Azure architectureNetworkingIntermediate46 min read

What Is Network Security Group in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A Network Security Group, or NSG, is like a firewall for your cloud resources. It uses rules to allow or deny traffic based on things like IP addresses and ports. You attach an NSG to a subnet or a network card to protect your virtual machines.

Common Commands & Configuration

az network nsg create --name MyNSG --resource-group MyRG --location eastus

Creates a new network security group named MyNSG in the specified resource group and region.

Often appears in AZ-104 and Azure Fundamentals exams testing foundational commands for creating network resources. You must know the required parameters: name, resource-group, and location.

az network nsg rule create --nsg-name MyNSG --resource-group MyRG --name AllowSSH --priority 100 --direction Inbound --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 22 --protocol Tcp --access Allow

Creates an inbound rule to allow SSH (TCP 22) from any source to any destination within the NSG.

Classic scenario for testing rule creation. Exams like AZ-104 ask about mandatory parameters like priority, direction, and access. Note the use of '*' wildcard; exams test if you know how to specify specific ranges.

az network nsg rule list --nsg-name MyNSG --resource-group MyRG --output table

Lists all rules in the NSG in a table format for quick review.

Used for troubleshooting and auditing. Exam questions may ask you to verify existing rules, and this command is faster than the portal. Understand the output fields like priority, source, and destination.

az network nsg show --name MyNSG --resource-group MyRG --query 'securityRules[?direction==`Inbound`].{Name:name,Priority:priority}'

Displays only the inbound rules with their names and priorities using a JMESPath query.

Demonstrates advanced filtering which is common in AZ-104 automation questions. Exams test your ability to extract specific data using --query parameter.

az network watcher flow-log configure --nsg MyNSG --resource-group MyRG --enabled true --retention 90 --storage-account mystorageaccount

Enables NSG flow logs for the specified NSG with a 90-day retention policy, storing logs in the given storage account.

Critical for SC-900 and Security+ exams that test logging and monitoring. Know that enabling flow logs has cost implications and requires a storage account. Retention policy is a common configuration detail.

az network watcher test-ip-flow --resource-group MyRG --vm MyVM --direction Inbound --protocol TCP --local 10.0.0.4:3389 --remote 203.0.113.1:*

Tests whether inbound RDP traffic from a remote IP to a VM is allowed or denied by the NSG.

IP Flow Verify is a key troubleshooting tool for AZ-104. Exams test scenarios where you need to quickly check if a specific flow is blocked. Understand the parameters: local (VM IP and port), remote (source IP and port).

az network nsg rule update --nsg-name MyNSG --resource-group MyRG --name DenyAllInbound --priority 150 --access Deny

Updates an existing rule to change its priority or action. Here, we change the priority of a deny rule to 150.

Tests your knowledge of modifying existing rules. In exams, you might need to adjust rule priorities to troubleshoot connectivity issues. Understand that priority must be between 100 and 4096.

Network Security Group appears directly in 50exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on AZ-104. Practise them →

Must Know for Exams

Network Security Groups are a core concept in several major certification exams. For the Azure exams (AZ-104, Azure Fundamentals, SC-900), NSGs are frequently tested. You need to understand the difference between NSG at the subnet level versus the NIC level, the evaluation order of rules, default rules, statefulness, and the use of service tags and application security groups. In AZ-104, expect scenario-based questions where you must decide which NSG configuration solves a particular connectivity or security requirement. For example, you might be asked to allow web traffic from the internet to a specific web server while blocking all other inbound traffic, and you need to choose the correct NSG rule configuration.

For Security+ and CySA+, NSGs represent a practical example of host-based or network-based firewalling. These exams focus on the concept of default-deny, least privilege, and segmentation. You may be asked to identify that an NSG is the appropriate solution for filtering traffic at the network layer before it reaches the operating system.

For the CISSP, NSGs tie into domain 4 (Communication and Network Security) and domain 3 (Security Architecture and Engineering). You need to understand how NSGs implement network access control lists (ACLs) and how they fit into a defense-in-depth strategy. The CISSP is more conceptual, but you might see a question that asks about stateful vs. stateless firewalls; NSGs are stateful, and that is a key distinguishing feature.

For AWS SAA, NSGs are not tested directly because this is an Azure term. However, the equivalent in AWS is Security Groups, and the concepts are parallel. If you are preparing for both platforms, knowing NSG helps you understand AWS Security Groups faster. For MD-102 and MS-102, NSGs appear in the context of managing endpoints and securing access to Azure AD joined devices. You might need to configure NSG rules to allow MDM enrollment traffic or block legacy protocols.

Simple Meaning

Imagine you are organizing a big party at a rented hall. The hall has several rooms, and each room can be entered through a door. You want to control who goes where so that only the right guests get into the right rooms.

A Network Security Group is like a bouncer standing at the door of each room. The bouncer has a list of rules written on a clipboard. One rule might say that anyone from your family is allowed into the main room, but strangers are stopped at the door.

Another rule might say that guests can leave through the back door only if they have a special exit pass. In the cloud world, your hall is your Azure environment. Each room is a virtual machine or a subnet (a group of machines).

The bouncer (the NSG) checks every single piece of traffic that tries to enter or leave that room. The traffic could be a web request coming from the internet to your website, or a file copy going from one server to another. The bouncer does not check the actual data inside the traffic – it only looks at the envelope: who sent it (the source IP address), where it is going (the destination IP address and port), what type of transport it uses (TCP or UDP), and the direction (inbound or outbound).

If the traffic matches an allow rule, it is let through. If it matches a deny rule, it is blocked. If there is no matching rule at all, the bouncer uses a default rule that blocks inbound traffic and allows outbound traffic.

This default behavior prevents accidental exposure of your resources to the internet. You can think of the clipboard as having two pages: one for inbound rules and one for outbound rules. Each rule has a priority number.

The smaller the number, the higher the priority. The bouncer checks rules in order from top to bottom, and the first rule that matches decides the action. If no rule matches, the default rule kicks in.

This system gives you fine-grained control over network traffic without needing to manage physical hardware firewalls.

Full Technical Definition

A Network Security Group (NSG) is a fundamental Azure networking component that acts as a distributed stateful firewall. It filters traffic at the network layer (Layer 3 and Layer 4 of the OSI model) by inspecting source and destination IP addresses, port numbers, and protocol types (TCP, UDP, or ICMP). NSGs are applied either to a virtual network subnet or to a network interface card (NIC) of a virtual machine. When applied to a subnet, the NSG rules affect all resources within that subnet. When applied to a NIC, the rules affect only that specific virtual machine.

Every Azure NSG contains two sets of rules: inbound security rules and outbound security rules. Each rule includes the following properties: name, priority (a number between 100 and 4096, lower is higher priority), source or destination IP address range (expressed as an IP prefix, CIDR block, service tag, or application security group), protocol (TCP, UDP, or Any), direction (Inbound or Outbound), action (Allow or Deny), and an optional description. Traffic is evaluated against rules in priority order. Once a rule match is found, evaluation stops and the specified action is applied. If no rule matches, the default rule for that direction is used. The default inbound rule denies all traffic, and the default outbound rule allows all traffic. These defaults can be overridden by creating custom rules with appropriate priority.

NSGs are stateful. This means that if you allow inbound traffic on a port, the NSG automatically allows the return outbound traffic for that connection, even if no explicit outbound rule exists. Conversely, if you allow outbound traffic, the return inbound traffic is allowed. Statefulness is tracked per flow; once the connection is terminated, the flow is removed. This simplifies rule management because you do not need to create symmetric rules for response traffic.

In addition to IP-based rules, NSGs support service tags. A service tag is a predefined group of IP address prefixes from a specific Azure service, such as AzureLoadBalancer, Internet, or VirtualNetwork. Using service tags makes rules easier to maintain and reduces the risk of misconfiguration. For example, you can create an outbound rule that allows traffic to the Azure SQL Database service without needing to track the constantly changing IP ranges of Azure SQL.

Another advanced feature is Application Security Groups (ASGs). With ASGs, you can group virtual machines by application function (e.g., WebServers, DatabaseServers) and then create NSG rules based on these logical groups. This allows you to define security policies that follow the application architecture, not just the network topology. For instance, you can create a rule that only allows traffic from the WebServers ASG to the DatabaseServers ASG on port 1433 (SQL) without having to maintain individual IP addresses.

NSGs do not inspect the contents of the packet (Layer 7). They only look at the packet header. For deeper inspection (such as malware scanning, intrusion detection, or URL filtering), you would need additional services like Azure Firewall or a third-party network virtual appliance. NSGs are also free of charge, but they are subject to Azure limits (e.g., up to 1000 rules per NSG, up to 200 NSGs per subscription).

When you create a virtual machine in Azure, you are often prompted to either create a new NSG or select an existing one. The portal creates a default NSG that allows inbound RDP (port 3389) for Windows or SSH (port 22) for Linux, and denies all other inbound traffic. Outbound traffic is allowed by default. This default behavior is suitable for initial development but is too permissive for production. In production, you would harden the rules to allow only specific inbound ports (e.g., 80 and 443 for web servers) and restrict outbound traffic based on business needs.

Operationally, NSG rules are evaluated by the Azure host running the virtual machine, not by a central device. This distributed design ensures no single point of failure and reduces latency. However, it also means that network logs must be enabled separately via Network Security Group flow logs, which can be sent to Azure Monitor for analysis. These logs record allowed and denied flows and are essential for security auditing and troubleshooting.

Real-Life Example

Think of a large office building with multiple floors and many rooms. Each floor has a main entrance, and each individual room also has a door. The building owner wants to control who can enter each floor and each room.

The owner hires a security team. The first layer of security is at the street entrance to the building (this is like a subnet NSG – it controls access to an entire group of resources). For example, only employees with a valid badge can enter the lobby.

That badge check is equivalent to an inbound rule that allows traffic only from specific source IP ranges (the employees' network). After entering, an employee might walk to the second floor. The second floor door also has a guard (like a subnet NSG).

This guard checks the floor-specific rule: only employees working on that floor, and only during business hours, are allowed in. But once inside the floor, there are individual offices. Each office door has its own guard (like a NIC NSG).

The guard at a specific office might say that only employees from the finance department can enter that room. Now imagine that a guest courier arrives with a package. The courier is allowed into the lobby (first guard) because the rule for the lobby allows delivery visitors.

But the courier is not allowed on the second floor because the rule there denies non-employees. The courier leaves the package at the lobby. That is exactly how NSG rules cascade: traffic must pass all layers of checks.

The most restrictive rule wins. In this analogy, each guard works independently but follows the same priority-based rulebook. If the lobby guard lets someone in, that does not guarantee the floor guard will also let them in.

The system gives you layered security. Each guard also remembers who they let in. So if an employee walks into the lobby, the elevator guard will let them go up without re-checking because the lobby guard already logged the entry.

This is the statefulness of NSGs – once a flow is allowed in one direction, the response is automatically allowed. In real life, you can also think of a nightclub with a VIP section. The main door has a bouncer (subnet NSG) that checks IDs and only allows people over 21.

Inside, another bouncer (NIC NSG) checks who can enter the VIP lounge. This layered approach is common in cloud deployments: you put a restrictive NSG on the subnet to block most threats, and then add more specific rules on individual VMs to fine-tune access.

Why This Term Matters

Network Security Groups are one of the most basic yet powerful security controls in Azure. They provide the first line of defense against unauthorized network access. Without an NSG, any resource in Azure that is assigned a public IP could be directly accessible from the internet on any port, which is a severe security risk. NSGs enable you to implement the principle of least privilege at the network level: you allow only the traffic that is explicitly needed for the application to function, and deny everything else.

In practical IT operations, NSGs are used to isolate environments. For example, you can place your development VMs in a subnet that has an NSG allowing only internal traffic, while your production web servers are in a separate subnet with an NSG that allows inbound HTTP and HTTPS from the internet. NSGs also help with compliance requirements such as PCI DSS, HIPAA, or SOC 2, where you must demonstrate controlled network access.

Another reason NSGs matter is cost. They are free to use, unlike Azure Firewall which incurs hourly costs. For many small to medium workloads, well-configured NSGs provide adequate security. They also integrate with Azure Policy, so you can enforce that every subnet has an NSG attached, ensuring baseline security across your entire subscription.

Finally, NSGs are essential for troubleshooting network connectivity issues. When a virtual machine cannot connect to the internet or is unreachable, the first thing you check is whether the NSG has a rule blocking the traffic. NSG flow logs can show you exactly which rule allowed or denied a packet, saving hours of debugging.

How It Appears in Exam Questions

Exam questions about Network Security Groups typically fall into three categories: configuration, scenario, and troubleshooting.

Configuration questions ask you to select the correct properties for a rule. For example: "You need to allow HTTP traffic from the internet to a virtual machine. Which source port, destination port, protocol, and action should you use?" The correct answer would be source port: Any, destination port: 80, protocol: TCP, action: Allow. A common distractor is to set the source port to 80, but that is incorrect because the source port is ephemeral.

Scenario questions describe a business requirement and ask which solution to implement. For example: "Your company has a three-tier application running in Azure. Web servers must be accessible from the internet on port 443. Application servers must only accept traffic from the web servers. Database servers must only accept traffic from the application servers. What is the most efficient way to configure NSGs?" The answer often involves using Application Security Groups: create an ASG for each tier, then create NSG rules referencing those ASGs.

Troubleshooting questions present a connectivity problem. For instance: "Users cannot access the web server at its public IP address. The VM is running, and the web service is started. The subnet has an NSG that allows inbound HTTP from the internet. What is the most likely cause?" The answer could be that the VM's NIC also has an NSG that denies HTTP. You must remember that traffic is evaluated by both the subnet NSG and the NIC NSG, and the most restrictive applies.

Another pattern involves default rules and priority. A question might state: "You create a custom inbound rule with priority 200 that denies all traffic from a specific IP range. You also have a default rule that allows all traffic from the virtual network. Traffic from that specific IP range is allowed. Why?" The answer is that the default rule has a priority of 65000, but the custom rule has a higher priority, so the custom rule should win. Actually, the correct reasoning might be that the custom rule deny is higher priority, so the traffic should be denied. The trap is that learners might think defaults override custom rules, but the opposite is true as long as the custom rule priority is lower (more specific).

You may also see questions about statefulness: "You allow inbound traffic on port 3389 from your office IP. Do you need to create an outbound rule for the response traffic?" The answer is no, because NSGs are stateful.

Practise Network Security Group Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Scenario: A company hosts an e-commerce website on Azure. The architecture includes a public-facing web server and a backend database server, both in the same virtual network but in different subnets. The web server must be reachable from the internet on ports 80 (HTTP) and 443 (HTTPS). The database server must only accept connections from the web server on port 1433 (SQL Server). You need to configure Network Security Groups to meet these requirements securely.

Solution: Create two NSGs. Attach the first NSG (WebNSG) to the subnet containing the web server. Create an inbound rule with priority 100 that allows TCP traffic from the internet (source: Any, source port: Any, destination: VirtualNetwork IP range, destination port: 80 and 443, protocol: TCP, action: Allow). Add a second inbound rule with priority 110 that denies all other inbound traffic from the internet (source: Any, source port: Any, destination: Any, port: Any, protocol: Any, action: Deny). This ensures that only HTTP and HTTPS are allowed from the internet; all other inbound traffic is blocked.

For the database server subnet, attach a second NSG (DbNSG). Create an inbound rule with priority 100 that allows TCP traffic from the web server subnet (source: IP range of web server subnet, destination: database subnet IP range, destination port: 1433, protocol: TCP, action: Allow). Create a second inbound rule with priority 110 that denies all other traffic (source: Any, action: Deny). Also, consider adding an outbound rule on DBNSG to block any outbound internet traffic from the database server (since databases should not initiate connections to the internet).

you could use Application Security Groups for more flexibility. Create an ASG called WebServers and assign the web VM to it. Then in the DBNSG, instead of specifying the IP range of the web subnet, reference the WebServers ASG as the source. This way, if you later add more web servers in different subnets, you just need to add them to the same ASG, and the NSG rule automatically applies.

This scenario demonstrates layered security, least privilege, and the use of NSGs to enforce network segmentation.

Common Mistakes

Confusing the order of rule evaluation – thinking that higher priority numbers are evaluated first.

Priority numbers work opposite: lower numbers (like 100) are evaluated before higher numbers (like 200).

Remember: priority is like a race – the lowest number wins.

Creating separate inbound and outbound rules for every allowed connection, forgetting that NSGs are stateful.

Statefulness means if you allow inbound traffic, the corresponding outbound traffic is automatically allowed. Adding separate outbound rules is redundant and can clutter your configuration.

Only create outbound rules when you need to restrict outbound traffic beyond the default 'allow all' or when you explicitly want to allow initiated outbound traffic.

Putting an NSG on a subnet that blocks essential Azure services like load balancer health probes.

Azure internal services often use specific IP ranges. For example, the Azure Load Balancer uses the source IP '168.63.129.16' for health probes. Blocking this IP can cause the load balancer to mark your instances as unhealthy.

Always include a rule that allows traffic from the AzureLoadBalancer service tag, typically with a priority high enough not to conflict but still allow necessary traffic.

Setting the source port on inbound rules to a specific value (like 443) thinking that restricts which clients can connect.

The source port on an incoming packet is ephemeral (random). Restricting it will likely break legitimate connections because clients use random source ports.

Always set source port to '*' (Any) in inbound rules. Filter by destination port instead.

Forgetting that an NSG attached to a NIC will override the subnet NSG for that specific VM.

Traffic is evaluated by both the subnet NSG and the NIC NSG. The most restrictive combination applies. If the subnet allows HTTP but the NIC denies it, the VM will not receive HTTP traffic.

Plan your NSG layering carefully. Use subnet NSGs for broad controls (e.g., block internet) and NIC NSGs for micro-segmentation.

Assuming NSG rules are applied globally across all regions or subscriptions.

NSGs are scoped to a specific region and are associated with resources in that region only. They do not cross region boundaries.

Create separate NSGs for resources in different regions.

Exam Trap — Don't Get Fooled

{"trap":"An exam question states: \"You have a virtual machine in a subnet. The subnet NSG has a rule that allows inbound HTTP from the internet. The VM's NIC NSG has a rule that denies all inbound traffic.

Will the VM receive HTTP traffic?\"","why_learners_choose_it":"Learners think that the subnet NSG is the first checkpoint, and since it allows HTTP, the traffic will reach the VM. They forget that the NIC NSG acts as a second filter."

,"how_to_avoid_it":"Traffic must pass both the subnet NSG and the NIC NSG. The NIC NSG denies all inbound traffic, so even though the subnet allows it, the NIC denies it. The VM will NOT receive HTTP traffic.

Always evaluate each layer separately and remember that the combined effect is the most restrictive."

Commonly Confused With

Network Security GroupvsAzure Firewall

Azure Firewall is a managed, stateful firewall-as-a-service that provides Layer 3 to Layer 7 inspection, including application rules, threat intelligence, and centralized logging. An NSG is a simpler, distributed stateful firewall that only filters at Layers 3 and 4, and is free. Azure Firewall is paid and provides deeper inspection but more complexity.

You use an NSG to allow HTTP from the internet to a web server. You use Azure Firewall if you need to block specific URLs or scan traffic for malware.

Network Security GroupvsNetwork Access Control List (NACL) in AWS

AWS NACLs are stateless, meaning you need separate rules for inbound and outbound directions for return traffic. NSGs are stateful. Also, NACLs operate at the subnet level only, while NSGs can be applied at subnet or NIC level. In AWS, Security Groups (stateful) are more equivalent to NSGs, not NACLs.

If you allow inbound SSH in an AWS NACL, you must also explicitly allow outbound ephemeral ports for the response. With an Azure NSG, you do not need that outbound rule.

Network Security GroupvsAzure Virtual Network (VNet) Peering

VNet peering connects two virtual networks so resources can communicate. It does not filter traffic itself. NSGs are used to control which traffic enters or leaves a subnet or NIC within a VNet. They work together: peering enables connectivity, NSGs enforce policy.

You peer two VNets so web tier and data tier can communicate. You then apply an NSG on the data tier subnet to only allow traffic from the web tier subnet.

Network Security GroupvsApplication Security Group (ASG)

ASGs are not a separate firewall but a way to group VMs logically. They are used as a source or destination in NSG rules to simplify management. An NSG is the rule holder; an ASG is a label. They complement each other.

Instead of listing IP addresses of all web servers in an NSG rule, you put them in an ASG called 'WebServers' and then reference that ASG in the rule.

Network Security GroupvsRoute Table

Route tables control the path traffic takes (next hop), not whether traffic is allowed. NSGs control permission, not routing. A route table might send traffic to a firewall appliance; the NSG decides if that traffic is permitted to leave the subnet in the first place.

A route table sends all internet-bound traffic through a firewall. An NSG on the subnet might block outbound traffic entirely, overriding the route table's purpose.

Step-by-Step Breakdown

1

Identify the scope of protection

Decide if you want to protect all resources in a subnet (subnet-level NSG) or just one virtual machine (NIC-level NSG). Typically, you apply an NSG at the subnet level for broad security, and an additional NSG at the NIC level for specific VMs that need different rules.

2

Create the Network Security Group resource

In the Azure portal, navigate to the NSG blade and click Create. Choose a subscription, resource group, region, and a name. The region must match the region of the resources you want to protect.

3

Define inbound security rules

Click on 'Inbound security rules' and add rules with a priority, source (IP, CIDR, service tag, or ASG), source port, destination (IP, CIDR, or ASG), destination port, protocol (TCP, UDP, or Any), and action (Allow or Deny). Start with the most specific rules at low priority numbers.

4

Define outbound security rules

Similarly, create outbound rules. By default, all outbound traffic is allowed. If you need to restrict outbound traffic (e.g., block internet access for a database), add a high-priority deny rule.

5

Associate the NSG with a subnet or NIC

Go to the NSG resource, click on 'Subnets' or 'Network interfaces', and associate it with the desired subnet or NIC. You can associate one NSG to multiple subnets or NICs, but a subnet or NIC can have only one NSG at a time.

6

Test connectivity

After association, test that the expected traffic flows and unintended traffic is blocked. Use tools like ping, telnet, or curl from allowed and denied sources. Check that the VM responds as configured.

7

Enable NSG flow logs

For monitoring and troubleshooting, enable flow logs. Go to the NSG, select 'NSG flow logs', and configure the storage account and retention. Flow logs capture allowed and denied flows and can be analyzed with Azure Monitor or third-party tools.

8

Periodically review and update rules

Security requirements change. Audit your NSG rules regularly to remove unused or overly permissive rules. Use Azure Advisor to get recommendations for tightening NSG rules.

Practical Mini-Lesson

Let us dive deeper into how NSGs work in practice. When you create an Azure virtual machine, the platform automatically suggests creating an NSG. This default NSG allows inbound RDP (port 3389) for Windows or SSH (port 22) for Linux from the internet. While convenient for testing, this is a major security hole if left unchanged. A real-world professional would modify these rules immediately.

First, understand the rule evaluation process. Imagine you have a web server that needs to serve HTTPS on port 443. You create a rule: Priority 100, Source: Any, Source Port: Any, Destination: VM IP, Destination Port: 443, Protocol: TCP, Action: Allow. Then you create a second rule: Priority 200, Source: Any, Source Port: Any, Destination: Any, Destination Port: Any, Protocol: Any, Action: Deny. This works: HTTPS traffic matches rule 100 and is allowed. Everything else matches rule 200 and is denied. But what if you also need SSH for administration from a specific office IP (say 203.0.113.50)? You would add a rule with Priority 150 that allows traffic from 203.0.113.50 to port 22. Because 150 is lower than 200, the SSH rule is evaluated before the global deny. Traffic from the office IP matches rule 150 and is allowed. Traffic from other IPs to port 22 fails to match rules 100 or 150, then matches rule 200 and is denied.

Now consider a common advanced scenario: outbound restriction. A database server should not initiate connections to the internet. By default, outbound traffic is allowed. You need to create a custom outbound rule with a low priority that denies all outbound traffic to the internet. However, you must still allow outbound traffic to Azure services like DNS (port 53) or Azure AD. To do this, you can create a high-priority allow rule for the VirtualNetwork service tag and the Azure-specific service tags before the deny rule.

Another practical aspect is that NSG rules support not only individual IPs but also IP ranges and CIDR blocks. For example, you can allow your entire corporate IP range (10.0.0.0/8) on multiple ports. But careful: large ranges can be too permissive. Use the principle of least privilege.

One common mistake in practice is forgetting that NSGs do not filter traffic between resources in the same subnet unless you also apply an NSG to the NIC. The subnet NSG does not filter traffic within the subnet by default. To isolate VMs within a subnet, you must apply NSGs to each NIC.

Finally, keep in mind the Azure resource limits. An NSG can have up to 1000 rules (500 inbound, 500 outbound). If you need more granularity, consider using ASGs to group rules, or split into multiple NSGs across subnets. Also, you cannot change the name of an NSG after creation, but you can update rules at any time without downtime.

In production, use Infrastructure as Code (IaC) tools like Azure Resource Manager templates, Terraform, or Bicep to define NSGs. This ensures consistency and allows version control. For example, a Bicep file can define an NSG with rules, then reference it in the subnet resource. This makes deployments repeatable and auditable.

How Network Security Group Rule Evaluation Order Works in Azure

Network Security Groups in Azure, or NSGs, are a core component of virtual network security and operate based on a specific and critical rule evaluation order. Understanding this order is essential for passing the AZ-104, Azure Fundamentals, and SC-900 exams, and it frequently appears in AWS SAA discussions as a contrast to AWS Security Groups. In Azure, an NSG contains a set of security rules that are evaluated in priority order. Each rule is assigned a numeric priority value, ranging from 100 to 4096, where a lower number indicates higher priority. When Azure processes network traffic entering or leaving a subnet or a network interface, it starts with the rule that has the lowest priority number and continues until it finds a match. Once a match is found, the specified action, either Allow or Deny, is applied immediately, and no further rules are evaluated. This is a key difference from some other cloud platforms where deny rules are evaluated first.

For example, suppose you have a rule with priority 100 that allows all inbound traffic from the internet to port 80, and another rule with priority 200 that denies inbound traffic from a specific IP range to any port. If traffic arrives from that specific IP range destined for port 80, the rule at priority 100 is checked first. Because that rule allows all inbound traffic from the internet, it matches, and the traffic is permitted. The deny rule at priority 200 is never reached. This demonstrates that the default-deny or explicit deny rules cannot override a higher-priority allow rule. This is a common source of misconfiguration and a frequent exam trap. The exam tests this by presenting scenarios where a deny rule seems to be in place but traffic is still flowing because an earlier allow rule with a lower priority number exists.

there are default Azure rules that are automatically created for every NSG. These include rules like AllowVnetInBound, AllowAzureLoadBalancerInBound, and DenyAllInbound, and similar outbound rules. These default rules have high priority numbers, such as 65000 and 65500, meaning they are evaluated last. They are designed to be overridden by custom rules. For instance, if you have no custom rule allowing SSH traffic, the DenyAllInbound rule will block it. Exam questions often ask about the priority order and how to ensure a specific traffic flow is allowed or denied. You must also remember that NSG rules are stateful. This means that if you allow inbound traffic from a specific source, the return traffic from the destination is automatically allowed, regardless of outbound rules. This stateful behavior is critical for scenarios involving RDP, SSH, or any two-way communication.

In exam contexts, especially for the Security+ and CySA+ exams, you might see questions that combine NSG rule evaluation with network segmentation or zero-trust models. The key takeaway is that priority numbers must be meticulously planned. A common best practice is to use incremental numbers like 100, 200, 300 to allow for future insertion. Avoid leaving large gaps unless you have a clear plan. The exam will test your ability to debug traffic issues by examining the priority order and identifying that a lower-priority rule should be assigned a lower number to be evaluated first. Another nuance is that NSG rules can be associated at the subnet level or the NIC level. When both are applied, the rules are evaluated in order but the subnet-level NSG is evaluated first, then the NIC-level NSG. This layered approach can sometimes cause unexpected denials if rules conflict. Exams, particularly the AZ-104, love to ask about this layered evaluation and how to troubleshoot traffic that is unexpectedly blocked or allowed. Understanding this evaluation order is not just theoretical; it is a practical skill for designing secure networks in Azure and is a recurring theme in certification exams across the board, including the CISSP where network security architecture is a key domain.

Diagnosing Network Security Group Issues with Azure NSG Flow Logs and Diagnostics

Network Security Group flow logs are a powerful feature in Azure that allows administrators and security engineers to capture information about IP traffic flowing through a network security group. This is a critical topic for the AZ-104, SC-900, and especially for the Security+ and CySA+ exams, which emphasize monitoring and logging. NSG flow logs provide insight into which rules are being hit, what traffic is allowed or denied, and the volume of traffic. They are part of Azure Network Watcher and are essential for troubleshooting connectivity issues, auditing network security, and meeting compliance requirements. When a connection fails or behaves unexpectedly, flow logs can show whether the traffic was denied by an NSG rule or if it was allowed but something else blocked it, such as a firewall or application-level issue.

For example, if a user complains they cannot RDP into a virtual machine, you can enable NSG flow logs on the NSG associated with the VM's subnet or NIC. After a few minutes, you can query the logs to see if inbound RDP traffic (port 3389) was allowed or denied. If the logs show that traffic was denied, you know the NSG is the culprit. If the logs show that traffic was allowed, you must look elsewhere, such as the guest OS firewall or the application itself. This diagnostic capability is a frequent exam question topic, where candidates must understand how to enable flow logs, interpret the output, and troubleshoot connectivity problems. The logs include source and destination IP addresses, ports, protocol, and the action taken (Allow or Deny). They also include the rule ID that matched the traffic, enabling you to pinpoint exactly which rule is affecting your traffic.

Enabling NSG flow logs is done through the Azure portal, PowerShell, or CLI. The logs are stored in an Azure Storage Account, sent to Azure Monitor Logs, or streamed to Event Hubs for real-time analysis. For exam purposes, you should know that flow logs have a cost associated with storage and data processing, so they are not enabled by default. The exam might ask you to recommend a solution for auditing traffic, and you should choose NSG flow logs over simpler metrics. Flow logs can be analyzed using Traffic Analytics, a feature within Network Watcher that provides a visual map of traffic flows, identifies top talkers, and detects anomalies. For the Security+ and CySA+ exams, this is related to security monitoring and incident response.

Another diagnostic tool closely related to NSGs is the Network Watcher IP flow verify. This tool allows you to test a specific traffic flow between a source and destination, and it will tell you whether the traffic is allowed or denied by the NSG, along with which rule took the action. This is faster than enabling flow logs and is ideal for ad-hoc troubleshooting. The AZ-104 exam often tests this by asking you to use IP Flow Verify to check if a specific connection is blocked. For instance, you can specify source IP 10.0.0.4, destination IP 10.0.1.5, port 443, protocol TCP, and the tool will simulate the traffic and return the result. This eliminates the guesswork involved in manually tracing rule priorities.

A common troubleshooting scenario involves traffic that is intermittently blocked. Flow logs can reveal if certain packets are being dropped due to asymmetric routing or if a rule is incorrectly configured to deny traffic from a specific subnet. For the CISSP and AWS SAA exams, you might compare this to VPC Flow Logs in AWS, but the underlying concept remains the same: centralized logging of network traffic for security analysis. Always remember that flow logs must be enabled per NSG, not per virtual machine, and that there is a limit on the number of flow logs you can have per region. The exam will also test your knowledge of log retention: by default, flow logs are stored for a configurable period, and if you don't set a retention policy, they are stored indefinitely, incurring costs. Mastering NSG flow logs and IP Flow Verify is crucial for passing network troubleshooting questions on Azure-related certifications and for demonstrating practical diagnostic skills in any cloud security role.

Understanding Azure NSG Default Rules and Service Tags for Exam Success

Azure Network Security Groups come with a set of default rules that are automatically created when you create an NSG. These rules are designed to provide baseline security while still allowing necessary internal traffic. Understanding these default rules, along with service tags, is a frequent and high-weight topic in exams such as AZ-104, Azure Fundamentals, SC-900, and even the AWS SAA when comparing cloud network security models. The default inbound rules include: AllowVnetInBound, which allows all traffic from within the virtual network; AllowAzureLoadBalancerInBound, which allows traffic from the Azure load balancer health probe; and DenyAllInbound, which blocks all other inbound traffic. The default outbound rules are similar: AllowVnetOutBound, AllowInternetOutBound, and DenyAllOutbound. These rules have priority values of 65000, 65001, and 65500, respectively. Because they have high priority numbers, they are evaluated last, meaning custom rules with lower priority numbers will take precedence.

Exam questions often test your ability to modify or supplement these rules. For example, if you want to allow SSH from the internet, you would create a custom inbound rule with priority 100 that allows TCP 22 from the Internet service tag. This custom rule will be evaluated before the DenyAllInbound rule, allowing SSH. Without that custom rule, SSH would be blocked by the default DenyAllInbound rule. The exam also tests the behavior of the AllowVnetInBound rule: it permits all traffic between virtual networks that are peered or connected via VPN, as long as the traffic originates from within the Azure backbone. This is crucial for multi-tier application architectures where a web tier needs to communicate with a database tier.

Service tags are another critical concept related to NSGs. A service tag represents a group of IP address prefixes from a specific Azure service, such as AzureLoadBalancer, VirtualNetwork, Internet, Sql, Storage, etc. When you create an NSG rule, you can use a service tag as the source or destination instead of specifying individual IP ranges. This simplifies rule creation and management, and ensures that when Azure adds or removes IP addresses for that service, the rule automatically updates. For example, to allow a virtual machine to access Azure SQL Database, you would create an outbound rule with destination service tag Sql. The exam loves to test service tags in scenario-based questions. For instance, they might ask: 'You need to ensure that only traffic from Azure Load Balancer can reach your virtual machines. Which source service tag should you use?' The answer is AzureLoadBalancer, not Internet. This is a trick because many candidates think the load balancer uses the Internet, but it uses its own service tag.

Another common exam scenario involves allowing traffic from a specific Azure service while blocking all other inbound traffic. You would create a deny-all custom rule with a low priority, then create an allow rule with an even lower priority for the specific service tag. But because of the rule evaluation order, you must be careful: if you create a custom deny rule with priority 200, and then an allow rule for the service tag with priority 100, the allow rule wins. If you reverse the priorities, the deny rule would block the service. Exams test this nuance heavily.

For the Security+ and CySA+ exams, understanding default rules is part of network security hardening. The default rules are not inherently secure if you allow all outbound internet traffic by default via the AllowInternetOutBound rule. Many security policies require you to modify this rule to deny outbound traffic by default and only allow specific destinations. This is a common exam question: 'How would you restrict outbound traffic from a subnet to only the internet? You would either change the default outbound rule or add a custom deny rule with a lower priority that blocks all outbound traffic except for a specific service tag or IP range.'

Finally, the CISSP exam might ask about the principle of least privilege as it applies to NSG rules. Default rules like AllowVnetInBound violate least privilege if you want to restrict internal east-west traffic. In such a case, you would need to create a custom deny rule that blocks traffic between subnets, allowing only specific flows. This requires careful priority management. Mastering default rules and service tags is non-negotiable for Azure certification exams and serves as a solid foundation for understanding cross-platform network security concepts.

Cost, Performance, and Best Practices for Azure Network Security Groups

While Network Security Groups are a free resource in Azure in the sense that there is no additional charge for the NSG itself, there are associated costs and performance considerations that are critical for exam success, especially for AZ-104, Azure Fundamentals, and SC-900. The primary cost indirectly related to NSGs is the cost of NSG flow logs. Enabling flow logs incurs charges for data storage in Azure Storage Accounts and for data processing when using Traffic Analytics. For the exam, you need to know that while NSGs themselves are free, the diagnostic and monitoring features are not. A common exam question might ask you to recommend a cost-optimized solution for auditing network traffic. You would need to balance between enabling flow logs for all NSGs (which can become expensive) and selectively enabling them for critical subnets only.

Performance considerations are equally important. NSGs are a software-defined network layer that apply rules to traffic flow. In general, NSGs do not introduce significant latency because they are implemented at the Azure hypervisor level using hardware acceleration. However, there are limits. Each NSG can support up to 1000 rules (combined inbound and outbound). For the exam, you should know that having too many rules, especially complex rules with many IP ranges, can impact performance, though it is often negligible. A more critical performance impact comes from the number of flows. Each NSG can handle a certain number of flows per second. If you exceed these limits, packets may be dropped. The exam might present a scenario where a high-traffic application experiences packet loss, and you must determine if the NSG is the bottleneck. In practice, NSGs scale well, but for extremely high-throughput workloads, you might consider using Azure Firewall or a third-party NVA for more advanced filtering.

Best practices for NSG configuration are a major theme in all Azure-related certifications and are also relevant for the Security+ and CISSP for general network security principles. First, always use the principle of least privilege. This means you should only allow traffic that is explicitly required, and deny all other traffic. A common mistake is to create overly permissive rules like 'Allow all inbound from any source to any port'. This defeats the purpose of an NSG. Second, use service tags whenever possible instead of IP ranges. Service tags are automatically managed by Azure, reducing administrative overhead and the risk of misconfiguration. For example, use the 'Sql' service tag instead of a list of IP addresses for Azure SQL. Third, plan your rule priority numbers carefully. Use gaps such as 100, 200, 300 to allow inserting new rules later without renumbering. Many exam questions test this by giving you a set of rules with priorities 100, 110, 120 and asking what happens when you add a new rule at priority 105.

Fourth, always consider layered security. An NSG at the subnet level provides a common security boundary for all resources in that subnet, while an NSG at the NIC level provides more granular control for individual VMs. Both can be applied simultaneously, and the subnet NSG is evaluated first, then the NIC NSG. This is a frequent exam scenario: a VM is not reachable even though the subnet NSG allows traffic, because the NIC NSG denies it. Troubleshooting this requires checking both layers. Fifth, document your rules and audit them regularly. Use Azure Policy to enforce compliant NSG configurations, such as ensuring no rules allow all inbound traffic from the internet. For the SC-900 exam, this aligns with governance and compliance concepts.

Another best practice is to use application security groups, or ASGs, to simplify rule management. ASGs allow you to group virtual machines logically (e.g., 'WebServers', 'DatabaseServers') and then create NSG rules based on those groups instead of individual IP addresses. This is highly exam relevant for AZ-104 and SC-900. For example, you can create a rule that says 'Allow inbound traffic from WebServers to DatabaseServers on port 1433'. This simplifies security management and scales well as you add more VMs. The exam tests your understanding of when to use ASGs versus IP-based rules. Always remember that NSGs are stateful. You do not need to create return flow rules; the return traffic is automatically allowed. This is a common trick in exam questions where they present a scenario requiring you to create both inbound and outbound rules, but the outbound rule is unnecessary because of statefulness. Understanding these best practices will not only help you pass exams but also design secure, efficient, and cost-effective network architectures in Azure.

Troubleshooting Clues

Cannot RDP into Azure VM

Symptom: RDP connection times out or is refused even though the VM is running.

The NSG associated with the VM's subnet or NIC likely does not have an inbound rule allowing TCP 3389 from your source IP. The default DenyAllInbound rule blocks all inbound traffic unless a custom allow rule is created.

Exam clue: Exams frequently present this as a scenario where you must check the NSG rules for inbound RDP and create an allow rule with a lower priority than the default deny.

Load balancer health probes marking VM as unhealthy

Symptom: Azure Load Balancer health probe fails intermittently, marking the VM as unhealthy even though the application is running.

The NSG must allow inbound traffic from the AzureLoadBalancer service tag on the health probe port (usually a custom port like 80 or 443). If the NSG blocks this traffic, the load balancer cannot check the health of the VM.

Exam clue: Common exam trick: ensure the NSG has an inbound rule allowing AzureLoadBalancer traffic to the health probe port. Many candidates forget to add this rule explicitly.

VM cannot connect to the internet

Symptom: Outbound internet access from the VM fails, but other internal resources are reachable.

Check the NSG outbound rules. By default, the AllowInternetOutBound rule allows all outbound traffic. If a custom rule with a lower priority denies outbound internet traffic, it will override the default.

Exam clue: Exams test your understanding of rule priority and default outbound rules. You may need to create a custom deny rule with a low priority to block internet, but this can inadvertently block access if not done carefully.

Traffic between two subnets in the same VNet is blocked

Symptom: Virtual machines in subnet A cannot communicate with VMs in subnet B, even though both are in the same virtual network.

Each subnet may have its own NSG. If one subnet's NSG denies inbound traffic from the other subnet's IP range, the traffic will be blocked. Also, check if the destination subnet's NSG allows inbound traffic from the source subnet.

Exam clue: Exams test the concept of subnet-level NSGs and how they can block east-west traffic. The default AllowVnetInBound rule should allow this, but if a custom deny rule is present, it will take precedence.

Application Security Group rules not working

Symptom: Traffic between two VMs that are part of different application security groups is blocked, even though there is a rule allowing the traffic based on ASG names.

The NSG rule referencing the application security groups must be correctly configured with the ASG ID or name. The VMs must be associated with the correct ASGs. A common error is using the wrong ASG name or forgetting to assign the ASG to the VM's NIC.

Exam clue: Exams test your ability to create rules using ASGs as source or destination. You must ensure that the ASG is applied at the NIC level and that the rule uses the ASG reference, not an IP range.

Intermittent connectivity due to NSG flow limits

Symptom: High-traffic application experiences packet drops or intermittent timeouts, especially during peak usage.

An NSG can handle up to 1000 rules but also has a maximum number of concurrent flows. If the number of flows exceeds the limit, packets may be dropped. This is more likely with many short-lived connections.

Exam clue: Less common but appears in advanced AZ-104 questions. The solution is either to increase the number of flows (not possible directly) or to use Azure Firewall for higher throughput and more granular control.

Cannot see NSG flow logs in storage account

Symptom: After enabling NSG flow logs, no logs appear in the storage account after several hours.

Possible causes: incorrect storage account key or name, missing permissions for Network Watcher to write to the storage account, or the retention policy is set to 0 days (which means logs are never stored). Also, logs are written in a specific path format (e.g., resourceid=/SUBSCRIPTIONS/...).

Exam clue: Exams test configuration requirements for flow logs. You must ensure the storage account is in the same region as the NSG and that Network Watcher is enabled. The retention policy must be greater than 0 days to retain logs.

Memory Tip

Remember NSG as "Never Stop Guarding" – it constantly checks every packet with a priority list.

Learn This Topic Fully

This glossary page explains what Network Security Group means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can I attach the same NSG to multiple subnets?

Yes, one NSG can be associated with multiple subnets and multiple NICs. However, each subnet or NIC can only have one NSG associated at a time.

What happens if I have conflicting rules in the same NSG?

The rule with the lowest priority number is evaluated first. If a traffic matches that rule, the action (Allow or Deny) is applied and no further rules are checked. So the first rule matching wins.

Do NSGs support ICMP (ping)?

Yes, you can create rules with Protocol set to ICMP. However, by default ICMP is often denied unless you specifically allow it. For troubleshooting, you may need to allow ICMP inbound and outbound.

Are NSG rules applied in order of creation?

No, they are applied in order of priority number, not creation order. The priority property determines the evaluation sequence.

Can I use an NSG to block traffic to a specific website?

No, NSGs filter at Layer 3 and 4 (IP and port). They cannot inspect the URL. To block specific websites, you need Azure Firewall or a third-party web application firewall.

What is the difference between an NSG and a network security rule?

An NSG is the container that holds a collection of security rules. Each rule defines a specific allow or deny condition. So you have one NSG with many rules inside.

Does an NSG affect traffic between two VMs in the same subnet?

The subnet-level NSG does not filter traffic within the same subnet by default. To isolate VMs in the same subnet, you must apply an NSG to each VM's NIC.

Summary

A Network Security Group (NSG) is a fundamental Azure security component that acts as a distributed stateful firewall, filtering traffic at the network layer based on IP addresses, ports, and protocol. It controls inbound and outbound traffic to Azure resources such as virtual machines and subnets, and it is free to use. NSGs can be applied at the subnet level (affecting all resources in that subnet) or at the NIC level (affecting only one virtual machine). The rules within an NSG are evaluated in priority order, with lower numbers having higher precedence. Default rules block all inbound traffic and allow all outbound traffic, but you can customize rules to implement the principle of least privilege.

Understanding NSGs is critical for Azure certification exams, particularly AZ-104, Azure Fundamentals, and SC-900. You must know how to configure rules, the difference between subnet and NIC level application, the concept of statefulness, and how to use service tags and Application Security Groups. Common mistakes include forgetting about statefulness, misapplying priority, and failing to consider layered NSGs (subnet and NIC).

In the real world, NSGs are the first line of network defense in Azure. They help enforce security policies, meet compliance requirements, and reduce the attack surface. Always combine NSGs with other security measures like Azure Firewall for deeper inspection, and regularly audit your rules to prevent configuration drift. Remember: the network guard never stops checking.