automatically allowed.
Rule Prioritization
Rules are processed based on priority. Lower numbers indicate higher priority. The first rule that matches the traffic is applied.
Predefined and Custom Rules
NSGs include common predefined rules (like RDP and SSH) and allow you to create custom rules based on IP addresses, ports, and protocols.
Association Flexibility
Associate NSGs with individual NICs for VM-level control or with subnets for broader scope management.
Service Tags and Application Security Groups
Use service tags and application security groups (ASGs) to simplify rule management and improve readability.
Logging and Auditing
Enable NSG flow logs to gain insights into network traffic patterns and for security auditing purposes.
How Network Security Groups Work
An NSG contains security rules that specify source and destination IP addresses, ports, and protocols. Each rule has an associated priority (a number from 100 to 4096) and an action (Allow or Deny).
When traffic is sent to or from an Azure resource, the NSG associated with its NIC or subnet is consulted. The NSG evaluates the rules based on their priority. The first rule that matches the traffic criteria determines whether the traffic is allowed or denied.
Example Rule Structure (note that the Deny rule with priority 110 is evaluated before the Allow rule with priority 300, regardless of the order in which the rows are listed):
Source (IP addresses) | Source Port Ranges | Destination (IP addresses) | Destination Port Ranges | Protocol | Action | Priority
----------------------|--------------------|----------------------------|-------------------------|----------|--------|---------
Any | * | 10.0.0.4/32 | 3389 | TCP | Allow | 300
192.168.1.0/24 | * | Any | 22 | TCP | Deny | 110
NSGs also have default rules that cannot be deleted but can be modified. These include rules for inbound and outbound traffic that are essential for basic Azure functionality.
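To make the priority-ordered, first-match evaluation described above concrete, here is an added Python model (not Azure's code and not from the original page) that evaluates inbound traffic against the two rules from the table plus Azure's default AllowVnetInBound (65000) and DenyAllInBound (65500) rules. The sample VNet range 10.0.0.0/16 and the reduction of service tags to VNet membership are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed sample VNet address space

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 100-4096 for custom rules; Azure's defaults sit at 65000+
    source: str      # CIDR, "Any"/"*", or the VirtualNetwork / Internet tag
    dest: str
    dest_ports: str  # "*", one port such as "22", or a range such as "1024-65535"
    protocol: str    # "TCP", "UDP", or "*"
    action: str      # "Allow" or "Deny"

def _addr_match(spec, addr):
    # Service tags are modelled as VNet membership (an assumption; real tags
    # are Azure-maintained prefix lists).
    ip = ipaddress.ip_address(addr)
    if spec in ("Any", "*"):
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":
        return ip not in VNET
    return ip in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, dst_ip, dst_port, protocol):
    """Walk rules from the lowest priority number upward; the first match decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _addr_match(r.source, src_ip)
                and _addr_match(r.dest, dst_ip) and _port_match(r.dest_ports, dst_port)):
            return r.action, r.name
    return "Deny", "implicit"  # not reached while DenyAllInBound is in the list

# The two custom rules from the table above plus two of Azure's default inbound
# rules (AllowAzureLoadBalancerInBound, priority 65001, is omitted for brevity).
RULES = [
    Rule("Allow-RDP", 300, "Any", "10.0.0.4/32", "3389", "TCP", "Allow"),
    Rule("Deny-SSH-from-branch", 110, "192.168.1.0/24", "Any", "22", "TCP", "Deny"),
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Any", "Any", "*", "*", "Deny"),
]
```

Traffic from outside the VNet to 10.0.0.4 on TCP/22 falls through both custom rules and AllowVnetInBound and is stopped by DenyAllInBound, while the same traffic from another VNet address is allowed at 65000.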
Common Use Cases
- Securing Web Servers: Allow inbound traffic on ports 80 (HTTP) and 443 (HTTPS) while blocking all other inbound ports.
- Protecting Database Servers: Restrict inbound access to database ports (e.g., 1433 for SQL Server) only from application servers.
- Isolating Network Segments: Create rules to control traffic flow between different subnets in your VNet.
- Blocking Malicious IPs: Implement deny rules for known malicious IP addresses or ranges.
- Controlling Outbound Access: Restrict outbound connections from VMs to only necessary services or IP addresses.
Best Practices for NSGs
- Least Privilege: Only allow the traffic that is absolutely necessary.
- Use Subnet NSGs for Broad Rules: Apply general security policies at the subnet level.
- Use NIC NSGs for Specific Rules: Use NIC-level NSGs for exceptions or more granular control for individual VMs.
- Leverage Service Tags: Use predefined service tags (e.g., AzureLoadBalancer, Internet) for simplified rule configuration.
- Utilize Application Security Groups (ASGs): Group VMs with similar security requirements into ASGs to simplify rule management.
- Regularly Review NSG Rules: Periodically audit your NSG rules to ensure they are still relevant and effective.
- Enable NSG Flow Logs: Monitor traffic and analyze security events.
Get Started with Azure NSGs
Effectively managing your network security is crucial for cloud deployments. Azure Network Security Groups provide a robust and flexible solution to protect your valuable resources.