Azure Network Security Groups

Azure Network Security Groups (NSGs) provide a mechanism for managing and securing network traffic within Azure virtual networks.

Azure Proprietary Cloud Service Only
Category Network Security
Pricing Details Pricing varies based on usage and configuration; refer to Azure pricing page for details.
Target Audience Network administrators, cloud architects, and security professionals.

Azure Network Security Groups (NSGs) filter network traffic to and from resources in an Azure virtual network. An NSG is a list of security rules, each of which allows or denies inbound or outbound traffic based on source and destination address, protocol, and source and destination port.

An NSG is associated with a subnet, with a network interface, or with both, and one NSG can be associated with many subnets and interfaces at once. The documented limits are 1,000 security rules per NSG and 5,000 NSGs per region per subscription (older documentation cites 200 rules per NSG and 100 NSGs, raisable through a support request); check the Azure subscription and service limits page for the values that apply to your subscription.

Within a single NSG, rules are evaluated in priority order (custom rules use priorities 100 to 4096, lower numbers first); the first rule whose direction, protocol, source, destination and ports match decides the outcome, and no later rule is consulted. When both the subnet and the network interface have an NSG, Azure evaluates inbound traffic against the subnet NSG first and then the interface NSG, and outbound traffic against the interface NSG first and then the subnet NSG. Traffic must be allowed by both NSGs to pass; a deny at the first stage ends evaluation and the second NSG is never consulted. A subnet-level NSG also applies to traffic between resources within the same subnet, so intra-subnet communication is filtered as well.

Associating NSGs at both levels is a common source of confusion: an allow rule on the interface NSG has no effect if the subnet NSG denies the same traffic, or simply has no matching allow and falls through to its default deny, and the resulting failure looks like a connectivity problem rather than a policy one. Unless there is a specific reason to layer them, associate NSGs at one level only. Where both are present, the effective security rules view on the network interface and Network Watcher's IP flow verify show which rule actually decided a given flow.

Each rule specifies a name, a priority, a direction (Inbound or Outbound), an access action (Allow or Deny), a protocol (TCP, UDP, ICMP, ESP, AH or Any), a source and a destination (IP addresses or CIDR blocks, a service tag such as Internet, VirtualNetwork or AzureLoadBalancer, or an application security group), and source and destination port ranges. Augmented security rules, available in the Resource Manager deployment model, let a single rule carry multiple IP prefixes, port ranges, service tags or application security groups, so a policy such as "management ports from the corporate ranges" needs one rule rather than one rule per prefix and port.

Every NSG also carries a fixed set of default rules that cannot be deleted: for inbound traffic, AllowVnetInBound (priority 65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500); for outbound traffic, AllowVnetOutBound (65000), AllowInternetOutBound (65001) and DenyAllOutBound (65500). Because their priorities lie far below the 100 to 4096 range available to custom rules, any custom rule takes precedence, so a default can be overridden (for example, a Deny rule for a database port from VirtualNetwork), but the baseline itself, including the implicit deny of inbound traffic from the internet, stays in place even when no custom rules are configured.
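To make the evaluation order and the role of the default rules concrete, the following Python model was written for this page; it is not Azure's code. Rules use the field names of a Resource Manager `securityRules` entry (`priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix` or the augmented `sourceAddressPrefixes`, `destinationPortRange` or `destinationPortRanges`, and so on), the six default rules are included at their real priorities, and a flow is checked against a subnet NSG and a NIC NSG in the order described above. The VNet address space, the corporate ranges, the VM address and both rule sets are constructed sample data, and the `VirtualNetwork`, `Internet` and `AzureLoadBalancer` service tags are approximated (Azure maintains the real address sets); only the evaluation logic is meant to be faithful.

```python
"""Model of Azure NSG rule evaluation. Added example for this page, not Azure code.

Rules use the field names of an ARM / `az network nsg show` securityRules entry.
Service tags are approximated: VirtualNetwork = the constructed VNET_SPACE below,
Internet = any address outside it, AzureLoadBalancer = 168.63.129.16 (probe source).
"""
import ipaddress

VNET_SPACE = [ipaddress.ip_network("10.0.0.0/16")]      # constructed VNet address space
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")   # AzureLoadBalancer tag


def _plural(singular):
    # sourceAddressPrefix -> sourceAddressPrefixes, destinationPortRange -> destinationPortRanges
    return singular + ("es" if singular.endswith("Prefix") else "s")


def _rule(name, priority, direction, access, protocol, src, dst, dport):
    """Build a rule in ARM shape. A list value fills the plural (augmented-rule) field."""
    rule = {"name": name, "priority": priority, "direction": direction,
            "access": access, "protocol": protocol, "sourcePortRange": "*"}
    for singular, value in (("sourceAddressPrefix", src),
                            ("destinationAddressPrefix", dst),
                            ("destinationPortRange", dport)):
        rule[_plural(singular) if isinstance(value, list) else singular] = value
    return rule


# The six default rules every NSG carries; they cannot be deleted, only out-prioritised.
DEFAULT_RULES = [
    _rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    _rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    _rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    _rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    _rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    _rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _values(rule, singular):
    """List form of a property, whichever of the singular/plural fields is set."""
    return rule.get(_plural(singular)) or [rule.get(singular, "*")]


def _addr_match(prefix, ip):
    if prefix in ("*", "0.0.0.0/0"):
        return True
    if prefix == "VirtualNetwork":
        return any(ip in net for net in VNET_SPACE)
    if prefix == "Internet":
        return not any(ip in net for net in VNET_SPACE)
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(prefix, strict=False)   # single IP or CIDR


def _port_match(port_range, port):
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")                  # "443" or "1000-2000"
    return int(low) <= port <= int(high or low)


def _matches(rule, pkt):
    proto_ok = rule["protocol"] == "*" or rule["protocol"].lower() == pkt["proto"].lower()
    return (proto_ok
            and any(_addr_match(p, pkt["src"]) for p in _values(rule, "sourceAddressPrefix"))
            and any(_addr_match(p, pkt["dst"]) for p in _values(rule, "destinationAddressPrefix"))
            and any(_port_match(r, pkt["sport"]) for r in _values(rule, "sourcePortRange"))
            and any(_port_match(r, pkt["dport"]) for r in _values(rule, "destinationPortRange")))


def packet(src, dst, proto, dport, sport=50000):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}


def evaluate_nsg(custom_rules, direction, pkt):
    """One NSG: lowest priority number first, first match wins, defaults sit underneath."""
    candidates = [r for r in custom_rules + DEFAULT_RULES if r["direction"] == direction]
    for rule in sorted(candidates, key=lambda r: r["priority"]):
        if _matches(rule, pkt):
            return rule["access"], rule["name"]
    raise RuntimeError("unreachable: a DenyAll default rule always matches")


def evaluate_path(subnet_rules, nic_rules, direction, pkt):
    """Inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG. Every stage
    must allow the flow; a Deny stops evaluation. None means no NSG at that level.
    Returns (access, stage that decided, rule name)."""
    stages = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        stages.reverse()
    verdict = ("Allow", "none", "no NSG associated")
    for stage, rules in stages:
        if rules is None:
            continue
        access, name = evaluate_nsg(rules, direction, pkt)
        verdict = (access, stage, name)
        if access == "Deny":
            break
    return verdict


# Constructed sample policy. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for corporate egress; 192.0.2.0/24 stands in for an arbitrary internet host.
CORP = ["203.0.113.0/24", "198.51.100.0/24"]
SUBNET_NSG = [
    _rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    _rule("AllowMgmtFromCorp", 110, "Inbound", "Allow", "Tcp", CORP, "*", ["22", "3389"]),   # augmented rule
    _rule("DenyPostgresFromVnet", 4000, "Inbound", "Deny", "Tcp", "VirtualNetwork", "*", "5432"),  # beats AllowVnetInBound
]
NIC_NSG = [
    _rule("AllowSshFromAnywhere", 100, "Inbound", "Allow", "Tcp", "*", "*", "22"),   # too broad; masked by the subnet NSG
    _rule("AllowHttps", 200, "Inbound", "Allow", "Tcp", "*", "*", "443"),
]
VM = "10.0.1.4"   # constructed VM address inside VNET_SPACE

if __name__ == "__main__":
    flows = [
        ("Inbound", packet("192.0.2.50", VM, "Tcp", 443)),    # Allow: both NSGs allow 443
        ("Inbound", packet("192.0.2.50", VM, "Tcp", 22)),     # Deny at subnet despite the NIC allow
        ("Inbound", packet("203.0.113.7", VM, "Tcp", 3389)),  # Deny at NIC: subnet allows, NIC falls to DenyAllInBound
        ("Inbound", packet("10.0.2.9", VM, "Tcp", 5432)),     # Deny: custom rule 4000 overrides default 65000
        ("Inbound", packet("10.0.2.9", VM, "Tcp", 8080)),     # Allow via AllowVnetInBound at both stages
        ("Outbound", packet(VM, "192.0.2.50", "Tcp", 443)),   # Allow via AllowInternetOutBound
    ]
    for direction, pkt in flows:
        print(direction, pkt["src"], "->", pkt["dst"], pkt["dport"],
              evaluate_path(SUBNET_NSG, NIC_NSG, direction, pkt))
```

The second and third flows are the conflict described above from both sides: SSH from an arbitrary internet host is allowed by the NIC NSG but never reaches it because the subnet NSG falls through to DenyAllInBound, while RDP from a corporate range passes the subnet NSG's augmented rule and is then dropped by the NIC NSG, which has no matching allow. Passing `None` for one level shows how the same flows behave once the NSG is associated at a single level only.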

In summary, Azure NSGs provide a robust mechanism for filtering network traffic, giving fine-grained control over ingress and egress in Azure virtual networks, while requiring careful management of rule priorities and of subnet versus interface associations so that the rule that decides a flow is the one the administrator intended.
