Network Security Groups (NSG)

A Network Security Group (NSG) is a cloud-level firewall that filters network traffic to and from Azure resources in a virtual network (VNet). It contains a set of security rules that allow or deny inbound and outbound traffic based on source/destination IP addresses, ports, and protocols. NSGs are stateful: when a packet is allowed in one direction, the return traffic is automatically permitted, regardless of outbound rules. This stateful behavior is essential for protocols like TCP, where a connection requires bidirectional communication.

NSGs can be associated with either a subnet or a network interface (NIC) of a virtual machine. When associated with a subnet, the rules apply to all resources within that subnet. When associated with a NIC, the rules apply only to that specific VM. If both are applied, the subnet NSG rules are evaluated first, then the NIC NSG rules (or vice versa depending on traffic direction). For inbound traffic, the subnet NSG is evaluated first, then the NIC NSG. For outbound traffic, the NIC NSG is evaluated first, then the subnet NSG. This hierarchical evaluation is a common exam point.

Each NSG rule has the following properties: - Name: A unique name within the NSG. - Priority: A number between 100 and 4096. Lower numbers are evaluated first. Rules are processed in ascending priority order until a match is found. Once a match occurs, no further rules are evaluated. - Source / Destination: Can be an IP address, CIDR block, service tag (e.g., Internet, VirtualNetwork, AzureLoadBalancer), or application security group (ASG). - Protocol: TCP, UDP, ICMP, or Any (all protocols). - Direction: Inbound or Outbound. - Action: Allow or Deny. - Description: Optional metadata.

Rules are evaluated based on the five-tuple: source IP, source port, destination IP, destination port, and protocol. The first rule that matches all five parameters determines the action. If no rule matches, traffic is denied by default (implicit deny).

Every NSG includes a set of default rules that cannot be deleted but can be overridden by custom rules with lower priority. The default rules are:

Inbound default rules: - AllowVNetInBound: Priority 65000, allows all traffic from the virtual network (source VirtualNetwork) to any destination in the VNet. - AllowAzureLoadBalancerInBound: Priority 65001, allows traffic from Azure Load Balancer health probes (source AzureLoadBalancer). - DenyAllInbound: Priority 65500, denies all inbound traffic that hasn't been matched by previous rules.

Outbound default rules: - AllowVNetOutBound: Priority 65000, allows all traffic to the virtual network. - AllowInternetOutBound: Priority 65001, allows all outbound traffic to the internet (destination Internet). - DenyAllOutBound: Priority 65500, denies all outbound traffic not matched.

Note: The AllowInternetOutBound default rule means that by default, VMs can initiate outbound connections to the internet. To block outbound internet access, you must add a higher-priority (lower number) deny rule.

NSGs are stateful. When a packet is allowed inbound, the NSG automatically creates a flow entry for the return traffic. This return traffic is allowed regardless of outbound rules. Similarly, if outbound traffic is allowed, the inbound response is allowed. The flow is tracked for the duration of the TCP session (up to 4 minutes after the last packet) or for 60 seconds for UDP. This stateful behavior simplifies rule creation because you don't need to create symmetric rules for response traffic.

Service tags are predefined identifiers that represent a group of IP address prefixes from a given Azure service. They simplify rule creation by allowing you to specify VirtualNetwork, AzureLoadBalancer, Internet, Sql, Storage, etc., instead of individual IP ranges. Microsoft manages the prefixes behind service tags, so they automatically update as Azure IP ranges change. Service tags can only be used as source or destination in NSG rules, not as specific port/protocol filters.

ASGs provide a way to group VMs logically by application role (e.g., Web, Database) and use those groups as source or destination in NSG rules. Instead of using individual IP addresses or subnets, you can reference an ASG. This decouples security rules from IP addresses, making them easier to manage as VMs are added or removed. An ASG can contain multiple VMs, and a VM can be part of multiple ASGs. ASGs are only valid within the same VNet and cannot be used across peered VNets.

When troubleshooting, you can view the effective security rules for a VM or NIC. These are the union of all NSG rules applied to the subnet and NIC, with the evaluation order as described. The effective rules show which rules are actually enforced after considering priorities and associations. You can view this in the Azure portal under the VM's Networking blade or using Azure CLI:

az network nic list-effective-nsg --resource-group MyResourceGroup --name MyNic

NSGs are a basic firewall. For advanced filtering (e.g., application-layer inspection, URL filtering, threat intelligence), Azure Firewall is used. When both NSGs and Azure Firewall are deployed, traffic may traverse multiple layers. For example, traffic entering a subnet might be filtered first by the subnet NSG, then by the Azure Firewall (if the subnet's route table sends traffic to the firewall), and then by the NIC NSG. Understanding the order of evaluation is crucial for troubleshooting.

An NSG can have up to 1000 rules per direction (inbound/outbound) for a total of 2000 rules per NSG. However, the number of rules affects evaluation time. For best performance, keep rules to a minimum and use higher priorities for frequently matched rules. The maximum number of NSGs per subscription is 5000 (per region). Each subnet can be associated with up to one NSG, and each NIC can be associated with up to one NSG (or one per direction if using NIC-level NSGs).

NSG flow logs capture information about traffic that is allowed or denied by NSG rules. These logs can be sent to Azure Storage, Log Analytics, or Event Hubs for analysis. Flow logs are essential for security auditing and troubleshooting. To enable flow logs, you need a storage account and a Log Analytics workspace (optional). Flow logs are not enabled by default and must be configured per NSG.

You can create NSGs via the Azure portal, Azure CLI, PowerShell, or ARM templates. Example using Azure CLI:

# Create an NSG
az network nsg create --name MyNsg --resource-group MyResourceGroup --location eastus

# Create a rule to allow SSH inbound
az network nsg rule create --nsg-name MyNsg --resource-group MyResourceGroup --name AllowSSH --priority 100 --direction Inbound --access Allow --protocol Tcp --source-address-prefixes 203.0.113.0/24 --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 22

# Associate NSG with a subnet
az network vnet subnet update --resource-group MyResourceGroup --vnet-name MyVNet --name MySubnet --network-security-group MyNsg

A company hosts a three-tier web application: web servers, application servers, and database servers, each in separate subnets within a VNet. The web servers must accept HTTPS traffic from the internet, the application servers must only accept traffic from the web servers, and the database servers must only accept traffic from the application servers on port 1433 (SQL).

Solution: Create an NSG for each subnet. For the web subnet, add an inbound rule allowing HTTPS from the Internet (using service tag Internet). For the app subnet, add an inbound rule allowing traffic from the web subnet IP range (or use an ASG for web servers). For the db subnet, add an inbound rule allowing traffic from the app subnet IP range on port 1433. All other inbound traffic is denied by default. Outbound rules are left as default to allow internet access for updates, but if needed, restrict outbound to specific services.

Common pitfalls: Forgetting to allow ICMP for troubleshooting, or misconfiguring the priority of deny rules. In production, use ASGs to avoid IP changes when scaling VMs.

A financial institution requires that VMs in a specific subnet cannot access the internet to prevent data exfiltration. However, they must be able to communicate with other VNets via VNet peering and receive patches from a local WSUS server.

Solution: Create an NSG for the restricted subnet. Add a high-priority outbound deny rule (priority 100) with destination Internet and action Deny. Then add a lower-priority allow rule (priority 200) for destination VirtualNetwork to allow VNet communication. Also add an allow rule for the WSUS server IP on port 8530. The default AllowInternetOutBound rule (priority 65001) will be overridden by the higher-priority deny rule. Test with IP flow verify to ensure internet is blocked.

Common issues: The deny rule must have a lower priority number (higher priority) than the default allow rule. If the deny rule has a higher number (e.g., 65500), it won't be evaluated because the default allow rule matches first.

A DevOps team uses autoscaling VMSS for a microservices architecture. Services are scaled up/down frequently, and IP addresses change. Manually updating NSG rules with IP addresses is impractical.

Solution: Create ASGs for each microservice (e.g., WebASG, ApiASG, DbASG). Add VMs to the appropriate ASG. Then create NSG rules that reference the ASGs as source or destination. For example, allow traffic from WebASG to ApiASG on port 8080. When new VMs are added to an ASG, the NSG rules automatically apply. This decouples security from IP addresses and simplifies management.

Performance consideration: ASGs are resolved to IP addresses at evaluation time, so there is a slight delay if ASGs change frequently. However, for most scenarios, this is negligible.