Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

🏠 Back to Blog

Network Security Groups

Introduction

  • Network Security Groups are access control lists that are attached to a virtual machine’s vNic or a subnet
  • By default, there are no inbound allow rules added to a NSG
  • NSG rules are stateful, meaning that if you allow traffic in one direction, the return traffic is automatically allowed
  • When you have rules applied to both subnet and vNic, the rules are combined. Any allow rules at the subnet level must also be allowed at the vNic level

Default Rules

  • There are 3 default inbound rules that are added to a NSG:

    • AllowVnetInBound - allow traffic within the vNet
    • AllowAzureLoadBalancerInBound - allow traffic from Azure Load Balancer
    • DenyAllInBound - deny all inbound traffic

  • There are 3 default outbound rules that are added to a NSG:

    • AllowVnetOutBound - allow traffic within the vNet
    • AllowInternetOutBound - allow traffic to the internet
    • DenyAllOutBound - deny all outbound traffic

Rule Priority

  • Rules are evaluated in priority order
  • The lower the number, the higher the priority
  • The default rules have a priority of 65,000

Rule Types

  • There are 2 types of rules:
    • Default Rules - cannot be deleted
    • Custom Rules - can be added, modified, or deleted

Rule Properties

  • Name - name of the rule
  • Priority - determines the order in which rules are applied
  • Source/Destination - can be an IP address, CIDR block, service tag, or application security group
  • Protocol - TCP, UDP, or Any
  • Port Range - single port, range of ports, or * for all ports
  • Action - Allow or Deny
  • Direction - Inbound or Outbound

Source Types

  • IP Address - single IP address
  • CIDR Block - range of IP addresses
  • Service Tag - predefined tag for Azure services
  • Application Security Group - group of VMs that can be used as a source or destination

Service Tags

  • Internet - all IP addresses
  • VirtualNetwork - all IP addresses in the vNet
  • AzureLoadBalancer - all IP addresses of Azure Load Balancer
  • AzureTrafficManager - all IP addresses of Azure Traffic Manager
  • GatewayManager - all IP addresses of VPN Gateway
  • AzureMonitor - all IP addresses of Azure Monitor
  • Storage - all IP addresses of Azure Storage
  • SQL - all IP addresses of Azure SQL
  • AppService - all IP addresses of Azure App Service
  • ContainerRegistry - all IP addresses of Azure Container Registry
  • KeyVault - all IP addresses of Azure Key Vault
  • AzureBackup - all IP addresses of Azure Backup
  • AzureDNS - all IP addresses of Azure DNS
  • LogAnalytics - all IP addresses of Azure Log Analytics
  • EventHub - all IP addresses of Azure Event Hub
  • ServiceBus - all IP addresses of Azure Service Bus
  • AzureCosmosDB - all IP addresses of Azure Cosmos DB
  • AzureContainerInstance - all IP addresses of Azure Container Instance
  • etc….