Azure Network Security Groups (NSGs)
Azure Network Security Groups (NSGs) are a fundamental component for controlling network traffic to and from Azure resources within an Azure virtual network. They act as a distributed firewall at the network interface (NIC) or subnet level, allowing you to define granular inbound and outbound security rules.
What are NSGs?
An NSG contains a list of security rules that allow or deny network traffic. NSGs are associated with either network interfaces (NICs) of virtual machines or with subnets within a virtual network. When associated with a subnet, the rules apply to all resources within that subnet. NSGs are stateless, meaning they track the state of network traffic only to determine if a given packet should be allowed or denied. You need to define both inbound and outbound rules for a specific traffic flow.
Key Concepts
- Security Rules: Each NSG contains a set of security rules. These rules are processed in priority order, with lower numbers indicating higher priority.
- Priority: A number from 100 to 4096. Rules are evaluated in order of priority. Once a rule matches, the packet is allowed or denied, and processing stops.
- Protocol: Specifies the protocol of the traffic (e.g., TCP, UDP, ICMP, Any).
- Source/Destination: Can be an IP address, IP range, service tag, or application security group.
- Source/Destination Port Range: Specifies the port(s) for the traffic.
- Action: Allow or Deny.
- Direction: Inbound or Outbound.
Default Rules
Every NSG comes with a set of default rules that are created automatically. These rules cannot be deleted but can be overridden by rules with higher priority (lower priority number).
- AllowVnetInBound (priority 65000): allows all inbound traffic from within the virtual network.
- AllowAzureLoadBalancerInBound (priority 65001): allows inbound traffic from the Azure Load Balancer.
- DenyAllInBound (priority 65500): denies all inbound traffic.
- AllowVnetOutBound (priority 65000): allows all outbound traffic to destinations within the virtual network.
- DenyAllOutBound (priority 65500): denies all outbound traffic.
How NSGs Work
When traffic is sent to or from an Azure resource, the NSG associated with the NIC (if any) is evaluated first. If no NSG is associated with the NIC, the NSG associated with the subnet is evaluated. If both are associated, the NIC-level NSG takes precedence.
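The priority-ordered, first-match evaluation described above, with the default rules sitting at the end of the list, can be simulated in a few lines. The following is an added example, not code from the page or from Azure itself: it evaluates a single NSG against constructed inbound packets. It assumes a VNet address space of 10.0.0.0/16 to resolve the VirtualNetwork service tag and models the AzureLoadBalancer tag as the Azure health-probe source address 168.63.129.16; the custom rules and source addresses are constructed for the demonstration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: the virtual network's address space, used here to resolve
# the VirtualNetwork service tag. Real Azure resolves the tag from the VNet itself.
VNET_PREFIXES = ["10.0.0.0/16"]
# Assumption for this simulation: the AzureLoadBalancer tag is modelled as the
# Azure health-probe source address.
AZURE_LB_PROBE_IP = "168.63.129.16"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number = evaluated earlier
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # IP, CIDR, "*" or a service tag handled below
    dest_port: str      # "*", "22" or "1000-2000"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_port: int


# The inbound default rules from the page; they sit at the end of every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed custom rules: a block for one misbehaving host sits at a lower
# number (200) than the broader allow (300), so it is evaluated first.
CUSTOM_INBOUND = [
    Rule("Deny-SSH-Blocked-Host", 200, "Inbound", "Deny", "Tcp", "203.0.113.66", "22"),
    Rule("Allow-SSH-Inbound", 300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
]

RULES = CUSTOM_INBOUND + DEFAULT_INBOUND


def _source_matches(prefix: str, ip: str) -> bool:
    if prefix == "*":
        return True
    addr = ipaddress.ip_address(ip)
    if prefix == "VirtualNetwork":
        return any(addr in ipaddress.ip_network(p) for p in VNET_PREFIXES)
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    # A bare IP address is treated as a /32 (or /128) network.
    return addr in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _protocol_matches(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "*" or rule_proto.lower() == pkt_proto.lower()


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (access, rule name) for the first rule that matches in priority order.

    Processing stops at the first match, as the page describes; the DenyAllInBound
    default guarantees that some rule always matches.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == pkt.direction
                and _protocol_matches(rule.protocol, pkt.protocol)
                and _source_matches(rule.source, pkt.src_ip)
                and _port_matches(rule.dest_port, pkt.dst_port)):
            return rule.access, rule.name
    raise RuntimeError("no rule matched; the default rules should make this unreachable")


if __name__ == "__main__":
    samples = [
        Packet("Inbound", "Tcp", "203.0.113.10", 22),   # allowed by the custom SSH rule
        Packet("Inbound", "Tcp", "203.0.113.66", 22),   # denied first by the lower-numbered block
        Packet("Inbound", "Tcp", "198.51.100.7", 22),   # no custom match: falls to DenyAllInBound
        Packet("Inbound", "Tcp", "10.0.1.5", 3389),     # intra-VNet traffic: AllowVnetInBound
    ]
    for pkt in samples:
        access, name = evaluate(RULES, pkt)
        print(f"{pkt.src_ip}:{pkt.dst_port}/{pkt.protocol} -> {access} ({name})")
```

The point to take from the output is that a rule never "overrides" another by being broader or more specific; only the priority number decides which one is consulted first, and anything that no custom rule matches ends at DenyAllInBound.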
Best Practice
It is generally recommended to associate NSGs with subnets rather than individual NICs for easier management and consistent security policies across your virtual network.
Creating and Managing NSGs
You can create and manage NSGs using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.
Example: Allowing SSH traffic to a VM
To allow SSH (port 22) access to a virtual machine, you would create an inbound security rule:
{
  "name": "Allow-SSH-Inbound",
  "properties": {
    "priority": 300,
    "protocol": "Tcp",
    "access": "Allow",
    "direction": "Inbound",
    "sourceAddressPrefix": "*",
    "sourcePortRange": "*",
    "destinationAddressPrefix": "*",
    "destinationPortRange": "22"
  }
}
For production environments, it is highly recommended to restrict the sourceAddressPrefix to specific IP addresses or ranges to enhance security.
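A quick way to catch rules like the one above before they reach production is to scan rule definitions for inbound Allow rules that open a management port to any source. The following is an added example, not code from the page or an Azure tool: it parses rules in the same name/properties shape as the JSON above and reports the offending ones. The sample rule set is constructed; it contains the page's rule verbatim, a hardened copy with a restricted sourceAddressPrefix, a web rule that is not flagged, and a rule using the plural sourceAddressPrefixes and destinationPortRanges fields. The management-port list and the set of "any source" prefixes are assumptions of the check.

```python
from __future__ import annotations

import json

# Ports whose exposure to any source is flagged (constructed list for this check).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
# Source prefixes that mean "anyone on the Internet can reach this port".
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

# Constructed sample in the same shape as the rule on the page.
SAMPLE_RULES_JSON = """
[
  {"name": "Allow-SSH-Inbound",
   "properties": {"priority": 300, "protocol": "Tcp", "access": "Allow", "direction": "Inbound",
                  "sourceAddressPrefix": "*", "sourcePortRange": "*",
                  "destinationAddressPrefix": "*", "destinationPortRange": "22"}},
  {"name": "Allow-SSH-Inbound-Restricted",
   "properties": {"priority": 310, "protocol": "Tcp", "access": "Allow", "direction": "Inbound",
                  "sourceAddressPrefix": "203.0.113.0/24", "sourcePortRange": "*",
                  "destinationAddressPrefix": "*", "destinationPortRange": "22"}},
  {"name": "Allow-HTTPS-Inbound",
   "properties": {"priority": 320, "protocol": "Tcp", "access": "Allow", "direction": "Inbound",
                  "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
                  "destinationAddressPrefix": "*", "destinationPortRange": "443"}},
  {"name": "Allow-Broad-Range-Inbound",
   "properties": {"priority": 330, "protocol": "*", "access": "Allow", "direction": "Inbound",
                  "sourceAddressPrefixes": ["Internet"], "sourcePortRange": "*",
                  "destinationAddressPrefix": "*", "destinationPortRanges": ["3000-4000"]}}
]
"""


def _listed(props: dict, singular: str, plural: str) -> list[str]:
    """Collect a property given either as a single value or in its plural list form."""
    values = []
    if props.get(singular):
        values.append(props[singular])
    values.extend(props.get(plural, []))
    return values


def _port_range(text: str) -> range:
    """Turn "*", "22" or "3000-4000" into a Python range of port numbers."""
    if text == "*":
        return range(0, 65536)
    lo, _, hi = text.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def find_exposed_management_rules(rules: list[dict]) -> list[tuple[str, int, list[str]]]:
    """Return (name, priority, exposed ports) for inbound Allow rules that open a
    management port to any source, in priority order."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        props = rule["properties"]
        if props["direction"] != "Inbound" or props["access"] != "Allow":
            continue
        sources = _listed(props, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(src in ANY_SOURCE for src in sources):
            continue
        exposed = []
        for text in _listed(props, "destinationPortRange", "destinationPortRanges"):
            ports = _port_range(text)
            exposed += [f"{p}/{label}" for p, label in MANAGEMENT_PORTS.items() if p in ports]
        if exposed:
            findings.append((rule["name"], props["priority"], sorted(set(exposed))))
    return findings


def load_rules(text: str) -> list[dict]:
    return json.loads(text)


if __name__ == "__main__":
    for name, priority, exposed in find_exposed_management_rules(load_rules(SAMPLE_RULES_JSON)):
        print(f"{name} (priority {priority}) exposes {', '.join(exposed)} to any source")
```

The broad-range rule is the case worth noticing: nothing in it names port 3389, yet the range covers it, so a check that compares port strings literally would miss it. Feeding exported rule definitions through a check like this is a cheap review step before they are applied.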
Service Tags and Application Security Groups
NSGs support service tags (e.g., Internet, AzureCloud) and application security groups (ASGs) to simplify rule management. ASGs let you group VMs and apply network security rules to those groups, abstracting away the individual IP addresses.
Conclusion
Azure Network Security Groups are a critical tool for implementing network security in your Azure environment. By defining appropriate inbound and outbound rules, you can effectively control traffic flow and protect your applications and data.