Introduction to Network Security Groups
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Introduction to Network Security Groups (NSGs)
In modern cloud computing, the traditional perimeter firewall is no longer sufficient to protect your infrastructure. As workloads shift to distributed environments, the responsibility of securing individual virtual machine instances and subnets falls squarely on the shoulders of cloud administrators. This is where Network Security Groups (NSGs) come into play. An NSG acts as a virtual firewall for your cloud resources, allowing you to filter network traffic to and from resources in an Azure virtual network. By defining granular rules, you can control precisely who can access your servers and what services they can interact with, moving toward a "zero-trust" architecture.
Understanding NSGs is fundamental to cloud security because they represent the first line of defense against unauthorized access. Without properly configured NSGs, your virtual machines are exposed to the public internet or internal lateral movement by malicious actors. This lesson will guide you through the architecture, configuration, and management of NSGs, ensuring you can build hardened network environments that stand up to real-world threats.
Understanding the Architecture of Network Security Groups
At its core, a Network Security Group is a collection of security rules that allow or deny inbound and outbound network traffic. You can associate an NSG with a subnet or an individual network interface (NIC) attached to a virtual machine. When you associate an NSG with a subnet, the rules apply to all virtual machines within that subnet. If you associate an NSG with a specific NIC, the rules apply only to that single interface. This flexibility allows for a layered approach to security, often referred to as "defense in depth."
Callout: Subnet vs. NIC Association Choosing where to apply an NSG is a strategic decision. Applying an NSG to a subnet is generally easier to manage because you can protect a whole group of servers with a single policy. However, applying an NSG to a NIC provides more granular control, allowing you to tailor security rules to the specific needs of a single workload. Often, administrators use both: a subnet-level NSG for broad security policies and a NIC-level NSG for specific application requirements.
Every NSG contains a set of default rules that cannot be deleted, but they can be overridden by higher-priority rules that you create. These default rules allow traffic between virtual machines in the same virtual network, allow outbound traffic to the internet, and deny all other inbound traffic. By creating your own rules, you override these defaults to define your specific security posture.
The Anatomy of a Security Rule
Each security rule within an NSG is defined by a specific set of attributes that dictate how traffic is handled. When a packet arrives, the NSG evaluates rules based on their priority, starting with the lowest numerical value (e.g., 100 is evaluated before 200). Once a rule matches the traffic, processing stops, and the action (Allow or Deny) is applied.
- Priority: A number between 100 and 4096. Lower numbers are processed first.
- Name: A unique identifier for the rule.
- Source/Destination: You can specify IP addresses, IP ranges (CIDR blocks), service tags, or application security groups.
- Protocol: Options include TCP, UDP, ICMP, ESP, AH, or Any.
- Source/Destination Port Ranges: Specific ports (e.g., 80, 443) or ranges (e.g., 1024-65535).
- Action: Either "Allow" or "Deny."
Designing Effective Security Rules
Designing NSG rules requires a clear understanding of your application's communication patterns. Before you write a single rule, map out which services need to talk to each other. For example, a web server needs to accept traffic on port 80 or 443 from the internet, but it should only communicate with a database server on a specific database port (like 1433 for SQL Server).
Using Service Tags
Managing raw IP addresses is error-prone and difficult to maintain as your infrastructure scales. Instead of typing in specific IP ranges for common services, use Service Tags. A Service Tag represents a group of IP addresses from a given Azure service. For instance, if you want to allow traffic from your virtual machines to Azure Storage, you can use the Storage service tag instead of listing all the IP ranges for Azure Storage.
Tip: Minimize Rule Complexity Whenever possible, use Service Tags instead of static IP addresses. This ensures your rules stay up to date automatically as Azure adds or changes IP ranges for its services. If you must use IP addresses, document them thoroughly in your infrastructure-as-code files to avoid "configuration drift."
Practical Example: Creating a Web Server Rule
Suppose you are setting up a public-facing web server. You need to allow HTTP and HTTPS traffic from the internet while blocking everything else.
- Rule 1 (Allow HTTP): Priority 100, Source: Any, Destination: Any, Port: 80, Protocol: TCP, Action: Allow.
- Rule 2 (Allow HTTPS): Priority 110, Source: Any, Destination: Any, Port: 443, Protocol: TCP, Action: Allow.
- Rule 3 (Deny All): Priority 4000, Source: Any, Destination: Any, Port: Any, Protocol: Any, Action: Deny.
This simple configuration ensures that only web traffic reaches your server, while all other ports remain closed to the public.
Step-by-Step: Configuring an NSG via Azure CLI
Using the Azure CLI is often faster and more repeatable than using the web portal. Below is a step-by-step process for creating an NSG and adding a rule.
Step 1: Create the Network Security Group
First, you need to create the NSG resource in your resource group.
az network nsg create \
--resource-group myResourceGroup \
--name myWebServerNSG
Step 2: Create a Rule to Allow HTTP Traffic
Next, add a rule to allow inbound traffic on port 80.
az network nsg rule create \
--resource-group myResourceGroup \
--nsg-name myWebServerNSG \
--name AllowHTTP \
--priority 100 \
--source-address-prefixes '*' \
--source-port-ranges '*' \
--destination-address-prefixes '*' \
--destination-port-ranges 80 \
--access Allow \
--protocol Tcp \
--description "Allow inbound HTTP traffic"
Step 3: Associate the NSG with a Subnet
Finally, apply the NSG to your subnet to activate the rules.
az network vnet subnet update \
--resource-group myResourceGroup \
--vnet-name myVnet \
--name mySubnet \
--network-security-group myWebServerNSG
Warning: Lockdown Remote Management Never leave ports like 22 (SSH) or 3389 (RDP) open to the entire internet (
0.0.0.0/0). If you must access your servers remotely, restrict the source IP to your specific office or home network range. Ideally, use a Bastion service or a VPN instead of exposing management ports directly to the internet.
Advanced Concepts: Application Security Groups (ASGs)
As your environment grows, you will find that managing rules based on IP addresses becomes unmanageable. If you have 50 web servers, you don't want to update 50 different NSGs every time your database IP changes. This is where Application Security Groups (ASGs) become essential.
ASGs allow you to group virtual machines based on their role rather than their IP address. You can define an ASG called "WebServers" and another called "DatabaseServers." Then, you can write an NSG rule that says: "Allow traffic from the 'WebServers' ASG to the 'DatabaseServers' ASG on port 1433." This abstraction layer makes your security policy much easier to read and maintain.
When to use ASGs:
- You have multiple tiers in your application (web, app, data).
- You are using auto-scaling, meaning the number and IP addresses of your VMs change frequently.
- You want to create security policies that are logical and human-readable.
Comparison: NSG vs. Azure Firewall
It is common to confuse NSGs with Azure Firewall. While both provide network filtering, they serve different purposes within a cloud architecture.
| Feature | Network Security Group (NSG) | Azure Firewall |
|---|---|---|
| Scope | Subnet or NIC level | Virtual Network (VNet) level |
| Traffic Type | Layer 3 and Layer 4 (IP/Port) | Layer 3, 4, and 7 (Application/FQDN) |
| Cost | Free | Paid (Managed service) |
| Use Case | Micro-segmentation within a VNet | Perimeter security and egress filtering |
NSGs are best for controlling traffic between subnets and virtual machines, while Azure Firewall is designed to control traffic entering and leaving your entire VNet, including filtering based on specific domain names (e.g., allowing traffic only to api.github.com).
Best Practices for Managing NSGs
Security is a process, not a destination. To keep your network safe, follow these industry-standard practices:
- Principle of Least Privilege: Start by denying all traffic by default, then explicitly allow only the specific ports and protocols required for your application to function.
- Audit Regularly: Use tools like Azure Network Watcher to monitor traffic flows and identify rules that are never used. Remove unused rules to reduce the attack surface.
- Use Infrastructure as Code (IaC): Always define your NSGs using templates (Bicep, ARM, or Terraform). This ensures that your network security configuration is version-controlled, peer-reviewed, and repeatable.
- Avoid Port Overlap: Keep your rule priority numbers spaced out (e.g., 100, 200, 300) rather than sequential (100, 101, 102). This gives you room to insert new rules between existing ones without renumbering everything.
- Enable Flow Logs: Network Security Group Flow Logs allow you to log information about IP traffic flowing through your NSGs. This is crucial for forensic analysis after a security incident.
Common Mistakes and How to Avoid Them
Even experienced engineers often fall into common traps when configuring NSGs. Being aware of these pitfalls can save you hours of troubleshooting.
1. The "Open-to-All" Trap
Many developers, in their rush to get an application working, will set inbound rules to 0.0.0.0/0 for all ports. This is a massive security vulnerability. How to avoid: Always start with the most restrictive rule possible. If the application isn't working, use the "IP Flow Verify" tool in Azure Network Watcher to see exactly which rule is blocking your traffic.
2. Ignoring Outbound Rules
People often focus heavily on inbound traffic but neglect outbound traffic. If a server is compromised, an attacker will try to reach out to a Command and Control (C2) server to download malware. How to avoid: Limit outbound traffic from your subnets to only the specific endpoints required for your services (e.g., restricting access to specific API endpoints).
3. Misunderstanding Rule Priority
A common mistake is assuming that the NSG evaluates all rules and finds the "best fit." In reality, it stops at the first rule that matches the traffic. If you have a "Deny" rule at priority 100 that blocks all traffic from a range, and an "Allow" rule at priority 200 that opens a specific port, the traffic will be blocked. How to avoid: Always double-check your priority numbers and use the "Effective Security Rules" view in the Azure portal to see the final, evaluated state of your rules.
4. Over-complicating Rules
Creating 50 individual rules for 50 different IP addresses is a recipe for disaster. How to avoid: Use Service Tags and Application Security Groups to group similar resources. If you find yourself writing the same rule multiple times, it is time to look at an ASG or a broader subnet-level rule.
Deep Dive: Monitoring and Troubleshooting
When something goes wrong, the first place you should look is the "Effective Security Rules" blade in the Azure portal. This view shows you exactly what rules are being applied to a specific virtual machine, taking into account both the subnet-level NSG and the NIC-level NSG.
Using IP Flow Verify
If you suspect an NSG is blocking legitimate traffic, use the "IP Flow Verify" tool. You provide it with the source IP, destination IP, port, and protocol, and it will tell you exactly which rule is allowing or denying the packet. This is significantly faster than manually auditing hundreds of lines of rules.
Flow Logging for Forensics
If you need to know what happened in the past, you must have NSG Flow Logs enabled. These logs are stored in a storage account and can be analyzed using tools like Azure Sentinel or Power BI. They provide a historical record of every connection attempt, which is invaluable if you are investigating a potential breach or unauthorized access attempt.
Callout: The Zero-Trust Mindset In a zero-trust model, you never assume traffic is safe just because it originates from inside your network. NSGs are the perfect tool to enforce this. By treating your internal traffic with the same level of scrutiny as external traffic—using NSGs to segment your database tier from your web tier—you prevent lateral movement if one of your servers is compromised.
Advanced Scenario: Micro-segmentation
Micro-segmentation is the practice of dividing your network into small, isolated segments to control traffic between individual workloads. While this sounds complex, NSGs make it straightforward.
Imagine a three-tier application:
- Web Tier: Only accepts traffic from the internet on port 443.
- App Tier: Only accepts traffic from the Web Tier on port 8080.
- Data Tier: Only accepts traffic from the App Tier on port 1433.
By creating three separate subnets and assigning an NSG to each, you create a "chokepoint" for traffic. If an attacker gains access to the Web Tier, they cannot directly reach the Data Tier because there is no rule allowing that path. This is the gold standard for cloud network security.
Summary of Key Takeaways
As we conclude this lesson, remember that Network Security Groups are your primary tool for controlling the "who, what, and where" of your network traffic. Keep these core principles in mind as you build your cloud environments:
- Default Deny is Mandatory: Always adopt a "deny by default" stance. Only open the specific doors that your application absolutely needs to function.
- Priority Matters: Remember that rules are processed in order of priority. Keep your rules organized by using non-sequential numbering to allow for future growth.
- Leverage Abstractions: Use Service Tags and Application Security Groups to keep your configuration clean and maintainable. Avoid hardcoding individual IP addresses whenever possible.
- Security is Layered: Use both subnet-level and NIC-level NSGs to create a defense-in-depth strategy. Don't rely on a single rule to protect your entire environment.
- Monitor and Audit: Use tools like IP Flow Verify and Flow Logs to ensure your rules are doing what you think they are doing. Regularly prune rules that are no longer needed.
- Infrastructure as Code: Treat your NSG configurations like software. Use version control and automated deployment pipelines to ensure consistency across your environments.
- Zero-Trust: Assume that any resource could be compromised and design your network to limit the blast radius. Micro-segmentation is your best friend in preventing lateral movement.
By mastering these concepts, you transition from simply "connecting" resources to "securing" them. Network security is not a one-time setup; it is an ongoing practice of refinement, monitoring, and adaptation. As you gain more experience, you will find that these rules become second nature, allowing you to build complex, hardened architectures with confidence.
Frequently Asked Questions (FAQ)
Q: Can I have multiple NSGs on a single VM? A: You can have one NSG on a subnet and another on the NIC of the VM. In this case, the traffic is evaluated against both sets of rules. The traffic must pass both sets of rules to be allowed.
Q: Does an NSG block traffic within the same subnet? A: By default, NSGs do not block traffic between VMs in the same subnet because the default rule allows traffic between all virtual machines in the same virtual network. If you need to isolate VMs within the same subnet, you should move them to different subnets or use Application Security Groups.
Q: What is the limit on the number of rules in an NSG? A: Azure currently allows up to 4096 rules per NSG. While this is a high limit, you should strive to keep your rule sets small and focused to maintain performance and readability.
Q: If I delete an NSG, what happens to my VMs? A: If you delete an NSG that is associated with a subnet or NIC, the resources will no longer have that security layer. It is critical to ensure that you have a replacement or a broader security policy in place before deleting any active NSG.
Q: Can I copy an NSG configuration to another region? A: Yes, you can export your NSG configuration to a template (JSON or Bicep) and deploy that template to a different region. This is a common way to maintain consistent security policies across a global footprint.
Final Thoughts for the Practitioner
The journey to a secure network is continuous. As you move forward, challenge yourself to review your existing NSG rules. Are they still necessary? Are they as restrictive as they could be? Are there any hardcoded IPs that could be replaced with Service Tags or ASGs? By regularly questioning your configuration, you will naturally develop a more secure environment.
Remember that the goal of network security is to enable the business to function while minimizing risk. A well-configured NSG shouldn't just be a barrier; it should be a well-defined path that allows legitimate traffic to flow while efficiently blocking everything else. Stay curious, keep testing your rules, and always prioritize security in your architectural designs.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons