Network Security Groups

Posted on Sep 06, 2022

An Azure network security group (NSG) filters network traffic to and from Azure resources in an Azure virtual network. An NSG contains the security rules that allow or deny traffic to and from those resources.

An NSG can contain zero rules or as many rules as you need, up to the Azure subscription limit.

The following fields are used to define a rule:

  • Name: a name that is unique within the NSG.
  • Priority: the order in which rules are processed, a number between 100 and 4096. Lower numbers have higher priority and are processed first; once a rule matches, processing stops.
  • Source or destination: Any, an individual IP address, a CIDR block, a service tag, or an application security group.
  • Protocol: TCP, UDP, ICMP, ESP, AH or Any.
  • Direction: inbound or outbound.
  • Port range: a single port or a range of ports (for example 80, or 100-2345).
  • Action: Allow or Deny.

Security rules are evaluated and applied on a five-tuple: source, source port, destination, destination port and protocol.

NSG flow records are stateful: a flow record is created for each existing connection, and traffic is allowed or denied based on the connection state of that flow record.

If inbound traffic is allowed over a port, you do not need to specify an outbound security rule for the response traffic over that port.

Default Security Rules

Azure creates a set of default rules in every network security group you create. You cannot remove the default rules, but you can override them by creating rules with a higher priority (a lower priority number).

Augmented Security Rules

Augmented security rules simplify the security definition for virtual networks, letting you define larger and more complex network security policies with fewer rules. They let you combine multiple ports and multiple explicit IP addresses and ranges into a single, easily understood rule.

Service Tags

A service tag represents a group of IP address prefixes for a given Azure service. Using service tags minimizes the complexity of frequently updating network security rules as those prefixes change.

NSG Traffic Flow and Filtering Process

The following scenario is used to discuss how NSGs are deployed to allow network traffic to and from the Internet over TCP port 80. VM1 and VM2 are in Subnet1, which has NSG1 associated to it; the network interface of VM1 additionally has NSG2 associated. VM3 is in Subnet2, which has no NSG, but NSG2 is associated to its network interface. VM4 is in Subnet3 and has no NSG at either the subnet or the network interface.

Inbound Traffic:

For inbound traffic, Azure processes the rules in the NSG associated to the subnet first, if there is one, and then the rules in the NSG associated to the network interface, if there is one.

For VM1: The rules in NSG1 are processed first, because NSG1 is associated to Subnet1. If NSG1 allows TCP port 80, the traffic is passed on; otherwise it is denied by the DenyAllInbound default security rule and is never evaluated by NSG2. Traffic that NSG1 allows is then evaluated against the rules in NSG2, and if NSG2 also has a rule allowing port 80, the inbound traffic reaches VM1.

For VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. Since VM2 doesn't have a network security group associated to its network interface, it receives all traffic allowed through NSG1 and is denied all traffic denied by NSG1. When a network security group is associated to a subnet, traffic is allowed or denied to all resources in that subnet.

For VM3: Since there's no network security group associated to Subnet2, traffic is allowed into the subnet and processed by NSG2, because NSG2 is associated to the network interface attached to VM3.

For VM4: Traffic is allowed to VM4, because no network security group is associated to Subnet3 or to the network interface in the virtual machine. All network traffic is allowed through a subnet and a network interface if neither has a network security group associated to it.

Outbound Traffic:

For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there's one, and then the rules in a network security group associated to the subnet, if there's one. This includes intra-subnet traffic as well.

For VM1: The security rules in NSG2 are processed first. Unless you create a security rule that denies port 80 outbound to the Internet, the traffic is allowed by the AllowInternetOutbound default security rule in both NSG1 and NSG2. If NSG2 has a security rule that denies port 80, the traffic is denied and never evaluated by NSG1. To deny port 80 from the virtual machine, either or both of the network security groups must have a rule that denies port 80 to the Internet.

For VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 doesn't have a network security group associated to it. The rules in NSG1 are processed.

For VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. If NSG2 has a security rule that allows port 80, then port 80 is allowed outbound to the internet, since a network security group isn't associated to Subnet2.

For VM4: All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3.

Intra-Subnet Traffic

Security rules in an NSG associated to a subnet can affect connectivity between VMs within that subnet. By default, virtual machines in the same subnet can communicate with each other because a default NSG rule allows intra-subnet traffic. If a rule is added to NSG1 that denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other.
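As an added worked example (not from the original post, and not Azure's own code), the following Python model evaluates a five-tuple against an NSG in priority order with Azure's documented default rules appended, then applies the subnet-then-NIC (inbound) and NIC-then-subnet (outbound) ordering to the VM1 to VM4 scenario above, including the intra-subnet case. The 10.0.0.0/16 VNet, the 203.0.113.10 client address, the VM addresses, the rule names Allow-HTTP-In and Deny-HTTP-Out, and the toy resolution of the Internet tag as "anything outside the VNet" are assumptions of this model; the default rule names, priorities and the 168.63.129.16 load-balancer address are Azure's.

```python
"""Toy model of Azure NSG evaluation: rules by priority with first match wins, Azure's
documented default rules, simplified service tags, and the subnet/NIC evaluation order
from the page's scenario. Added example for this page, not Azure's code."""
from dataclasses import dataclass
from typing import NamedTuple, Optional, Sequence, Tuple
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")        # constructed VNet address space
AZURE_LB = ipaddress.ip_address("168.63.129.16")  # Azure's documented load-balancer source

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int               # user rules 100-4096; lower number is evaluated first
    direction: str              # "Inbound" or "Outbound"
    access: str                 # "Allow" or "Deny"
    protocol: str               # "Tcp", "Udp", "Icmp" or "*"
    sources: Sequence[str]      # CIDRs, IPs or service tags; several = augmented rule
    destinations: Sequence[str]
    dest_ports: Sequence[str]   # "80", "100-2345" or "*"
    source_ports: Sequence[str] = ("*",)

class Flow(NamedTuple):         # the five-tuple a rule is matched against
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str

class Decision(NamedTuple):
    allowed: bool
    nsg: Optional[str]          # NSG whose rule decided; None when no NSG applies
    rule: Optional[str]

Nsg = Tuple[str, Sequence[Rule]]  # (name, user rules); the default rules are implicit

def _addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":      # toy tag resolution (assumption): anything outside the VNet
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    return addr in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.protocol in ("*", flow.protocol)
            and any(_addr_matches(s, flow.src_ip) for s in rule.sources)
            and any(_addr_matches(d, flow.dst_ip) for d in rule.destinations)
            and any(_port_matches(p, flow.src_port) for p in rule.source_ports)
            and any(_port_matches(p, flow.dst_port) for p in rule.dest_ports))

# Azure's documented default rules (priorities 65000-65500, present in every NSG).
DEFAULT_RULES = (
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", ("VirtualNetwork",), ("VirtualNetwork",), ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", ("AzureLoadBalancer",), ("*",), ("*",)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", ("*",), ("*",), ("*",)),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", ("VirtualNetwork",), ("VirtualNetwork",), ("*",)),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", ("*",), ("Internet",), ("*",)),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", ("*",), ("*",), ("*",)),
)

def evaluate_nsg(nsg: Nsg, direction: str, flow: Flow) -> Decision:
    """Lowest priority number first; the first matching rule decides and processing stops."""
    name, rules = nsg
    candidates = [r for r in (*rules, *DEFAULT_RULES) if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return Decision(rule.access == "Allow", name, rule.name)
    raise AssertionError("unreachable: a DenyAll* default rule always matches")

def evaluate_vm(subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg], direction: str, flow: Flow) -> Decision:
    """Inbound: subnet NSG then NIC NSG. Outbound: NIC NSG then subnet NSG. Both must allow."""
    order = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    last = Decision(True, None, None)  # no NSG at either level: all traffic allowed
    for nsg in filter(None, order):
        last = evaluate_nsg(nsg, direction, flow)
        if not last.allowed:
            return last  # denied here; the second NSG is never evaluated
    return last

def build_scenario(nsg1_extra: Sequence[Rule] = (), nsg2_extra: Sequence[Rule] = ()) -> dict:
    """The page's scenario as (subnet NSG, NIC NSG) per VM: NSG1 on Subnet1 (VM1, VM2), NSG2 on the
    NICs of VM1 and VM3, VM4 in Subnet3 with no NSG. Both NSGs allow TCP 80 inbound from the Internet."""
    allow_http_in = Rule("Allow-HTTP-In", 100, "Inbound", "Allow", "Tcp", ("Internet",), ("*",), ("80",))
    nsg1: Nsg = ("NSG1", (allow_http_in, *nsg1_extra))
    nsg2: Nsg = ("NSG2", (allow_http_in, *nsg2_extra))
    return {"VM1": (nsg1, nsg2), "VM2": (nsg1, None), "VM3": (None, nsg2), "VM4": (None, None)}

if __name__ == "__main__":
    http_in = Flow("203.0.113.10", 40000, "10.0.1.4", 80, "Tcp")  # constructed Internet client -> VM
    for name, (subnet_nsg, nic_nsg) in build_scenario().items():
        print(name, evaluate_vm(subnet_nsg, nic_nsg, "Inbound", http_in))
```

Running the script prints the inbound port 80 decision for each VM, with the NSG and rule that decided it. The outbound VM1 case from the text is reproduced by passing a Deny rule for TCP 80 to the Internet as nsg2_extra: the decision then comes from NSG2 and NSG1 is never consulted. The intra-subnet case is reproduced by passing deny-all inbound and outbound rules as nsg1_extra, after which a VM1 to VM2 flow is denied by NSG1 in both directions even though NSG2 on VM1's NIC still allows it.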
