Azure Networking Tutorials

Understanding Network Security Groups (NSGs) in Azure

Network Security Groups (NSGs) are a fundamental component of network security in Azure. They act as a basic firewall for your virtual machines (and other Azure resources) to control inbound and outbound network traffic. This tutorial will guide you through the concepts, creation, and management of NSGs.

What is a Network Security Group?

An NSG contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated with:

• Subnets: Rules applied to a subnet affect all resources within that subnet.
• Network Interfaces (NICs): Rules applied to a NIC affect only that specific resource.

When you associate an NSG with a subnet and a NIC, Azure applies the rules from both. The order of evaluation and priority of these rules are crucial.

Key Concepts

• Security Rules: Each NSG consists of multiple security rules. These rules are numbered and processed in order of priority.
• Priority: A number from 100 to 4096. Lower numbers have higher priority. Azure processes rules starting from the lowest priority number.
• Direction: Rules can be for Inbound or Outbound traffic.
• Protocol: TCP, UDP, ICMP, or Any.
• Source/Destination: Specify IP addresses, CIDR blocks, service tags, or application security groups.
• Source/Destination Port Ranges: Define the ports for traffic.
• Action: Allow or Deny.

Creating a Network Security Group

You can create an NSG using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.

Using the Azure Portal:

1. Navigate to the Azure portal.
2. Search for "Network security groups" and select it.
3. Click "Create".
4. Fill in the subscription, resource group, name, and region.
5. Click "Review + create" and then "Create".

Associating an NSG with a Subnet or NIC:

After creating an NSG, you need to associate it:

1. Go to your Network Security Group resource.
2. Under "Settings", select "Network Interfaces" or "Subnets".
3. Click "Associate" and choose the desired NIC or subnet.

Managing Security Rules

Once an NSG is created and associated, you can add, modify, or delete security rules.

Adding a Custom Rule:

1. Navigate to your Network Security Group.
2. Under "Settings", select "Security rules".
3. Click "Add".
4. Provide a name, priority, source/destination details, protocol, port, and action (Allow/Deny).
5. Click "Add".

# Azure CLI command example
az network nsg rule create \
  --resource-group <YourResourceGroup> \
  --nsg-name <YourNSGName> \
  --name AllowSSHInbound \
  --priority 300 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --src-port-range '*' \
  --dst-port-range 22 \
  --src-address-prefix '*' \
  --dst-address-prefix '*'
            

Inbound vs. Outbound Security Rules

• Inbound Rules: Control traffic coming *into* your Azure resources (e.g., from the internet or other VNets).
• Outbound Rules: Control traffic going *out* from your Azure resources (e.g., to the internet or other VNets).

Rule Processing Order

Azure processes NSG rules in the following order:

1. Default Inbound Rules (lowest priority first)
2. Custom Inbound Rules (lowest priority first)
3. Default Outbound Rules (lowest priority first)
4. Custom Outbound Rules (lowest priority first)

The first rule that matches the traffic in terms of priority, direction, protocol, and IP addresses determines whether the traffic is allowed or denied. If no rule matches, the traffic is denied by default.

Best Practices

• Use the principle of least privilege: Only allow the traffic that is absolutely necessary.
• Group NSGs logically with subnets or application components.
• Utilize service tags for simplified management.
• Regularly review your NSG rules.
• Consider using Application Security Groups (ASGs) for more granular control over application workloads.