Azure Documentation

Understanding Azure Network Security Group Rules

Network Security Groups (NSGs) act as a virtual firewall for your Azure resources. They enable you to filter network traffic to and from Azure resources in an Azure virtual network. NSGs contain a list of security rules that allow or deny network traffic. NSGs can be associated with subnets or network interfaces.

What are Security Rules?

Each security rule specifies the following attributes: a name, a priority, a source, source port ranges, a destination, destination port ranges, a protocol, a direction (Inbound or Outbound), and an action (Allow or Deny).

Default Security Rules

When you create an NSG, it automatically comes with a set of default rules. These rules cannot be deleted but can be overridden by custom rules with higher priority (lower number).

Name                          | Priority | Source            | Source Port Ranges | Destination    | Destination Port Ranges | Protocol | Direction | Action
------------------------------|----------|-------------------|--------------------|----------------|-------------------------|----------|-----------|-------
AllowVnetInBound              | 65001    | VirtualNetwork    | *                  | VirtualNetwork | *                       | *        | Inbound   | Allow
AllowAzureLoadBalancerInBound | 65002    | AzureLoadBalancer | *                  | *              | *                       | *        | Inbound   | Allow
DenyAllInBound                | 65500    | *                 | *                  | *              | *                       | *        | Inbound   | Deny
AllowVnetOutBound             | 65001    | *                 | *                  | VirtualNetwork | *                       | *        | Outbound  | Allow
DenyAllOutBound               | 65500    | *                 | *                  | *              | *                       | *        | Outbound  | Deny

Creating Custom Security Rules

You can create custom rules to define specific traffic flow policies. Here's an example of creating a rule to allow SSH traffic (port 22) from a specific IP address:

# Example: Allow SSH from a specific IP address
RuleName: AllowSSHFromMyIP
Priority: 300
Source: 203.0.113.1/32
SourcePortRanges: *
Destination: *
DestinationPortRanges: 22
Protocol: Tcp
Direction: Inbound
Action: Allow

Important: Rules are evaluated in order of priority. A rule with a lower priority number is processed before a rule with a higher priority number.

Rule Evaluation Logic

Traffic is evaluated against NSG rules in the following order:

  1. The NSG associated with the target network interface (if any).
  2. The NSG associated with the subnet of the target network interface.

For each NSG, rules are evaluated in ascending priority order (lowest number first); the first rule that matches the traffic decides whether it is allowed or denied, and no further rules in that NSG are evaluated.

Service Tags

Service tags represent a group of IP address prefixes from a given Azure service. Microsoft manages the IP address prefixes included in the service tag and automatically updates the service tag as the addresses change. You can use service tags as a source or destination in your security rules. Examples include Storage, AppService, and WindowsUpdate.
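The following is an added example, not Microsoft's code or part of the original page. It is a small first-match evaluator that ties together the custom AllowSSHFromMyIP rule above, the default-rule table, the priority ordering described under Rule Evaluation Logic, and service-tag expansion. The `SERVICE_TAGS` prefix lists, the `Rule`/`Packet` classes, the `evaluate_nsg`/`evaluate_path` functions, and every IP address in the packets are constructed for illustration; the real prefix lists behind a service tag are maintained by Microsoft and are not reproduced here.

```python
"""Added example: first-match NSG evaluation with priorities, default rules
and service tags. Not Microsoft's code; prefixes and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed service-tag expansion for illustration only (assumption):
# Microsoft manages the real prefix lists and updates them automatically.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Storage": ["192.0.2.0/24"],  # placeholder documentation prefix
}


@dataclass(frozen=True)
class Rule:
    """One NSG security rule with the attributes listed on the page."""
    name: str
    priority: int
    source: str
    source_ports: str
    destination: str
    destination_ports: str
    protocol: str
    direction: str
    action: str


@dataclass(frozen=True)
class Packet:
    """The traffic being evaluated (addresses are constructed samples)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    direction: str


def default_rules():
    """Default rules exactly as given in the page's table (cannot be deleted)."""
    return [
        Rule("AllowVnetInBound", 65001, "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Inbound", "Allow"),
        Rule("AllowAzureLoadBalancerInBound", 65002, "AzureLoadBalancer", "*", "*", "*", "*", "Inbound", "Allow"),
        Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "*", "Inbound", "Deny"),
        Rule("AllowVnetOutBound", 65001, "*", "*", "VirtualNetwork", "*", "*", "Outbound", "Allow"),
        Rule("DenyAllOutBound", 65500, "*", "*", "*", "*", "*", "Outbound", "Deny"),
    ]


# The custom rule from the page: SSH from one address, priority 300 beats 65500.
CUSTOM_SSH_RULE = Rule("AllowSSHFromMyIP", 300, "203.0.113.1/32", "*", "*", "22", "Tcp", "Inbound", "Allow")
NIC_NSG = default_rules() + [CUSTOM_SSH_RULE]


def address_matches(spec, ip):
    """'*' matches anything; a service tag expands to its prefixes; else a CIDR."""
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def port_matches(spec, port):
    """'*', a single port, a range 'a-b', or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def rule_matches(rule, pkt):
    return (rule.direction == pkt.direction
            and (rule.protocol == "*" or rule.protocol.lower() == pkt.protocol.lower())
            and address_matches(rule.source, pkt.src_ip)
            and port_matches(rule.source_ports, pkt.src_port)
            and address_matches(rule.destination, pkt.dst_ip)
            and port_matches(rule.destination_ports, pkt.dst_port))


def evaluate_nsg(rules, pkt):
    """Lowest priority number first; the first matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "Deny", "(no match)"


def evaluate_path(nsgs, pkt):
    """NIC NSG first, then subnet NSG (the order given in the text).
    Traffic must be allowed by every NSG in the path; the first Deny wins."""
    decision = ("Allow", "(no NSG)")
    for rules in nsgs:
        decision = evaluate_nsg(rules, pkt)
        if decision[0] == "Deny":
            return decision
    return decision


if __name__ == "__main__":
    ssh = Packet("203.0.113.1", 51000, "10.0.1.4", 22, "TCP", "Inbound")
    print(evaluate_nsg(NIC_NSG, ssh))                    # custom rule allows
    print(evaluate_path([NIC_NSG, default_rules()], ssh))  # subnet NSG still denies
```

Running the block shows the point a practitioner most often trips over: the custom rule allows SSH on the NIC NSG, but if a subnet NSG without that rule is also in the path, its DenyAllInBound (65500) still drops the traffic, so the rule has to exist in every NSG the packet traverses.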

Ensure your security rules are configured correctly to allow necessary traffic while denying all other traffic to enhance your network security posture.

Next Steps

Learn how to analyze network traffic with NSG Flow Logs.