Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Associating Azure Network Security Groups

In this post, I will explain how the two options for associating a network security group (NSG) work, virtual machine NIC or subnet, and I’ll recommend a method to use.

Associate with a NIC

The first way to associate an NSG is to associate with a NIC; this is the method used when you next-next-next your way through creating a virtual machine in the Azure Portal. My choice of words might hint at my attitude to that but more on this later.
When you associate an NSG with a virtual machine’s NIC, the inbound and outbound rules allow or deny packets as the hit the NIC.

How filtering works with a NIC-associated NSG [Image Credit: Aidan Finn] — *How Filtering Works with a NIC-Associated NSG [Image Credit: Aidan Finn]*

Any inbound rule is applied after traffic leaves the subnet and attempts entry to the virtual machine via the NIC. A deny rule will drop the packet at this point and an allow rule will allow the packet in to be further inspected by any firewall in the guest OS, such as the Windows Firewall.
Associating an NSG with a NIC is very powerful and granular but in no time at all, this approach will become a nightmare to manage. One could have one NSG for lots of virtual machines but that will quickly become unworkable as rules become specialized and difficult to troubleshoot. In reality, this approach is OK for very small deployments that will remain very small, for example, a single virtual machine.

Associate with a Subnet

The second way to deploy an NSG in Azure is to associate it with a subnet of a virtual network. This is a deployment that you must do yourself and not featured in any default next-next-next process.
When you associate an NSG with a subnet, the inbound and outbound rules are applied to allow or deny packets when they enter the subnet. Inbound rules filter traffic as they enter the subnet. Outbound rules are applied the same way.

How filtering works with a subnet-associated NSG [Image Credit: Aidan Finn] — *How Filtering Works with a Subnet-Associated NSG [Image Credit: Aidan Finn]*

Once you have more than a few or even just one virtual machine, this is the preferred way to secure a virtual network at Layer-4 (TCP or UDP). If you apply good virtual network design practices, treating each subnet as a security boundary and placing similar machines in the same subnet, then this approach scales out. If you have a more complex subnet, such as those you might lift-and-shift migrate from on-premises, then you can use application security groups to identify roles within a subnet and apply rules to those roles.

by Aidan Finn
May 8, 2018

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where...

Top Azure Cloud Security Controls to Understand

Oct 31, 2023
Jan 08, 2024
Making Microsoft Azure Penetration Testing Work to Combat Threats

Nov 21, 2023
Azure VMware Solution – Maximizing Security and Control with Customer-Managed Keys

Oct 3, 2023
Oct 10, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.