Network Security Group Rules
Network Security Groups (NSGs) are a fundamental component of Azure's network security. They act as a virtual firewall for your Azure resources, allowing you to define inbound and outbound security rules that control network traffic at the subnet or network interface (NIC) level.
Understanding NSG Rules
Each NSG contains a list of security rules. These rules are evaluated based on a priority number. Lower numbers indicate higher priority. When traffic matches a rule, processing stops, and the action defined in that rule is applied.
Rule Components
An NSG rule is defined by the following parameters:
- Priority: An integer between 100 and 4096. Lower numbers have higher priority.
- Name: A unique name for the rule.
- Source: The origin of the traffic. This can be an IP address, CIDR block, service tag, or an application security group (ASG).
- Source port ranges: The port(s) from which traffic originates.
- Destination: The target of the traffic. Similar to the source, this can be an IP address, CIDR block, service tag, or ASG.
- Destination port ranges: The port(s) to which traffic is directed.
- Protocol: The network protocol (e.g., TCP, UDP, ICMP, Any).
- Direction: Whether the rule applies to inbound or outbound traffic.
- Action: The action to take for traffic that matches the rule (Allow or Deny).
Default Rules
Every NSG comes with a set of default rules that are created automatically. These rules cannot be deleted but can be overridden by custom rules with lower priority numbers.
| Priority | Name | Source | Source Port Ranges | Destination | Destination Port Ranges | Protocol | Direction | Action |
|---|---|---|---|---|---|---|---|---|
| 65500 | DenyAllInbound | * | * | * | * | * | Inbound | Deny |
| 65501 | AllowVNetInbound | VirtualNetwork | * | * | * | * | Inbound | Allow |
| 65502 | AllowAzureLoadBalancerInbound | AzureLoadBalancer | * | * | * | * | Inbound | Allow |
| 65503 | DenyAllOutbound | * | * | * | * | * | Outbound | Deny |
| 65504 | AllowVnetOutbound | VirtualNetwork | * | * | * | * | Outbound | Allow |
| 65505 | AllowInternetOutbound | Internet | * | * | * | * | Outbound | Allow |
Service Tags
Service tags represent a group of IP addresses from a given Azure service. Microsoft manages the IP addresses and automatically updates the service tag as addresses change. This simplifies rule management significantly.
Examples of service tags include:
- Internet
- VirtualNetwork
- AzureLoadBalancer
- Storage
- Sql.WestUS
Application Security Groups (ASGs)
Application Security Groups allow you to group virtual machines and manage network security based on the application's identity. You can use ASGs as either source or destination in your NSG rules, treating the VMs within the ASG as a single network security entity.
Rule Evaluation Order
- NSGs associated with a NIC are evaluated first, followed by NSGs associated with the subnet.
- For inbound traffic, the rules are processed in the order of lowest priority number to highest. The first matching rule determines the action (Allow or Deny).
- For outbound traffic, the rules are also processed in the order of lowest priority number to highest.
- If no explicit rule matches, the default rules are applied. For inbound traffic, this means DenyAllInbound. For outbound traffic, this means AllowInternetOutbound (if not denied by a custom rule).
Creating and Managing NSG Rules
You can create and manage NSG rules through the Azure portal, Azure CLI, Azure PowerShell, or ARM templates. The portal provides a graphical interface, while the CLI, PowerShell, and ARM templates let you define the same security policies from scripts and templates.
Example: Allowing SSH Access
To allow inbound SSH (TCP port 22) from a specific IP address range:
- Name: AllowSSHFromTrusted
- Priority: 300
- Source: 203.0.113.0/24
- Source port ranges: *
- Destination: *
- Destination port ranges: 22
- Protocol: Tcp
- Direction: Inbound
- Action: Allow
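The following is an added illustration, not code from the page or from Azure, of the first-match-by-priority evaluation described under Rule Evaluation Order, applied to the AllowSSHFromTrusted rule above together with the catch-all DenyAllInbound default. The rule set and traffic samples are constructed; service tags and ASGs are not resolved here, only IP addresses and CIDR blocks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example rule set (not exported from a real NSG): the page's
# AllowSSHFromTrusted rule plus the catch-all default deny at priority 65500.

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str            # CIDR block, single IP address, or "*"
    dest_ports: str        # "22", "1000-2000", or "*"
    protocol: str          # "Tcp", "Udp", "Icmp", "Any", or "*"
    action: str            # "Allow" or "Deny"

def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    # strict=False lets a bare host address such as 10.0.0.5 act as a /32
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source, strict=False)

def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")   # "22" -> (22, 22); "1000-2000" -> (1000, 2000)
    return int(lo) <= port <= int(hi or lo)

def _protocol_matches(rule_proto: str, proto: str) -> bool:
    return rule_proto in ("*", "Any") or rule_proto.lower() == proto.lower()

def evaluate(rules, src_ip, dest_port, protocol):
    """Return (action, rule_name) of the first matching rule, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_ports, dest_port)
                and _protocol_matches(rule.protocol, protocol)):
            return rule.action, rule.name   # processing stops at the first match
    return "Deny", "(no match)"             # unreachable while a catch-all deny is present

INBOUND_RULES = [
    Rule(65500, "DenyAllInbound", "*", "*", "*", "Deny"),
    Rule(300, "AllowSSHFromTrusted", "203.0.113.0/24", "22", "Tcp", "Allow"),
]

if __name__ == "__main__":
    for src, port, proto in [("203.0.113.10", 22, "Tcp"), ("198.51.100.7", 22, "Tcp"), ("203.0.113.10", 22, "Udp")]:
        print(src, port, proto, "->", evaluate(INBOUND_RULES, src, port, proto))
```

Adding a Deny rule for port 22 with a priority number lower than 300 shadows the allow rule entirely, which is the ordering mistake to look for when an expected connection is blocked.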
For more detailed information, refer to the official Azure Network Security Groups documentation.