Network Security Groups – Virtual Networking

In simple terms, network security groups (NSGs) are an Azure feature for filtering inbound and outbound network traffic; in other words, they act like a packet-filtering firewall. An NSG is a collection of security rules that allow or deny inbound or outbound traffic. NSGs play a vital role in protecting VMs and other workloads deployed to a virtual network. Although we haven't covered virtual machines yet, it's good to understand NSGs before we start talking about VMs. Each VM uses its network interface (NIC) to communicate with resources in Azure, on-premises, and on the Internet. An NSG can be associated with a subnet or with a network interface, depending on your requirement. NSGs are reusable: a single NSG can be associated with multiple NICs or subnets. NSGs operate at layers 3 and 4 of the OSI model, so rules match on IP addresses, protocol, and ports, not on application content. NSG rules are stateful, which means return traffic for an allowed connection is permitted without a separate rule in the opposite direction.

NSG Concepts

Before we create an NSG, it’s important to understand the concepts related to NSG. As mentioned earlier, NSGs can be associated with subnets or NICs; let’s understand the purpose of these assignments and other concepts.

Subnets

Screened subnets can be created by associating an NSG with a subnet. This protects all the workloads in that subnet: once the association is in place, all traffic entering or leaving the subnet is evaluated against the rules in the NSG. Each subnet can have zero or one network security group associated with it.

Network Interfaces

You can associate an NSG with the NIC of a virtual machine. All traffic flowing through that NIC is evaluated against the NSG rules. If an NSG is associated with both the subnet and the NIC, traffic must be allowed by both; the combined result is known as the effective security rules, which we will cover in the next section. Each NIC can have zero or one NSG associated with it. When you create a VM through the Azure portal, an NSG is created with it and associated with the NIC unless you choose an existing NSG instead.

NSG Rules

An NSG is a collection of security rules used to filter the inbound and outbound traffic of subnets and NICs. Whenever you create an NSG, Azure adds a set of default rules to permit virtual network traffic and Azure load balancer traffic. Rules are created by specifying the following parameters:

  • Name: A friendly name that identifies the rule; it must be unique within the NSG.
  • Priority: A number between 100 and 4096 that determines the order in which rules are evaluated. The lower the value, the higher the priority. If you have a deny rule with priority 100 and an allow rule with priority 110, the deny rule is matched first and the traffic is denied. This range does not apply to the default rules, whose priorities (65000 and above) are assigned automatically by Azure. Two rules in the same direction cannot share a priority.
  • Port: A port number or range of ports for both the source and the destination. In practice the source port is usually left as Any, because clients pick ephemeral source ports.
  • Protocol: Any, ICMP, TCP, or UDP.
  • Source: Any, IP addresses or CIDR ranges, an application security group, or a service tag (a set of IP addresses maintained by Azure that represents an Azure service or address space, such as VirtualNetwork, AzureLoadBalancer, or Internet).
  • Destination: Any, IP addresses or CIDR ranges, an application security group, or a service tag.
  • Action: Allow or Deny.

Rules are evaluated in priority order. The lower the value, the higher the priority, and evaluation stops at the first rule that matches the traffic. For example, if you have a deny rule with a priority of 200 and an allow rule with a priority of 300, the deny rule takes effect because the lower value is evaluated first; the allow rule is never reached. There are two types of rules.

  • Inbound rules: By default, an NSG has three inbound security rules: allow traffic from the virtual network (AllowVnetInBound), allow traffic from the Azure load balancer (AllowAzureLoadBalancerInBound), and deny all other traffic (DenyAllInBound). Because the deny rule has the lowest priority of the three, all inbound traffic except traffic from the virtual network and the Azure load balancer is blocked until you add a rule for it. For example, to connect to a Linux machine over SSH, you need an inbound rule that allows TCP port 22, ideally restricted to the source addresses you administer from rather than Any.
  • Outbound rules: By default, there are three outbound rules: allow traffic to the virtual network (AllowVnetOutBound), allow traffic to the Internet (AllowInternetOutBound), and deny all other traffic (DenyAllOutBound).
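To make the evaluation order concrete, here is a small model of how an NSG decides on a flow: the default rules at priority 65000 and above, user rules sorted by priority, first match wins, and (for the NIC-plus-subnet case mentioned above) both NSGs having to allow the traffic. This is an added example written for this page, not Azure code. The service tags are approximated by constructed CIDR lists (the real tags are IP sets Azure maintains), only IPv4 is handled, and application security groups are not modelled; the `Rule`, `Flow`, `evaluate` and `effective` names are this example's own.

```python
"""Model of Azure NSG rule evaluation (added example, not Azure code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for service tags. The address ranges are illustrative
# only; the real tags are IP sets that Azure maintains. 168.63.129.16 is the
# documented Azure load balancer health-probe source address.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # 100-4096 for user rules; defaults use 65000+
    direction: str           # "Inbound" or "Outbound"
    access: str              # "Allow" or "Deny"
    protocol: str = "Any"    # Any, TCP, UDP or ICMP
    source: str = "Any"      # Any, a CIDR, or a service tag
    dest: str = "Any"
    dest_ports: str = "*"    # "*", "22", "80-443" or a comma-separated list


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def default_rules():
    """The six rules Azure adds to every NSG, with their real priorities."""
    return [
        Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dest="Internet"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
    ]


def _in_vnet(ip):
    return any(ip in ip_network(c) for c in SERVICE_TAGS["VirtualNetwork"])


def _addr_matches(addr, spec):
    if spec == "Any":
        return True
    ip = ip_address(addr)
    if spec == "Internet":                 # everything outside the virtual network
        return not _in_vnet(ip)
    cidrs = SERVICE_TAGS.get(spec, [spec]) # a service tag or a literal CIDR
    return any(ip in ip_network(c) for c in cidrs)


def _port_matches(port, spec):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("Any", flow.protocol)
            and _addr_matches(flow.src_ip, rule.source)
            and _addr_matches(flow.dst_ip, rule.dest)
            and _port_matches(flow.dst_port, rule.dest_ports))


def evaluate(user_rules, flow):
    """Return (access, rule name): lowest priority value first, first match wins."""
    same_dir = [r for r in user_rules if r.direction == flow.direction]
    if len({r.priority for r in same_dir}) != len(same_dir):
        raise ValueError("priorities must be unique per direction")
    for rule in sorted(same_dir + default_rules(), key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.access, rule.name
    raise AssertionError("unreachable: the DenyAll* default always matches")


def effective(subnet_rules, nic_rules, flow):
    """Both NSGs must allow the flow. Azure checks the subnet NSG first for
    inbound traffic and the NIC NSG first for outbound traffic; the first Deny wins."""
    order = (subnet_rules, nic_rules) if flow.direction == "Inbound" else (nic_rules, subnet_rules)
    decision = None
    for rules in order:
        decision = evaluate(rules, flow)
        if decision[0] == "Deny":
            return decision
    return decision


if __name__ == "__main__":
    # Constructed sample flows (documentation address ranges).
    ssh_from_internet = Flow("Inbound", "TCP", "203.0.113.7", "10.0.1.4", 22)
    ssh_from_admin = Flow("Inbound", "TCP", "198.51.100.9", "10.0.1.4", 22)
    allow_ssh = Rule("AllowSSHFromAdmin", 100, "Inbound", "Allow", "TCP", "198.51.100.0/24", "Any", "22")
    print(evaluate([], ssh_from_internet))            # denied by DenyAllInBound
    print(evaluate([allow_ssh], ssh_from_admin))      # allowed by AllowSSHFromAdmin
    # A deny at 100 beats an allow at 110 for the same traffic.
    deny_ssh = Rule("DenySSH", 100, "Inbound", "Deny", "TCP", dest_ports="22")
    allow_any_ssh = Rule("AllowSSHAny", 110, "Inbound", "Allow", "TCP", dest_ports="22")
    print(evaluate([deny_ssh, allow_any_ssh], ssh_from_admin))
    # Subnet NSG allows SSH, but the auto-created NIC NSG with no user rules still denies it.
    print(effective([allow_ssh], [], ssh_from_admin))
```

The last call is the case that bites most often in practice: an SSH rule added to the subnet NSG has no effect while the VM's NIC-level NSG still carries only the default rules, so the effective result is Deny.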

You will see how these rules can be implemented when you perform Exercise 3.10.


