• Articles
  • Tutorials
  • Interview Questions

What is Azure Network Security Group(NSGs)?

What is Azure Network Security Group(NSGs)?

Every second, billions of bits of data traverse the internet, transforming it into a global village for easy access and rapid transfer of information across multiple interconnected networks (both public and private networks).

As a result, it is getting more and harder to monitor, manage, and regulate different kinds of internet traffic. With this rapid growth, establishing smooth communication between network devices has become an impossibility.

As a result, network devices are more in demand, network design is more intricate, and it costs more money to ensure seamless communication between networks and their respective endpoints.

The Topics Covered in this blog are:

Check out this video on Azure Full Course 2023

Video Thumbnail

What is Azure?

Azure is a cloud computing platform and an online portal that enables you to use and organize Microsoft’s cloud services and resources. These services and resources include collecting and converting your data based on your needs. All you need to access these resources and services is an active internet connection and the ability to connect to the Azure portal.

Did you know that Microsoft Azure and other public clouds are changing the way businesses deploy and secure distributed services? The reason for this is to instantly connect customers or apps from anywhere in the world to your service, providing them with a scalable and highly available virtual networking infrastructure. These networks are the first line of defense against attacks, and they should only accept traffic from specifically approved users, applications, or protocols. Keeping these networks secure can be difficult, but it is critical.

What is Azure Network Security Group?

An Azure network security group is nothing more than a set of access control rules that may be used to secure a subnet or a virtual network; these rules examine incoming and outgoing traffic to determine whether to accept or reject a package.

The VM-level Network security group and the subnet-level Network security group are the two levels that make up Azure network security.

  • Microsoft’s completely managed solution, Azure Network Security Groups, helps to sift traffic to and from Azure VNet.
  • Any number of security rules that make up the Azure NSG can be enabled or disabled by users.
  • A five-tuple hash is used to assess these rules’ effectiveness.
  • The 5-tuple hash uses the destination IP address and port number, source port number, IP addresses, as well as other factors.
  • You can quickly link Network Security Groups with a VNet or VM network interface thanks to its OSI layer 3 and layer 4 functionality.

Azure Network Security-How it works?

  • A great choice for safeguarding virtual networks is Microsoft’s Azure Network Security Group (NSG).
  • Using this application, network administrators may quickly organize, filter, direct, and regulate different network traffic flows.
  • When building Azure NSG, you can configure various incoming and outgoing rules to permit or disallow particular types of traffic.
  • If you want to use Azure Network Security Groups, you should build and configure individual rules.
Azure Network Security-How it works
  • Multiple Azure services’ resources may be included in an Azure virtual network.
  • The full list is available under Services that may be put into a virtual network.
  • There can be zero or one network security group configured to each virtual network subnet and network interface in a virtual machine.
  • As many subnets and network interfaces as you like can be connected to the same network security group.

Depending on the circumstances, you can establish whatever rules you like, such as whether the traffic traversing the network is secure and ought to be permitted.

Cloud Computing IITM Pravartak

How to Create a Network Security Group in Azure?

Follow this Process to Create a  Network Security Group in Azure:

How to Create a Network Security Group in Azure
  • At the top of the Azure interface.
  • You may also choose Create a resource from the Home page.
  • Now select Networking.
  • Select the Network security group from the drop-down menu.
  • Enter values for the following options in the basic tab of the Create Network Security Group page by selecting Review + create.
  • Select the Create option once you see that the message has passed validation.
How to Create a Network Security Group in Azure

For every Azure location and subscription, a certain number of network security groups can be established. Azure subscription and service limitations, quotas, and restrictions are where you may get further details.

Azure Network Security Group Rules

  • Allow Vnet InBound – This rule allows all hosts within the virtual network (including subnets) to communicate without being blocked.
  • Allow Azure LoadBalancer InBound – This rule permits an Azure load balancer to communicate with your virtual machine and send heartbeats.
  • Deny All InBound – This is the deny-all rule, which by default blocks all inbound traffic to the VM and protects it from malicious access outside the Azure Vnet.

Get 100% Hike!

Master Most in Demand Skills Now!

Azure Network Security Group Best Practices

Azure Network Security Group Best Practices
  • NSG Flow Logging: A function known as flow logging(Network interface logging level) is available in the Azure network observer for NSGs.
  • Logs are transferred to the storage server you specified during setup as soon as flow logging is activated.
  • The flow log’s data is shown in JSON format.
  • The result demonstrates flow for both incoming and departing data on a per-basis-rule basis.
  • NSG Rule Priority: One of the ideal techniques for Azure network security groups is to prioritize NSG rules.
  • Each additional rule is introduced gradually, with the NSG rules being applied in a priority sequence from 100 to 4,097.
  • At the micro level, rules are evaluted.
  • In order of importance, each rule is looked at. The other rules are not further reviewed when the first rule fits the traffic.
  • Traffic that complies with rule 115, for instance, will be forwarded under this rule. If many rules are attempting to overlap, it is something to take into account.
  • Naming convention: A correct naming convention from the beginning may greatly simplify the support process, despite the fact that it can seem foolish.
  • The name of each rule should follow the best standards for Azure NSGs, such as:
  • In contrast to “Rule36-SQL,” “WebServerProduction-to-DatabaseProduction-SQLConnection” is not the same thing.
  • Consider your options before deploying (Group Rules & Ports): Do you comprehend the parameters of the rule? Do you already have a plan for your initial rule set?
  • Use of IP ranges rather than a list of consecutive IP addresses and the following structure for ports are recommended for Azure network security groups:

182.164.1.0/26 as opposed to 182.164.1.1, 182.164.1.2, and so on?

Why not 70-72 instead of 70,71,72?

Both of these suggestions would reduce the overall number of NSG regulations.

  • One National Security Group to rule them all: Is it required to have an NSG for every subnet? by VNET, even?
  • Most of the time, you may combine one NSG over several NICs, Subnets, or even VNets.
  • An NSG can have a maximum of 1000 rules and a default of 100 rules when a support request is present. Multiples are not necessary if you don’t go above this limit!

Conclusion

Network security groups in Azure are widely recognized for helping you manage network security more quickly and effectively. Service tags and application security groups can assist, even if setting initially can seem time-consuming.

Make NSG planning and management a part of your routine Azure operating processes going forward to help with the security and protection of your Microsoft cloud infrastructure.

Course Schedule

Name Date Details
Azure Training 14 Dec 2024(Sat-Sun) Weekend Batch View Details
21 Dec 2024(Sat-Sun) Weekend Batch
28 Dec 2024(Sat-Sun) Weekend Batch

About the Author

Senior Cloud Computing Associate

Rupinder is a distinguished Cloud Computing & DevOps associate with architect-level AWS, Azure, and GCP certifications. He has extensive experience in Cloud Architecture, Deployment and optimization, Cloud Security, and more. He advocates for knowledge sharing and in his free time trains and mentors working professionals who are interested in the Cloud & DevOps domain.