Network security groups (NSGs) control which network flows are permitted into and out of your virtual networks and virtual machines. Each NSG contains lists of inbound and outbound rules, which give you fine-grained control over exactly which network flows are allowed or denied. Combine this with the use of service and private endpoints, which provide connectivity to Azure PaaS services directly from your virtual network, and you have the tools that you need to configure secure, private connectivity from your VMs to Azure services.
A network security group (NSG) is a standalone Azure resource, which acts as a networking filter. Each NSG contains a list of security rules. These are used to allow or deny inbound or outbound network traffic, depending on the properties of that traffic, such as protocol, IP address, and port. When you apply the NSG, it is associated with either a subnet or with a specific VM's network interface.
NSG rules
NSG rules define which traffic flows are allowed or denied by the NSG. Table 4-4 describes the properties of an NSG rule.
TABLE 4-4 NSG properties

| Property | Description | Constraints | Considerations |
|---|---|---|---|
| Name | The name of the rule. | Must be unique within the region. Must end with a letter, number, or underscore. Cannot exceed 80 characters. | You can have several rules within an NSG, so make sure you follow a naming convention that allows you to identify the purpose of each rule. |
| Protocol | The network protocol the rule applies to. | TCP, UDP, or *. | Using * as a protocol includes ICMP as well as TCP and UDP. In the Azure portal, select 'Any' instead of '*'. |
| Source port range(s) | Source port range(s) to match for the rule. | Single port number from 1 to 65535; a port range (example: 1–65535); a list of ports or port ranges; or * (for all ports). | The source ports could be ephemeral, so unless your client program is using a specific port, use * in most cases. Try to reduce the number of rules by specifying multiple ports or port ranges in a single rule. |
| Destination port range(s) | Destination port range(s) to match for the rule. | Single port number from 1 to 65535; a port range (such as 1–65535); a list of ports or port ranges; or * (for all ports). | Try to reduce the number of rules by specifying multiple ports or port ranges in a single rule. |
| Source address prefix(es) | Source address prefix(es) or service tag(s) to match for the rule. | Single IP address (such as 10.10.10.10); IP subnet (such as 192.168.1.0/24); a service tag; a list of the above; or * (for all addresses). | Consider using ranges, service tags, and lists to reduce the number of rules. The IP addresses of Azure VMs can also be specified implicitly using application security groups. |
| Destination address prefix(es) | Destination address prefix(es) or service tag(s) to match for the rule. | Single IP address (such as 10.10.10.10); IP subnet (such as 192.168.1.0/24); a service tag; a list of the above; or * (for all addresses). | Consider using ranges, default tags, and lists to reduce the number of rules. The IP addresses of Azure VMs can also be specified implicitly using application security groups. |
| Direction | Direction of traffic to match for the rule. | Inbound or outbound. | Inbound and outbound rules are processed separately, based on traffic direction. |
| Priority | Rules are checked in the order of priority. Once a matching rule is found, no more rules are tested. | Unique number between 100 and 4096. Uniqueness is only within this NSG. | Consider creating rules and jumping priorities by 100 for each rule to leave space for new rules you might create in the future. |
| Action | Type of action to apply if the rule matches. | Allow or deny. | Keep in mind that if an allow rule is not found for a packet, the packet is dropped. |
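The following is an added example, not code from the book or from Azure itself. It models how the properties in Table 4-4 combine when an NSG evaluates a flow: rules are split by direction, checked in ascending priority order, the first match decides the action, and a packet with no matching allow rule is dropped. It also checks the priority, name, protocol and action constraints from the table. Service tags and application security groups are not modelled (only literal IPs, CIDR prefixes and `*`), and the rules, addresses and flows are constructed sample data. Real NSGs also carry default rules at priority 65000 and above; the model folds those into the final drop.

```python
"""Model of how an Azure NSG evaluates a flow against its rules (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Iterable, Sequence, Tuple

PRIORITY_MIN, PRIORITY_MAX = 100, 4096   # priority constraint from Table 4-4
NAME_MAX = 80                            # name length constraint from Table 4-4
DEFAULT_DROP = "<no matching rule: packet dropped>"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    protocol: str           # "TCP", "UDP" or "*" (any, which also covers ICMP)
    source: str             # IP, CIDR, comma-separated list, or "*" (no service tags/ASGs here)
    source_ports: str       # "*", "443", "1024-65535" or "22,3389"
    destination: str        # same forms as source
    destination_ports: str  # same forms as source_ports


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def validate_rules(rules: Iterable[Rule]) -> None:
    """Reject rules that violate the constraints listed in Table 4-4."""
    seen = set()
    for r in rules:
        if not PRIORITY_MIN <= r.priority <= PRIORITY_MAX:
            raise ValueError(f"{r.name}: priority {r.priority} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
        if (r.direction, r.priority) in seen:   # priorities are unique per direction within the NSG
            raise ValueError(f"{r.name}: duplicate priority {r.priority} for {r.direction}")
        seen.add((r.direction, r.priority))
        if len(r.name) > NAME_MAX or not (r.name[-1].isalnum() or r.name.endswith("_")):
            raise ValueError(f"{r.name}: name too long or does not end in a letter, number or underscore")
        if (r.protocol not in ("TCP", "UDP", "*") or r.access not in ("Allow", "Deny")
                or r.direction not in ("Inbound", "Outbound")):
            raise ValueError(f"{r.name}: bad protocol, access or direction")


def port_matches(spec: str, port: int) -> bool:
    """'*' matches every port; otherwise a comma list of single ports and lo-hi ranges."""
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def prefix_matches(spec: str, ip: str) -> bool:
    """'*' matches every address; otherwise a comma list of single IPs or CIDR prefixes."""
    if spec == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p.strip(), strict=False) for p in spec.split(","))


def evaluate(rules: Sequence[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (access, rule name) for the first rule that matches, else a default drop.

    Only rules for the flow's direction are considered; they are tested in ascending
    priority order and evaluation stops at the first match (Table 4-4, Priority row).
    """
    for r in sorted((r for r in rules if r.direction == flow.direction), key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != flow.protocol:
            continue
        if not (prefix_matches(r.source, flow.src_ip) and prefix_matches(r.destination, flow.dst_ip)):
            continue
        if not (port_matches(r.source_ports, flow.src_port) and port_matches(r.destination_ports, flow.dst_port)):
            continue
        return r.access, r.name
    return "Deny", DEFAULT_DROP   # no allow rule found: the packet is dropped (Table 4-4, Action row)


# Constructed sample rule set; addresses are documentation/private ranges, not real targets.
SAMPLE_RULES = [
    Rule("AllowHTTPSFromCorp", 100, "Inbound", "Allow", "TCP", "203.0.113.0/24", "*", "*", "443"),
    Rule("AllowMgmtFromJumpbox", 150, "Inbound", "Allow", "TCP", "10.0.1.4", "*", "10.0.2.0/24", "22,3389"),
    Rule("DenyRDPFromAnywhere", 200, "Inbound", "Deny", "TCP", "*", "*", "*", "3389"),
]


def with_priority(rule: Rule, priority: int) -> Rule:
    """Copy of a rule with a different priority, to show how ordering changes the outcome."""
    return replace(rule, priority=priority)


if __name__ == "__main__":
    validate_rules(SAMPLE_RULES)
    jumpbox_rdp = Flow("Inbound", "TCP", "10.0.1.4", 40000, "10.0.2.5", 3389)
    print(evaluate(SAMPLE_RULES, jumpbox_rdp))                       # allowed by priority 150
    swapped = [with_priority(SAMPLE_RULES[2], 120), SAMPLE_RULES[1]]  # deny now sorts first
    print(evaluate(swapped, jumpbox_rdp))                            # denied: first match wins
```

The swapped rule set at the end is the trap the Priority row warns about: a broad deny with a lower priority number shadows a narrower allow placed after it, which is why leaving gaps of 100 between priorities matters when a specific exception has to be slotted in front of a general deny.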