Network Security Groups (NSGs)
Network Security Groups (NSGs) are a fundamental component of Azure's networking security. They act as a virtual firewall for your Azure resources to help filter network traffic. NSGs contain a list of security rules that allow or deny network traffic based on source and destination IP address, port, and protocol.
NSGs can be associated with Network Interfaces (NICs) or Subnets. When associated with a NIC, the rules apply only to the specific VM or resource connected to that NIC. When associated with a subnet, the rules apply to all resources within that subnet.
Key Concepts:
- Security Rules: The core of an NSG, defining inbound and outbound traffic filtering.
- Priority: Rules are evaluated in order of their priority (lower numbers are processed first).
- Stateful Filtering: NSGs are stateful. If you allow inbound traffic, the return (outbound) traffic for that same connection is automatically allowed, so no separate outbound rule is needed for it.
- Default Rules: NSGs come with a set of default rules that cannot be deleted but can be overridden by custom rules.
- Association: NSGs can be associated with NICs or Subnets.
Key Features and Capabilities
- Granular Control: Define precise rules for inbound and outbound traffic.
- Layer 4 Filtering: Filter traffic based on protocol (TCP, UDP, ICMP, Any) and port ranges.
- IP Address Filtering: Specify source and destination IP addresses or CIDR blocks.
- Application Security Groups (ASGs): Group VMs into reusable network security policies, simplifying rule creation for complex environments.
- Logging and Diagnostics: Monitor traffic flows and security events for auditing and troubleshooting.
- Service Tags: Use predefined tags (e.g., Internet, VirtualNetwork, AzureLoadBalancer) to simplify rule creation and management.
How NSGs Work
When network traffic arrives at or leaves a resource in Azure, the NSG associated with its NIC or subnet is checked. The NSG evaluates its security rules in order of priority.
Rule Processing Order:
- The NSG checks its default rules first (highest priority).
- Then, it checks your custom rules in order of priority (lower number means higher priority).
- If a rule matches the traffic, the corresponding Allow or Deny action is applied.
- If no rule matches, the default rule at the end of the list (often a 'Deny All') is applied.
Inbound vs. Outbound Security Rules:
- Inbound Security Rules: Control traffic entering your resources.
- Outbound Security Rules: Control traffic leaving your resources.
Common NSG Rule Examples
Allow Inbound SSH Traffic
This rule allows SSH traffic (TCP port 22) from any source to your virtual machines.
Rule Details:
- Priority: 100
- Source: Any
- Source Port Ranges: *
- Destination: Any
- Destination Port Ranges: 22
- Protocol: TCP
- Action: Allow
- Name: AllowSSH
Description: Allows inbound SSH connections to VMs.
Allow Outbound HTTP/HTTPS Traffic
This rule allows your VMs to access the internet for web browsing and updates.
Rule Details:
- Priority: 200
- Source: Any
- Source Port Ranges: *
- Destination: Internet
- Destination Port Ranges: 80, 443
- Protocol: TCP
- Action: Allow
- Name: AllowWebOutbound
Description: Permits outbound HTTP and HTTPS traffic.
Deny Inbound RDP Traffic
This rule explicitly denies RDP traffic (TCP port 3389) from any source. Because its priority (90) is a lower number than the 'Allow' rules above, it is evaluated before them and therefore overrides any other 'Allow' rule that might exist for this port.
Rule Details:
- Priority: 90
- Source: Any
- Source Port Ranges: *
- Destination: Any
- Destination Port Ranges: 3389
- Protocol: TCP
- Action: Deny
- Name: DenyRDP
Description: Explicitly blocks inbound RDP connections.
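The rule-processing order, stateful filtering and the three example rules above can be seen working together in the following simulator. This is an added example written for this page, not Azure's own evaluation engine or code from the original page. It encodes the three rules exactly as listed, adds Azure's documented default rules (priorities 65000 to 65500, which is why custom rules at 100 to 4096 are always reached first), and models stateful filtering with a small flow table. The VNet range 10.0.0.0/16 and the "Internet" tag being "anything outside the VNet" are assumptions for the example; real service tags expand to Microsoft-published prefix lists.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address spaces assumed for this example: a constructed VNet range, and the address
# Azure's load balancer health probes come from (a real, documented Azure value).
VNET_PREFIXES = [ip_network("10.0.0.0/16")]
LOAD_BALANCER_PREFIXES = [ip_network("168.63.129.16/32")]

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "TCP", "UDP", "ICMP" or "*" (shown as "Any" in the portal)
    source: str            # IP, CIDR, "*"/"Any" or a service tag
    source_ports: str      # "*", "22", "80,443" or "1000-2000"
    destination: str
    destination_ports: str

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Azure's built-in default rules sit at priorities 65000-65500, so every custom
# rule (100-4096) is evaluated before them; they can be overridden, not deleted.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# The three rules from the examples above, as written there.
PAGE_RULES = [
    Rule("AllowSSH", 100, "Inbound", "Allow", "TCP", "Any", "*", "Any", "22"),
    Rule("AllowWebOutbound", 200, "Outbound", "Allow", "TCP", "Any", "*", "Internet", "80,443"),
    Rule("DenyRDP", 90, "Inbound", "Deny", "TCP", "Any", "*", "Any", "3389"),
]

def port_matches(spec, port):
    """'*', a single port, a comma-separated list, or a lo-hi range."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def address_matches(spec, ip):
    """Service tag, wildcard, single IP or CIDR. 'Internet' is simplified here to
    'outside the VNet'; real tags expand to Microsoft-published prefix lists."""
    addr = ip_address(ip)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return any(addr in net for net in VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return any(addr in net for net in LOAD_BALANCER_PREFIXES)
    if spec == "Internet":
        return not any(addr in net for net in VNET_PREFIXES)
    return addr in ip_network(spec, strict=False)

def evaluate(rules, pkt):
    """First match wins, in ascending priority order. Returns (access, rule name)."""
    candidates = sorted((r for r in rules if r.direction == pkt.direction), key=lambda r: r.priority)
    for rule in candidates:
        if (rule.protocol in ("*", "Any", pkt.protocol)
                and address_matches(rule.source, pkt.src_ip) and port_matches(rule.source_ports, pkt.src_port)
                and address_matches(rule.destination, pkt.dst_ip) and port_matches(rule.destination_ports, pkt.dst_port)):
            return rule.access, rule.name
    return "Deny", "(no matching rule)"  # unreachable while the DenyAll defaults are present

class NetworkSecurityGroup:
    """Custom rules plus the defaults, with a flow table that models stateful filtering."""
    def __init__(self, custom_rules):
        self.rules = list(custom_rules) + DEFAULT_RULES
        self._allowed_flows = set()

    def filter(self, pkt):
        # Return traffic of a flow that was already allowed bypasses rule evaluation.
        if (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._allowed_flows:
            return "Allow", "(stateful reply)"
        access, name = evaluate(self.rules, pkt)
        if access == "Allow":
            self._allowed_flows.add((pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return access, name

if __name__ == "__main__":
    nsg = NetworkSecurityGroup(PAGE_RULES)
    print(nsg.filter(Packet("Inbound", "TCP", "198.51.100.7", 51001, "10.0.0.4", 3389)))  # DenyRDP
    print(nsg.filter(Packet("Outbound", "TCP", "10.0.0.4", 44001, "203.0.113.9", 25)))    # AllowInternetOutBound
```

Two things the simulator makes visible that the rule tables alone do not: DenyRDP (priority 90) is sorted ahead of AllowSSH (100) and so is consulted first, and outbound traffic to port 25 is still allowed even though AllowWebOutbound only lists 80 and 443, because the default AllowInternetOutBound rule sits underneath. Restricting outbound traffic therefore needs an explicit Deny rule with a custom priority, not just a narrower Allow.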
Best Practices for NSGs
- Use Default Rules Wisely: Understand the default rules and how they affect your traffic.
- Prioritize Rules Carefully: Use lower numbers for more specific or critical rules.
- Leverage Service Tags: Use service tags (e.g., AzureLoadBalancer, Storage) instead of IP addresses where possible.
- Utilize Application Security Groups (ASGs): Group resources with similar security requirements to simplify rule management.
- Apply NSGs at the Subnet Level: For consistent security across all resources in a subnet, apply NSGs to the subnet.
- Limit Rule Complexity: Avoid overly broad rules. Be as specific as your security requirements allow.
- Regularly Review NSG Rules: Periodically audit your NSG rules to ensure they align with current security policies.
- Enable NSG Flow Logs: Use flow logs to monitor traffic and troubleshoot connectivity issues.
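The last two practices (reviewing rules and enabling flow logs) reinforce each other: flow logs record which rule handled each flow, so they show which rules are actually being exercised and by whom. The following parser and summaries are an added example for this page, not Azure tooling. The log document is constructed here in the shape of a version-2 NSG flow log (records, grouped by rule, then by NIC MAC, with comma-separated flow tuples); the VNet range 10.0.0.0/16, the resource ID placeholder and every address in the sample are assumptions.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed NSG flow log in the version-2 schema. Each flow tuple is:
# timestamp,srcIp,dstIp,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D),
# state(B/C/E),packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
# and is grouped under the NSG rule that produced it.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2024-01-15T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<subscription-id>/RESOURCEGROUPS/RG-EXAMPLE/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-EXAMPLE",
    "properties": {"Version": 2, "flows": [
        {"rule": "DenyRDP", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1705312800,198.51.100.7,10.0.0.4,51234,3389,T,I,D,B,,,,",
            "1705312801,198.51.100.7,10.0.0.4,51235,3389,T,I,D,B,,,,",
            "1705312802,198.51.100.7,10.0.0.4,51236,3389,T,I,D,B,,,,",
            "1705312803,203.0.113.9,10.0.0.4,40001,3389,T,I,D,B,,,,"]}]},
        {"rule": "DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1705312804,198.51.100.7,10.0.0.4,51237,445,T,I,D,B,,,,",
            "1705312805,198.51.100.7,10.0.0.4,51238,445,T,I,D,B,,,,"]}]},
        {"rule": "AllowSSH", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1705312806,203.0.113.50,10.0.0.4,55000,22,T,I,A,B,,,,",
            "1705312807,10.0.1.7,10.0.0.4,55001,22,T,I,A,B,,,,"]}]},
        {"rule": "AllowWebOutbound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1705312808,10.0.0.4,203.0.113.80,44000,443,T,O,A,B,,,,",
            "1705312818,10.0.0.4,203.0.113.80,44000,443,T,O,A,C,12,1500,10,8200"]}]},
    ]}}]})

VNET = ip_network("10.0.0.0/16")   # assumed VNet address space for this example

def parse_flow_log(text):
    """Flatten the nested records/rules/NICs/tuples structure into one dict per flow."""
    flows = []
    for record in json.loads(text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    flows.append({
                        "rule": rule_block["rule"], "mac": nic["mac"], "time": int(f[0]),
                        "src_ip": f[1], "dst_ip": f[2], "src_port": int(f[3]), "dst_port": int(f[4]),
                        "protocol": {"T": "TCP", "U": "UDP"}.get(f[5], f[5]),
                        "direction": {"I": "Inbound", "O": "Outbound"}[f[6]],
                        "decision": {"A": "Allow", "D": "Deny"}[f[7]],
                        "state": f[8] if len(f) > 8 else None,              # version 2 only
                        "bytes_out": int(f[10]) if len(f) > 10 and f[10] else 0,
                        "bytes_in": int(f[12]) if len(f) > 12 and f[12] else 0,
                    })
    return flows

def denied_inbound_by_port(flows):
    """How often each destination port was refused: a quick view of what is being probed."""
    return Counter(f["dst_port"] for f in flows if f["direction"] == "Inbound" and f["decision"] == "Deny")

def sources_hitting_rule(flows, rule, minimum):
    """Source addresses that triggered a given rule at least `minimum` times."""
    hits = Counter(f["src_ip"] for f in flows if f["rule"] == rule)
    return {ip: n for ip, n in hits.items() if n >= minimum}

def internet_sources_allowed_in(flows):
    """Allowed inbound flows from outside the VNet: evidence that a 'Source: Any'
    allow rule is really being exercised from the internet and deserves review."""
    return sorted({(f["src_ip"], f["dst_port"], f["rule"]) for f in flows
                   if f["direction"] == "Inbound" and f["decision"] == "Allow"
                   and ip_address(f["src_ip"]) not in VNET})

def bytes_by_rule(flows):
    """Total bytes in both directions per rule (only C/E tuples carry counters)."""
    totals = Counter()
    for f in flows:
        totals[f["rule"]] += f["bytes_out"] + f["bytes_in"]
    return totals

if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    print("denied inbound by port:", denied_inbound_by_port(flows))
    print("sources hitting DenyRDP 3+ times:", sources_hitting_rule(flows, "DenyRDP", 3))
    print("internet sources allowed in:", internet_sources_allowed_in(flows))
    print("bytes by rule:", bytes_by_rule(flows))
```

Run against the sample, the summaries show RDP being refused by DenyRDP (and SMB on 445 by the default DenyAllInBound), one source repeatedly probing, and an SSH session accepted from outside the VNet under AllowSSH, which is exactly the kind of finding that turns a periodic rule review into a decision to narrow a 'Source: Any' rule. In production the same parser applies to the JSON blobs Azure writes to the storage account configured for flow logs.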