Network Security Group (NSG) Rules Overview
Network Security Groups (NSGs) are a fundamental component of Azure's networking security. They allow you to filter network traffic to and from Azure resources in an Azure virtual network (VNet). NSGs contain a list of security rules that allow or deny network traffic. These rules are evaluated based on the priority number. The lower the priority number, the higher the priority of the rule.
Understanding NSG Rule Components
Each NSG rule has several key components:
| Component | Description |
|---|---|
| Name | A unique name for the rule. |
| Priority | An integer between 100 and 4096, inclusive. Lower numbers have higher priority. |
| Source | Specifies the source of traffic. Can be an IP address, CIDR block, service tag, or an application security group (ASG). |
| Source port ranges | The port or port ranges from which traffic originates. `*` indicates all ports. |
| Destination | Specifies the destination of traffic. Similar options to 'Source'. |
| Destination port ranges | The port or port ranges to which traffic is directed. `*` indicates all ports. |
| Protocol | The protocol to which the rule applies (e.g., TCP, UDP, ICMP, Any). |
| Direction | `Inbound` or `Outbound`. |
| Action | `Allow` or `Deny`. |
| Description | An optional text description for the rule. |
Rule Processing Order
When traffic enters or leaves a network interface or subnet, Azure evaluates the NSG rules associated with it. The rules are processed in the following order:
- Default Rules: Every NSG has a set of default rules with priorities from 65500 to 65527. These rules cannot be deleted but can be overridden by custom rules with lower priority numbers.
- Custom Rules: Rules that you create. They are processed in order of their priority number, from lowest to highest.
The first rule that matches the traffic's characteristics determines whether the traffic is allowed or denied. If no rule matches, the traffic is denied by default (except for outbound traffic to the internet, which is allowed by default).
Important Consideration
When using `Deny` rules, always ensure you have corresponding `Allow` rules for necessary traffic, especially for outbound connections. A common mistake is to block all outbound traffic without allowing specific ports for essential services.
Example NSG Rule
Consider the following rule:
Name: Allow-HTTPS-Inbound
Priority: 110
Source: Internet
Source port ranges: *
Destination: VirtualNetwork
Destination port ranges: 443
Protocol: TCP
Direction: Inbound
Action: Allow
Description: Allow inbound HTTPS traffic from the internet to web servers.
This rule allows inbound TCP traffic on port 443 (HTTPS) from any source (`Internet`) to any destination within the virtual network. Because its priority number (110) is lower than those of the default rules, it's evaluated before them.
Service Tags and Application Security Groups
- Service Tags: Predefined groups of IP address ranges that represent a given Azure service. Examples include `Internet`, `AzureCloud`, and specific service tags like `Storage` or `Sql.WestUS`. Using service tags simplifies rule management.
- Application Security Groups (ASGs): Allow you to group virtual machines and virtual network interfaces. You can then use ASGs as the source or destination in NSG rules, making it easier to manage security policies for applications rather than individual VMs.
Pro Tip
Leverage Application Security Groups to manage security rules for your application tiers (e.g., web servers, application servers, database servers). This approach is more scalable and maintainable than managing rules based on individual VM IP addresses.
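The processing order, the Deny/Allow consideration, the Allow-HTTPS-Inbound example and the service-tag and ASG resolution described above can all be exercised in one place. The following is an added Python model, not Azure's code and not code from this page: it assumes a VNet address space of 10.0.0.0/16, treats `Internet` as any address outside that space (the real tag is Azure's published public ranges), resolves ASG names through a caller-supplied membership dict, and carries the six built-in rules under the names and priorities the Azure portal lists for them. `demo_https_rule` runs the page's rule against a constructed HTTPS flow and an SSH flow; `demo_outbound_lockdown` shows a blanket outbound Deny blocking even intra-VNet database traffic until an explicit Allow to a hypothetical `db-tier` ASG is added at a lower priority number.

```python
"""Toy model of Azure NSG evaluation: sort by priority, first match wins, default
rules, service tags and ASGs. Added illustration; not Azure's implementation."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

VNET = [ip_network("10.0.0.0/16")]  # constructed VNet space behind the 'VirtualNetwork' tag
Flow = namedtuple("Flow", "direction protocol src src_port dst dst_port")

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str             # IP, CIDR, service tag or ASG name
    source_ports: str       # "*", "443", "8000-8080" or "80,443"
    destination: str
    destination_ports: str
    protocol: str           # "TCP", "UDP", "ICMP" or "*"
    direction: str          # "Inbound" or "Outbound"
    action: str             # "Allow" or "Deny"
    builtin: bool = False   # default rules sit outside the 100-4096 custom range

    def __post_init__(self):
        if not self.builtin and not 100 <= self.priority <= 4096:
            raise ValueError(f"{self.name}: custom priority must be 100-4096")

def _default(name, prio, src, dst, direction, action):
    return Rule(name, prio, src, "*", dst, "*", "*", direction, action, builtin=True)

# The default rules every NSG carries, with the names and priorities Azure shows.
DEFAULT_RULES = [
    _default("AllowVNetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "Inbound", "Allow"),
    _default("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Inbound", "Allow"),
    _default("DenyAllInBound", 65500, "*", "*", "Inbound", "Deny"),
    _default("AllowVnetOutBound", 65000, "VirtualNetwork", "VirtualNetwork", "Outbound", "Allow"),
    _default("AllowInternetOutBound", 65001, "*", "Internet", "Outbound", "Allow"),
    _default("DenyAllOutBound", 65500, "*", "*", "Outbound", "Deny"),
]

def address_matches(spec: str, addr: str, asgs: Dict[str, Set[str]]) -> bool:
    ip = ip_address(addr)
    in_vnet = any(ip in net for net in VNET)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":           # simplification: any address outside the VNet
        return not in_vnet
    if spec == "AzureLoadBalancer":  # Azure's fixed health-probe source address
        return ip == ip_address("168.63.129.16")
    if spec in asgs:                 # an ASG name resolves to its member addresses
        return any(ip == ip_address(m) for m in asgs[spec])
    if "/" in spec:
        return ip in ip_network(spec, strict=False)
    return ip == ip_address(spec)

def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule: Rule, flow: Flow, asgs) -> bool:
    return (rule.protocol in ("*", flow.protocol)
            and address_matches(rule.source, flow.src, asgs)
            and port_matches(rule.source_ports, flow.src_port)
            and address_matches(rule.destination, flow.dst, asgs)
            and port_matches(rule.destination_ports, flow.dst_port))

def evaluate(custom_rules: List[Rule], flow: Flow, asgs=None) -> Tuple[str, str]:
    """(action, rule name) of the first rule that matches, in priority order."""
    asgs = asgs or {}
    rules = [r for r in list(custom_rules) + DEFAULT_RULES if r.direction == flow.direction]
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow, asgs):
            return rule.action, rule.name
    return "Deny", "implicit"  # unreachable while the DenyAll defaults exist

def demo_https_rule():
    """The page's Allow-HTTPS-Inbound rule against constructed HTTPS and SSH flows."""
    https = Rule("Allow-HTTPS-Inbound", 110, "Internet", "*", "VirtualNetwork", "443",
                 "TCP", "Inbound", "Allow")
    web = Flow("Inbound", "TCP", "203.0.113.7", 51234, "10.0.1.4", 443)
    ssh = Flow("Inbound", "TCP", "203.0.113.7", 51234, "10.0.1.4", 22)
    return evaluate([https], web), evaluate([https], ssh)

def demo_outbound_lockdown():
    """A blanket outbound Deny at priority 4000 also beats the default
    AllowVnetOutBound rule; a higher-priority Allow to the db-tier ASG restores it."""
    asgs = {"db-tier": {"10.0.2.5"}}  # constructed ASG membership
    deny_all = Rule("Deny-All-Outbound", 4000, "*", "*", "*", "*", "*", "Outbound", "Deny")
    to_db = Flow("Outbound", "TCP", "10.0.1.4", 40000, "10.0.2.5", 1433)
    allow_sql = Rule("Allow-SQL-To-DB-Tier", 200, "VirtualNetwork", "*", "db-tier", "1433",
                     "TCP", "Outbound", "Allow")
    return evaluate([deny_all], to_db, asgs), evaluate([deny_all, allow_sql], to_db, asgs)
```

The SSH flow in `demo_https_rule` falls through every custom rule and both permissive defaults until `DenyAllInBound` catches it, which is the "denied if nothing matches" behaviour the processing-order section describes. In `demo_outbound_lockdown`, the custom Deny at 4000 sorts ahead of `AllowVnetOutBound` at 65000, so the database connection is dropped until the Allow at 200 is present.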
Best Practices for NSG Rules
- Principle of Least Privilege: Only allow the traffic that is absolutely necessary.
- Use Descriptive Names: Make rule names clear about their purpose.
- Organize by Priority: Group related rules and leave gaps in priority numbers for future additions.
- Leverage Service Tags and ASGs: Simplify management and improve readability.
- Regularly Review Rules: Audit your NSG rules periodically to ensure they are still relevant and effective.
- Test Changes: Before implementing significant NSG changes in production, test them in a development or staging environment.
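Several of these practices (least privilege for inbound rules, gaps between priorities, and the outbound-lockdown caveat from the Important Consideration section) can be checked mechanically from an NSG's rule export. The following audit is an added example, not a Microsoft tool: it reads rule objects in the property shape Azure Resource Manager uses for `securityRules` (the shape `az network nsg rule list -o json` returns), with `SAMPLE_RULES` constructed here for the demonstration. The `min_gap` of 10 between adjacent priority numbers is an assumed house convention, and the management-port list is limited to SSH and RDP.

```python
"""Static review of NSG rules against the best practices above. Added example,
not an Azure tool. Rows use the Azure Resource Manager securityRule property
names, the shape 'az network nsg rule list -o json' returns."""
from typing import Dict, List

MANAGEMENT_PORTS = {22, 3389}   # SSH and RDP

# Constructed sample: an HTTPS rule, an RDP rule open to everyone at the very
# next priority number, and an outbound lockdown with no Allow rule in front of it.
SAMPLE_RULES = [
    {"name": "Allow-HTTPS-Inbound", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "443"},
    {"name": "Allow-RDP-Inbound", "priority": 111, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "Deny-All-Outbound", "priority": 4000, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "sourcePortRange": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]

def _ranges(rule: Dict, single: str, plural: str) -> List[str]:
    # ARM stores one value in e.g. destinationPortRange and several in destinationPortRanges.
    return list(rule.get(plural) or [rule.get(single, "*")])

def port_covered(ranges: List[str], port: int) -> bool:
    for spec in ranges:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def audit_rules(rules: List[Dict], min_gap: int = 10) -> List[str]:
    """Return human-readable findings; min_gap is an assumed house convention."""
    findings = []
    for direction in ("Inbound", "Outbound"):
        in_dir = sorted((r for r in rules if r["direction"] == direction),
                        key=lambda r: r["priority"])
        for a, b in zip(in_dir, in_dir[1:]):            # 'Organize by Priority'
            if b["priority"] - a["priority"] < min_gap:
                findings.append(f"{b['name']} (priority {b['priority']}) is within "
                                f"{min_gap} of {a['name']}: leave gaps for future rules")
    for r in rules:                                     # 'Principle of Least Privilege'
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        sources = _ranges(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        open_sources = [s for s in sources if s in ("*", "Internet")]
        if not open_sources:
            continue
        dports = _ranges(r, "destinationPortRange", "destinationPortRanges")
        if "*" in dports:
            findings.append(f"{r['name']}: allows every port from {open_sources[0]}")
        else:
            exposed = sorted(p for p in MANAGEMENT_PORTS if port_covered(dports, p))
            if exposed:
                findings.append(f"{r['name']}: exposes management port(s) {exposed} "
                                f"to {open_sources[0]}")
    outbound = [r for r in rules if r["direction"] == "Outbound"]
    for d in outbound:                                  # 'Important Consideration'
        dst = _ranges(d, "destinationAddressPrefix", "destinationAddressPrefixes")
        dports = _ranges(d, "destinationPortRange", "destinationPortRanges")
        if d["access"] == "Deny" and "*" in dst and "*" in dports and not any(
                r["access"] == "Allow" and r["priority"] < d["priority"] for r in outbound):
            findings.append(f"{d['name']}: denies all outbound traffic with no "
                            f"higher-priority outbound Allow rule")
    return findings
```

Running `audit_rules(SAMPLE_RULES)` yields three findings: the RDP rule sits at the very next priority number after the HTTPS rule, it exposes port 3389 to every source, and the outbound Deny has no Allow rule evaluated before it. Feeding the function a real export lets the "Regularly Review Rules" practice run as a scripted check rather than a manual read-through.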
By understanding and effectively implementing NSG rules, you can significantly enhance the security posture of your Azure deployments.