Network Security Groups (NSGs) are a fundamental component of Azure networking. They enable you to filter network traffic to and from Azure resources in an Azure virtual network, subscription, resource group, or virtual network subnet. NSGs contain a list of security rules that allow or deny network traffic based on criteria such as source and destination IP address, port, and protocol.
Key Concept: NSGs act as a distributed firewall, controlling traffic flow at the virtual machine or subnet level.
What are Network Security Groups?
A Network Security Group is a logical collection of security rules that you can associate with one or more network interfaces (NICs) or subnets. These rules are evaluated based on priority. When traffic is matched to a rule, that rule's action (Allow or Deny) is applied, and processing stops.
Components of an NSG
- Security Rules: The core of an NSG. Each rule has a priority, name, protocol, source, destination, and action (Allow/Deny).
- Priority: A number between 100 and 4096. Lower numbers have higher priority.
- Direction: Rules can be inbound or outbound.
- Source/Destination: Can be an IP address, CIDR block, service tag, or application security group.
- Port: The port number or range the rule applies to.
- Protocol: TCP, UDP, ICMP, or Any.
- Action: Allow or Deny.
Best Practice: Use service tags (e.g., AzureLoadBalancer, Internet) and application security groups to simplify management and reduce the number of explicit rules.
How NSGs Work
NSGs are processed in the following order:
- Default Rules: Azure creates a set of default inbound and outbound rules with high priorities (low numbers) that cannot be deleted but can be overridden.
- User-Defined Rules: Rules you create, evaluated by priority number.
- Deny All Inbound/Outbound: A final implicit rule with the lowest priority (highest number, 4096) that denies all traffic not explicitly allowed.
When traffic enters or leaves a resource associated with an NSG, Azure evaluates the rules based on their priority. The first rule that matches the traffic's characteristics determines whether the traffic is allowed or denied. If no rule matches, the implicit Deny All rule is applied.
Associations
NSGs can be associated with:
- Network Interfaces (NICs): Filters traffic for a specific VM or resource connected via a NIC.
- Subnets: Filters traffic for all resources within a specific subnet. If an NSG is associated with both a NIC and its subnet, the rules are evaluated separately for inbound and outbound traffic. For inbound traffic, subnet rules are evaluated first, followed by NIC rules. For outbound traffic, NIC rules are evaluated first, followed by subnet rules. In both cases the traffic must be allowed by each NSG it passes through; a deny at either level blocks it.
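To make the evaluation order above concrete (first match by priority, implicit deny when nothing matches, and the subnet-then-NIC / NIC-then-subnet combination), here is a small Python model added for this page. It is illustrative code, not Azure's own engine: service tags and application security groups are not modelled, sources are CIDR blocks or `*`, and the rule sets and IP addresses at the bottom are constructed sample data.

```python
# Added example (not Azure's code): a minimal model of how an NSG evaluates
# rules and how a subnet NSG and a NIC NSG combine on the same path.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    name: str
    priority: int       # lower number = evaluated earlier
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # CIDR block or "*" (service tags/ASGs not modelled)
    dest_ports: str     # "80", "1000-2000", "22,3389" or "*"


@dataclass
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_port: int


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def _source_matches(spec: str, ip: str) -> bool:
    return spec == "*" or ip_address(ip) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First match in ascending priority order decides; processing stops there.
    If nothing matches, the implicit deny-all applies."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != pkt.direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != pkt.protocol.lower():
            continue
        if not _source_matches(r.source, pkt.src_ip):
            continue
        if not _port_matches(r.dest_ports, pkt.dst_port):
            continue
        return r.access
    return "Deny"


def evaluate_path(subnet_rules: Optional[List[Rule]],
                  nic_rules: Optional[List[Rule]], pkt: Packet) -> str:
    """Inbound: subnet NSG, then NIC NSG. Outbound: NIC NSG, then subnet NSG.
    None means no NSG is attached at that level. A deny at either level
    stops the traffic."""
    order = ([subnet_rules, nic_rules] if pkt.direction == "Inbound"
             else [nic_rules, subnet_rules])
    for rules in order:
        if rules is not None and evaluate(rules, pkt) == "Deny":
            return "Deny"
    return "Allow"


# Constructed sample rule sets (203.0.113.0/24 is a documentation range
# standing in for a corporate egress block).
SUBNET_RULES = [
    Rule("AllowHTTP", 100, "Inbound", "Allow", "Tcp", "*", "80"),
    Rule("AllowSSHCorp", 150, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("DenySSHInternet", 200, "Inbound", "Deny", "Tcp", "*", "22"),
]
NIC_RULES = [
    Rule("DenyHTTPOnNic", 100, "Inbound", "Deny", "Tcp", "*", "80"),
]

if __name__ == "__main__":
    for pkt in [Packet("Inbound", "Tcp", "198.51.100.7", 80),
                Packet("Inbound", "Tcp", "198.51.100.7", 22),
                Packet("Inbound", "Tcp", "203.0.113.5", 22),
                Packet("Inbound", "Udp", "198.51.100.7", 53)]:
        print(pkt, "subnet:", evaluate(SUBNET_RULES, pkt),
              "path:", evaluate_path(SUBNET_RULES, NIC_RULES, pkt))
```

The SSH case shows why priority numbers matter: the corporate allow at 150 is reached before the broad deny at 200, so swapping those two numbers would lock the corporate range out as well. The HTTP case shows that an allow on the subnet NSG is not enough when a NIC NSG on the same path denies the port.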
Creating and Managing NSGs
You can create and manage NSGs using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.
Example: Azure CLI Command to Create an NSG
az network nsg create \
--resource-group MyResourceGroup \
--name MyNetworkSecurityGroup
Example: Azure CLI Command to Add an Inbound Rule
az network nsg rule create \
--resource-group MyResourceGroup \
--nsg-name MyNetworkSecurityGroup \
--name AllowHTTP \
--priority 100 \
--protocol Tcp \
--destination-port-ranges 80 \
--direction Inbound \
--access Allow \
--source-address-prefixes '*'
Security Alert: Be cautious when opening ports to the internet. Always follow the principle of least privilege and only allow traffic that is absolutely necessary.
Best Practices for NSGs
- Use Service Tags: Leverage built-in service tags like Internet, VirtualNetwork, and AzureLoadBalancer to define traffic sources and destinations.
- Use Application Security Groups (ASGs): Group VMs with similar firewall roles into ASGs and use ASGs in NSG rules for more granular control.
- Prioritize Rules Logically: Organize your rules by priority to ensure clarity and prevent unexpected behavior.
- Audit Regularly: Periodically review your NSG rules to ensure they are still relevant and effective.
- Deny Unused Ports: Explicitly deny traffic to ports that are not needed.
- Log NSG Flow: Enable NSG flow logs to analyze traffic patterns and troubleshoot connectivity issues.