Network Security Groups Design

Network Security Groups Design

Watch the video to deepen your understanding.

Subscribe

Complete the full lesson to earn 25 points

Work through each section, then tap “Mark as Complete” on the last one.

Section 1 of 3

✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro

Lesson: Network Security Group (NSG) Design

Introduction: What is an NSG?

In cloud infrastructure, a Network Security Group (NSG) acts as a virtual firewall for your cloud resources. It contains a list of security rules that allow or deny inbound and outbound network traffic to resources connected to virtual networks (VNets).

Why do we need them? Without NSGs, your cloud resources would be exposed to the public internet or internal lateral movement without any filtering. NSGs provide the "Zero Trust" foundation required to secure cloud environments, ensuring that only authorized traffic reaches your applications, databases, and management interfaces.


How NSGs Work: The Mechanics

An NSG works by evaluating traffic based on a 5-tuple:

  1. Source/Destination IP address
  2. Source/Destination Port
  3. Protocol (TCP, UDP, ICMP, etc.)
  4. Direction (Inbound or Outbound)
  5. Priority (Rules are processed in order from lowest number to highest number)

The Priority System

Rules are processed in priority order. Once traffic matches a rule, processing stops. If you have a rule with priority 100 that allows traffic and another with priority 200 that denies it, the traffic will be allowed. Always remember: Lower numbers = Higher priority.

Default Rules

Every NSG comes with default rules that cannot be removed but can be overridden:

  • AllowVnetInBound: Allows communication between resources within the same VNet.
  • AllowAzureLoadBalancerInBound: Allows health probes from the Azure Load Balancer.
  • DenyAllInBound: The final "fail-safe" that blocks everything not explicitly allowed.

Section 1 of 3
PrevNext