In this ongoing blog series, I am trying to compile my learnings about Azure Virtual Network. In this post, let’s talk about network security groups and what they are used for.
What is it?
NSG is the abbreviation for Network Security Group. The NSG can be used for filtering traffic to and from the Azure resources within the virtual network.
Every NSG can have a set of security rules. Each security rule can allow or deny inbound traffic to the network or outbound traffic from the network.
What is a rule?
A Network Security Group contains 0 or more rules. Every rule has:
- Name – unique name within the NSG
- Priority – a number from 100 to 4096. Rules are processed in order of their priority; lower numbers are processed before higher numbers. Once a rule is matched, processing stops and further rules are not evaluated.
- Source or Destination – Any individual IP address or CIDR block, service tag or application security group
- Protocol – TCP, UDP, ICMP or any
- Direction – whether the rule applies to inbound traffic or outbound traffic
- Port Range – individual port (e.g. 80) or range of ports
- Action – can be allow or deny, depending on whether the access should be allowed or not.
When you create an instance of a Network Security Group, Azure creates some default rules. Some of them are inbound rules and the rest are outbound.
- AllowVNetInBound to allow traffic that originates in the virtual network and is destined for the same virtual network
- AllowAzureLoadBalancerInBound to allow traffic from the Azure Load Balancer
- DenyAllInBound to deny all other inbound traffic
- AllowVNetOutBound to allow traffic that originates in the virtual network and is destined for the same virtual network
- AllowInternetOutBound to allow traffic from the virtual network to the internet
- DenyAllOutBound to deny all other outbound traffic
These default rules cannot be deleted, but you can override them by creating rules with a higher priority, that is, a lower priority number, so that your rule is matched first.
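The first-match processing and the override of a default rule described above, as an added example in Python (not code from Azure or from the original post). It is a simplified model that matches on direction, source, protocol and port only; the 10.0.0.0/16 VNet range, the custom rule names and the sample addresses are constructed, and the default-rule priorities 65000 and 65500 are not stated in the post.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated earlier
    direction: str     # "Inbound" or "Outbound"
    source: str        # CIDR block, or "*" for any
    protocol: str      # "TCP", "UDP", "ICMP" or "*"
    ports: tuple       # (low, high), inclusive
    action: str        # "Allow" or "Deny"

    def matches(self, direction, src_ip, protocol, port):
        if self.direction != direction:
            return False
        if self.protocol not in ("*", protocol):
            return False
        if not self.ports[0] <= port <= self.ports[1]:
            return False
        return self.source == "*" or (
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))

def evaluate(rules, direction, src_ip, protocol, port):
    """Return (action, rule name) of the first rule that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(direction, src_ip, protocol, port):
            return rule.action, rule.name   # stop at the first match
    return "Deny", None  # not reached while DenyAllInBound is present

ANY = (0, 65535)
# Constructed data: the VirtualNetwork scope is modelled as 10.0.0.0/16 (assumption).
DEFAULTS = [
    Rule("AllowVNetInBound", 65000, "Inbound", "10.0.0.0/16", "*", ANY, "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", ANY, "Deny"),
]
# Hypothetical custom rules; a narrow deny sits ahead of a broader allow.
CUSTOM = [
    Rule("DenyBadSubnetHttps", 100, "Inbound", "203.0.113.0/24", "TCP", (443, 443), "Deny"),
    Rule("AllowHttps", 200, "Inbound", "*", "TCP", (443, 443), "Allow"),
]

if __name__ == "__main__":
    for src, port in [("198.51.100.7", 443), ("203.0.113.9", 443), ("198.51.100.7", 22)]:
        print(src, port, evaluate(DEFAULTS + CUSTOM, "Inbound", src, "TCP", port))
```

Swapping the priorities of the two custom rules would let the 203.0.113.0/24 traffic through, because AllowHttps would then match first and the deny would never be evaluated.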
I hope you found this information useful. Let me know your thoughts.