Azure Network Security Group (NSG) Rules

This document provides a comprehensive guide to understanding and configuring Network Security Group (NSG) rules in Azure. NSGs are a fundamental component for network security in Azure, allowing you to filter network traffic to and from Azure resources in an Azure virtual network.

What is a Network Security Group?

A Network Security Group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Network. NSGs can be associated with Network Interfaces (NICs) or subnets, or both. When an NSG is associated with both, the rules applied are for the NIC. If only associated with a subnet, the rules apply to all resources in that subnet.

Key Concepts

• Rules: Each NSG contains multiple security rules, each with a priority, name, protocol, source, destination, and allow/deny action.
• Priority: Rules are processed in order of priority, starting with the lowest numbered priority.
• Direction: Rules can be inbound (traffic entering a resource) or outbound (traffic leaving a resource).
• Protocol: Specifies the network protocol (e.g., TCP, UDP, ICMP, Any).
• Source/Destination: Can be IP addresses, IP ranges, service tags (e.g., VirtualNetwork, Internet), or application security groups (ASGs).
• Port Ranges: Specifies the ports for traffic.
• Action: Allows or denies the traffic.
• Stateful: NSGs are stateful. If you allow inbound traffic on a port, the return traffic is automatically allowed, and vice versa for denied traffic.

Types of NSG Rules

NSGs have two types of rules:

Default Security Rules:

Every NSG has a set of default rules that cannot be deleted. These rules provide basic network connectivity and are applied before custom rules.

Custom Security Rules:

You can create custom rules to define your specific security requirements. Custom rules are processed after the default rules.

Default Rule Examples

Creating and Managing NSG Rules

You can manage NSG rules using the Azure portal, Azure CLI, Azure PowerShell, or REST API.

Using the Azure Portal

1. Navigate to your Network Security Group resource in the Azure portal.
2. Under "Settings," select "Inbound security rules" or "Outbound security rules."
3. Click "Add" to create a new rule.
4. Configure the rule's priority, name, source, destination, protocol, ports, and action.
5. Click "Add" to save the rule.

Example: Allowing SSH access

To allow inbound SSH (TCP port 22) from a specific IP address range:

# Azure CLI Example (Conceptual)
az network nsg rule create \
  --resource-group MyResourceGroup \
  --nsg-name MyNSG \
  --name AllowSSH \
  --priority 300 \
  --protocol Tcp \
  --destination-port-ranges 22 \
  --access Allow \
  --direction Inbound \
  --source-address-prefixes '203.0.113.0/24'
            

Best Practices

• Use lowest priority for specific rules: Define your most specific rules with the lowest priority numbers.
• Use service tags: Leverage service tags like Internet, VirtualNetwork, and AzureCloud for easier management.
• Group resources with ASGs: For complex environments, use Application Security Groups (ASGs) to group VMs and apply NSG rules to the group.
• Regularly audit rules: Review your NSG rules periodically to ensure they align with your security policies.
• Deny by default: Implement a principle of least privilege by denying all traffic by default and only allowing what is explicitly required.

Next Steps

Learn more about Network Security Groups and related Azure networking features:

• Azure Virtual Networks Overview
• Azure Firewall Basics
• Azure Load Balancer