Network Security Groups (NSGs)
Network Security Groups (NSGs) are a fundamental component of Azure's networking capabilities, providing network security at the IP traffic level. NSGs act as a virtual firewall, allowing or denying network traffic to Azure resources in your virtual network. You can associate NSGs with subnets, individual virtual machines, or both.
Introduction to NSGs
NSGs contain a list of security rules that allow or deny traffic based on source and destination IP address, port, and protocol. Rules are processed based on priority, with lower numbers indicating higher priority. The first rule that matches the traffic is applied, and processing stops.
NSG Components
- Inbound security rules: Rules that apply to traffic originating from outside your virtual network and destined for resources within your virtual network.
- Outbound security rules: Rules that apply to traffic originating from your resources within your virtual network and destined for resources outside your virtual network.
- Network Security Group Associations: NSGs can be associated with a subnet or a Network Interface (NIC). If an NSG is associated with both a subnet and a NIC, the rules from both are applied. Rules applied to a NIC take precedence over rules applied to the subnet.
- Priority: A number from 100 to 4096. Lower numbers indicate higher priority.
- Protocol: The protocol of the traffic to which the rule applies (e.g., TCP, UDP, ICMP, Any).
- Source/Destination: The IP addresses or ranges from which traffic originates or to which it is destined.
- Source/Destination Port Range: The port or range of ports used by the traffic.
- Name: A unique identifier for the rule.
- State: Whether the rule is enabled or disabled.
Understanding Security Rules
Each NSG consists of a set of security rules. When evaluating traffic, Azure checks the inbound rules for inbound traffic and outbound rules for outbound traffic. There are two types of security rules:
- Default Rules: Azure automatically creates a set of default inbound and outbound rules when you create an NSG. These rules provide basic connectivity: they allow traffic within the virtual network (VNet inbound and AllowVNetOutbound) and deny all other inbound traffic.
- Custom Rules: You can create custom rules to define specific security policies for your resources.
When Azure processes traffic against an NSG, it evaluates rules in order of priority. The first rule that matches the traffic is applied, and no further rules are evaluated.
Application Security Groups (ASGs)
Application Security Groups (ASGs) allow you to group virtual machines and apply network security rules to those groups. This simplifies the management of NSGs by allowing you to refer to ASGs instead of individual IP addresses, making your security policies more manageable and scalable.
For example, you can create an ASG for your web servers and another for your database servers. Then, you can create a security rule that allows inbound TCP traffic on port 443 from the internet to the "WebServers" ASG, and another rule that denies inbound traffic to the "DatabaseServers" ASG from any source except the "WebServers" ASG.
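As an added illustration (example code, not part of the original page or of Azure's own tooling), the following Python models how the rule evaluation described above plays out for the web/database ASG scenario: custom rules are merged with Azure's default inbound rules, and the first match in priority order decides. The ASG membership, the VNet range behind the VirtualNetwork tag and the rule set are constructed for the example.

```python
import ipaddress

# Constructed example data (not from Azure): ASG membership and the VNet range.
ASGS = {"WebServers": {"10.0.1.4", "10.0.1.5"}, "DatabaseServers": {"10.0.2.4"}}
VNET = ipaddress.ip_network("10.0.0.0/16")

def rule(name, priority, access, protocol, src, dst, dst_port):
    # Same field names as the page's JSON rule example.
    return {"name": name, "priority": priority, "access": access, "protocol": protocol,
            "sourceAddressPrefix": src, "destinationAddressPrefix": dst, "destinationPortRange": dst_port}

# Azure's default inbound rules sit at 65000/65500; custom rules use 100-4096.
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

def addr_match(prefix, ip):
    # An address field is '*', the VirtualNetwork tag, an ASG name, or an IP/CIDR.
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ipaddress.ip_address(ip) in VNET
    if prefix in ASGS:  # an ASG reference expands to its members' addresses
        return ip in ASGS[prefix]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)

def port_match(port_range, port):
    # '*', a single port, or an inclusive 'lo-hi' range.
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(custom_rules, src_ip, dst_ip, dst_port, protocol):
    # Inbound evaluation: lowest priority number first, first match wins -> (access, rule name).
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (r["protocol"] in ("*", protocol)
                and addr_match(r["sourceAddressPrefix"], src_ip)
                and addr_match(r["destinationAddressPrefix"], dst_ip)
                and port_match(r["destinationPortRange"], dst_port)):
            return r["access"], r["name"]  # DenyAllInBound guarantees a match

# The page's scenario. The explicit deny at 210 is what makes "except WebServers" hold:
# without it, AllowVnetInBound (65000) would admit any VNet host to the database tier.
CUSTOM = [
    rule("AllowHTTPSToWeb", 100, "Allow", "Tcp", "*", "WebServers", "443"),
    rule("AllowWebToDb", 200, "Allow", "Tcp", "WebServers", "DatabaseServers", "1433"),
    rule("DenyAllToDb", 210, "Deny", "*", "*", "DatabaseServers", "*"),
]
```

Dropping the DenyAllToDb rule and re-running `evaluate(CUSTOM[:2], "10.0.3.9", "10.0.2.4", 1433, "Tcp")` shows the default AllowVnetInBound rule admitting a non-web VNet host to the database tier, which is why a custom deny must carry a priority below 65000.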
Best Practices
- Principle of Least Privilege: Only allow the traffic that is absolutely necessary.
- Use ASGs: Group similar workloads into ASGs to simplify rule management.
- Prioritize Rules: Use meaningful priority numbers and keep them organized.
- Deny All by Default: Leverage the default deny rules to secure your network.
- Document Your Rules: Clearly name and describe your custom rules for better understanding and auditing.
- Regularly Review NSGs: Periodically review your NSGs to ensure they align with your security posture.
Tutorials and Examples
Explore the following tutorials to learn how to implement NSGs effectively:
- Create, change, or delete a network security group
- Associate or disassociate a network security group from a subnet or NIC
- Filter network traffic to and from Azure resources in a virtual network with a network security group
- Create application security groups
Example of an inbound security rule configuration:
{
  "properties": {
    "priority": 300,
    "access": "Allow",
    "direction": "Inbound",
    "protocol": "Tcp",
    "sourceAddressPrefix": "*",
    "sourcePortRange": "*",
    "destinationAddressPrefix": "10.0.0.4",
    "destinationPortRange": "80",
    "name": "AllowHTTPInbound"
  }
}