Network Security Groups Overview
Network Security Groups (NSGs) are a fundamental component of Azure networking, filtering traffic by IP address, protocol, and TCP or UDP port. They enable you to filter traffic to and from Azure resources in an Azure virtual network, providing a stateful firewall as a service that can be associated with Virtual Machines, Virtual Machine Scale Sets, and subnets.
An NSG is a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks. Each NSG contains multiple inbound and outbound security rules that apply to network interfaces (NICs) or to subnets, or both. NSGs are a layer of network security that operates similarly to a traditional firewall, but within the Azure cloud infrastructure.
Key Concepts
Security Rules
Each NSG contains security rules that define what traffic is allowed or denied. These rules are processed in order of priority. The rules have the following properties:
- Priority: A number between 100 and 4096. Lower numbers have higher priority.
- Source: IP address, CIDR block, service tag, or application security group.
- Source Port Range: The source port or port range.
- Destination: IP address, CIDR block, service tag, or application security group.
- Destination Port Range: The destination port or port range.
- Protocol: TCP, UDP, ICMP, or Any.
- Action: Allow or Deny.
- Name: A unique name for the rule.
- Direction: Inbound or Outbound.
Default Rules
When you create an NSG, Azure automatically creates the following default rules:
- AllowVNetInBound: Allows traffic within the virtual network.
- AllowAzureLoadBalancerInBound: Allows Azure load balancer probes to reach your instances.
- DenyAllInBound: Denies all inbound traffic not already allowed by the preceding rules.
- AllowVnetOutBound: Allows traffic to the internet.
- DenyAllOutBound: Denies all outbound traffic not already allowed by the preceding rules.
You can create custom rules with priorities lower than 65500 to override these default rules. Rules with priorities 65500 and 65501 are the default rules and cannot be deleted or modified.
Stateful Firewall
NSGs are stateful. If you create an inbound rule to allow traffic, the return traffic is automatically allowed, and vice versa for outbound rules. You do not need to create outbound rules to allow return traffic for established inbound connections.
Association
An NSG can be associated with:
- Network Interface (NIC): This applies the NSG rules to a specific virtual machine.
- Subnet: This applies the NSG rules to all network interfaces within that subnet.
If an NSG is associated with both a subnet and a NIC, both sets of rules are evaluated, so traffic must be permitted by both. The subnet rules are evaluated first, then the NIC rules.
Benefits of Using NSGs
- Granular Traffic Control: Precisely define allowed and denied traffic based on IP addresses, ports, and protocols.
- Layered Security: Apply security policies at both the subnet and individual VM levels.
- Simplified Management: Centralized management of network security policies in Azure.
- Cost-Effective: A built-in Azure service, reducing the need for third-party firewall appliances for basic security.
- Compliance: Helps meet regulatory compliance requirements by enforcing strict network access controls.
Common Use Cases
- Allowing inbound traffic to a web server on ports 80 and 443.
- Denying all inbound traffic to a database server except from application servers.
- Restricting outbound access to specific IP addresses or ports for security reasons.
- Implementing segmentation within your virtual network by applying different NSGs to different subnets.
Application Security Groups (ASGs)
Application Security Groups (ASGs) allow you to group virtual machines and treat them as a single network interface. You can then use ASGs as source or destination in NSG security rules. This simplifies the creation of complex security policies by referencing logical groupings of servers (e.g., "WebServers", "DatabaseServers") instead of individual IP addresses.
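The following Python model ties together the Security Rules, Default Rules, Stateful Firewall, Association and ASG sections above: it evaluates a connection 5-tuple against a subnet NSG and then a NIC NSG, walking each NSG's rules in ascending priority order with the first match deciding, falling through to the default rules, and letting return traffic of an established flow pass without consulting the rules. It is an added example written for this page, not code from the page or from Azure. Every rule name, priority, address, service-tag range and ASG membership in it is constructed (the "Internet" tag is modelled as two documentation address ranges, and 168.63.129.16 is used for the load balancer tag); the default rules are given priorities that simply sort after the custom range, and only the deny default is modelled for the outbound direction. The sample policy also implements the "deny all inbound to the database server except from application servers" use case listed earlier, which needs an explicit Deny because the AllowVNetInBound default would otherwise admit any host in the virtual network.

```python
# Added example, not code from the page or from Azure: a small model of how an
# NSG evaluates a flow. Every rule name, priority, address, service-tag range
# and ASG membership below is constructed for illustration.
import ipaddress
from collections import namedtuple

# Field order mirrors the properties of an NSG security rule; "*" means any.
Rule = namedtuple("Rule", "name priority direction access protocol "
                          "source source_port destination destination_port")
Flow = namedtuple("Flow", "protocol src_ip src_port dst_ip dst_port")

# Constructed application security groups (group -> member VM IPs) and service
# tags ("Internet" stands in for address space outside the virtual network).
ASGS = {"WebServers": {"10.0.1.4", "10.0.1.5"}, "AppServers": {"10.0.2.4"},
        "DatabaseServers": {"10.0.3.4"}}
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"],
                "AzureLoadBalancer": ["168.63.129.16/32"],
                "Internet": ["203.0.113.0/24", "198.51.100.0/24"]}

def reverse(flow):
    return Flow(flow.protocol, flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)

def match_port(spec, port):
    """Port spec: "*", a single port such as "443", or a range "1024-65535"."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def match_address(spec, ip):
    """Address spec: "*", an ASG name, a service tag, or a literal IP/CIDR."""
    if spec == "*":
        return True
    if spec in ASGS:
        return ip in ASGS[spec]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False)
               for c in SERVICE_TAGS.get(spec, [spec]))

def rule_matches(rule, flow):
    return ((rule.protocol == "*" or rule.protocol.lower() == flow.protocol.lower())
            and match_address(rule.source, flow.src_ip)
            and match_port(rule.source_port, flow.src_port)
            and match_address(rule.destination, flow.dst_ip)
            and match_port(rule.destination_port, flow.dst_port))

def evaluate_nsg(rules, direction, flow):
    """Rules are walked in ascending priority; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction == direction and rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "<no rule matched>"

# Default rules, with priorities chosen so they sort after every custom rule
# (100-4096). Only the deny default is modelled for the outbound direction.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

class StatefulPath:
    """Subnet NSG first, then NIC NSG; both must allow a new flow. Once a flow
    is allowed, its return traffic passes without consulting the rules again."""
    def __init__(self, subnet_rules, nic_rules):
        self.nsgs = [list(subnet_rules) + DEFAULT_RULES, list(nic_rules) + DEFAULT_RULES]
        self.established = set()

    def check(self, direction, flow):
        if flow in self.established or reverse(flow) in self.established:
            return "Allow", "<established flow>"
        for rules in self.nsgs:
            access, name = evaluate_nsg(rules, direction, flow)
            if access == "Deny":
                return access, name
        self.established.add(flow)
        return "Allow", name

def example_scenarios():
    """Constructed policy: HTTPS from the Internet to web servers, and SQL to the
    database tier only from app servers. The explicit DenyVNetToDb rule is needed
    because the AllowVNetInBound default would otherwise admit every VNet host."""
    subnet = [
        Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "WebServers", "443"),
        Rule("AllowSqlFromApp", 110, "Inbound", "Allow", "Tcp", "AppServers", "*", "DatabaseServers", "1433"),
        Rule("DenyVNetToDb", 120, "Inbound", "Deny", "*", "VirtualNetwork", "*", "DatabaseServers", "*"),
    ]
    web_nic = [Rule("AllowHttps", 200, "Inbound", "Allow", "Tcp", "*", "*", "*", "443")]
    web, db = StatefulPath(subnet, web_nic), StatefulPath(subnet, [])
    client = Flow("Tcp", "203.0.113.10", 51234, "10.0.1.4", 443)
    return {
        "https_from_client": web.check("Inbound", client),
        "https_return_traffic": web.check("Outbound", reverse(client)),
        "ssh_from_client": web.check("Inbound", Flow("Tcp", "203.0.113.10", 40001, "10.0.1.4", 22)),
        "sql_from_app": db.check("Inbound", Flow("Tcp", "10.0.2.4", 40002, "10.0.3.4", 1433)),
        "sql_from_web": db.check("Inbound", Flow("Tcp", "10.0.1.4", 40003, "10.0.3.4", 1433)),
    }
```

Calling `example_scenarios()` returns, for each labelled flow, the verdict and the rule that produced it: the client's HTTPS request is allowed by the subnet rule and then by the NIC rule, its reply is allowed as established return traffic without consulting the outbound rules, SSH from the same client falls through to DenyAllInBound, SQL from the app server is admitted by the custom subnet rule and then by the database NIC's AllowVNetInBound default, and SQL from the web server is stopped by DenyVNetToDb before that default is reached. Note that the model gives the two NSGs a shared flow table and simplifies the Internet tag; it is meant to show evaluation order and first-match semantics, not to reproduce Azure's exact service-tag contents.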
Next Steps
Explore the following resources to learn more about configuring and managing Network Security Groups: