Azure Network Security Groups (NSGs) are a fundamental component for network security in Azure. They act as a virtual firewall for your Azure resources to control inbound and outbound network traffic. While powerful, misconfigurations can lead to connectivity issues or unintended access. This guide provides a comprehensive approach to troubleshooting common NSG-related problems.
Understanding how NSGs work is crucial. Each NSG contains a list of security rules that allow or deny inbound network traffic to an Azure resource or deny outbound traffic from it. Rules are processed based on priority, with lower numbers indicating higher priority. If traffic matches a rule, the corresponding allow or deny action is taken.
The most frequent issue is the inability for resources to communicate as expected. This can manifest as:
Sometimes, traffic that should be allowed is blocked, or traffic that should be blocked is allowed. This is often due to:
While less common, poorly optimized NSG rules or a very large number of rules could potentially impact network throughput. This is typically observed in high-traffic scenarios.
Follow these systematic steps to diagnose and resolve NSG issues:
Ensure the NSG is correctly associated with the resource you are troubleshooting. NSGs can be associated with:
The effective rules applied to a resource are a combination of rules from the associated subnet NSG and the NIC's NSG. Subnet NSG rules are evaluated first, followed by NIC NSG rules.
How to check: Navigate to the resource (e.g., Virtual Machine, Subnet) in the Azure portal and check its 'Network security group' settings.
Examine the inbound and outbound security rules within the NSG. Pay close attention to:
AzureLoadBalancer, Internet), and application security groups (ASGs).Allow or Deny.Tip: Start with the most restrictive rules and work your way up. A common mistake is having a broad deny rule that overrides a necessary allow rule.
Azure provides a powerful tool to see the combined set of effective security rules applied to a specific NIC. This consolidates rules from the NIC's NSG, the subnet's NSG, and Azure's default rules.
How to check: In the Azure portal, navigate to the Virtual Machine's 'Networking' section, select the NIC, and then choose 'Effective security rules'.
This view is invaluable for identifying conflicts or unexpected rules impacting traffic.
The Azure Network Watcher's 'IP Flow Verify' tool is essential. It tells you whether traffic is allowed or denied to or from a VM based on NSG rules for a specific protocol and port.
How to use: Navigate to Network Watcher -> IP Flow Verify. Select your VM, specify the direction (inbound/outbound), protocol, and source/destination IP and port. The tool will report the outcome and the rule that caused it.
Network Watcher offers several diagnostic tools:
These tools provide a higher-level view of network path issues.
NSG Flow Logs provide detailed information about traffic flow to and from your Azure resources. They record the source, destination, port, protocol, and whether the traffic was allowed or denied.
Steps:
Example Log Analytics query to find denied inbound traffic on port 80:
AzureNetworkAnalytics_CL
| where SubType_s == "Network جریان"
| where NSGRule_s contains "Deny"
| where DestinationPort_d == 80
| project TimeGenerated, Computer, NSGRule, SourceIp_s, DestinationIp_s, DestinationPort_d, Protocol_s, FlowStatus_s
NSGs are not the only factor influencing network traffic. Remember to check:
For complex environments:
AzureCloud, Storage) as source or destination in rules for simplified management of Azure service access.Troubleshooting Azure NSGs requires a methodical approach, combining Azure portal tools, diagnostic services, and log analysis. By systematically verifying associations, reviewing rules, and analyzing traffic flow, you can effectively identify and resolve network connectivity issues related to your NSGs. Always remember to consider the interplay of NSGs with other Azure networking components.