Network Security Groups (NSGs)
A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to an Azure Virtual Network (VNet). NSGs can be associated with virtual machine network interfaces or with subnets.
What is a Network Security Group?
NSGs act as a basic firewall for controlling traffic to and from Azure resources within your virtual network. Each NSG consists of:
- Inbound Security Rules: Define how to filter inbound traffic to resources within the VNet.
- Outbound Security Rules: Define how to filter outbound traffic from resources within the VNet.
How NSGs Work
When traffic flows to or from a resource associated with an NSG, the NSG inspects the traffic and applies the security rules. Rules are evaluated based on a priority number, with lower numbers indicating higher priority. The first rule that matches the traffic direction, IP address, protocol, and port is applied, and processing stops.
Key Concepts
- Security Rules: Attributes include priority, name, source, destination, protocol, direction (Inbound/Outbound), and allow/deny action.
- Priority: A number between 100 and 4096. Lower numbers have higher priority.
- Associated Resources: NSGs can be associated with Network Interfaces (NICs) or Subnets. Association at the subnet level applies to all NICs in that subnet unless a higher priority rule exists at the NIC level.
- Default Rules: NSGs come with a set of default rules that cannot be deleted but can be modified.
Creating and Managing NSGs
You can create and manage NSGs using the Azure portal, Azure PowerShell, Azure CLI, or Azure Resource Manager (ARM) templates.
Example: Allowing SSH traffic
Azure CLI Example
# Allow inbound TCP/22 from any source. The '*' prefixes match every address and port;
# narrowing --source-address-prefixes to the admin range is the first thing to tighten.
az network nsg rule create \
--resource-group MyResourceGroup \
--nsg-name MyNsg \
--name AllowSSH \
--priority 300 \
--direction Inbound \
--access Allow \
--protocol Tcp \
--source-address-prefixes '*' \
--source-port-ranges '*' \
--destination-address-prefixes '*' \
--destination-port-ranges 22
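As an added illustration (not part of the original page or of Azure's tooling), this Python model replays the priority-ordered, first-match evaluation described under How NSGs Work against the AllowSSH rule created above plus Azure's three default inbound rules, and also flags custom rules that expose a management port to any source. The VNet range 10.0.0.0/16, the admin range 203.0.113.0/24 and the sample source addresses are constructed, and service-tag sources are approximated by plain prefixes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Rule:
    priority: int   # custom rules use 100-4096; the lowest number is evaluated first
    name: str
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # source address prefix (CIDR) or "*"
    dest_port: str  # "22", "1000-2000" or "*"

def _addr_match(prefix: str, addr: str) -> bool:
    return prefix == "*" or ip_address(addr) in ip_network(prefix, strict=False)

def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, src_ip, protocol, dest_port):
    """Walk rules in ascending priority; the first match decides and processing stops."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and _addr_match(r.source, src_ip) and _port_match(r.dest_port, dest_port)):
            return r.access, r.name
    return "Deny", "<no match>"  # never reached while the DenyAll default rule is present

def audit_wide_open(rules, mgmt_ports=(22, 3389)):
    """Names of custom Allow rules that expose a management port to any source."""
    return [r.name for r in rules if r.access == "Allow" and r.priority < 65000
            and r.source == "*" and any(_port_match(r.dest_port, p) for p in mgmt_ports)]

# Azure's default inbound rules. Their service-tag sources are stood in for by constructed
# prefixes: 10.0.0.0/16 for VirtualNetwork, 168.63.129.16/32 for AzureLoadBalancer.
DEFAULTS = [
    Rule(65000, "AllowVnetInBound", "Inbound", "Allow", "*", "10.0.0.0/16", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "Allow", "*", "168.63.129.16/32", "*"),
    Rule(65500, "DenyAllInBound", "Inbound", "Deny", "*", "*", "*"),
]
# The AllowSSH rule from the az command above, and a tightened variant (admin range is constructed).
AS_ON_PAGE = [Rule(300, "AllowSSH", "Inbound", "Allow", "Tcp", "*", "22")] + DEFAULTS
TIGHTENED = [Rule(300, "AllowSSHFromAdmin", "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22")] + DEFAULTS
if __name__ == "__main__":
    for flow in [("198.51.100.7", "Tcp", 22), ("198.51.100.7", "Tcp", 443), ("10.0.1.4", "Tcp", 443)]:
        print(flow, "page rules ->", evaluate(AS_ON_PAGE, "Inbound", *flow),
              "| tightened ->", evaluate(TIGHTENED, "Inbound", *flow))
    print("wide-open management rules:", audit_wide_open(AS_ON_PAGE), audit_wide_open(TIGHTENED))
```

Running it shows the same Internet source reaching port 22 under the page's rule but falling through to DenyAllInBound once the source prefix is narrowed, while VNet-internal traffic is still admitted by the default AllowVnetInBound rule.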
Best Practices
- Use NSGs to segment network traffic between different tiers of your application.
- Apply NSGs to subnets for broader network control.
- Use specific IP addresses and port ranges whenever possible for better security.
- Review and audit NSG rules regularly.
Further Reading
For detailed information, explore the official Microsoft documentation: