Last Update: Sep 04, 2024 | Published: Jun 28, 2016
In this post I will explain how network security groups (NSGs) can offer network security and policy enforcement for virtual networks in an Azure Resource Manager (ARM) or CSP deployment.
You can think of an NSG as being a simple form of distributed firewall that you create and that Microsoft applies within the Azure network fabric. You can create a policy and associate it with a virtual machine NIC or a subnet. Any rules that you create within the policy are applied to the associated resources.
Note: Classic/Azure V1/Service Management deployments allowed you to associate NSGs with virtual machines or subnets. ARM changes how networking is done, so you associate NSGs with NICs or subnets only.
The purpose of a NSG is to control traffic either by allowing or blocking it. We can create inbound security rules:
We can also create outbound rules:
What does this mean? You can create a single NSG and impact all machines on a subnet (recommended), or you can create an NSG that applies to a single NIC (not recommended). Microsoft is encouraging Azure customers to create a subnet for each tier of security in the network, which will make network design and troubleshooting much easier.
An NSG contains rules which enforce our network policies. The construction of the rules is pretty familiar:
There are three predefined tags that can be used to specify some common sources/destinations of traffic:
There are three default inbound rules in a network security group:
You can create rules with higher priorities that override the default rules. For example, I might create a rule, with a priority of 100, to allow TCP 80 inbound, which will override the default DenyAllInBound rule, which has a lower system priority of 65500.
There are also three default outbound rules, which you can also override. Note that all traffic within a VNet is allowed, and all outbound traffic to the Internet is also allowed.
Application Layer Security
NSGs provide a simple means for controlling traffic based on protocol, source/destination address, and source/destination port number. NSGs do not offer a mechanism for performing application layer inspection and filtering. If you need that level of security, then you should consider implementing a DMZ architecture with a virtual appliance from the Azure Marketplace. Microsoft recommends that the virtual appliance reside in its own small subnet (within the virtual network), and you can enforce usage of the firewall using user-defined routing and NSGs.