Understanding Network Security Group (NSG) Security Rules
Network Security Groups (NSGs) are a fundamental component of Azure networking that allow you to filter network traffic to and from Azure resources in an Azure virtual network. You can associate NSGs with subnets, individual network interfaces (NICs), or both. NSGs contain a list of security rules that allow or deny network traffic based on criteria such as source and destination IP address, port, and protocol.
Key Concepts of NSG Security Rules
Each NSG contains a set of inbound and outbound security rules. Rules are evaluated in order of their priority number, lowest number first. When a packet matches a rule, that rule's allow or deny action is applied and evaluation stops for that packet; no later rule is consulted.
Rule Properties:
- Priority: A number between 100 and 4096. Lower numbers indicate higher priority. Rules are processed in ascending order of priority.
- Source: The source of the traffic. This can be an IP address, CIDR block, service tag, or application security group.
- Source port ranges: The port(s) from which the traffic originates.
- Destination: The destination of the traffic. Similar to source, can be IP address, CIDR block, service tag, or application security group.
- Destination port ranges: The port(s) to which the traffic is directed.
- Protocol: The protocol of the traffic (e.g., TCP, UDP, ICMP, Any).
- Action: Whether to Allow or Deny the traffic.
- Name: A unique identifier for the rule.
- Description: Optional details about the rule.
Default Rules:
When you create an NSG, it comes with a set of default rules. These rules are read-only and provide basic network access:
- AllowVNetInBound (Priority 65500): Allows all traffic within the virtual network.
- AllowAzureLoadBalancerInBound (Priority 65501): Allows Azure load balancer health probe traffic.
- DenyAllInbound (Priority 65502): Denies all inbound traffic except for the specifically allowed inbound traffic.
- AllowVnetOutbound (Priority 65500): Allows all outbound traffic within the virtual network.
- DenyAllOutbound (Priority 65501): Denies all outbound traffic except for the specifically allowed outbound traffic.
It's important to understand that the default rules have the lowest priority (the highest priority numbers). Any custom rule you create has a lower priority number and is therefore evaluated before them. The DenyAllInbound and DenyAllOutbound rules act as a safety net for any traffic that no earlier rule has matched.
Creating and Managing NSG Rules
You can create and manage NSG security rules using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.
Example: Allowing SSH Access to a VM
To allow Secure Shell (SSH) access (port 22) to a virtual machine, you would create an inbound security rule with the following properties:
- Priority: e.g., 300
- Source: Any (or a specific IP address/range for better security)
- Source port ranges: *
- Destination: Any
- Destination port ranges: 22
- Protocol: TCP
- Action: Allow
- Name: AllowSSH
Azure CLI example for allowing SSH:
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNsg --name AllowSSH --protocol Tcp --priority 300 --destination-port-range 22 --access Allow --direction Inbound
Best Practices for NSG Security
- Principle of Least Privilege: Only allow the traffic that is absolutely necessary. Deny all by default and explicitly allow required traffic.
- Use Specific IP Addresses/Ranges: Whenever possible, restrict source and destination IP addresses instead of using 'Any' to minimize the attack surface.
- Leverage Service Tags: Service tags represent a group of IP address prefixes from a given Azure service (e.g., `Storage`, `AzureCloud`). Using service tags simplifies rule management as Azure automatically updates the IP addresses associated with the tag.
- Utilize Application Security Groups (ASGs): ASGs allow you to group VMs and apply network security rules to these groups, simplifying rule management for applications with many VMs.
- Regularly Review NSG Rules: Periodically audit your NSG rules to ensure they are still relevant and secure. Remove any unused or overly permissive rules.
- Layered Security: NSGs are one layer of defense. Combine them with other Azure security services like Azure Firewall, Azure DDoS Protection, and Azure Security Center for comprehensive security.
Remember that NSG rules are processed in priority order and the first match wins. If a rule with a lower priority number allows traffic and a rule with a higher priority number denies the same traffic, the allow rule takes precedence because it is evaluated first; to block something, the deny rule must carry the lower number.
Example: Denying access from a specific IP address
To block traffic from a known malicious IP address to your web servers on ports 80 and 443:
- Priority: e.g., 200 (a lower number, and therefore higher priority, than general allow rules such as AllowSSH at 300)
- Source: 1.2.3.4 (the malicious IP)
- Source port ranges: *
- Destination: Any (or your web server subnet/IP)
- Destination port ranges: 80, 443
- Protocol: Any
- Action: Deny
- Name: BlockMaliciousIP
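The precedence behaviour and the two example rules above, modelled as an added example (not Azure code): rules are sorted by priority number, the first match decides, and the default rules catch everything else. The VirtualNetwork tag is stood in for by a constructed 10.0.0.0/16 prefix, and 168.63.129.16 is used as the load balancer health-probe source.

```python
import ipaddress

# Added example, not Azure code: a minimal model of NSG inbound rule evaluation.
# Rules are sorted by priority number (lowest first) and the first rule whose
# source, destination, destination port and protocol all match decides the packet.
# Default-rule priority numbers follow the article.

def _match_addr(prefix, ip):
    # "Any" matches everything; otherwise a single IP or CIDR prefix.
    if prefix == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)

def _match_port(ranges, port):
    # Accepts "*", "22", "80, 443" or "1000-2000" (comma-separated).
    for item in str(ranges).replace(" ", "").split(","):
        if item == "*":
            return True
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule(name, priority, source, destination, dst_ports, protocol, action):
    return {"name": name, "priority": priority, "source": source,
            "destination": destination, "dst_ports": dst_ports,
            "protocol": protocol, "action": action}

def evaluate(rules, src_ip, dst_ip, dst_port, proto):
    # Returns (rule name, action) of the first match in priority order.
    for r in sorted(rules, key=lambda x: x["priority"]):
        if r["protocol"] not in ("Any", proto):
            continue
        if (_match_addr(r["source"], src_ip) and _match_addr(r["destination"], dst_ip)
                and _match_port(r["dst_ports"], dst_port)):
            return r["name"], r["action"]
    return None, "Deny"  # not reached while the default rules are present

VNET = "10.0.0.0/16"  # constructed stand-in for the VirtualNetwork service tag
INBOUND = [
    rule("BlockMaliciousIP", 200, "1.2.3.4", "Any", "80, 443", "Any", "Deny"),
    rule("AllowSSH", 300, "Any", "Any", "22", "TCP", "Allow"),
    rule("AllowVNetInBound", 65500, VNET, VNET, "*", "Any", "Allow"),
    rule("AllowAzureLoadBalancerInBound", 65501, "168.63.129.16", "Any", "*", "Any", "Allow"),
    rule("DenyAllInbound", 65502, "Any", "Any", "*", "Any", "Deny"),
]

if __name__ == "__main__":
    # The deny at 200 is evaluated before the allow at 300, but only covers 80/443.
    print(evaluate(INBOUND, "1.2.3.4", "10.0.1.5", 80, "TCP"))      # BlockMaliciousIP, Deny
    print(evaluate(INBOUND, "1.2.3.4", "10.0.1.5", 22, "TCP"))      # AllowSSH, Allow
    print(evaluate(INBOUND, "203.0.113.9", "10.0.1.5", 443, "TCP"))  # DenyAllInbound, Deny
```

Note that the deny rule is scoped to ports 80 and 443, so the same source still reaches port 22 through the broader AllowSSH rule.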
NSG Flow Logs
NSG Flow Logs provide visibility into the IP traffic flowing through an NSG. They record information about the originating IP address, destination IP address, source port, destination port, protocol, and whether the traffic was allowed or denied. This is invaluable for troubleshooting connectivity issues and auditing traffic patterns.
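As an added example (not Azure tooling), the kind of review pass the flow-log fields above enable: which sources are hitting deny rules, and which flows an "Any"-source allow rule such as AllowSSH is admitting from outside the ranges you actually trust. The record layout is a constructed, simplified CSV with the fields the article lists, not the real flow-log schema; the sample lines and trusted prefixes are constructed too.

```python
from collections import Counter
import ipaddress

# Added example, not Azure tooling. Constructed simplified record layout:
# time,src_ip,dst_ip,src_port,dst_port,protocol,direction(I/O),decision(A/D)
SAMPLE_LOG = """\
2024-05-01T10:00:01Z,1.2.3.4,10.0.1.5,51000,443,T,I,D
2024-05-01T10:00:02Z,1.2.3.4,10.0.1.5,51001,80,T,I,D
2024-05-01T10:00:03Z,203.0.113.9,10.0.1.5,40000,22,T,I,A
2024-05-01T10:00:04Z,198.51.100.7,10.0.1.5,40500,22,T,I,A
2024-05-01T10:00:05Z,198.51.100.7,10.0.1.5,40501,3389,T,I,D
2024-05-01T10:00:06Z,10.0.2.7,10.0.1.5,55000,8080,T,I,A
"""

FIELDS = ("time", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction", "decision")

def parse_records(text):
    # One dict per non-empty line; ports become ints.
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
        records.append(rec)
    return records

def denied_inbound_by_source(records):
    # Sources whose inbound flows are being dropped (BlockMaliciousIP, DenyAllInbound, ...).
    return Counter(r["src_ip"] for r in records
                   if r["direction"] == "I" and r["decision"] == "D")

def allowed_admin_from_outside(records, admin_port, trusted_prefixes):
    # Allowed inbound flows to the admin port from sources outside the trusted ranges:
    # evidence that an allow rule with source "Any" is broader than it needs to be.
    nets = [ipaddress.ip_network(p) for p in trusted_prefixes]
    return [r for r in records
            if r["direction"] == "I" and r["decision"] == "A" and r["dst_port"] == admin_port
            and not any(ipaddress.ip_address(r["src_ip"]) in n for n in nets)]

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(denied_inbound_by_source(recs).most_common())
    for r in allowed_admin_from_outside(recs, 22, ["203.0.113.0/24", "10.0.0.0/16"]):
        print("review AllowSSH source:", r["src_ip"], "->", r["dst_ip"], r["dst_port"])
```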
By effectively implementing and managing Network Security Group rules, you can significantly enhance the security posture of your Azure deployments.