Introduction to Azure Network Security Groups (Azure NSG)

ad2
5/5 - (27 votes)

Do you know Microsoft Azure and other public clouds are transforming the way companies deploy and secure their distributed services? The reason is to instantly connect customers or apps to your service from anywhere in the globe, providing them with a scalable and highly available virtual networking infrastructure. These networks are the first line of protection against attacks, and they should only accept traffic from users, applications, or protocols that have been specifically approved. It can be challenging yet essential to keep these networks secure.

A management layer known as Azure Network Security Groups (NSG) allows managers to simply organize, filter, and route different types of network traffic, which is Microsoft’s solution to simplify virtual network security.

The topics covered in this blog are:

What is Azure NSG (Azure Network Security Groups)?

Microsoft’s Azure Network Security Groups is a fully managed service that helps refine traffic from and to Azure VNet. The Azure NSG is a set of security rules that users can enable or disable at their leisure. A five-tuple hash is used to evaluate these rules. The source port number, IP addresses, destination IP address and port number, and other variables are used in the 5-tuple hash. It operates on layers 3 and 4 of the OSI model and allows you to simply associate Network Security Groups with a VNet or VM network interface.

Azure nsg

How does Azure NSG (Network Security Groups) work?

Microsoft’s Azure Network Security Group (NSG) is an excellent option for protecting virtual networks. Administrators may easily arrange, filter, direct, and limit various network traffic flows with help of this tool. To establish Azure NSG, you can set different inbound and outgoing rules to allow or restrict specific types of traffic. If you plan to operate Azure Network Security Groups, you should create and configure individual rules.

You can establish any rules necessary depending on the situation, such as whether the traffic flowing over the network is safe and should be allowed or not.

How does Azure NSG work

Check Out: Our blog post on Azure Certification Path 2023

Azure Network Security Group Rules

You will be able to manage the individual rules of this NSG after it has been created. A rule determines whether network traffic is safe and should be allowed or rejected over the network.

A rule consists of the following elements:

  • Name: A unique name is required by the administrators for using to find the rule that should be easy.
  • Priority: This is an integer between 100 and 4096, which should be distinctive. The value will define the processing order of the rule, with rules having lower values (higher priority) being executed foremost.
  • Source or destination: It indicates which application or user(s) the rule is applicable for. It can be an IP Address, IP Address range, or Azure resource.
  • Protocol: The TCP, UDP, or ICMP protocol will be examined.
  • Direction: It demonstrates whether the traffic is inbound or outbound.
  • Port Range: This section will specify which port or range of ports the rule is applicable for.
  • Action: Setting either Allow (the traffic through) or Deny (and block the traffic) will determine the step to be taken by the NSG when network traffic matching the rule is identified.

When network traffic is allowed, a record is established to keep track of it. These records can be used by network traffic analytics tools for further threat assessment and analysis.

Also Check: ADF Interview Questions

How to Create an Azure Network Security Group

There’s a limitation to how many network security groups one can create for each Azure location and subscription. To know more about the same, go through Azure subscription and service limits, quotas, and constraints.

  1. On the Azure portal menu.
  2. Alternatively, from the Home page, choose to Create a resource.
  3. Now, select Networking.
  4. There you will find the Network security group, select it.
  5. Under the basic tab, in the create network security group page, set values for the following settings:
  6. Choose Review + create.
  7. After you notice the validation passed the message, select Create option.

How to Change an Azure Network Security Group

  1. Go to the Azure portal and now view your network security groups.
  2. Select Network security groups.
  3. Now, select the name of the network security group you would like to change. Some of the most common changes are:
  • To add a security rule,
  • Remove a rule,
  • And associate or dissociate an NSG to or from a subnet or network interface.

How to Delete an Azure Network Security Group

You cannot delete a network security group if it is linked to any subnets or network interfaces. Make sure to disconnect it from all subnets and network interfaces, Before attempting to delete a network security group.

  1. Go to the Azure portal.
  2. View your network security groups.
  3. Search for and select Network security groups.
  4. Select the name of the network security group you wish to delete.
  5. In the network security group’s toolbar, select the Delete option. Then choose the Yes option in the confirmation dialog box.

Also Read: What is Azure?

Azure Network Security Groups Best Practices

Here we are listing the top 5 best practices of Azure NSG.

1. NSG Flow Logging

A feature of Azure network watcher for NSGs is flow logging (Network interface logging level). Once enabled, the flow logs are sent to the storage account you specified during setup. The information in the flow log is displayed in JSON format. The output includes both entry and egress traffic, with flows shown a per basis rule.

2. NSG Rule Priority

Azure network security groups best practices include NSG rule priority. NSG rules are implemented in a priority order ranging from 100 to 4,096, with each additional rule being added progressively. Rules are examined at a granular level. Each rule is examined in order of priority. Once one rule matches the traffic, the remaining rules further are not examined.

If traffic matches rule 110, for example, traffic will be transmitted using this rule. It is something to think about if numerous rules are attempting to overlap.

3. One National Security Group to rule them all

Is it really necessary to have an NSG for each subnet? Or even, per VNET? No, you can aggregate one NSG across several NICs, Subnets, or even VNets in most circumstances.

The default number of rules in an NSG is 200, and with a support ticket raised, the maximum number of rules in an NSG is 1000. Multiples are not required unless you hit this maximum!

4. Naming convention

It may seem silly, but a correct naming convention from the outset can make the support process much easier! Azure NSGs best practices include giving each rule a suitable name, such as:

For example:

‘WebServerProduction-to-DatabaseProduction-SQLConnection,’ is not anything like ‘Rule35-SQL,’.

5) Consider your options before deploying (Group Rules & Ports)

Do you understand the rule’s scope? Do you know what rule set you’ll start with? Azure network security groups best practices include that instead of a series of sequential IPs, IP ranges should be used, together with ports in the following format:

IP range: 192.168.1.0/24 instead of 192.168.1.1, 192.168.1.2, and so on?

Instead of 80,81,82, why not 80-82?

Both of these ideas will reduce the total number of NSG regulations.

Conclusion

Azure network security groups are known for their capacity to help you manage network security faster and efficiently. While configuration may seem cumbersome at first, you can speed things up by using service tags and application security groups.

To assist in securing and defending your Microsoft cloud infrastructure, make sure NSG planning and management are addressed as part of your routine Azure operating procedures moving forward.

FAQs

Q1. What is an Azure Network Security Group (NSG)?

An Azure Network Security Group (NSG) is a networking feature that acts as a virtual firewall for controlling inbound and outbound traffic to Azure resources. It contains a set of security rules that allow or deny traffic based on specified criteria, such as source IP address, destination IP address, and port number.

Q2. What is the difference between NSG and ASG?

An NSG (Network Security Group) is a networking feature that controls traffic to and from Azure resources, whereas an ASG (Application Security Group) is a grouping construct that simplifies the management of NSG rules by allowing the grouping of multiple resources based on their application tiers or logical groupings.

Q3. What are the benefits of using Network Security Groups in Azure?

The benefits of using NSGs in Azure include enhanced network security, granular control over traffic flow, the ability to define custom security rules, the option to apply NSGs at the subnet or network interface level, and integration with Azure Security Center for threat detection and monitoring.

Q4. Is Azure NSG stateful or stateless?

Azure NSGs are stateful. This means that once a traffic flow is allowed or denied by a rule in the NSG, subsequent related traffic in the same flow is automatically permitted or blocked without needing explicit rules.

Q5. What is the difference between Azure Web Application Firewall (WAF) and NSG?

Azure Web Application Firewall (WAF) is a specific security service designed to protect web applications from common attacks, such as SQL injection and cross-site scripting. NSGs, on the other hand, are a general network security feature that provides traffic filtering at the network level for all types of resources. WAF focuses on web application-specific security, while NSGs offer broader network-level security controls.

Related/References

Sharing Is Caring:

Sonali Jain is a highly accomplished Microsoft Certified Trainer, with over 6 certifications to her name. With 4 years of experience at Microsoft, she brings a wealth of expertise and knowledge to her role. She is a dynamic and engaging presenter, always seeking new ways to connect with her audience and make complex concepts accessible to all.

ad2

Leave a Comment