Azure Network Security Group (NSG) Rules
This document provides a comprehensive guide to understanding and configuring Network Security Group (NSG) rules in Microsoft Azure. NSGs are a fundamental component for network security, allowing you to filter network traffic to and from Azure resources in an Azure Virtual Network (VNet).
Understanding NSG Rules
An NSG contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Network interfaces (NICs) or to subnets. NSGs can be associated with a subnet or a NIC, or both. When an NSG is associated with both, the subnet-level rules are applied first.
Key Concepts:
- Direction: Rules can be Inbound (traffic entering your resource) or Outbound (traffic leaving your resource).
- Priority: Rules are processed in order of their priority number, from lowest to highest. A rule with a priority of 100 is processed before a rule with a priority of 200.
- Source/Destination: Specify IP addresses, CIDR blocks, service tags, or application security groups (ASGs) for traffic origins and destinations.
- Protocol: Define rules for TCP, UDP, ICMP, or Any.
- Port Range: Specify a single port, a range of ports, or an asterisk (
*) for all ports. - Action: The action can be Allow or Deny.
Tip: The default rules in an NSG provide basic security. It's recommended to review and customize these rules based on your specific application and security requirements.
Default NSG Rules
When you create an NSG, it automatically comes with a set of default rules. These rules cannot be deleted but can be overridden by user-defined rules with higher priority (lower number).
| Name | Priority | Source | Source Port Range | Destination | Destination Port Range | Protocol | Direction | Action |
|---|---|---|---|---|---|---|---|---|
| VNetInboundDefaultRule | 65500 | VirtualNetwork | * | VirtualNetwork | * | * | Inbound | Allow |
| AllowVnetInbound | 65501 | Any | * | Any | * | * | Inbound | Allow |
| DenyAllInbound | 65500 | Any | * | Any | * | * | Inbound | Deny |
| VnetOutboundDefaultRule | 65500 | VirtualNetwork | * | VirtualNetwork | * | * | Outbound | Allow |
| AllowAzureLoadBalancerInbound | 65000 | AzureLoadBalancer | * | Any | * | * | Inbound | Allow |
| DenyAllOutbound | 65500 | Any | * | Any | * | * | Outbound | Deny |
It's important to note that the default rules are processed after user-defined rules. The rule with the lowest priority number is processed first. For example, a user-defined rule with priority 100 will be processed before the default rules.
Creating and Managing NSG Rules
You can create and manage NSG rules using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.
Using the Azure Portal:
- Navigate to your Network Security Group in the Azure portal.
- Under Settings, select Inbound security rules or Outbound security rules.
- Click Add to create a new rule.
- Fill in the required fields: Source, Source port ranges, Destination, Destination port ranges, Protocol, Action, Priority, and Name.
- Click Add to save the rule.
Example: Allowing SSH traffic
To allow inbound SSH traffic (port 22) to a virtual machine, you would create an inbound security rule:
- Source:
Any(or a specific IP address/range) - Source port ranges:
* - Destination:
Any(or the private IP address of your VM) - Destination port ranges:
22 - Protocol:
TCP - Action:
Allow - Priority: A number lower than any
Denyrules that might block this traffic (e.g.,300). - Name:
AllowSSH
Example: Denying outbound RDP traffic
To deny outbound RDP traffic (port 3389) from your virtual machines:
- Direction:
Outbound - Source:
VirtualNetwork(or a specific IP/range) - Source port ranges:
* - Destination:
Any - Destination port ranges:
3389 - Protocol:
TCP - Action:
Deny - Priority: A number higher than existing
Allowrules but lower than theDenyAllOutboundrule (e.g.,350). - Name:
DenyOutboundRDP
Service Tags and Application Security Groups
Service tags and Application Security Groups (ASGs) simplify rule management by abstracting IP addresses.
- Service Tags: Represent a group of IP address prefixes from a given Azure service (e.g.,
Storage,AppService,WindowsUpdate). Using service tags makes it easier to manage security policies for services. - Application Security Groups (ASGs): Allow you to group virtual machines and their network interfaces by application. You can then use these ASGs as sources or destinations in your NSG rules, making it easier to manage traffic flow between application tiers.
Example using Service Tag: To allow outbound access to Azure Storage accounts, you can use the Storage service tag instead of listing numerous IP addresses.
Example using ASG: If you have a "WebTier" ASG and a "AppTier" ASG, you can create a rule to allow inbound traffic from "WebTier" to "AppTier" on a specific port.
Best Practices
- Principle of Least Privilege: Only allow the necessary traffic. Deny everything else by default.
- Use Service Tags and ASGs: For easier management and reduced complexity.
- Organize Rules: Use descriptive names and maintain a logical priority order.
- Regularly Review Rules: Ensure they align with your current security posture.
- Document Rules: Keep a record of why each rule exists.
- Avoid using
Anyfor Source/Destination: Whenever possible, be specific.