Network Security Groups (NSGs)
Network Security Groups (NSGs) are a fundamental component of Azure's network security infrastructure. They allow you to filter network traffic to and from Azure resources in an Azure virtual network (VNet), subscription, resource group, or individual resource.
What are NSGs?
An NSG acts as a virtual firewall for your network resources. It contains a list of security rules that allow or deny network traffic based on criteria such as:
- Source IP address or range
- Source port or range
- Destination IP address or range
- Destination port or range
- Protocol (TCP, UDP, ICMP, Any)
- Action (Allow, Deny)
Key Components of an NSG
- Security Rules: These are the core of an NSG. Each rule has a priority, name, protocol, source, destination, and specifies whether to Allow or Deny the traffic.
- Priority: Rules are processed in order of priority, from lowest number to highest number. A priority of 100 is processed before a priority of 200.
- Direction: Rules can be applied to inbound or outbound traffic.
- Association: NSGs can be associated with a Network Interface (NIC) or a Subnet. When associated with a subnet, the rules apply to all resources within that subnet. If an NSG is associated with both a NIC and its subnet, both sets of rules are applied.
Default Security Rules
When you create an NSG, it comes with a set of default rules that cannot be deleted, only modified. These are:
- AllowVnetInBound: Allows all traffic within the Azure virtual network.
- AllowAzureLoadBalancerInBound: Allows Azure load balancer health probes to reach all VMs.
- DenyAllInBound: Blocks all inbound traffic except for the preceding rules.
- AllowVnetOutBound: Allows all outbound traffic within the Azure virtual network.
- DenyAllOutBound: Blocks all outbound traffic except for the preceding rules.
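To make the priority ordering and the subnet-plus-NIC evaluation concrete, here is an added Python model of inbound NSG evaluation. It is not Azure's code or part of the original page: it encodes the first-match-by-ascending-priority semantics, the three default inbound rules at their real priorities (65000, 65001, 65500), and the rule that inbound traffic must pass the subnet NSG and then the NIC NSG. The VNet address space 10.0.0.0/16, the rule names DenyBlockedHostSSH and AllowSSH, and the source addresses are constructed sample values; the Internet service tag is simplified to "any address outside the VNet".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of NSG rule evaluation (added example, not Azure's code).
# Azure evaluates rules in ascending priority order; the first match decides.

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, "*" or a service tag such as "VirtualNetwork"
    dest_port: str   # single port, "lo-hi" range or "*"

# Assumed VNet address space used to resolve the VirtualNetwork service tag.
VNET_SPACE = ip_network("10.0.0.0/16")
# Azure's load balancer health probes originate from this well-known address.
LOAD_BALANCER_IP = ip_address("168.63.129.16")

def _match_source(rule_source, src_ip):
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET_SPACE
    if rule_source == "AzureLoadBalancer":
        return ip == LOAD_BALANCER_IP
    if rule_source == "Internet":          # simplified: anything outside the VNet
        return ip not in VNET_SPACE
    return ip in ip_network(rule_source, strict=False)

def _match_port(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port

# Default inbound rules as created with every NSG; they sit at the bottom
# of the priority range so any custom rule (100-4096) is evaluated first.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

def evaluate(rules, direction, protocol, src_ip, dest_port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if not _match_source(rule.source, src_ip):
            continue
        if not _match_port(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule>"  # not reached while the default rules are present

def evaluate_inbound_path(subnet_rules, nic_rules, protocol, src_ip, dest_port):
    """Inbound traffic is checked by the subnet NSG first, then the NIC NSG; both must allow."""
    access, name = evaluate(subnet_rules, "Inbound", protocol, src_ip, dest_port)
    if access == "Deny":
        return "Deny", f"subnet:{name}"
    access, name = evaluate(nic_rules, "Inbound", protocol, src_ip, dest_port)
    return access, f"nic:{name}"

# Constructed sample NSGs: the subnet NSG blocks one host at priority 200 and
# allows SSH from a /24 at priority 300; the NIC NSG only allows the same /24.
SUBNET_NSG = DEFAULT_INBOUND + [
    Rule("DenyBlockedHostSSH", 200, "Inbound", "Deny", "Tcp", "203.0.113.99/32", "22"),
    Rule("AllowSSH", 300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
]
NIC_NSG = DEFAULT_INBOUND + [
    Rule("AllowSSH", 300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
]

if __name__ == "__main__":
    print(evaluate(SUBNET_NSG, "Inbound", "Tcp", "203.0.113.5", 22))    # lower priority number wins
    print(evaluate(SUBNET_NSG, "Inbound", "Tcp", "203.0.113.99", 22))   # Deny at 200 beats Allow at 300
    print(evaluate(SUBNET_NSG, "Inbound", "Tcp", "10.0.1.4", 3389))     # caught by AllowVnetInBound
    # A NIC NSG with only default rules still denies the SSH the subnet NSG allowed.
    print(evaluate_inbound_path(SUBNET_NSG, DEFAULT_INBOUND, "Tcp", "203.0.113.5", 22))
    print(evaluate_inbound_path(SUBNET_NSG, NIC_NSG, "Tcp", "203.0.113.5", 22))
```

The last two calls show the point of the Association bullet: a permissive subnet rule is not enough when the NIC has its own NSG with only the default rules, because DenyAllInBound on the NIC still drops the traffic.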
Creating and Managing NSGs
Using the Azure Portal
You can create and manage NSGs through the Azure portal:
- Navigate to the Azure portal.
- Search for "Network Security Groups" and select it.
- Click "+ Create" to create a new NSG.
- Fill in the required details (Subscription, Resource group, Name, Region).
- Once created, you can configure inbound and outbound security rules.
Using Azure CLI
Here's an example of how to create an NSG and add a rule using the Azure CLI:
```bash
# Create a new NSG
az network nsg create --resource-group myResourceGroup --name myNsg --location eastus

# Add an inbound security rule to allow SSH traffic (port 22).
# No source is given, so the rule's source defaults to * (any address);
# pass --source-address-prefixes to restrict it to the networks that need SSH.
az network nsg rule create --resource-group myResourceGroup --nsg-name myNsg --name AllowSSH --priority 300 --protocol Tcp --dest-port-range 22 --access Allow --direction Inbound

# Associate the NSG with a subnet
az network vnet subnet update --resource-group myResourceGroup --vnet-name myVnet --name mySubnet --network-security-group myNsg
```
Best Practices
- Least Privilege: Apply the principle of least privilege by only allowing the necessary traffic.
- Use Subnet Association: Associate NSGs with subnets for broader control.
- Meaningful Names: Use descriptive names for your NSG rules.
- Regular Review: Periodically review your NSG rules to ensure they are still relevant and effective.
- Service Tags: Utilize service tags (e.g., VirtualNetwork, AzureLoadBalancer, Internet) to simplify rule management.
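The Regular Review and Least Privilege points can be turned into a repeatable check. The following Python is an added example, not part of the page or of any Azure tooling: it walks a list of NSG rules and reports inbound Allow rules whose source is unrestricted ("*", the Internet service tag, or 0.0.0.0/0) and whose destination ports include a management port. The rule dictionaries are constructed samples with simplified field names, not the exact JSON that `az network nsg rule list` returns; the management-port list is an assumption a reviewer would adapt.

```python
# Added review helper (constructed example, not Azure tooling).
# Ports commonly used for remote administration; extend to taste.
MANAGEMENT_PORTS = {22, 3389}
# Source specifications that mean "anyone on the internet" for an inbound rule.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

def _port_set(spec):
    """Expand '22', '20-25' or '*' into a set of ports; '*' returns None (all ports)."""
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return set(range(lo, hi + 1))
    return {int(spec)}

def review_rules(rules):
    """Return (name, priority, exposed_ports) for inbound Allow rules that open
    management ports to any source, ordered by priority so the most
    significant rules (lowest number) come first."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["source"] not in ANY_SOURCE:
            continue
        ports = _port_set(rule["destPortRange"])
        exposed = MANAGEMENT_PORTS if ports is None else MANAGEMENT_PORTS & ports
        if exposed:
            findings.append((rule["name"], rule["priority"], sorted(exposed)))
    return findings

# Constructed sample rule set. AllowSSH mirrors the CLI rule above, which
# defaults to source "*" because no source prefix was supplied.
SAMPLE_RULES = [
    {"name": "AllowSSH", "priority": 300, "direction": "Inbound", "access": "Allow",
     "source": "*", "destPortRange": "22"},
    {"name": "AllowWebFromInternet", "priority": 310, "direction": "Inbound", "access": "Allow",
     "source": "Internet", "destPortRange": "80"},
    {"name": "AllowRdpFromOffice", "priority": 320, "direction": "Inbound", "access": "Allow",
     "source": "203.0.113.0/24", "destPortRange": "3389"},
    {"name": "AllowAnyFromInternet", "priority": 400, "direction": "Inbound", "access": "Allow",
     "source": "Internet", "destPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "source": "*", "destPortRange": "*"},
]

if __name__ == "__main__":
    for name, priority, ports in review_rules(SAMPLE_RULES):
        print(f"review: rule {name} (priority {priority}) allows ports {ports} from any source")
```

AllowRdpFromOffice is not reported because its source is a specific range, which is the least-privilege shape the CLI rule should have been given in the first place; AllowWebFromInternet is not reported because port 80 is not on the watch list.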
Important: NSGs do not filter traffic between subnets by default. For inter-subnet traffic filtering, consider Azure Firewall or User Defined Routes (UDRs) in conjunction with NSGs.
Pro Tip: For more granular control and centralized management of network security across your Azure environment, explore Azure Firewall.