Network Security Groups (NSGs) Overview
Network Security Groups (NSGs) act as a virtual firewall for your virtual machines and other Azure resources. They enable you to define security rules that allow or deny network traffic to and from resources in an Azure virtual network.
What are Network Security Groups?
An NSG contains a list of security rules that, when evaluated, allow or deny traffic based on attributes such as source and destination IP address, source and destination port, and protocol. NSGs can be associated with network interfaces (NICs) of virtual machines or with subnets within a virtual network.
Key Components of an NSG:
- Security Rules: These are the core of an NSG. Each rule specifies:
  - A priority (lower numbers are processed first).
  - Direction (Inbound or Outbound).
  - Protocol (TCP, UDP, ICMP, Any).
  - Source and Destination (IP address ranges, service tags, application security groups).
  - Source and Destination Port Ranges.
  - Action (Allow or Deny).
- Default Rules: Every NSG comes with a set of default rules that are applied before any custom rules. These rules control basic network connectivity.
- Association: An NSG can be associated with one or more network interfaces (NICs) or subnets. Applying an NSG to a subnet affects all resources within that subnet. Applying it to a NIC affects only that specific virtual machine.
How NSGs Work
When network traffic is processed, the following occurs:
- Traffic is evaluated against the rules in the NSG associated with the NIC, if any.
- If no NSG is associated with the NIC, traffic is evaluated against the rules in the NSG associated with the subnet.
- Rules are evaluated based on their priority. The first rule that matches the traffic dictates the action (Allow or Deny).
- If no rule matches, the traffic is denied by default (for inbound) or allowed by default (for outbound).
Note: When an NSG is associated with both a subnet and a NIC, both NSGs are evaluated. Inbound traffic is first processed by the subnet NSG, then by the NIC NSG. Outbound traffic is first processed by the NIC NSG, then by the subnet NSG.
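To make the evaluation order concrete, the following is a small Python model of the behaviour described above: rules are tried by ascending priority, the first match decides, unmatched inbound traffic is denied and unmatched outbound traffic allowed, and inbound traffic must pass the subnet NSG and then the NIC NSG. It is an added example, not code from the page or from Azure; the Rule fields, helper names and the 10.0.x.x sample addresses are assumptions, and service tags and application security groups are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int     # lower number is evaluated first
    direction: str    # "Inbound" or "Outbound"
    protocol: str     # "Tcp", "Udp", "Icmp" or "Any"
    source: str       # CIDR or "*" (service tags and ASGs are not modelled)
    dest: str         # CIDR or "*"
    dest_ports: str   # "443", "1000-2000" or "*"
    action: str       # "Allow" or "Deny"

def _port_ok(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def _addr_ok(spec, addr):
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)

def evaluate_nsg(rules, direction, proto, src, dst, port):
    # First matching rule by ascending priority wins; with no match, inbound is
    # denied and outbound allowed, the default behaviour described above.
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("Any", proto)
                and _addr_ok(r.source, src) and _addr_ok(r.dest, dst)
                and _port_ok(r.dest_ports, port)):
            return r.action
    return "Deny" if direction == "Inbound" else "Allow"

def evaluate_path(subnet_nsg, nic_nsg, direction, proto, src, dst, port):
    # Inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG.
    # A missing NSG (None) is skipped; traffic passes only if every NSG allows it.
    order = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    for nsg in order:
        if nsg is not None and evaluate_nsg(nsg, direction, proto, src, dst, port) == "Deny":
            return "Deny"
    return "Allow"

# Constructed sample: a web-subnet NSG plus a stricter NSG on one VM's NIC (10.0.1.4).
WEB = "10.0.1.0/24"
SUBNET_NSG = [
    Rule(90,  "Inbound", "Tcp", "203.0.113.0/24", WEB, "443", "Deny"),   # block one abusive range first
    Rule(100, "Inbound", "Tcp", "*",              WEB, "443", "Allow"),  # HTTPS from anywhere
    Rule(110, "Inbound", "Tcp", "10.0.0.0/24",    WEB, "22",  "Allow"),  # SSH only from management subnet
]
NIC_NSG = [
    Rule(100, "Inbound", "Tcp", "*", "10.0.1.4/32", "443", "Allow"),
    Rule(200, "Inbound", "Tcp", "*", "10.0.1.4/32", "22",  "Deny"),     # this VM refuses SSH entirely
]
```

With these rule sets, SSH from the management subnet is allowed by the subnet NSG but still denied at the NIC, which is the layered behaviour the Note above describes.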
Benefits of Using NSGs
- Granular Control: Define fine-grained access control for your Azure resources.
- Layered Security: Apply security policies at both the subnet and individual resource levels.
- Simplified Management: Centralize network security policies for your virtual networks.
- Cost-Effective: NSGs are a built-in Azure feature with no additional cost.
Common Use Cases
- Restricting inbound access to web servers to port 443 only.
- Allowing outbound access for virtual machines to specific cloud services using service tags.
- Denying all inbound traffic by default and then explicitly allowing only necessary ports.
- Segmenting network traffic between different tiers of an application (e.g., web, application, database).
Understanding and effectively configuring Network Security Groups is crucial for maintaining a secure and well-controlled Azure environment.