Network Security Groups (NSGs)
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Mastering Network Security Groups (NSGs) in Azure
Introduction: Why Network Security Matters
In the modern landscape of cloud computing, the traditional "perimeter" of a network has largely evaporated. Where we once relied on physical firewalls sitting at the edge of an on-premises data center, cloud environments require a more granular, identity-centric, and software-defined approach to security. When you deploy resources into Microsoft Azure, you are essentially building a private virtual network (VNet) in a shared environment. If you do not configure your traffic controls correctly, you are leaving your virtual machines, databases, and application servers exposed to the entire internet.
Network Security Groups (NSGs) are the fundamental building blocks of Azure network security. Think of an NSG as a virtual firewall that operates at the packet level. It allows you to filter network traffic to and from Azure resources in an Azure virtual network. By applying rules that permit or deny traffic based on source IP, destination IP, port, and protocol, you gain the ability to enforce the principle of least privilege—the security concept that states users and systems should only have the access they absolutely need to perform their functions.
Understanding how to properly configure NSGs is not just a "nice to have" skill for a cloud administrator; it is a critical requirement for maintaining compliance, protecting sensitive data, and ensuring the availability of your applications. Misconfigured NSGs are one of the most common causes of security breaches and service outages in Azure. In this lesson, we will peel back the layers of how NSGs work, how to implement them effectively, and how to avoid the common traps that catch even experienced engineers.
Understanding the Architecture of NSGs
At its core, an NSG is a collection of security rules. These rules are applied to network interfaces (NICs), subnets, or both. When a packet arrives at an Azure resource, the NSG evaluates that packet against its list of rules to determine whether it should be allowed to proceed or be dropped. This evaluation process happens at the infrastructure level, meaning it is highly performant and does not add significant latency to your network traffic.
The Anatomy of an NSG Rule
Every security rule within an NSG consists of several key properties. Understanding these is essential for crafting precise traffic policies. When you create a rule, you must define:
- Priority: A number between 100 and 4096. Rules are processed in priority order, starting from the lowest number. Once a packet matches a rule, processing stops, meaning a high-priority rule will "win" over a lower-priority rule.
- Name: A unique identifier for the rule within the NSG.
- Port: The destination or source port range. You can specify a single port (e.g., 80), a range (e.g., 8000-8080), or an asterisk (*) to indicate all ports.
- Protocol: The transport layer protocol, such as TCP, UDP, ICMP, or ESP. You can also select "Any" to cover all protocols.
- Source/Destination: You can define these using IP addresses, CIDR blocks, Service Tags, or Application Security Groups (ASGs).
- Action: Either "Allow" or "Deny." This dictates whether the traffic is permitted to pass through the filter.
Callout: Default Rules vs. Custom Rules Every NSG you create comes with a set of default rules that cannot be deleted, but can be overridden. These include allowing traffic between virtual machines in the same VNet, allowing traffic from the Azure Load Balancer, and denying all inbound traffic from the internet. Your custom rules are evaluated before these default rules, allowing you to fine-tune security without accidentally opening up your entire environment.
The Evaluation Logic: How Azure Processes Traffic
A common mistake is assuming that rules are evaluated in the order they appear in the portal or that they are cumulative. In reality, Azure uses a "first-match" logic. When a packet enters an NSG, the system starts at the rule with the lowest priority number (e.g., 100). If the packet matches the criteria, the action is taken, and no further rules are checked.
If you have a rule at priority 100 that allows traffic from a specific IP, and a rule at priority 200 that denies all traffic from that same IP, the traffic will be allowed. The priority 200 rule is never even evaluated. This is why planning your priority numbering scheme is vital. It is common practice to leave gaps in your numbering (using 100, 110, 120 instead of 100, 101, 102) so you can easily insert new rules in the future without having to renumber your entire security policy.
Practical Implementation: Step-by-Step
Let's walk through the process of creating an NSG and applying it to a subnet.
Step 1: Creating the NSG
- Navigate to the Azure portal and search for "Network Security Groups."
- Click "+ Create."
- Select your subscription, resource group, and provide a name and region.
- Once created, click on the resource.
Step 2: Defining Inbound Rules
Suppose you have a web server that needs to accept public traffic on port 443 (HTTPS) but should only be manageable via SSH (port 22) from your office IP address.
- Inside the NSG, click on "Inbound security rules."
- Click "+ Add."
- For the HTTPS rule:
- Source: Any
- Source port ranges: *
- Destination: Any
- Destination port ranges: 443
- Protocol: TCP
- Action: Allow
- Priority: 100
- For the SSH rule:
- Source: IP Addresses (Enter your office CIDR, e.g., 203.0.113.0/24)
- Source port ranges: *
- Destination: Any
- Destination port ranges: 22
- Protocol: TCP
- Action: Allow
- Priority: 110
Step 3: Associating with a Subnet
An NSG is not active until it is associated with a subnet or a network interface. To apply this to a subnet:
- In the NSG menu, click "Subnets."
- Click "Associate."
- Select your Virtual Network and the specific subnet.
- Click "OK."
Tip: Subnet vs. NIC Association While you can associate an NSG with a NIC, it is generally best practice to associate them with subnets. Managing NSGs at the subnet level provides a centralized view of security for all resources in that subnet, reducing the likelihood of configuration drift or "forgotten" rules on individual virtual machines.
Advanced Filtering: Service Tags and ASGs
Managing IP addresses for every service is a nightmare. If you want to allow your web servers to talk to an Azure SQL Database, you would traditionally need to know the IP range of the database. Azure simplifies this with Service Tags.
Using Service Tags
A Service Tag represents a group of IP addresses from a specific Azure service. Instead of typing in a list of IP ranges for Azure Storage or Azure SQL, you simply use the tag Storage or Sql. Azure updates these ranges automatically as the cloud platform changes, ensuring your security rules never become obsolete.
- Common Service Tags:
Internet: Represents any traffic outside the VNet.VirtualNetwork: Represents the entire VNet, including peered VNets.AzureLoadBalancer: Represents the infrastructure probe that monitors your health.Sql: Represents the IP ranges for Azure SQL services.
Application Security Groups (ASGs)
Application Security Groups allow you to group your virtual machines based on their role rather than their IP address. For example, you might have a group of VMs labeled "WebServers" and another labeled "DatabaseServers." Instead of writing rules for individual VM IPs, you can write a rule that says: "Allow traffic from the 'WebServers' ASG to the 'DatabaseServers' ASG on port 1433." This makes your security policy much easier to read and maintain as your environment scales.
Code-Based Management: Azure CLI and PowerShell
For production environments, you should rarely manage NSGs through the web portal. Automating your security infrastructure ensures consistency, allows for version control, and prevents manual errors. Below is an example of how to create an NSG and a rule using the Azure CLI.
Creating an NSG with Azure CLI
# Create the Network Security Group
az network nsg create \
--resource-group MyResourceGroup \
--name MyWebNSG \
--location eastus
# Create an Inbound Rule for HTTPS
az network nsg rule create \
--resource-group MyResourceGroup \
--nsg-name MyWebNSG \
--name AllowHTTPS \
--protocol tcp \
--priority 100 \
--destination-port-ranges 443 \
--access allow
Explaining the Script
The az network nsg create command initializes the container for your rules. The az network nsg rule create command follows by defining the specific traffic flow. Notice how we use parameters like --priority and --destination-port-ranges to map directly to the settings we discussed earlier. By using scripts, you can deploy the same security template across multiple environments (Dev, Test, Prod) to ensure identical security postures.
Warning: The "Deny All" Trap Be extremely careful when adding "Deny" rules. It is very easy to accidentally lock yourself out of your own servers. Always ensure that you have an "Allow" rule for your management traffic (like SSH or RDP) before you add a broad "Deny" rule, and test your changes in a non-production environment first.
Best Practices for Network Security Groups
To maintain a secure and manageable Azure environment, follow these industry-standard best practices:
- Follow the Principle of Least Privilege: Start with a "Deny All" approach. Only open the specific ports required for your application to function.
- Use Descriptive Names: Do not name your rules "Rule1" or "Test." Use names like "Allow-HTTPS-From-Internet" or "Deny-SSH-From-Public-IP." This makes auditing and troubleshooting significantly faster.
- Document Your Rules: Keep a record of why a rule exists. If you see a rule in six months, you should be able to identify who requested it and why it was necessary.
- Leverage ASGs and Service Tags: Avoid hard-coding IP addresses whenever possible. Using dynamic identifiers makes your rules more resilient to changes in the Azure backbone.
- Enable NSG Flow Logs: NSG Flow Logs are a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through your NSGs. This is crucial for security analysis, compliance, and troubleshooting.
- Avoid Overlapping Rules: While the priority logic handles overlaps, having multiple rules that cover the same traffic can lead to confusion. Keep your rule set clean and concise.
- Regular Audits: Periodically review your NSGs to remove rules that are no longer needed. Stale rules are a common source of security vulnerabilities.
Common Pitfalls and Troubleshooting
Even with the best planning, things can go wrong. Here are some of the most common issues engineers face with NSGs:
- The "Hidden" Deny Rule: Users often forget that the default behavior of an NSG is to deny all inbound traffic from the internet unless explicitly allowed. If your traffic isn't flowing, check the default rules first.
- Conflicting Rules: If you have an NSG on a subnet and an NSG on a NIC, remember that both are evaluated. Traffic must pass through both to reach the VM. This "double-filtering" is a frequent cause of confusion.
- Ignoring Effective Security Rules: Azure provides an "Effective Security Rules" view in the portal for each network interface. If you are struggling to understand why traffic is being blocked, look at this view. It shows you the final, calculated set of rules that are actually being applied to the VM, combining all NSGs that affect it.
- Forgetting Load Balancer Probes: If you are using a load balancer, you must allow traffic from the
AzureLoadBalancerservice tag. If you block this, the load balancer will mark your servers as unhealthy and stop sending traffic to them, even if your application is running perfectly.
Comparison: NSGs vs. Azure Firewall
It is important to distinguish between NSGs and other security services like Azure Firewall.
| Feature | Network Security Group (NSG) | Azure Firewall |
|---|---|---|
| Scope | Subnet or NIC | Entire VNet (Hub-and-Spoke) |
| Filtering | Layer 3/4 (IP, Port, Protocol) | Layer 3, 4, and 7 (FQDN, URL, etc.) |
| Management | Distributed (per NSG) | Centralized |
| Cost | Free | Paid Service |
| Best For | Basic traffic filtering | Advanced, perimeter-based security |
Callout: When to use what? Use NSGs for your day-to-day traffic management between subnets and for basic port filtering. Use Azure Firewall when you need to control traffic based on fully qualified domain names (FQDNs), perform deep packet inspection, or manage security centrally across a large, enterprise-scale network.
The Role of NSGs in a Larger Strategy
NSGs do not exist in a vacuum. They are one component of a "Defense in Depth" strategy. In a robust Azure security architecture, you would combine NSGs with:
- Azure Bastion: To provide secure RDP/SSH access to your VMs without exposing them to the public internet.
- Azure Front Door or WAF: To protect your web applications from common exploits like SQL injection or cross-site scripting.
- Azure Policy: To enforce that all new subnets must have an associated NSG, preventing "security-less" deployments.
- Network Watcher: To visualize traffic flows and troubleshoot connectivity issues.
By integrating these tools, you move from a reactive security stance to a proactive one. You are no longer just "hoping" your firewall rules are enough; you are building a layered system where if one control fails, another is there to back it up.
Key Takeaways
As we conclude this lesson, let’s summarize the most important concepts to keep in your toolkit:
- Priority is Everything: Always remember the rule of 100-4096. Your rules are processed in order, and the first match wins. Use gaps in your numbering to allow for future flexibility.
- Default Rules are Your Foundation: Understand that the default rules are always present. You don't need to explicitly block things that are already blocked by default, but you must explicitly allow the traffic your application requires.
- Subnet Association is Preferred: While you can apply NSGs to individual NICs, managing them at the subnet level is cleaner and less prone to configuration errors as your infrastructure scales.
- Use Service Tags and ASGs: These abstractions are your best friends. They make your rules more readable, easier to maintain, and resilient to the changing IP landscape of the Azure cloud.
- Effective Security Rules are Your Best Tool for Debugging: If you ever get stuck, navigate to the "Effective Security Rules" tab on your virtual machine's NIC. It shows you the exact state of your network permissions, taking the guesswork out of troubleshooting.
- Defense in Depth: Never rely on NSGs alone. They are a vital layer in your security posture, but they work best when combined with identity management, application firewalls, and regular monitoring.
- Automation Over Manual Configuration: Use Infrastructure as Code (IaC) tools like Azure CLI, PowerShell, or ARM templates to manage your NSGs. This ensures that your security policies are consistent, versioned, and reproducible.
By mastering Network Security Groups, you are taking a significant step toward becoming a proficient Azure administrator. You now have the knowledge to protect your virtual networks, enforce compliance, and troubleshoot complex connectivity issues with confidence. Keep practicing these configurations in a lab environment, and always prioritize the principle of least privilege in every rule you write.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons