Set Up Network Security Groups (NSGs) in Azure
Network Security Groups (NSGs) act as a basic firewall for virtual machines and other network resources in Azure. They contain a list of security rules that allow or deny network traffic. This guide walks you through the process of setting up and configuring NSGs.
What are Network Security Groups?
An NSG is a collection of network security rules that are associated with network interfaces (NICs) of virtual machines or with subnets of a virtual network. Each rule specifies a source and destination, port range, and protocol, along with an allowance or denial action.
Prerequisites
- An active Azure subscription.
- An existing Azure virtual network with at least one subnet.
- Azure CLI or Azure PowerShell installed and configured (optional, but recommended for scripting).
Steps to Set Up a Network Security Group
1. Create a Network Security Group
You can create an NSG using the Azure portal, Azure CLI, or Azure PowerShell.
Azure Portal:
- Navigate to the Azure portal.
- Search for "Network security groups" and select it.
- Click "+ Create".
- Select your Subscription and Resource group.
- Provide a Name for your NSG (e.g., `myNsg`).
- Choose the Region.
- Click "Review + create", then "Create".
Azure CLI:
az network nsg create --resource-group <resource-group> --name myNsg --location <location>
2. Associate NSG with a Subnet or NIC
You can associate an NSG with a subnet or directly with a network interface (NIC). Associating with a subnet applies the rules to all resources within that subnet. Associating with a NIC applies rules only to that specific virtual machine.
Associate with a Subnet (Recommended):
This is the most common and efficient approach.
- In the Azure portal, navigate to your created NSG.
- Under "Settings", click "Subnets".
- Click "+ Associate".
- Select the Virtual network and the Subnet you want to associate the NSG with.
- Click "OK".
Associate with a NIC:
Use this if you need more granular control for a specific VM.
- Navigate to the Network Interface of your virtual machine.
- Under "Settings", click "Network security group".
- Click "Edit".
- Select your NSG from the dropdown.
- Click "Save".
3. Configure Security Rules
NSGs come with default rules. You'll typically want to add custom rules to allow or deny specific traffic.
Default Rules:
- AllowVnetInBound: Allows traffic from other resources within the same virtual network.
- AllowAzureLoadBalancerInBound: Allows traffic from the Azure Load Balancer.
- DenyAllInBound: Denies all inbound traffic that isn't explicitly allowed by other rules.
- AllowVnetOutBound: Allows outbound traffic to other resources within the same virtual network.
- DenyAllOutBound: Denies all outbound traffic that isn't explicitly allowed by other rules.
Adding a Custom Rule:
- In your NSG's page in the Azure portal, click "Inbound security rules" or "Outbound security rules".
- Click "+ Add".
- Fill in the details for your rule:
  - Source: Any, IP Addresses, Service Tag, Application Security Group.
  - Source port ranges: * (for any) or specific ports.
  - Destination: Any, IP Addresses, Service Tag, Application Security Group.
  - Service: Common services like SSH, RDP, HTTP, HTTPS, or specify Custom.
  - Destination port ranges: Ports required for your service.
  - Protocol: TCP, UDP, ICMP, Any.
  - Action: Allow or Deny.
  - Priority: A number between 100 and 4096. Lower numbers have higher priority. Rules are processed in priority order.
  - Name: A descriptive name for your rule (e.g., `AllowSSH`).
  - Description: (Optional) More details about the rule.
- Click "Add".
Important: Rule processing stops at the first rule that matches the traffic, so the order (priority) is critical. It's best practice to have a DenyAllInbound rule with a high priority number (e.g., 4095), so that it is evaluated last among your custom rules and catches any traffic not explicitly allowed.
Example: Allowing inbound SSH (TCP port 22)
{
"name": "AllowSSH",
"properties": {
"priority": 100,
"protocol": "Tcp",
"access": "Allow",
"direction": "Inbound",
"sourceAddressPrefix": "*",
"sourcePortRange": "*",
"destinationAddressPrefix": "*",
"destinationPortRange": "22"
}
}
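To make the first-match, priority-ordered evaluation concrete, here is an added Python example (not code from this guide or from Azure) that models an NSG's inbound rule set, including the three default inbound rules, and evaluates sample flows against it. It also flags Allow rules that expose SSH or RDP to any source, which is the weak spot in the `AllowSSH` rule above (its `sourceAddressPrefix` is `*`). The VNet address space `10.0.0.0/16`, the admin range `203.0.113.0/24`, the custom rules and the sample source addresses are constructed assumptions; the service-tag mapping is a simplified stand-in for the prefix lists Azure maintains.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100-4096 for custom rules; the defaults use 65000 and up
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR, single IP, "*" or a service tag name
    dest_port: str    # "22", "1000-2000" or "*"


# Assumed stand-in for service tags. Azure resolves tags to published prefix
# lists; VirtualNetwork here is an assumed VNet space, AzureLoadBalancer is
# the platform health-probe address.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

# The default inbound rules every NSG carries (priorities 65000, 65001, 65500).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed custom rules: SSH only from an assumed admin range, HTTPS from
# the Internet, and the catch-all deny at 4095 that the guide recommends.
CUSTOM_INBOUND = [
    Rule("AllowSSHFromAdmin", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("AllowHTTPS", 200, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("DenyAllCustom", 4095, "Inbound", "Deny", "*", "*", "*"),
]

# The AllowSSH rule from the guide, in its JSON form.
PAGE_ALLOW_SSH = {
    "name": "AllowSSH",
    "properties": {
        "priority": 100, "protocol": "Tcp", "access": "Allow",
        "direction": "Inbound", "sourceAddressPrefix": "*",
        "sourcePortRange": "*", "destinationAddressPrefix": "*",
        "destinationPortRange": "22",
    },
}


def rule_from_json(doc):
    """Build a Rule from the JSON shape shown in the guide."""
    p = doc["properties"]
    return Rule(doc["name"], p["priority"], p["direction"], p["access"],
                p["protocol"], p["sourceAddressPrefix"], p["destinationPortRange"])


def _prefix_matches(prefix, ip):
    if prefix == "*":
        return True
    return any(ip_address(ip) in ip_network(c, strict=False)
               for c in SERVICE_TAGS.get(prefix, [prefix]))


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def evaluate(rules, direction, protocol, src_ip, dst_port):
    """Return (access, rule name) of the first match in ascending priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not _prefix_matches(r.source, src_ip) or not _port_matches(r.dest_port, dst_port):
            continue
        return r.access, r.name
    return "Deny", "<no match>"  # only reachable if the default rules are omitted


MANAGEMENT_PORTS = (22, 3389)  # SSH and RDP


def lint_open_management_ports(rules):
    """Flag inbound Allow rules that expose SSH or RDP to any source."""
    findings = []
    for r in rules:
        if r.access != "Allow" or r.direction != "Inbound":
            continue
        if r.source not in ("*", "Internet", "0.0.0.0/0"):
            continue
        if r.protocol.lower() not in ("tcp", "*"):
            continue
        for port in MANAGEMENT_PORTS:
            if _port_matches(r.dest_port, port):
                findings.append(f"{r.name}: allows {port}/tcp from any source")
    return findings


if __name__ == "__main__":
    rules = CUSTOM_INBOUND + DEFAULT_INBOUND
    for src, port in [("203.0.113.7", 22), ("198.51.100.9", 22), ("10.0.1.5", 8080)]:
        print(src, port, evaluate(rules, "Inbound", "Tcp", src, port))
    print(lint_open_management_ports([rule_from_json(PAGE_ALLOW_SSH)]))
```

One thing the evaluation makes visible: a custom catch-all deny at 4095 sits ahead of the default AllowVnetInBound rule at 65000, so once you add it, traffic from elsewhere in the VNet is denied unless a custom Allow rule covers it explicitly.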
4. Testing and Verification
After configuring your NSG rules, test connectivity to ensure your rules are behaving as expected. You can use tools like `telnet`, `ping` (if ICMP is allowed), or attempt to connect to your services from different network locations.
Note: NSG rules take a moment to propagate. If you don't see immediate results, wait a few minutes and try again.
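As an added example (not part of this guide), the Python check below does what a manual `telnet` test does but records the outcome in a way that helps interpret an NSG: a connect timeout ("filtered") is what an NSG Deny produces, because dropped packets get no reply, while "refused" means the packet reached the VM but nothing was listening on that port. Hosts, ports and expectations are constructed; the throwaway localhost listener exists only so the example runs offline.

```python
import socket


def check_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt as open, refused, filtered or unreachable.

    'filtered' (no reply before the timeout) is the signature of a packet
    silently dropped, e.g. by an NSG Deny rule; 'refused' means an RST came
    back, so the traffic was allowed through but no service is listening.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"  # e.g. no route to host
    finally:
        s.close()


def verify(expectations, timeout=3.0):
    """Compare observed reachability with what the NSG rules should produce.

    expectations: iterable of (host, port, expected_state); returns a list of
    (host, port, expected, observed) for every mismatch, empty when all agree.
    """
    mismatches = []
    for host, port, expected in expectations:
        observed = check_tcp(host, port, timeout)
        if observed != expected:
            mismatches.append((host, port, expected, observed))
    return mismatches


def with_listener(fn):
    """Run fn(port) against a temporary localhost listener; returns (result, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return fn(port), port
    finally:
        srv.close()


if __name__ == "__main__":
    # Constructed expectation list for a VM whose NSG allows 443 from the
    # Internet and blocks 22 from everywhere except an admin range.
    result, port = with_listener(lambda p: check_tcp("127.0.0.1", p))
    print("listening port:", result)                   # open
    print("closed port:", check_tcp("127.0.0.1", port))  # refused
    print(verify([("127.0.0.1", port, "refused")]))      # []
```

Run the expectation list from an allowed location and from a disallowed one; a "refused" where you expected "filtered" means the NSG let the traffic through, and an "open" where you expected "filtered" is the finding to act on. Remember the propagation delay noted above before concluding a rule is wrong.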
Best Practices
- Least Privilege: Only allow the traffic that is absolutely necessary.
- Service Tags: Use service tags (e.g., `AzureLoadBalancer`, `Internet`) for source and destination prefixes instead of specific IP addresses where possible. This makes your rules more resilient to IP address changes.
- Application Security Groups (ASGs): Group virtual machines with similar network security requirements into ASGs. You can then create NSG rules that reference these ASGs, simplifying management for large deployments.
- Regular Review: Periodically review your NSG rules to ensure they are still relevant and secure.
- Associate with Subnets: Prefer subnet association over NIC association for easier management.
Conclusion
Network Security Groups are a fundamental component of Azure networking security. By understanding and effectively configuring them, you can significantly enhance the security posture of your Azure resources.