Network Security Groups (NSGs)
Network Security Groups (NSGs) are a fundamental component of Azure networking, enabling you to filter network traffic to and from Azure resources in an Azure virtual network (VNet), subnets, and individual network interfaces (NICs).
What are Network Security Groups?
An NSG contains a list of security rules that allow or deny network traffic. These rules are evaluated based on the priority number. The lower the priority number, the higher the priority of the rule. NSGs can be associated with:
- Subnets: Rules apply to all resources within the subnet.
- Network Interfaces (NICs): Rules apply to the specific resource attached to the NIC.
If an NSG is associated with both a subnet and a NIC, the rules of both NSGs are applied to the traffic, so it must be permitted by each of them. The order of evaluation is:
- Effective security rules on the NIC
- Effective security rules on the subnet
Security Rule Properties
Each security rule has the following properties:
- Name: A unique name for the rule.
- Priority: A number between 100 and 4096. Lower numbers have higher priority.
- Source: The source of the traffic. Can be an IP address, CIDR block, Service Tag, or Application Security Group (ASG).
- Source port ranges: The source port or ranges of ports.
- Destination: The destination of the traffic. Can be an IP address, CIDR block, Service Tag, or ASG.
- Destination port ranges: The destination port or ranges of ports.
- Protocol: The protocol for the rule (TCP, UDP, ICMP, or * for Any).
- Direction: Whether the rule applies to inbound or outbound traffic.
- Action: Whether to Allow or Deny the traffic.
Default Security Rules
When you create an NSG, it automatically includes the following default rules. They cannot be deleted, but they can be overridden by custom rules with a higher priority (that is, a lower priority number):
- AllowVNetInBound: Allows all inbound traffic within the virtual network. (Priority 65000)
- AllowAzureLoadBalancerInBound: Allows inbound traffic from the Azure Load Balancer, which is how its health probes reach your resources. (Priority 65001)
- DenyAllInbound: Denies all inbound traffic not matched by the two rules above. (Priority 65500)
- AllowVnetOutBound: Allows all outbound traffic within the virtual network. (Priority 65000)
- DenyAllOutbound: Denies all outbound traffic except for the AllowVnetOutBound rule. (Priority 65500)
Creating and Managing NSGs
You can create and manage NSGs using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.
Example: Allow HTTP traffic to a subnet
To allow inbound HTTP traffic (port 80) to a specific subnet, you would create a new inbound security rule:
- Name: AllowHTTP
- Priority: 100
- Source: Any
- Source port ranges: *
- Destination: Any
- Destination port ranges: 80
- Protocol: TCP
- Direction: Inbound
- Action: Allow
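The evaluation semantics described above (priority order, the default inbound rules, and the AllowHTTP subnet rule combined with an NSG on the NIC), modelled in Python as an added example that is not from the original page or from Azure's own tooling. The VNet range 10.0.0.0/16, the NIC rule AllowSSHFromAdmin and its admin range 10.0.1.0/24 are constructed, and the load balancer probe source is deliberately left unresolved in this model.

```python
"""Added example (not from the page): a toy model of NSG inbound rule evaluation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules use 100-4096; the lowest number is evaluated first
    access: str          # "Allow" or "Deny"
    protocol: str = "*"  # "TCP", "UDP", "ICMP" or "*" for any
    source: str = "*"    # CIDR, "*" or a service tag name resolved via TAGS
    dest_port: str = "*" # single port, "low-high" range or "*"

# Simplified service tags: a constructed VNet range; the load balancer probe source is left empty.
TAGS = {"VirtualNetwork": [ip_network("10.0.0.0/16")], "AzureLoadBalancer": []}
# Default inbound rules every NSG carries, with the priorities listed above.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Allow", source="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInbound", 65500, "Deny"),
]

def _port_matches(spec, port):
    low, _, high = spec.partition("-")
    return spec == "*" or int(low) <= port <= int(high or low)

def _source_matches(spec, src_ip):
    if spec == "*":
        return True
    nets = TAGS[spec] if spec in TAGS else [ip_network(spec)]
    return any(ip_address(src_ip) in n for n in nets)

def evaluate(rules, src_ip, dst_port, protocol="TCP"):
    """Return (name, access) of the first matching rule by priority; DenyAllInbound always matches."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _source_matches(r.source, src_ip)
                and _port_matches(r.dest_port, dst_port)):
            return r.name, r.access

def effective_access(subnet_rules, nic_rules, src_ip, dst_port, protocol="TCP"):
    """Traffic must be allowed by both NSGs; the first Deny wins. None means no NSG attached."""
    decision = ("Allow", "no NSG attached")
    for rules in [r for r in (subnet_rules, nic_rules) if r is not None]:
        name, access = evaluate(rules, src_ip, dst_port, protocol)
        if access == "Deny":
            return "Deny", name
        decision = ("Allow", name)
    return decision
# The page's AllowHTTP rule on the subnet NSG; a constructed NIC NSG admits only SSH from an admin range.
SUBNET_RULES = [Rule("AllowHTTP", 100, "Allow", "TCP", "*", "80")]
NIC_RULES = [Rule("AllowSSHFromAdmin", 110, "Allow", "TCP", "10.0.1.0/24", "22")]
```

Note that the subnet rule alone lets port 80 through, yet the NIC NSG still denies it because a flow has to be allowed by both NSGs.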
Best Practices
- Use Service Tags where possible to abstract IP addresses of Azure services.
- Organize rules by using descriptive names.
- Use Application Security Groups (ASGs) to group VMs and define network policies based on application workloads.
- Regularly review your NSG rules to ensure they align with your security requirements.