Azure for AWS professionals - Networking - Azure - 05 Creating rules in NSGs and assigning NSGs

@20aman    Oct 17, 2019

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

In the last post, we created a new Network Security Group or NSG. Now in this post, we will work with these NSGs and create some rules. We will also check how to assign these to a subnet (or network interface) in Azure.

There are two types of rules that you define in an NSG:

  1. Inbound Rules - these rules dictate what incoming traffic will be allowed.
  2. Outbound Rules - these rules determine what outgoing traffic will be allowed.

You define the source and destination for each rule along with the protocol and port information. For inbound traffic, the destination will be the associated subnet or network interface. Similarly, for the outbound traffic, the source will be the associate subnet or network interface.

The rules in an NSG has a priority number. Smaller the priority, the higher in the order it is and it will be executed first. When inbound or outbound traffic hits the NSG then the rules are evaluated in the order based on their priority. If a matching rule is found, then the subsequent rules are NOT evaluated. The traffic is either allowed or denied, as per what is defined in the matching rule.

Navigate to your Network Security Groups (NSGs) and check the overview screen. You will notice that there are default rules for both Inbound and Outbound rules. These allow connectivity between subnets within the same virtual network. You can update these as well, but the best practice is to overwrite these by writing another rule with higher priority. Note that a lower number means a higher priority.

NSG and Rules

Adding Inbound and Outbound Rules

You can add/update the Inbound and Outbound Rules from the settings. Since these two are very similar, we will only be looking at the Inbound security rules. These are more important as these dictate who can talk to the VM from the outside world( i.e. out of your virtual network).

Click on the "Inbound security rules" option under the Settings menu. Check all the default rules. To create a new rule, click on the "+Add" button.

Adding Inbound Security Rules

One Inbound rule consists of:

  1. Source (IP address in CIDR format) and it's port ranges
  2. Destination (IP address in CIDR format) and it's port ranges
  3. Protocol for the communication
  4. Action - this is either allow or deny and based upon this select the traffic will be either allowed or dropped
  5. Priority - a number depicting the priority of a rule in NSG. Lower this number, higher the priority of a rule
  6. Provide a name and description for the rule as well.
Inbound rule

For defining Source or Destination you have various template options that you can choose from. These include:

  1. Any
  2. IP Addresses
  3. Virtual Network
  4. Application security group

That's it! Hit create and the NSG rule is ready.


Assigning the NSGs

These NSGs can be assigned at two levels:

  1. Subnet level - At this level, all the inbound and outbound rules in the NSG are applied to all the Network Interfaces (i.e. VMs) inside the subnet.
  2. Network Interface level - At this level, the rules only apply to that particular network interface and other interfaces are not affected.

Simply navigate to either one of those as per your requirements. In the below screenshot, we are at the subnet level. Click on the "+Associate" button. In the popup select the virtual network and the subnet in it, with which you want to link this NSG. Hit Save to save these configurations.

Associating Subnets and Network interfaces

That's it! You are all set. Now you can control the traffic via NSGs and allow only the traffic that adheres to the standard at your organizations with utmost importance to security aspects.

Comments powered by Disqus