Introduction
Network Security Groups (NSGs) are a fundamental component of Azure's security offering. They act as a virtual firewall, enabling you to define granular network traffic rules for your Azure resources. This guide will walk you through the basics of NSGs, their components, and how they help secure your cloud environment.
What are NSGs?
A Network Security Group is a logical grouping of security rules that permits or denies network traffic to Azure resources connected to an Azure Virtual Network (VNet). NSGs can be associated with subnets, individual network interfaces (NICs), or both. When an NSG is associated with both, the rules from both the subnet and the NIC are applied.
Key Components
An NSG contains a list of security rules that allow or deny traffic based on criteria such as source and destination IP address, port, and protocol.
Security Rules
Each NSG consists of a set of security rules. When traffic is evaluated by an NSG, it's matched against these rules in order of priority. There are two types of security rules:
- Inbound security rules: Control traffic entering your resources within the VNet.
- Outbound security rules: Control traffic leaving your resources within the VNet.
Each security rule has the following properties:
Priority
Rules are processed in order of their priority number, starting with the lowest number. A lower number indicates a higher priority. For example, a rule with priority 100 is processed before a rule with priority 200. Processing stops at the first rule that matches the traffic, so that rule's action decides the outcome.
Protocol
Specifies the protocol that the rule applies to. Common options include:
- TCP: Transmission Control Protocol
- UDP: User Datagram Protocol
- ICMP: Internet Control Message Protocol
- Any: Applies to all protocols
Direction
Indicates whether the rule applies to inbound or outbound traffic:
- Inbound: Traffic entering a resource.
- Outbound: Traffic leaving a resource.
Source/Destination
Specifies the source or destination of the traffic. This can be:
- An IP address or CIDR block (e.g., 10.0.0.0/24).
- A service tag (e.g., AzureLoadBalancer, Internet).
- An application security group (ASG).
Port
Specifies the port or range of ports for the traffic. This can be a single port (e.g., 80), a range (e.g., 80-88), or all ports (*).
Action
Determines whether to allow or deny the traffic that matches the rule:
- Allow: Permits the traffic.
- Deny: Blocks the traffic.
Important: Every NSG has a set of default rules that you cannot remove:
- AllowVnetInbound (priority 65000): Allows all inbound traffic within the VNet.
- AllowAzureLoadBalancerInbound (priority 65001): Allows traffic from the Azure Load Balancer to your VMs.
- DenyAllInbound (priority 65500): Denies all inbound traffic except for what's explicitly allowed by higher-priority rules.
- AllowVnetOutbound (priority 65000): Allows all outbound traffic within the VNet.
- DenyAllOutbound (priority 65500): Denies all outbound traffic except for what's explicitly allowed by higher-priority rules.
These default rules ensure basic connectivity and are processed last.
Associating NSGs
You can associate an NSG with:
- A subnet: Rules apply to all resources within that subnet.
- A network interface (NIC): Rules apply to the specific VM or resource associated with that NIC.
If an NSG is associated with both a subnet and a NIC, both sets of rules are applied. Inbound traffic is evaluated first against the NIC's NSG, then against the subnet's NSG. Outbound traffic is evaluated first against the subnet's NSG, then against the NIC's NSG.
Example Scenario
Consider a web application deployed across multiple virtual machines within a subnet. You want to allow incoming HTTP (port 80) and HTTPS (port 443) traffic from the internet, but deny all other inbound traffic.
You would create an NSG and associate it with the subnet. Then, you'd define the following security rules:
# Rule 1: Allow HTTP from Internet
Name: AllowHTTP
Priority: 100
Protocol: TCP
Direction: Inbound
Source: Internet (Service Tag)
Source Port ranges: *
Destination: Any
Destination Port ranges: 80
Action: Allow
# Rule 2: Allow HTTPS from Internet
Name: AllowHTTPS
Priority: 110
Protocol: TCP
Direction: Inbound
Source: Internet (Service Tag)
Source Port ranges: *
Destination: Any
Destination Port ranges: 443
Action: Allow
# Default Deny (implicit, but good to be aware of)
# Deny all other inbound traffic
This setup ensures that only authorized web traffic can reach your application servers.
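To make the priority ordering, the default rules and the "both NSGs must allow" behaviour of subnet plus NIC associations concrete, here is a small Python model of how an NSG evaluates a flow, run against the two rules of the scenario above. It is an added example, not Azure's implementation and not code from the original article. The 10.0.0.0/16 VNet, the 203.0.113.10 client address and the simplified service-tag matching (Internet = any address outside the VNet, AzureLoadBalancer = the probe source 168.63.129.16) are constructed assumptions for the demonstration.

```python
"""Toy model of NSG rule evaluation (added illustration, not Azure's implementation).

Constructed assumptions: a sample VNet of 10.0.0.0/16; the 'Internet' service tag is
modelled as 'any address outside the VNet'; 'AzureLoadBalancer' as the single probe
source 168.63.129.16. Rules are plain dicts in the shape of the example scenario."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")        # constructed sample VNet prefix
AZURE_LB = ipaddress.ip_address("168.63.129.16")  # load balancer probe source (assumed model)


@dataclass(frozen=True)
class Flow:
    direction: str  # "Inbound" or "Outbound"
    protocol: str   # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    dst_port: int


def _addr_matches(spec: str, ip: str) -> bool:
    """Match a source/destination spec: wildcard, service tag, or literal IP/CIDR."""
    addr = ipaddress.ip_address(ip)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":               # simplified service-tag model (assumption)
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    """Match a port spec such as "*", "80", "80-88" or "80,443"."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _matches(r: dict, flow: Flow) -> bool:
    return (r["direction"] == flow.direction
            and r["protocol"] in ("Any", flow.protocol)
            and _addr_matches(r["source"], flow.src_ip)
            and _addr_matches(r["destination"], flow.dst_ip)
            and _port_matches(r["dst_ports"], flow.dst_port))


def rule(name, priority, direction, protocol, source, destination, dst_ports, action):
    return dict(name=name, priority=priority, direction=direction, protocol=protocol,
                source=source, destination=destination, dst_ports=dst_ports, action=action)


# The non-removable defaults listed above, expressed in the same shape as user rules.
DEFAULT_RULES = [
    rule("AllowVnetInbound", 65000, "Inbound", "Any", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    rule("AllowAzureLoadBalancerInbound", 65001, "Inbound", "Any", "AzureLoadBalancer", "*", "*", "Allow"),
    rule("DenyAllInbound", 65500, "Inbound", "Any", "*", "*", "*", "Deny"),
    rule("AllowVnetOutbound", 65000, "Outbound", "Any", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    rule("DenyAllOutbound", 65500, "Outbound", "Any", "*", "*", "*", "Deny"),
]

# The two rules from the example scenario.
WEB_RULES = [
    rule("AllowHTTP", 100, "Inbound", "TCP", "Internet", "*", "80", "Allow"),
    rule("AllowHTTPS", 110, "Inbound", "TCP", "Internet", "*", "443", "Allow"),
]


def evaluate(user_rules: list, flow: Flow) -> tuple:
    """Return (action, rule name). The lowest priority number that matches wins,
    and the default rules are always considered after every user-defined rule."""
    for r in sorted(user_rules + DEFAULT_RULES, key=lambda x: x["priority"]):
        if _matches(r, flow):
            return r["action"], r["name"]
    raise RuntimeError("unreachable: a DenyAll* default matches every flow")


def effective_decision(subnet_rules: list, nic_rules: list, flow: Flow) -> str:
    """With an NSG on both the subnet and the NIC, traffic must be allowed by both;
    the evaluation order does not change the result because both verdicts are required."""
    verdicts = (evaluate(subnet_rules, flow)[0], evaluate(nic_rules, flow)[0])
    return "Allow" if verdicts == ("Allow", "Allow") else "Deny"


if __name__ == "__main__":
    http = Flow("Inbound", "TCP", "203.0.113.10", "10.0.1.4", 80)
    ssh = Flow("Inbound", "TCP", "203.0.113.10", "10.0.1.4", 22)
    print(evaluate(WEB_RULES, http))  # ('Allow', 'AllowHTTP')
    print(evaluate(WEB_RULES, ssh))   # ('Deny', 'DenyAllInbound')
```

Note the last function: if the subnet NSG carries the two web rules but the NIC has an NSG with only the defaults, inbound HTTP from the internet is still denied, because the NIC-level DenyAllInbound is never overridden. Any rule you add to one NSG has to be mirrored in the other, or the second NSG simply not associated.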
Best Practices
- Use Service Tags: Leverage service tags (e.g., Internet, AzureLoadBalancer) instead of hardcoding IP addresses for common Azure services.
- Use Application Security Groups (ASGs): Group VMs with similar port filtering needs into ASGs. This simplifies rule management, especially in large environments.
- Principle of Least Privilege: Only allow the traffic that is absolutely necessary.
- Review and Audit: Regularly review your NSG rules to ensure they are still relevant and effective.
- Order of Operations: Understand that rules are processed by priority. Be mindful when creating overlapping rules.
- Use Descriptive Names: Give your rules clear and descriptive names for easier identification.
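The "least privilege", "review and audit" and "order of operations" points above lend themselves to an automated check. The following constructed Python linter flags inbound Allow rules that open management ports, or all traffic, to broad sources, and rules that can never match because a higher-priority rule always fires first. It is an added example, not an Azure tool or code from the original article; the rule dict shape mirrors the example scenario, and the sample rule set is made up for the demonstration.

```python
"""Constructed NSG rule linter (added illustration only, not an Azure tool). Rules are
plain dicts in the same shape as the example scenario; the sample rule set is made up."""

MGMT_PORTS = {22: "SSH", 3389: "RDP"}     # ports that should not be reachable from "anyone"
BROAD_SOURCES = {"*", "Any", "Internet"}   # source specs that mean "anyone"


def _port_spec_covers(spec: str, port: int) -> bool:
    """True if a port spec such as "*", "22", "80-88" or "80,443" includes `port`."""
    if spec == "*":
        return True
    return any(int(p.partition("-")[0]) <= port <= int(p.partition("-")[2] or p)
               for p in spec.replace(" ", "").split(","))


def _covers(broad: str, narrow: str) -> bool:
    """Conservative: an address spec covers another only if it is a wildcard or identical."""
    return broad in ("*", "Any") or broad == narrow


def find_shadowed(rules):
    """Return (rule, shadowing_rule) pairs: rules that can never match because a
    higher-priority (lower-number) rule always matches the same traffic first."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier["direction"] == later["direction"]
                    and earlier["protocol"] in ("Any", later["protocol"])
                    and _covers(earlier["source"], later["source"])
                    and _covers(earlier["destination"], later["destination"])
                    and earlier["dst_ports"] in ("*", later["dst_ports"])):
                shadowed.append((later["name"], earlier["name"]))
                break
    return shadowed


def find_overexposed(rules):
    """Inbound Allow rules that open management ports, or all traffic, to broad sources."""
    findings = []
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["action"] != "Allow" or r["source"] not in BROAD_SOURCES:
            continue
        if r["protocol"] == "Any" and r["dst_ports"] == "*":
            findings.append((r["name"], f"allows all protocols and ports from {r['source']}"))
        for port, svc in MGMT_PORTS.items():
            if _port_spec_covers(r["dst_ports"], port):
                findings.append((r["name"], f"exposes {svc} ({port}) to {r['source']}"))
    return findings


def _rule(name, priority, direction, protocol, source, destination, dst_ports, action):
    return dict(name=name, priority=priority, direction=direction, protocol=protocol,
                source=source, destination=destination, dst_ports=dst_ports, action=action)


# Constructed sample: the two scenario rules plus four that a review should catch.
SAMPLE_RULES = [
    _rule("AllowHTTP", 100, "Inbound", "TCP", "Internet", "*", "80", "Allow"),
    _rule("AllowHTTPS", 110, "Inbound", "TCP", "Internet", "*", "443", "Allow"),
    _rule("AllowMgmtFromInternet", 120, "Inbound", "TCP", "Internet", "*", "22", "Allow"),
    _rule("AllowHTTPDup", 150, "Inbound", "TCP", "Internet", "*", "80", "Allow"),  # shadowed by AllowHTTP
    _rule("AllowAllInbound", 200, "Inbound", "Any", "*", "*", "*", "Allow"),       # far too broad
    _rule("DenyTelnet", 300, "Inbound", "TCP", "*", "*", "23", "Deny"),            # never reached
]

if __name__ == "__main__":
    for name, why in find_overexposed(SAMPLE_RULES):
        print(f"OVEREXPOSED {name}: {why}")
    for name, by in find_shadowed(SAMPLE_RULES):
        print(f"SHADOWED    {name}: never matches, {by} fires first")
```

The shadowing check is deliberately conservative: it only reports a rule when an earlier rule is a superset on every field it compares, so it will miss partial overlaps but will not produce false positives. A real review would export the effective rules and feed them into something like this rather than reading priorities by eye.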
Next Steps
Now that you understand the basics of Network Security Groups, explore how to: