Network Security Group

Network Security Groups (NSGs)

  • Network Security Groups are stateful Layer 3/4 packet filters that control traffic to and from Azure resources within virtual networks (no application-layer inspection)
  • Act as a subnet-level or NIC-level security layer containing access control rules based on source/destination address, port, and protocol
  • Each NSG can hold up to 1,000 security rules (the documented per-NSG limit)
  • Rules are processed in priority order (100-4096 for custom rules; the lower the number, the earlier the rule is evaluated)

Rule Processing Logic

  • NSG rules use 5-tuple matching: source address, source port, destination address, destination port, protocol
  • Stateful behavior means return traffic for an allowed connection is permitted automatically; no rule is needed for the reverse direction
  • If no custom rule matches, the default rules (priorities 65000 and above) decide; they cannot be deleted, only pre-empted by a custom rule with a lower priority number
  • Processing stops at the first matching rule, so ordering is critical: a broad rule at a low priority number shadows every later, more specific rule

Default Security Rules

  • AllowVnetInBound (priority 65000): permits traffic whose source and destination both fall under the VirtualNetwork service tag, which covers the VNet address space, peered VNets, and on-premises ranges reachable through a VNet gateway, not only the local address space
  • AllowAzureLoadBalancerInBound (priority 65001): allows Azure Load Balancer health probes
  • DenyAllInBound (priority 65500): blocks all other inbound traffic
  • The outbound defaults mirror this: AllowVnetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500); note that outbound Internet access is open unless a custom rule denies it

NSG Association and Scope

Association Options

  • Subnet-level: Applied to all resources within the subnet (recommended approach)
  • NIC-level: Applied only to specific network interface of a VM
  • Both levels can be used simultaneously - subnet NSG processed first for inbound, NIC NSG processed first for outbound

Traffic Flow Evaluation

  • Inbound: Internet → Subnet NSG → NIC NSG → VM
  • Outbound: VM → NIC NSG → Subnet NSG → Internet
  • Each NSG evaluation is independent - traffic must pass both if associated at multiple levels
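The following is an added example, not Azure code: a small Python model of the evaluation described in the three sections above (priority order, first match, default rules, and subnet-then-NIC stacking). The VNet address space, the ASG membership, the single stand-in prefix for the AzureLoadBalancer tag, and the treatment of Internet as "anything outside the VirtualNetwork tag" are assumptions made for the example; the real service tags are Microsoft-maintained prefix lists.

```python
"""Model of NSG rule evaluation: priority order, first match, default rules,
service tags, ASGs, and subnet + NIC stacking. Added example, not Azure code.
VNet space, ASG membership and the AzureLoadBalancer prefix are stand-ins."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_PREFIXES = [ip_network("10.0.0.0/16")]                # assumed VNet address space
ASG_MEMBERS = {"WebTier-ASG": {"10.0.1.4", "10.0.1.5"}}  # assumed ASG membership
SERVICE_TAGS = {
    "VirtualNetwork": VNET_PREFIXES,
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],  # one probe address stands in for the tag
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for custom rules, 65000+ for the defaults
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # CIDR, service tag, ASG name or "*"
    source_port: str     # "443", "8000-8080" or "*"
    destination: str
    destination_port: str

def _addr_match(spec: str, addr: str) -> bool:
    """Match one address against a CIDR, a service tag, an ASG name or '*'."""
    if spec == "*":
        return True
    ip = ip_address(addr)
    if spec == "Internet":  # simplification: anything outside the VirtualNetwork tag
        return not any(ip in net for net in SERVICE_TAGS["VirtualNetwork"])
    if spec in SERVICE_TAGS:
        return any(ip in net for net in SERVICE_TAGS[spec])
    if spec in ASG_MEMBERS:
        return addr in ASG_MEMBERS[spec]
    return ip in ip_network(spec, strict=False)

def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port

def default_rules(direction: str) -> list:
    """Rules Azure adds to every NSG; custom rules can pre-empt but not delete them."""
    if direction == "Inbound":
        return [
            Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
            Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
            Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
        ]
    return [
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
    ]

def evaluate(rules, direction, proto, src, sport, dst, dport):
    """Walk custom + default rules by ascending priority; return (access, name) of the first match."""
    for r in sorted(list(rules) + default_rules(direction), key=lambda x: x.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != proto.lower():
            continue
        if (_addr_match(r.source, src) and _port_match(r.source_port, sport)
                and _addr_match(r.destination, dst) and _port_match(r.destination_port, dport)):
            return r.access, r.name
    raise RuntimeError("unreachable: a DenyAll default rule always matches")

def evaluate_path(subnet_rules, nic_rules, direction, proto, src, sport, dst, dport):
    """Inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG.
    Each NSG is evaluated independently and the first Deny wins. None = no NSG at that level."""
    order = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        order.reverse()
    for level, rules in order:
        if rules is None:
            continue
        access, name = evaluate(rules, direction, proto, src, sport, dst, dport)
        if access == "Deny":
            return "Deny", f"{level}:{name}"
    return "Allow", "all levels"

# Constructed sample policy: the subnet NSG admits HTTPS to the web ASG, the NIC NSG is stricter.
SUBNET_RULES = [
    Rule("AllowHTTPSFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "WebTier-ASG", "443"),
    Rule("DenyRDPFromInternet", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "3389"),
]
NIC_RULES = [Rule("DenyAllFromInternet", 100, "Inbound", "Deny", "*", "Internet", "*", "*", "*")]

if __name__ == "__main__":
    # Allowed by the subnet NSG, then dropped by the NIC NSG: both levels must allow.
    print(evaluate_path(SUBNET_RULES, NIC_RULES, "Inbound", "Tcp", "203.0.113.7", 51000, "10.0.1.4", 443))
    # Intra-VNet SSH matches no custom rule and falls through to AllowVnetInBound at both levels.
    print(evaluate_path(SUBNET_RULES, NIC_RULES, "Inbound", "Tcp", "10.0.2.9", 51000, "10.0.1.4", 22))
```

The point the model makes concrete: the NIC-level deny wins even though the subnet NSG allows the flow, and a packet that matches no custom rule is decided by whichever default rule it hits first, which for intra-VNet traffic is an allow.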

Security Rule Configuration

Property            | Description                                            | Example values
--------------------|--------------------------------------------------------|--------------------------------------------------
Priority            | Processing order (100-4096); lowest number is evaluated first | 100, 200, 1000
Source/Destination  | IP address or CIDR, service tag, or ASG                | 10.0.0.0/16, Internet, VirtualNetwork, WebTier-ASG
Port ranges         | Single port, range, comma-separated list, or wildcard  | 80, 443, 8000-8080, *
Protocol            | Transport protocol                                     | TCP, UDP, ICMP, ESP, AH, Any
Action              | Allow or deny matching traffic                         | Allow, Deny

Service Tags

  • Predefined IP address prefixes for Azure services (automatically updated by Microsoft)
  • Common tags: Internet, VirtualNetwork, AzureLoadBalancer, Storage, Sql
  • Regional variants available (e.g., Storage.EastUS for region-specific endpoints)

Application Security Groups (ASGs)

  • Logical grouping of VMs for security rule application
  • Enables micro-segmentation without managing individual IP addresses
  • Example: Group web servers in “WebTier-ASG” and reference in NSG rules instead of specific IPs

Practical Implementation

Common Rule Patterns

  • Web tier: Allow ports 80/443 from Internet, deny all other inbound
  • Database tier: Allow port 1433 only from application tier subnet, deny Internet access
  • Management: Allow RDP (3389) or SSH (22) from specific admin subnets only

Best Practices

  • Use descriptive rule names and document purpose in description field
  • Start with priority 100 and increment by 100 to allow future insertions
  • Apply NSGs at subnet level unless VM-specific rules required
  • Leverage service tags instead of hardcoded IP ranges when possible
  • Regular audit of rules - remove unused or overly permissive entries
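As an added example (not Azure tooling) of the audit the Best Practices above call for, this Python script checks a rule set for three things that the Common Rule Patterns and the first-match semantics make important: Allow rules that expose a management port (22/3389) to the Internet, rules that are shadowed by a higher-priority rule and therefore never take effect (or are merely redundant when both rules have the same action), and rules with no description. The rule dicts are constructed for the example; the field names are the script's own, not the az CLI output shape, and service tags and ASG names are treated as opaque labels that only cover themselves.

```python
"""Static audit of an NSG rule set: management ports exposed to the Internet,
rules shadowed by a higher-priority rule, and missing descriptions.
Added example, not Azure tooling. Rule dicts are constructed for the example."""
from ipaddress import ip_network

MGMT_PORTS = (22, 3389)
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

def port_bounds(spec: str):
    """'*' -> whole range, '22' -> (22, 22), '8000-8080' -> (8000, 8080)."""
    if spec == "*":
        return 0, 65535
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo), int(hi)
    return int(spec), int(spec)

def port_covers(outer: str, inner: str) -> bool:
    olo, ohi = port_bounds(outer)
    ilo, ihi = port_bounds(inner)
    return olo <= ilo and ihi <= ohi

def addr_covers(outer: str, inner: str) -> bool:
    """'*' covers everything, equal specs cover each other, CIDRs by containment.
    Service tags and ASG names are opaque here and only cover themselves."""
    if outer == "*" or outer == inner:
        return True
    try:
        return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))
    except (ValueError, TypeError):
        return False

def covers(outer: dict, inner: dict) -> bool:
    """True if every packet matched by `inner` is already matched by `outer`."""
    return (outer["direction"] == inner["direction"]
            and outer["protocol"] in ("*", inner["protocol"])
            and addr_covers(outer["source"], inner["source"])
            and port_covers(outer["sourcePort"], inner["sourcePort"])
            and addr_covers(outer["destination"], inner["destination"])
            and port_covers(outer["destinationPort"], inner["destinationPort"]))

def audit(rules):
    """Return (rule name, finding) pairs, walking rules in evaluation order."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["priority"])
    for i, r in enumerate(ordered):
        if r["access"] == "Allow" and r["direction"] == "Inbound" and r["source"] in ANY_SOURCE:
            lo, hi = port_bounds(r["destinationPort"])
            exposed = [p for p in MGMT_PORTS if lo <= p <= hi]
            if exposed:
                findings.append((r["name"], f"allows management port(s) {exposed} from {r['source']}"))
        if not r.get("description"):
            findings.append((r["name"], "missing description"))
        for earlier in ordered[:i]:  # lower priority number = evaluated first
            if covers(earlier, r):
                verdict = "redundant" if earlier["access"] == r["access"] else "never takes effect"
                findings.append((r["name"], f"shadowed by {earlier['name']} (priority {earlier['priority']}): {verdict}"))
                break
    return findings

RULES = [  # constructed sample rule set
    {"name": "AllowHTTPS", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "Internet", "sourcePort": "*",
     "destination": "WebTier-ASG", "destinationPort": "443", "description": "Public HTTPS to web tier"},
    {"name": "AllowAnyInbound", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "source": "*", "sourcePort": "*",
     "destination": "*", "destinationPort": "*", "description": ""},
    {"name": "DenyRDP", "priority": 120, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "source": "Internet", "sourcePort": "*",
     "destination": "*", "destinationPort": "3389", "description": "Block RDP from the Internet"},
    {"name": "AllowSSHFromAdmins", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "10.0.100.0/24", "sourcePort": "*",
     "destination": "*", "destinationPort": "22", "description": "SSH from the admin subnet"},
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

In the sample, the wildcard rule at priority 110 is the real problem: it exposes 22 and 3389 to everything, and it silently neutralises the RDP deny at 120, which is exactly the failure the "order matters" and "increment by 100" advice is meant to prevent.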

Monitoring and Troubleshooting

  • NSG Flow Logs record each flow's allow/deny decision together with the rule that made it, written through Network Watcher to a Storage Account; Microsoft is retiring NSG flow logs in favor of virtual network flow logs, so plan new deployments on the latter
  • Effective Security Rules view shows combined rules from subnet and NIC NSGs
  • Network Watcher’s IP Flow Verify tests specific traffic scenarios against NSG rules
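The flow log bullet above is easier to act on with a parser in hand. The following is an added example, not Azure tooling: it flattens the records → rules → NICs → flowTuples nesting of an NSG flow log (version 2), counts flows per rule and decision, and flags inbound sources that were denied on several distinct ports. The log is constructed for the example and follows the documented tuple layout (timestamp, source IP, destination IP, source port, destination port, T/U, I/O, A/D, then the version 2 flow state and byte/packet counters).

```python
"""Parse NSG flow log (version 2) records: decisions per rule and denied inbound
sources. Added example, not Azure tooling; the log below is constructed."""
import json
from collections import Counter, defaultdict
from typing import Iterator, NamedTuple

class Flow(NamedTuple):
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str    # "T" tcp or "U" udp
    direction: str   # "I" inbound or "O" outbound
    decision: str    # "A" allowed or "D" denied
    state: str       # "B" begin, "C" continuing, "E" end (version 2 only)
    nsg: str
    rule: str

def iter_flows(log: dict) -> Iterator[Flow]:
    """Flatten records -> rules -> NICs -> tuples. The byte/packet counters after
    the state are ignored here; version 1 tuples simply lack the trailing fields."""
    for rec in log["records"]:
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for per_rule in rec["properties"]["flows"]:
            for nic in per_rule["flows"]:
                for raw in nic["flowTuples"]:
                    f = raw.split(",")
                    state = f[8] if len(f) > 8 else ""
                    yield Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                               f[5], f[6], f[7], state, nsg, per_rule["rule"])

def rule_hits(log: dict) -> Counter:
    """Count flows per (NSG, rule, decision): shows which rules actually fire."""
    return Counter((f.nsg, f.rule, f.decision) for f in iter_flows(log))

def denied_inbound_scanners(log: dict, min_ports: int = 3) -> dict:
    """Sources denied on several distinct destination ports: a crude port-scan signal."""
    ports = defaultdict(set)
    for f in iter_flows(log):
        if f.direction == "I" and f.decision == "D":
            ports[f.src_ip].add(f.dst_port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

# Constructed sample in the NSG flow log v2 shape (timestamps, MAC and addresses made up).
SAMPLE_LOG = json.loads("""{
 "records": [{
  "time": "2024-05-01T10:00:00.000Z",
  "category": "NetworkSecurityGroupFlowEvent",
  "resourceId": "/SUBSCRIPTIONS/0000/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
  "properties": {"Version": 2, "flows": [
   {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
     "1714557600,198.51.100.23,10.0.1.4,50001,22,T,I,D,B,,,,",
     "1714557601,198.51.100.23,10.0.1.4,50002,3389,T,I,D,B,,,,",
     "1714557602,198.51.100.23,10.0.1.4,50003,445,T,I,D,B,,,,",
     "1714557603,198.51.100.23,10.0.1.4,50004,8080,T,I,D,B,,,,"]}]},
   {"rule": "UserRule_AllowHTTPSFromInternet", "flows": [{"mac": "000D3A000001", "flowTuples": [
     "1714557610,203.0.113.7,10.0.1.4,51000,443,T,I,A,B,,,,",
     "1714557670,203.0.113.7,10.0.1.4,51000,443,T,I,A,E,12,1800,10,9800"]}]}
  ]}
 }]
}""")

if __name__ == "__main__":
    for key, n in sorted(rule_hits(SAMPLE_LOG).items()):
        print(f"{key[0]} {key[1]} {key[2]}: {n} flows")
    print("possible scanners:", denied_inbound_scanners(SAMPLE_LOG))
```

The rule name in each record (DefaultRule_… or UserRule_…) is what ties a denied flow back to the Effective Security Rules view: a burst of DefaultRule_DenyAllInBound hits on the same destination usually means expected traffic has no matching custom rule, while hits spread across many ports from one source look like a scan.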

Notes

  • NSGs themselves are free; flow log storage and Traffic Analytics are billed separately
  • Rules can reference on-premises ranges as ordinary CIDRs; the VirtualNetwork tag also covers on-premises prefixes learned through a VPN Gateway or ExpressRoute gateway, so relying on that tag alone does not isolate the VNet from on-premises networks
  • Default rules cannot be deleted but can be pre-empted by custom rules using lower priority numbers
  • NSG changes are applied asynchronously and can take a couple of minutes to propagate across the network infrastructure
  • The number of NSGs per region per subscription is a soft limit (5,000 at the time of writing; check the current Azure networking limits)
  • When troubleshooting connectivity, check the outbound rules on the source side and the inbound rules on the destination side; because NSGs are stateful the return traffic needs no rule of its own, so a block almost always means one of those two evaluations denied the initial packet
  • Consider using Azure Firewall for more advanced features like FQDN filtering, threat intelligence, and centralized logging across multiple VNets