Microsoft Learn - Network Security Groups

Subnet Association with Network Security Groups

Network Security Groups (NSGs) are a fundamental component of Azure's network security. They allow you to filter network traffic to and from Azure resources in an Azure virtual network (VNet), specific subnets, and specific network interfaces (NICs). This article focuses on how to associate an NSG with a subnet.

Why Associate NSGs with Subnets?

Associating an NSG with a subnet provides network segmentation and security at the subnet level. This means that all resources within that subnet will inherit the security rules defined in the associated NSG. This approach is highly recommended for organizing security policies and ensuring consistent protection across your virtual network.

Tip: Associating an NSG with a subnet is generally more effective for broad security policies than associating with individual NICs, as it simplifies management.

Steps to Associate an NSG with a Subnet

Using the Azure Portal

1. Navigate to your Virtual Network

Sign in to the Azure portal and navigate to the Virtual Network that contains the subnet you want to secure.

2. Select the Subnet

In the Virtual Network blade, under 'Settings', click on 'Subnets'. Select the specific subnet you wish to associate an NSG with.

3. Associate the Network Security Group

On the subnet's configuration page, you'll see an option for 'Network security group'. Click on the dropdown and select 'Basic' or 'Advanced' if you want to create a new NSG, or choose an existing NSG from the list.

If you select 'Basic' or 'Advanced', you can create a new NSG at this point. If you choose an existing NSG, it will be immediately associated with the subnet.

4. Save Changes

Click 'Save' to apply the association. The selected NSG will now be applied to all resources within this subnet.

Using Azure CLI

You can also associate an NSG with a subnet using the Azure Command-Line Interface (CLI). First, ensure you have an existing NSG.

az network vnet subnet update --resource-group <resource-group-name> --vnet-name <vnet-name> --name <subnet-name> --network-security-group <nsg-name>

Replace the placeholder values with your specific resource group name, VNet name, subnet name, and NSG name.

Using Azure PowerShell

Similarly, you can use Azure PowerShell:

$vnet = Get-AzVirtualNetwork -Name "<vnet-name>" -ResourceGroupName "<resource-group-name>"
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "<subnet-name>" -VirtualNetwork $vnet
$nsg = Get-AzNetworkSecurityGroup -Name "<nsg-name>" -ResourceGroupName "<resource-group-name>"
$subnet.NetworkSecurityGroup = $nsg
Set-AzVirtualNetwork -VirtualNetwork $vnet

Remember to replace the placeholder values.

Order of Operations and Precedence

It's important to understand how NSG associations and rules are evaluated:

  • NIC Association vs. Subnet Association: If an NSG is associated with both a NIC and its subnet, both NSGs are processed. The rules are applied in the following order:
      1. Network Security Group associated with the NIC.
      2. Network Security Group associated with the subnet.
  • Within each NSG, rules are processed in priority order, with lower numbers having higher priority.
  • Rules are evaluated for both inbound and outbound traffic.

Note: If a deny rule with the same priority exists in both the NIC-level NSG and the subnet-level NSG, the traffic is denied.

Example Scenario

Consider a virtual network with two subnets: 'FrontEnd' and 'BackEnd'.

  • An NSG named 'AppNSG' is associated with the 'FrontEnd' subnet. It allows inbound traffic on ports 80 and 443 from the internet and denies all other inbound traffic.
  • An NSG named 'DbNSG' is associated with the 'BackEnd' subnet. It allows inbound traffic on port 1433 (SQL Server) only from the 'FrontEnd' subnet's address range and denies all other inbound traffic.

In this setup, web servers in the 'FrontEnd' subnet can receive web traffic, and database servers in the 'BackEnd' subnet can only be accessed by the 'FrontEnd' subnet, enhancing the overall security posture.
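The following Python model is an added example, not part of the Microsoft Learn article: it encodes the AppNSG and DbNSG rule sets from the scenario above and evaluates sample flows using the order of operations described earlier (each associated NSG is consulted in turn, and within an NSG the lowest priority number that matches wins). The subnet address range, source IPs and rule names are constructed assumptions, and "*" as a source is used here to stand for "any / Internet".

```python
import ipaddress
from collections import namedtuple

# A simplified NSG rule: lower priority number is evaluated first.
# "source" is a CIDR prefix or "*" (standing in for the Internet / any source).
Rule = namedtuple("Rule", "name priority direction access protocol source dest_port")

def rule_matches(rule, direction, protocol, src_ip, port):
    """True when direction, protocol, source prefix and destination port all cover the flow."""
    if rule.direction != direction or rule.protocol not in ("*", protocol):
        return False
    if rule.dest_port not in ("*", str(port)):
        return False
    if rule.source != "*" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    return True

def evaluate_nsg(rules, direction, protocol, src_ip, port):
    """Within one NSG the first matching rule in priority order decides.
    Azure's default rules end in DenyAllInbound/DenyAllOutbound, so no match means Deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, direction, protocol, src_ip, port):
            return rule.access
    return "Deny"

def effective_access(nsgs, direction, protocol, src_ip, port):
    """Every NSG on the path (NIC-level, then subnet-level, in the order the article lists)
    must allow the flow; a Deny in any of them blocks it."""
    for rules in nsgs:
        if evaluate_nsg(rules, direction, protocol, src_ip, port) == "Deny":
            return "Deny"
    return "Allow"

# Constructed rule sets for the article's scenario; the address range is an assumption.
FRONTEND_PREFIX = "10.0.1.0/24"
APP_NSG = [  # associated with the FrontEnd subnet
    Rule("AllowHttp", 100, "Inbound", "Allow", "Tcp", "*", "80"),
    Rule("AllowHttps", 110, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("DenyAllInbound", 4096, "Inbound", "Deny", "*", "*", "*"),
]
DB_NSG = [  # associated with the BackEnd subnet
    Rule("AllowSqlFromFrontEnd", 100, "Inbound", "Allow", "Tcp", FRONTEND_PREFIX, "1433"),
    Rule("DenyAllInbound", 4096, "Inbound", "Deny", "*", "*", "*"),
]

if __name__ == "__main__":
    # Internet to a FrontEnd web server and FrontEnd to BackEnd SQL are allowed;
    # the Internet cannot reach SQL directly and FrontEnd cannot reach BackEnd on port 22.
    print(effective_access([APP_NSG], "Inbound", "Tcp", "203.0.113.7", 443))  # Allow
    print(effective_access([DB_NSG], "Inbound", "Tcp", "10.0.1.4", 1433))     # Allow
    print(effective_access([DB_NSG], "Inbound", "Tcp", "203.0.113.7", 1433))  # Deny
    print(effective_access([DB_NSG], "Inbound", "Tcp", "10.0.1.4", 22))       # Deny
```

Passing a NIC-level rule set before DB_NSG in `effective_access` shows the combined evaluation: a Deny at the NIC blocks the flow even though the subnet NSG would allow it.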