Network Security Groups (NSGs) Overview
Network Security Groups (NSGs) are a fundamental component of Azure networking, providing network security at the IP traffic level. They allow you to filter network traffic to and from Azure resources in an Azure virtual network, as well as on-premises resources. NSGs contain a list of security rules that allow or deny network traffic based on criteria such as source and destination IP address, source and destination port, and protocol.
Key Concepts
- Security Rules: Each NSG contains security rules that define inbound and outbound traffic filtering.
- Priority: Rules are processed in order of priority, from the lowest number to the highest; a rule with a lower number is evaluated before one with a higher number.
- Protocol: Specifies the network protocol (e.g., TCP, UDP, ICMP, Any).
- Source/Destination: Defines the IP address range or service tag for traffic.
- Port Range: Specifies the ports for traffic.
- Action: Determines whether to Allow or Deny the traffic.
- Association: NSGs can be associated with Network Interfaces (NICs) or Subnets.
How They Work
When traffic flows to or from an Azure resource, the NSG associated with the resource's subnet or network interface processes the traffic. It evaluates the inbound and outbound security rules based on their priority. The first rule that matches the traffic determines whether it's allowed or denied. If no rule matches, the default rules are applied.
Note: Traffic is always evaluated for both inbound and outbound rules, regardless of whether the NSG is associated with a subnet or a network interface.
NSG Rules
NSGs support two types of rules:
Inbound Security Rules
These rules control traffic coming into your Azure resources. They consider:
- Source IP address or CIDR block
- Source port range
- Destination IP address or CIDR block
- Destination port range
- Protocol (TCP, UDP, ICMP, Any)
- Action (Allow/Deny)
- Priority (0-4096)
Outbound Security Rules
These rules control traffic going out from your Azure resources. They have the same parameters as inbound rules.
Each NSG comes with a set of default rules that are always present and cannot be deleted:
- Default-Allow-VNet-Inbound: Allows all inbound traffic within the virtual network.
- Default-Allow-Global-VNet-Inbound: Allows inbound traffic from other virtual networks connected via VNet peering.
- Default-Allow-Internet-Inbound: Denies all inbound traffic from the internet.
- Default-Allow-Internet-Outbound: Allows all outbound traffic to the internet.
- Default-Deny-All-Inbound: Denies all other inbound traffic.
- Default-Deny-All-Outbound: Denies all other outbound traffic.
Tip: You can use Service Tags to specify source or destination IP addresses for common Azure services (e.g., AzureLoadBalancer, Storage, VirtualNetwork). This simplifies rule management and ensures you are always targeting the correct IP address ranges.
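To make the evaluation order described under "How They Work" concrete, the following is an added example (not part of the original page and not Azure's own code) that models an inbound NSG as a list of prioritised rules, resolves a hypothetical service-tag table, and shows how a wide-open SSH rule and a source-restricted one behave against the default rules. The default rules, the service-tag ranges and the sample addresses are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical service-tag table; real tags resolve to Azure-published ranges.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "Internet": ["0.0.0.0/0"]}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*" for any
    source: str      # CIDR, service tag or "*"
    dest_port: str   # "22", "1000-2000" or "*"

def _prefix_matches(spec, addr):
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])   # tag -> ranges, else literal CIDR
    return any(ip_address(addr) in ip_network(p, strict=False) for p in prefixes)

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")             # single port or inclusive range
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, dst_port, protocol):
    """Walk rules by ascending priority; the first match decides the verdict."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if _prefix_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dst_port):
            return rule.name, rule.access
    raise RuntimeError("no rule matched; the default deny-all should always match")

# Simplified defaults modelled on Azure's built-in inbound rules (constructed).
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed custom rules: the page's any-source SSH rule beside a narrowed one.
OPEN_SSH = Rule("AllowSSH", 100, "Allow", "Tcp", "*", "22")
ADMIN_SSH = Rule("AllowSSHFromAdmin", 100, "Allow", "Tcp", "203.0.113.0/24", "22")

if __name__ == "__main__":
    print(evaluate([OPEN_SSH] + DEFAULTS, "198.51.100.7", 22, "Tcp"))   # ('AllowSSH', 'Allow')
    print(evaluate([ADMIN_SSH] + DEFAULTS, "198.51.100.7", 22, "Tcp"))  # ('DenyAllInBound', 'Deny')
```

Because the defaults sit at the highest priority numbers, a custom Deny at 200 still overrides the default VNet allow, while an Allow at 100 is evaluated before it.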
Creating and Managing NSGs
You can create and manage Network Security Groups using the Azure portal, Azure PowerShell, Azure CLI, or ARM templates.
Azure Portal
Navigate to "Network Security Groups" and click "Create". You can then define rules, associate NSGs with subnets or network interfaces, and apply them to your virtual machines.
Azure PowerShell
Use cmdlets like New-AzNetworkSecurityGroup, Add-AzNetworkSecurityRuleConfig, and Set-AzNetworkSecurityGroup to programmatically manage NSGs.
Example of creating a simple inbound rule:
# Fetch the existing NSG object; the rule is first added to it in memory.
$nsg = Get-AzNetworkSecurityGroup -Name "MyNsg" -ResourceGroupName "MyResourceGroup"
# A source prefix of '*' admits SSH from any address; narrow it to your management range in practice.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AllowSSH" -Description "Allow SSH inbound" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '22'
# Push the updated rule set back to Azure; nothing takes effect until this runs.
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg