Introduction to Network Security Groups (NSGs)
What are NSGs?
Azure Network Security Groups (NSGs) act as a virtual firewall for your Azure resources to protect them from unauthorized access. An NSG contains a list of security rules that allow or deny network traffic to your Azure resources. NSGs can be associated with either subnets or individual network interfaces (NICs), and resources within that subnet or on that NIC inherit the NSG's rules.
Think of an NSG as a set of traffic cops for your virtual network. They inspect incoming and outgoing traffic and decide whether to allow it through or block it based on predefined rules.
How NSGs Work
NSGs operate by evaluating security rules based on priority. Each rule has a priority number, with lower numbers being processed first. Rules can be configured to allow or deny traffic based on various parameters:
- Source: IP address, CIDR block, service tag, or application security group.
- Source Port Range: The range of ports the traffic originates from.
- Destination: IP address, CIDR block, service tag, or application security group.
- Destination Port Range: The range of ports the traffic is destined for.
- Protocol: TCP, UDP, ICMP, or Any.
- Action: Allow or Deny.
NSGs process rules in order of priority. Once a rule matches, its action is applied and no further rules are evaluated for that traffic. If none of the rules you define match, evaluation falls through to the built-in default rules, which have the lowest precedence.
NSGs can be associated with:
- Network Interfaces (NICs): Security rules are applied to traffic flowing to or from the resource associated with the NIC.
- Subnets: Security rules are applied to all traffic flowing to or from resources within that subnet.
When an NSG is associated with both the subnet and the NIC of a resource, traffic is evaluated by both NSGs, in this order (a Deny in either NSG blocks the traffic, so it must be allowed by both to pass):
- Inbound traffic is processed first by the subnet's NSG, then by the NIC's NSG.
- Outbound traffic is processed first by the NIC's NSG, then by the subnet's NSG.
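To make the evaluation order concrete, here is a small Python model of the process described above. It is an added example, not Azure's implementation: it assumes a constructed VNet address space of 10.0.0.0/16, treats the Internet service tag as any address outside that space, reproduces the real default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound and their outbound counterparts at priorities 65000 to 65500), and uses a constructed web-tier rule set that allows only ports 80 and 443 inbound. The rule and flow field names are this example's own.

```python
"""Toy model of NSG rule evaluation: first match by priority number, the
built-in default rules, and the subnet-then-NIC layering. Added example,
not Azure's implementation. Constructed assumptions: the VNet address
space is 10.0.0.0/16 and the 'Internet' tag means any address outside it."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

VNET_SPACE = ip_network("10.0.0.0/16")  # constructed VNet address space

# A rule in portal order: priority (lower number is evaluated first), direction
# "Inbound"/"Outbound", access "Allow"/"Deny", protocol "Tcp"/"Udp"/"Icmp"/"*",
# then source prefix, source port range, destination prefix, destination port range.
Rule = namedtuple("Rule", "name priority direction access protocol "
                          "source source_port destination destination_port")
Flow = namedtuple("Flow", "direction protocol src_ip src_port dst_ip dst_port")

# Default rules Azure adds to every NSG (priorities 65000-65500). They cannot
# be deleted, only overridden by custom rules with lower priority numbers.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def prefix_matches(prefix, ip):
    """Match an address against a CIDR, a service tag or the wildcard."""
    addr = ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET_SPACE
    if prefix == "Internet":           # simplification: anything outside the VNet
        return addr not in VNET_SPACE
    if prefix == "AzureLoadBalancer":  # Azure's platform health-probe address
        return addr == ip_address("168.63.129.16")
    return addr in ip_network(prefix, strict=False)


def port_matches(port_range, port):
    """Match a port against "*", a single port "N" or a range "N-M"."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, flow):
    """First matching rule wins, lowest priority number first; the DenyAll
    default guarantees a match, so nothing is evaluated after a hit."""
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != flow.protocol.lower():
            continue
        if (prefix_matches(rule.source, flow.src_ip)
                and port_matches(rule.source_port, flow.src_port)
                and prefix_matches(rule.destination, flow.dst_ip)
                and port_matches(rule.destination_port, flow.dst_port)):
            return rule
    raise RuntimeError("unreachable: a DenyAll default always matches")


def evaluate_layered(subnet_rules, nic_rules, flow):
    """Inbound meets the subnet NSG first, then the NIC NSG; outbound is the
    reverse. Both layers must allow the flow: a Deny at either layer ends it.
    Returns the decision and the names of the rules that fired, in order."""
    layers = [subnet_rules, nic_rules] if flow.direction == "Inbound" else [nic_rules, subnet_rules]
    hits = []
    for layer in layers:
        hit = evaluate(layer, flow)
        hits.append(hit.name)
        if hit.access == "Deny":
            return "Deny", hits
    return "Allow", hits


# Constructed sample: a web-tier subnet NSG admitting HTTP and HTTPS, and a
# NIC NSG on one HTTPS-only VM that additionally refuses plain HTTP.
WEB_SUBNET_NSG = [
    Rule("Subnet-AllowHTTPS", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("Subnet-AllowHTTP", 110, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "80"),
]
WEB_NIC_NSG = [
    Rule("Nic-AllowHTTPS", 100, "Inbound", "Allow", "Tcp", "*", "*", "*", "443"),
    Rule("Nic-DenyHTTP", 110, "Inbound", "Deny", "Tcp", "*", "*", "*", "80"),
]
```

Running `evaluate_layered(WEB_SUBNET_NSG, WEB_NIC_NSG, Flow("Inbound", "Tcp", "203.0.113.5", 51000, "10.0.1.4", 80))` shows the layering: the subnet NSG allows port 80, but the NIC NSG's Deny wins and the flow is dropped. Port 22 from the Internet never reaches the NIC layer because the subnet's DenyAllInBound default fires first. One point worth noticing in the model is that the AllowVnetInBound default admits port 22 from any other address in the VNet, so segmentation between tiers in the same VNet needs explicit Deny rules with a lower priority number than 65000.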
Key Benefits
- Granular Control: Define precise rules to allow or deny traffic based on IP addresses, ports, and protocols.
- Network Segmentation: Isolate resources in different subnets or virtual networks, limiting the attack surface.
- Compliance: Help meet regulatory requirements by enforcing strict network access policies.
- Cost-Effective: Built into Azure, providing essential network security without additional hardware costs.
- Integration: Seamlessly integrates with other Azure services like Virtual Machines, Load Balancers, and Virtual Network Gateways.
Common Use Cases
- Protecting Web Servers: Allow inbound traffic only on ports 80 (HTTP) and 443 (HTTPS) to your web servers, and deny all other inbound ports.
- Securing Database Servers: Restrict inbound access to your database servers to traffic from your application servers only, typically on specific database ports (e.g., 1433 for SQL Server).
- Isolating Development Environments: Create separate NSGs for development and production environments to prevent accidental access or data corruption.
- Enforcing Outbound Restrictions: Limit outbound connections from your virtual machines to only necessary services and ports to prevent malicious software from communicating with command-and-control servers.
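The web-server, database-server and outbound-restriction use cases above can be written down as checks and run against an NSG's exported rules before deployment or during a review. The following Python lint is an added example, not Azure tooling. It assumes rules are dicts using the field names the Azure portal and CLI show (name, priority, direction, access, protocol, sourceAddressPrefix, destinationPortRange), treats "*", "Internet" and "0.0.0.0/0" as public sources, and takes a constructed application-tier prefix of 10.0.1.0/24 together with the SQL Server port 1433 mentioned above. The sample rule set and its hardened counterpart are constructed.

```python
"""Least-privilege lint for an NSG rule set, encoding the web-tier, database-tier
and outbound use cases as checks. Added example; not Azure tooling.

Assumptions: rules are dicts with the portal/CLI field names; '*', 'Internet'
and '0.0.0.0/0' count as public sources; the app-tier prefix and the DB port
are passed in by the caller (constructed values in the sample below)."""
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}
AZURE_DEFAULT_PRIORITY = 65000  # custom rules use 100-4096; built-in defaults start here


def ports_in(port_range):
    """Expand '*', 'N', 'N-M' or a comma-separated list into a set of ports.
    Returns None for '*' (any port)."""
    if port_range == "*":
        return None
    ports = set()
    for part in port_range.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def lint_nsg(rules, public_ports, db_port, app_tier_prefix):
    """Return (rule name, finding) pairs for rules that break the use cases:
    public sources limited to the web ports, the DB port reachable only from
    the app tier, and egress not left to the AllowInternetOutBound default."""
    findings = []
    custom = [r for r in rules if r["priority"] < AZURE_DEFAULT_PRIORITY]
    for r in custom:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        ports = ports_in(r["destinationPortRange"])
        if r["sourceAddressPrefix"] in PUBLIC_SOURCES and (ports is None or not ports <= public_ports):
            findings.append((r["name"], "public source may reach ports outside the web allow-list"))
        if (ports is None or db_port in ports) and r["sourceAddressPrefix"] != app_tier_prefix:
            findings.append((r["name"], "database port %d reachable from outside the app tier" % db_port))
    # Heuristic: with no custom outbound Deny, egress falls through to the
    # AllowInternetOutBound default, so a compromised VM can call out anywhere.
    if not any(r["direction"] == "Outbound" and r["access"] == "Deny" for r in custom):
        findings.append(("<nsg>", "no outbound Deny rule; egress falls through to AllowInternetOutBound"))
    return findings


# Constructed export of a database-tier NSG with two common mistakes.
DB_NSG_RULES = [
    {"name": "AllowSQLFromApp", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "1433"},
    {"name": "AllowRDP", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowSQLFromMgmt", "priority": 210, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.9.0/24", "destinationPortRange": "1433-1434"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Hardened counterpart: the two over-broad Allows removed and an explicit
# outbound Deny added below the default priorities.
DB_NSG_HARDENED = [r for r in DB_NSG_RULES if r["name"] not in {"AllowRDP", "AllowSQLFromMgmt"}] + [
    {"name": "DenyInternetOutBound", "priority": 4000, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
```

`lint_nsg(DB_NSG_RULES, {80, 443}, 1433, "10.0.1.0/24")` reports three findings: AllowRDP exposes a management port to any source, AllowSQLFromMgmt lets a subnet other than the app tier reach the database port, and the NSG has no outbound Deny. The hardened rule set returns no findings. The outbound check is deliberately a heuristic: it only confirms that egress was considered, not that the remaining Allow rules are tight.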