Network Security Groups (NSGs) in Azure are essential for managing network traffic to and from Azure resources in an Azure Virtual Network.
They contain security rules that can either allow or deny inbound and outbound network traffic based on several factors such as source and destination, port, and protocol.
NSGs can be associated with a virtual network subnet, directly with the network interface (NIC) of a virtual machine, or both at once. Associating an NSG with a subnet controls traffic for every resource in that segment; associating one with a network interface scopes the rules to that single VM, which is how you get finer-grained control where a subnet-wide rule would be too broad.
Key Components of NSGs
Security Rules: Each NSG contains security rules that specify the source and destination (an IP address, a CIDR range, a service tag or an application security group), port ranges, and protocol. A rule is matched on the five-tuple (source, source port, destination, destination port, protocol), and NSGs are stateful: once a flow is allowed in one direction, the return packets of that same flow are allowed automatically, so no matching rule is needed in the opposite direction.
Default Security Rules: Azure creates default rules in every NSG. Inbound: AllowVNetInBound (priority 65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500). Outbound: AllowVNetOutBound (65000), AllowInternetOutBound (65001) and DenyAllOutBound (65500). These rules cannot be deleted, but because they sit at the highest priority numbers they can be overridden by any custom rule: custom rules must use a lower number (100 to 4096) and are therefore evaluated first.
Rule Processing Order: Within an NSG, rules are processed in priority order starting from the lowest number, and evaluation stops at the first rule that matches the flow, so a Deny at priority 200 is never reached by traffic that an Allow at priority 100 already matched. For inbound traffic Azure first evaluates the subnet's NSG (if any), then the NSG associated with the network interface; for outbound traffic the order is reversed, network interface first, then subnet. When both levels have an NSG the traffic must be allowed by both; a Deny at either level drops it.
Traffic Filtering: NSGs filter network traffic to and from Azure resources. They are applied to a subnet or to a network interface (not to a virtual network as a whole) and govern both inbound and outbound traffic according to the rules above.
In a nutshell, NSGs are stateful and act as a layer-4 firewall for the resources (such as VMs) behind them. Even traffic from an Azure platform service, for example Azure Load Balancer health probes, must be allowed by the NSG at both the subnet and the NIC level; that is what the default AllowAzureLoadBalancerInBound rule is for, and a custom Deny with a lower priority number can still block it.
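To make the processing order and the "both NSGs must allow" rule concrete, here is a small evaluator I added for this post; it is not Azure's code and does not call any Azure API. It models five-tuple rules, lowest-priority-number-first matching, the six default rules, and the subnet/NIC ordering for inbound versus outbound traffic. The VNet range 10.0.0.0/16, the VM address 10.0.1.4, the public addresses and every rule and flow name below are constructed for the example; only the default rule names and the 168.63.129.16 load-balancer probe address are real. Stateful handling of return traffic is deliberately not modelled.

```python
"""Toy evaluator mimicking how Azure processes NSG rules (added illustration, not
Azure code): five-tuple rules matched lowest priority number first, the default
rules, and subnet/NIC ordering where every NSG in the path must allow the flow."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for the example: the VNet range is assumed; the AzureLoadBalancer
# tag resolves to Azure's documented health-probe source address.
VNET_PREFIXES = ["10.0.0.0/16"]
SERVICE_TAGS = {"VirtualNetwork": VNET_PREFIXES, "AzureLoadBalancer": ["168.63.129.16/32"]}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for custom rules, 65000+ for defaults
    direction: str         # "Inbound" | "Outbound"
    access: str            # "Allow" | "Deny"
    protocol: str          # "Tcp" | "Udp" | "Icmp" | "*"
    source: str            # IP, CIDR, service tag or "*"
    source_port: str       # "22", "1024-65535" or "*"
    destination: str
    destination_port: str

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    source: str
    source_port: int
    destination: str
    destination_port: int

def default_rules():
    """The six rules Azure places in every NSG; they cannot be deleted."""
    return [
        Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
        Rule("AllowVNetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
    ]

def _match_addr(spec, addr):
    if spec == "*":
        return True
    in_vnet = any(ip_address(addr) in ip_network(p) for p in VNET_PREFIXES)
    if spec == "Internet":                       # anything outside the VNet
        return not in_vnet
    prefixes = SERVICE_TAGS.get(spec, [spec])    # service tag, or a literal IP/CIDR
    return any(ip_address(addr) in ip_network(p, strict=False) for p in prefixes)

def _match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")              # single port or "lo-hi" range
    return int(lo) <= port <= int(hi or lo)

def _matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _match_addr(rule.source, flow.source)
            and _match_port(rule.source_port, flow.source_port)
            and _match_addr(rule.destination, flow.destination)
            and _match_port(rule.destination_port, flow.destination_port))

def evaluate_nsg(rules, flow):
    """Lowest priority number first; the first matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule
    raise ValueError("no rule matched; were the default rules dropped?")

def evaluate_path(flow, subnet_nsg, nic_nsg):
    """Inbound: subnet NSG then NIC NSG; outbound: NIC then subnet.
    Every NSG present must allow the flow; the first Deny ends processing."""
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if flow.direction == "Outbound":
        order.reverse()
    trace = []
    for level, rules in order:
        if rules is None:                        # no NSG attached at this level
            continue
        hit = evaluate_nsg(rules, flow)
        trace.append((level, hit.name))
        if hit.access == "Deny":
            return False, trace
    return True, trace

# Constructed scenario: subnet NSG opens SSH from the Internet; NIC NSG keeps only defaults.
SUBNET_NSG = default_rules() + [Rule("AllowSSHFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "22")]
NIC_NSG_DEFAULTS = default_rules()
NIC_NSG_WITH_SSH = default_rules() + [Rule("AllowSSH", 100, "Inbound", "Allow", "Tcp", "*", "*", "10.0.1.4", "22")]
SSH_FROM_INTERNET = Flow("Inbound", "Tcp", "203.0.113.9", 51000, "10.0.1.4", 22)
LB_PROBE = Flow("Inbound", "Tcp", "168.63.129.16", 49152, "10.0.1.4", 80)
HTTPS_OUT = Flow("Outbound", "Tcp", "10.0.1.4", 40000, "203.0.113.50", 443)
if __name__ == "__main__":
    print(evaluate_path(SSH_FROM_INTERNET, SUBNET_NSG, NIC_NSG_DEFAULTS))
```

Running the scenario shows the point of the post: the subnet NSG allows the SSH flow via AllowSSHFromInternet, but the NIC NSG's DenyAllInBound then drops it, so the verdict is a deny with the trace [("subnet", "AllowSSHFromInternet"), ("nic", "DenyAllInBound")]. Swap in NIC_NSG_WITH_SSH and the same flow is allowed; the load-balancer probe passes both levels on the default AllowAzureLoadBalancerInBound rule; and the outbound HTTPS flow is visibly evaluated NIC first, then subnet.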