Network Security Groups

Can be used to control traffic flow
NSGs can be applied at the subnet or NIC level but are always enforced at the NIC
- so apply at subnet level, easier to manage
- each subnet can have max 1 NSG assigned to it
- each NIC can have 0 or max 1 NSG associated with it

Security Rules consist of:

Source
Destination
Protocol
Port
Action
Priority
1. Lower priority number has higher priority

Source and destination

can be CIDR
can be service tags
ASG (Application Security Group) (Tags basically)

Default rules

VNet, Internet, etc are service tags.

Inbound

AllowVNetInBound
AllowAzureLoadBalancerInBound
DenyAllInbound

Outbound

AllowVnetOutBound
AllowInternetOutBound
DenyAllOutBound

How it works if both vnet and subnet have nsg

In terms of precedence. Whichever is the first thing traffic encounters. So,

Incoming

Subnet wins

Outgoing

VM NIC NSG wins

Create NSG in Azure

references:

NSG MS Docs processing of NSG

Subscribe to NordLetter

A weekly newsletter on living in Finland.

← Back to Til

UPDATED April 14, 2024 at 11:19

Thoughts? Email sajal@sajalchoudhary.net

9 Backlinks

Azure Bastion

TIL

Azure Network Watcher

TIL

Public IP Address Allows Inbound Access Based on Tier in Azure

TIL

Add Rules to NSG in Azure

TIL

Application Security Groups

TIL

Azure Service Endpoints and Service Endpoint Policies

TIL

Control Traffic Flows

TIL

Azure VNet

TIL

Azure Master

TIL