Azure Network Security Groups (NSGs) are a fundamental component of network security in Microsoft Azure. They act as a virtual firewall for your network resources, allowing you to control inbound and outbound traffic at the network interface (NIC) or subnet level.
What are Network Security Groups?
An NSG contains a list of security rules that allow or deny network traffic to resources connected to an Azure Virtual Network (VNet). NSGs can be associated with one or more subnets, or with individual network interfaces (NICs) of virtual machines.
Key Components of an NSG:
- Security Rules: These are the core of an NSG. Each rule defines:
  - Priority: A number that dictates the order in which rules are evaluated. Lower numbers have higher priority.
  - Source/Destination: The source or destination the rule applies to, given as IP addresses, IP ranges, service tags, or application security groups.
  - Port: The protocol port(s) the rule applies to.
  - Protocol: The network protocol (e.g., TCP, UDP, ICMP, Any).
  - Action: Whether to Allow or Deny the traffic.
- Network Security Groups (NSGs): The container for security rules. You can associate an NSG with a subnet or a NIC.
- Service Tags: Represent a group of IP address prefixes from a given Azure service. For example, "Storage" represents Azure Storage IP addresses.
- Application Security Groups (ASGs): Allow you to group virtual machines and apply network security rules based on these groups, simplifying management.
How NSGs Work:
When traffic is sent to or from an Azure resource, the NSG associated with it is evaluated. Rules are processed in order of priority. The first rule that matches the traffic determines whether the traffic is allowed or denied.
Important Note: If no NSG is associated with a resource, all traffic is allowed by default. However, Azure's default security rules within an NSG allow all inbound and outbound traffic. You must explicitly configure rules to restrict traffic.
Default Security Rules:
Every NSG includes a set of default rules that cannot be deleted but can be overridden by rules with higher priority (lower number):
- AllowVNetInBound: Allows all traffic within the virtual network.
- AllowAzureLoadBalancerInBound: Allows Azure load balancer health probes to reach your instances.
- DenyAllInBound: Denies all inbound traffic except for the preceding rules.
- AllowVnetOutBound: Allows all traffic to destinations within the virtual network.
- AllowInternetOutBound: Allows all outbound traffic to the internet.
- DenyAllOutBound: Denies all outbound traffic except for the preceding rules.
Associating NSGs:
- Subnet Association: Applying an NSG to a subnet affects all NICs and resources within that subnet. This is the most common and recommended approach for consistent security policies.
- NIC Association: Applying an NSG directly to a NIC affects only that specific network interface. This is useful for specific scenarios requiring granular control over a single VM.
If both a subnet and a NIC have NSGs associated, both NSGs are evaluated. The order of evaluation is NIC NSG first, then subnet NSG.
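The following is an added example, not code from the page or from Azure: a small Python model of the evaluation described above (priority order, first match wins, the three default inbound rules as the floor, and a subnet NSG plus a NIC NSG that must both allow a flow). The Rule fields, the SERVICE_TAGS prefix stand-ins and the WEB_SUBNET_RULES rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    source: str     # CIDR prefix, "*" or a service-tag name
    dest_port: str  # "*", a single port or a "lo-hi" range
    protocol: str   # "Tcp", "Udp", "Icmp" or "*"
    action: str     # "Allow" or "Deny"
# Constructed stand-ins for service-tag prefixes (Azure resolves the real ones).
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "Internet": ["0.0.0.0/0"],
                "AzureLoadBalancer": ["168.63.129.16/32"]}
# The default inbound rules every NSG carries; custom rules must use lower numbers.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny")]

def _source_matches(rule_src, src_ip):
    prefixes = ["0.0.0.0/0"] if rule_src == "*" else SERVICE_TAGS.get(rule_src, [rule_src])
    return any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(p) for p in prefixes)

def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(custom_rules, src_ip, port, protocol):
    """Priority-ordered first match over custom + default rules -> (action, rule name)."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _source_matches(r.source, src_ip)
                and _port_matches(r.dest_port, port)):
            return r.action, r.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")

def effective_inbound(subnet_rules, nic_rules, src_ip, port, protocol):
    """When both a subnet NSG and a NIC NSG apply, each one must allow the flow."""
    verdicts = [evaluate(rs, src_ip, port, protocol) for rs in (subnet_rules, nic_rules)]
    return ("Allow" if all(a == "Allow" for a, _ in verdicts) else "Deny"), verdicts

# Constructed web-tier subnet NSG: a Deny at 90 wins over the Allows below it,
# 80/443 are open to the Internet, SSH only from an admin prefix.
WEB_SUBNET_RULES = [
    Rule("DenyBlockedPrefix", 90, "192.0.2.0/24", "*", "*", "Deny"),
    Rule("AllowWeb", 100, "Internet", "80", "Tcp", "Allow"),
    Rule("AllowWebTLS", 110, "Internet", "443", "Tcp", "Allow"),
    Rule("AllowAdminSSH", 120, "203.0.113.0/24", "22", "Tcp", "Allow")]
```

Note what happens when a NIC NSG with only the default rules is added to a VM in this subnet: the subnet rules allow HTTPS from the Internet, but the NIC NSG falls through to DenyAllInBound, so the flow is denied.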
Benefits of Using NSGs:
- Granular Control: Define precise rules for inbound and outbound traffic.
- Network Segmentation: Isolate workloads by applying different security policies to subnets.
- Cost-Effective Security: Integrated into Azure with no additional infrastructure costs.
- Simplified Management: Especially when using Service Tags and Application Security Groups.
Use Cases:
- Restricting inbound access to web servers to ports 80 and 443 only.
- Denying all outbound traffic except for essential services.
- Allowing traffic only between specific application tiers (e.g., web to database).
- Securing access to sensitive resources by limiting source IP addresses.
Understanding and effectively configuring Network Security Groups is crucial for building secure and robust applications on Azure. Refer to the following resources for more detailed information and configuration guides.