Configure Network Security Groups (NSGs) in Azure

This tutorial guides you through the process of configuring Network Security Groups (NSGs) in Azure to control network traffic to and from Azure resources in an Azure virtual network.

What are Network Security Groups?

A Network Security Group (NSG) is a logical grouping of network security rules that can be associated with one or more virtual network interfaces (NICs), subnets, or both. NSGs act as a basic firewall for controlling traffic flow to and from network resources in an Azure virtual network.

Key Concepts:

Security Rules: Define inbound and outbound traffic filtering.
Priority: Rules are processed in priority order. Lower numbers have higher priority.
Protocol: Specify TCP, UDP, ICMP, or Any.
Source/Destination: Define IP addresses, CIDR blocks, service tags, or application security groups.
Port Ranges: Specify specific ports or ranges.
Action: Allow or Deny the traffic.

Tutorial: Step-by-Step Configuration

Step 1: Create a Network Security Group

You can create an NSG using the Azure portal, Azure CLI, or Azure PowerShell. Here's how using the Azure portal:

Navigate to the Azure portal.
Search for "Network Security Groups" and select it.
Click "+ Create".
Fill in the required details: Subscription, Resource group, Name, and Region.
Click "Review + create" and then "Create".

Step 2: Configure Inbound Security Rules

By default, NSGs come with some pre-configured rules. You can add new rules to allow or deny specific inbound traffic.

Open your newly created NSG in the Azure portal.
Under "Settings", click "Inbound security rules".
Click "+ Add".
Configure the rule details:

Source: e.g., "Any", "IP Addresses" (e.g., 203.0.113.5/32), or "Service Tag" (e.g., "Internet").
Source port ranges: e.g., * or a specific port like 80.
Destination: e.g., "Any", "IP Addresses", or "Service Tag".
Destination port ranges: e.g., 80, 443, 3389.
Protocol: TCP, UDP, ICMP, Any.
Action: Allow or Deny.
Priority: Assign a unique priority (e.g., 100, 110, 120). Lower numbers are processed first.
Name: A descriptive name for the rule.
Description: Optional description.

Click "Add".

Example: Allow HTTP traffic from the internet:


Source: Any
Source port ranges: *
Destination: Any
Destination port ranges: 80
Protocol: TCP
Action: Allow
Priority: 100
Name: AllowHTTP

Step 3: Configure Outbound Security Rules

Similar to inbound rules, you can configure outbound rules to control traffic originating from your Azure resources.

In your NSG, click "Outbound security rules".
Click "+ Add".
Configure the rule details (similar to inbound rules but focusing on outbound traffic).
Click "Add".

Example: Deny outbound access to a specific IP address:


Source: Any
Source port ranges: *
Destination: IP Addresses
Destination address prefix: 192.168.1.100/32
Protocol: Any
Action: Deny
Priority: 400
Name: DenySpecificOutbound

Step 4: Associate the NSG with a Subnet or NIC

An NSG only takes effect when it's associated with a network interface (NIC) or a subnet. You can associate an NSG with both, and the rules are evaluated at both levels.

To associate with a Subnet:

Navigate to the Virtual Network containing the subnet.
Select the subnet.
Under "Network security group", choose your NSG.
Click "Save".

To associate with a NIC:

Navigate to the Virtual Machine's Network Interface.
Under "Settings", click "Network security group".
Choose your NSG.
Click "Save".

Best Practices

Use specific IP addresses or service tags instead of "Any" whenever possible for better security.
Apply the principle of least privilege: only allow necessary ports and protocols.
Organize rules logically with clear naming conventions and descriptions.
Use NSGs at the subnet level for broad control and at the NIC level for specific exceptions.
Leverage Azure Security Center for monitoring and recommendations.

By following these steps and best practices, you can effectively manage network security for your Azure resources using Network Security Groups.

Configure NSGs in Azure Portal