Creating Network Security Group Rules

This tutorial guides you through the process of creating and managing Network Security Group (NSG) rules in Azure. NSG rules control inbound and outbound traffic to Azure resources.

Understanding NSG Rules

An NSG contains a list of security rules that allow or deny network traffic to resources connected to an Azure Virtual Network (VNet). An NSG can be associated with a subnet, with a network interface (NIC), or both. For inbound traffic, Azure evaluates the rules of the NSG on the subnet first and then the NSG on the NIC; for outbound traffic the order is reversed. Traffic must be allowed by both NSGs to pass. NSG rules are stateful: once a flow is allowed in one direction, its return traffic is allowed automatically, so you do not need a matching rule in the opposite direction.

Each rule has the following properties:

  • Name: a name that is unique within the NSG.
  • Priority: a number from 100 to 4096. Rules are evaluated from the lowest number upward and evaluation stops at the first rule that matches.
  • Source and Destination: Any, an IP address or CIDR range, a service tag, or an application security group.
  • Protocol: TCP, UDP, ICMP, or Any.
  • Source port range and Destination port range: a single port, a range (for example 1024-65535), or * for all ports.
  • Direction: Inbound or Outbound.
  • Action: Allow or Deny.

Creating a Rule via Azure Portal

Follow these steps to create a new NSG rule using the Azure portal:

  1. Navigate to the Azure portal and select your Network Security Group.
  2. In the left-hand menu, under Settings, select Inbound security rules or Outbound security rules depending on the direction of traffic you want to control.
  3. Click the + Add button to create a new rule.
  4. Configure the rule properties:
    • Source and Destination: Choose from options like Any, IP Addresses, Service Tags, or Application Security Groups.
    • Source port ranges and Destination port ranges: Enter the desired port numbers or ranges.
    • Protocol: Select TCP, UDP, ICMP, or Any.
    • Action: Choose Allow or Deny.
    • Priority: Assign a number from 100 to 4096 that is not already used by another rule in the same direction. A lower number means a higher priority.
    • Name: Provide a descriptive name for the rule.
    • Description (Optional): Add a brief explanation of the rule's purpose.
  5. Click Add to save the new rule.

Example: Allowing SSH Traffic

To allow inbound SSH traffic (TCP port 22) from any source to a virtual machine, create an inbound rule with these settings:

    • Source: Any
    • Source port ranges: * (SSH clients connect from ephemeral ports, so the source port must not be restricted to 22)
    • Destination: Any, or the VM's private IP address or application security group
    • Destination port ranges: 22
    • Protocol: TCP
    • Action: Allow
    • Priority: 100 (example value; any unused value from 100 to 4096 works)
    • Name: Allow-SSH-Inbound

A rule with Source set to Any exposes the SSH service to the whole internet and to every other network the NSG can see. Unless you genuinely need that, set Source to IP Addresses and enter the address range of your management hosts, so that only those addresses can reach port 22.

Example: Denying Outbound HTTP Traffic

To deny outbound HTTP traffic (TCP port 80) to any destination, create an outbound rule with these settings:

    • Source: Any
    • Source port ranges: *
    • Destination: Any
    • Destination port ranges: 80
    • Protocol: TCP
    • Action: Deny
    • Priority: 100 (example value)
    • Name: Deny-HTTP-Outbound

Because its priority number is lower than that of the default AllowInternetOutBound rule (65001), this rule is matched first and blocks port 80 to the internet. With Destination set to Any it also blocks port 80 to other hosts inside the virtual network, because the default AllowVnetOutBound rule (65000) is likewise evaluated after it. If you only want to block internet-bound HTTP, set Destination to the Internet service tag instead.

Important: NSGs process rules in order of priority, lowest number first, and stop at the first rule that matches the traffic. The default rules use priorities 65000 and above, while custom rules must use 100 to 4096, so every custom rule is evaluated before the defaults. To override a default rule, add a custom rule with the opposite action; its lower number guarantees it is matched first.

Rule Priorities and Default Rules

Every NSG comes with a set of default inbound and outbound rules. They cannot be edited or deleted, but because their priority numbers (65000 and above) are higher than any number a custom rule can use, a custom rule always takes precedence over them. Understanding these default rules is crucial:

Direction Priority Name Source Destination Protocol Port Action Description
Inbound 65000 AllowVnetInBound VirtualNetwork VirtualNetwork Any * Allow Allows all traffic within the virtual network. The VirtualNetwork tag also covers peered virtual networks and on-premises ranges reachable through a gateway.
Inbound 65001 AllowAzureLoadBalancerInBound AzureLoadBalancer Any Any * Allow Allows Azure Load Balancer health probes.
Inbound 65500 DenyAllInBound Any Any Any * Deny Denies all other inbound traffic.
Outbound 65000 AllowVnetOutBound VirtualNetwork VirtualNetwork Any * Allow Allows all traffic within the virtual network.
Outbound 65001 AllowInternetOutBound Any Internet Any * Allow Allows all outbound traffic to the internet.
Outbound 65500 DenyAllOutBound Any Any Any * Deny Denies all other outbound traffic.

Two consequences are easy to miss: by default nothing from the internet can reach your resources, but everything inside the virtual network can, and your resources can reach any internet address. If a workload should not have unrestricted outbound internet access or should not be reachable from every other subnet, you must add custom Deny rules for that.
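The evaluation order described in this section, applied to the two example rules from this page, as an added Python model that is not part of Azure's documentation or code. It orders custom and default rules by priority, stops at the first match, and adds a pre-save check for problems the portal does not warn about (a priority outside 100 to 4096, a duplicate priority in one direction, or SSH/RDP allowed from Any). The service-tag address ranges (a single 10.0.0.0/16 virtual network plus the Azure health-probe address), the rule names and the sample flows are constructed for the example; real service tags expand to Azure-managed prefix lists.

```python
"""Model of how an Azure NSG evaluates a flow: lowest priority number first,
first match wins, default rules (65000 and up) always after custom rules.
Added illustration for this page, not Azure's own code. Service tags are
approximated with constructed address ranges (assumption: one virtual
network, 10.0.0.0/16, plus Azure's documented health-probe address)."""
from dataclasses import dataclass
import ipaddress

VNET_PREFIXES = ["10.0.0.0/16"]                 # constructed VirtualNetwork tag
LOAD_BALANCER_PREFIXES = ["168.63.129.16/32"]   # AzureLoadBalancer health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str    # "Inbound" or "Outbound"
    source: str       # "Any"/"*", a service tag, or a CIDR
    dest: str
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    dest_ports: str   # "*", "22", "80-443", "22,3389"
    action: str       # "Allow" or "Deny"

# The six rules every NSG carries; they cannot be removed, only out-prioritised.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
]

# The two rules from the examples on this page (names are this example's choice).
CUSTOM_RULES = [
    Rule("Allow-SSH-Inbound", 100, "Inbound", "Any", "Any", "Tcp", "22", "Allow"),
    Rule("Deny-HTTP-Outbound", 100, "Outbound", "Any", "Any", "Tcp", "80", "Deny"),
]


def _in_any(ip, prefixes):
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def _addr_matches(spec, addr):
    """Does an address match a rule's Source/Destination field?"""
    if spec in ("*", "Any"):
        return True
    ip = ipaddress.ip_address(addr)
    if spec == "VirtualNetwork":
        return _in_any(ip, VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return _in_any(ip, LOAD_BALANCER_PREFIXES)
    if spec == "Internet":            # everything outside the virtual network
        return not _in_any(ip, VNET_PREFIXES)
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    """Does a port match '*', a single port, a range, or a comma list of those?"""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(custom_rules, direction, src, dst, protocol, dst_port):
    """Return (action, rule name) for the first rule that matches the flow."""
    ordered = sorted((r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if r.protocol not in ("*", protocol):
            continue
        if _addr_matches(r.source, src) and _addr_matches(r.dest, dst) and _port_matches(r.dest_ports, dst_port):
            return r.action, r.name
    raise RuntimeError("no rule matched; the default Deny rules should always catch the flow")


def validate_rules(custom_rules):
    """Pre-save checks the portal does not make for you: priority range, duplicate
    priorities per direction, and management ports (22/3389) allowed from Any."""
    findings, seen = [], set()
    for r in custom_rules:
        if not 100 <= r.priority <= 4096:
            findings.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            findings.append(f"{r.name}: duplicate {r.direction} priority {r.priority}")
        seen.add((r.direction, r.priority))
        if (r.direction == "Inbound" and r.action == "Allow"
                and r.source in ("*", "Any", "Internet")
                and any(_port_matches(r.dest_ports, p) for p in (22, 3389))):
            findings.append(f"{r.name}: allows SSH/RDP from {r.source}")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: an internet client and a peer inside the VNet.
    print(evaluate(CUSTOM_RULES, "Inbound", "203.0.113.5", "10.0.1.4", "Tcp", 22))
    print(evaluate([], "Inbound", "203.0.113.5", "10.0.1.4", "Tcp", 22))
    print(evaluate(CUSTOM_RULES, "Outbound", "10.0.1.4", "10.0.2.7", "Tcp", 80))
    print(validate_rules(CUSTOM_RULES))
```

Running the model shows the points made above: with no custom rules, SSH from the internet ends at DenyAllInBound while SSH from another VNet host is allowed by AllowVnetInBound; with the Deny-HTTP-Outbound rule in place, port 80 is denied even to a host inside the VNet because the custom rule's priority 100 is checked before AllowVnetOutBound at 65000. The model covers a single NSG only; on a real VM the subnet NSG and the NIC NSG are both evaluated and the flow must pass both.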

Warning: Be cautious when modifying or creating rules. An incorrectly configured rule can block legitimate traffic or expose your resources to unwanted access. Always test your rules after implementation: Network Watcher's IP flow verify checks whether a specific flow to or from a VM is allowed or denied and reports which rule made the decision, and the Effective security rules view on a network interface shows the combined result of the subnet and NIC NSGs.

Next Steps

Now that you know how to create NSG rules, learn how to associate NSGs with subnets and network interfaces.