Role of Network Security Groups (NSGs) in Azure
Introduction
- Network Security Groups (NSGs) are a key security feature in Microsoft Azure that help control network traffic to and from Azure resources.
- They act as virtual firewalls, allowing or denying traffic based on defined security rules.
- NSGs provide a simple, scalable, and efficient way to protect Azure workloads from unauthorized access and potential threats.
What is a Network Security Group (NSG)?
✔ A Network Security Group (NSG) is a set of security rules that control inbound and outbound traffic in an Azure Virtual Network (VNet).
✔ NSGs help enforce network security policies by allowing or blocking traffic based on:
- Source & Destination IP addresses
- Protocol (TCP, UDP, ICMP, etc.)
- Port Numbers (e.g., HTTP – 80, HTTPS – 443, SSH – 22)
✔ NSGs work at two levels:
- Subnet Level – Controls traffic to all resources in a subnet.
- Network Interface Level (NIC) – Controls traffic to a specific virtual machine (VM).
Key Features of Network Security Groups (NSGs)
1. Inbound and Outbound Security Rules
✔ NSGs allow you to define rules for incoming (inbound) and outgoing (outbound) traffic.
✔ Example:
- Allow HTTP traffic (port 80) from the internet.
- Block RDP (Remote Desktop Protocol) access from unknown IPs.
2. Stateful Traffic Filtering
✔ NSGs are stateful, meaning if inbound traffic is allowed, the corresponding outbound response is also allowed automatically.
✔ Example:
- If you allow an SSH connection (port 22) to a VM, the outgoing response does not need an explicit rule.
3. Rule-Based Access Control
✔ Each rule consists of:
- Priority (lower numbers have higher priority).
- Source and Destination (IP address, subnet, or service).
- Protocol (TCP, UDP, or Any).
- Port Range (Specific port numbers or range).
- Action (Allow or Deny).
4. Default Security Rules
✔ Azure NSGs have built-in security rules to prevent accidental misconfiguration.
✔ Example default rules:
- Allow VNet-to-VNet traffic within a Virtual Network.
- Allow Outbound Internet access for Azure VMs.
- Deny all inbound traffic from external networks by default.
5. NSGs Can Be Applied to Subnets and NICs
✔ Applying an NSG at the subnet level affects all resources inside that subnet.
✔ Applying an NSG at the NIC level provides granular security for individual virtual machines.
How Do Network Security Groups Work?
✔ Step 1: Define NSG rules with specific priorities and conditions.
✔ Step 2: Associate NSG with a subnet or network interface (NIC).
✔ Step 3: NSG filters incoming and outgoing traffic based on defined rules.
✔ Step 4: Logs and monitoring tools track traffic activity and security rule enforcement.
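The rule structure and priority-based, first-match evaluation described above, worked through as an added example (a constructed model, not Azure's implementation). The VNet range, the "secure web application" rule set, and the probe addresses are all assumed sample values; Azure's "Internet" tag is simplified to "any address outside the VNet", and the default AzureLoadBalancer rule at priority 65001 is left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # constructed address space of the VNet

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; the lowest number is checked first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp", "Icmp" or "*"
    source: str     # a CIDR, or the tags "Internet" / "VirtualNetwork" / "*"
    dest_port: str  # "443", "3389-3390" or "*"

def source_matches(rule_src, ip):
    addr = ip_address(ip)
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":
        return addr in VNET
    if rule_src == "Internet":  # simplified: anything outside the VNet
        return addr not in VNET
    return addr in ip_network(rule_src, strict=False)

def port_matches(rule_port, port):
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

# Azure's default inbound rules sit at 65000+, so any custom rule wins over them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def evaluate_inbound(rules, proto, src_ip, dst_port):
    """First-match evaluation in priority order; returns (access, rule name)."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol in ("*", proto) and source_matches(r.source, src_ip) \
                and port_matches(r.dest_port, dst_port):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")

# Rule set for the "secure web application" use case (constructed values).
WEB_RULES = [
    Rule("AllowHttpsIn", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("AllowHttpIn", 110, "Allow", "Tcp", "Internet", "80"),
    Rule("AllowSshFromAdmin", 120, "Allow", "Tcp", "203.0.113.0/24", "22"),
]
```

Because the default DenyAllInBound rule catches everything that no custom rule allowed, SSH from an address outside the admin range and any UDP traffic both fall through to a deny without an explicit deny rule.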
Use Cases of Network Security Groups (NSGs)
1. Secure Web Applications
✔ Allow HTTP (80) and HTTPS (443) traffic from the internet.
✔ Block unwanted ports like FTP (21) or Telnet (23) to prevent attacks.
2. Restrict Access to Databases
✔ Allow only application servers to connect to databases.
✔ Deny direct database access from the internet.
3. Isolate Virtual Machines in a VNet
✔ Separate development, testing, and production environments.
✔ Block traffic between different VNets unless necessary.
4. Secure Remote Access
✔ Allow only trusted IPs to access virtual machines via RDP (3389) or SSH (22).
5. Protect Hybrid Cloud Deployments
✔ Control traffic between on-premises networks and Azure Virtual Networks.
Best Practices for Using Network Security Groups
✔ Apply NSGs at the Subnet Level for Better Management.
✔ Use Specific IP Ranges Instead of “Any” to Reduce Risk.
✔ Minimize “Allow All” Rules to Avoid Security Gaps.
✔ Use NSG Flow Logs to Monitor Suspicious Traffic.
✔ Regularly Review and Update NSG Rules to Match Security Policies.
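An added example of the flow-log review and "no broad Allow rules" practices listed above (example code, not an Azure tool). It parses constructed NSG flow log records in the comma-separated tuple layout the logs use (timestamp, source IP, destination IP, source port, destination port, protocol T/U, direction I/O, decision A/D; the v2 format appends flow state and counters, which this parser ignores), flags external sources repeatedly denied on the management ports, and flags any allowed inbound management flow from outside the assumed VNet and trusted admin range.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")   # constructed VNet address space
MGMT_PORTS = {22, 3389}            # SSH and RDP

# Constructed flow log tuples:
# timestamp,srcIp,dstIp,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D)
SAMPLE_FLOWS = """\
1542110377,198.51.100.7,10.0.1.4,44931,443,T,I,A
1542110378,198.51.100.7,10.0.1.4,44932,80,T,I,A
1542110380,192.0.2.50,10.0.1.4,51000,22,T,I,D
1542110381,192.0.2.50,10.0.1.4,51001,3389,T,I,D
1542110382,192.0.2.50,10.0.1.5,51002,22,T,I,D
1542110390,203.0.113.9,10.0.1.4,40000,22,T,I,A
1542110391,192.0.2.77,10.0.1.4,40500,3389,T,I,A
1542110395,10.0.1.4,10.0.2.8,53211,1433,T,O,A
""".strip().splitlines()

def parse_flow(line):
    """Parse the first eight fields of a flow tuple; extra v2 fields are ignored."""
    ts, src, dst, sport, dport, proto, direction, decision = line.split(",")[:8]
    return {"ts": int(ts), "src": src, "dst": dst, "sport": int(sport),
            "dport": int(dport), "proto": proto, "dir": direction, "decision": decision}

def audit(lines, trusted_admin=ip_network("203.0.113.0/24"), scan_threshold=3):
    """Return (sources denied repeatedly on mgmt ports, allowed external mgmt flows)."""
    denied = Counter()
    exposures = []
    for f in map(parse_flow, lines):
        if f["dir"] != "I" or f["dport"] not in MGMT_PORTS:
            continue
        src = ip_address(f["src"])
        if f["decision"] == "D":
            denied[f["src"]] += 1          # blocked probes, counted per source
        elif src not in VNET and src not in trusted_admin:
            exposures.append(f)            # an Allow rule is broader than intended
    scanners = sorted(s for s, n in denied.items() if n >= scan_threshold)
    return scanners, exposures
```

The second list is the one that calls for an NSG rule change: an inbound Allow on port 22 or 3389 that matched a source outside the trusted range means the rule's source prefix is wider than "only trusted IPs".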
Quiz
- What is the main purpose of a Network Security Group (NSG)?
A) Encrypt network traffic
B) Control inbound and outbound traffic based on rules
C) Provide cloud storage
D) Increase internet speed
E) Manage user authentication
- Which of the following best describes how NSG rules work?
A) NSG rules are randomly applied
B) NSG rules work on a priority system (lower number = higher priority)
C) NSGs can only block traffic, not allow it
D) NSGs can only be applied at the subnet level
E) NSG rules do not support TCP and UDP protocols
- What happens when an NSG allows inbound HTTP traffic (port 80) to a VM?
A) Outbound response traffic is automatically allowed
B) Outbound traffic is blocked
C) Only internal network traffic is allowed
D) The rule only applies for 1 hour
E) The VM becomes publicly accessible without restrictions
- What is the default behavior of NSGs for incoming traffic?
A) All inbound traffic is allowed
B) All inbound traffic is denied by default
C) Only HTTP and HTTPS traffic is allowed
D) SSH and RDP traffic are always open
E) Outbound internet access is blocked
- Where can NSGs be applied?
A) Only at the virtual network level
B) At both subnet and network interface (NIC) levels
C) Only to individual virtual machines
D) Only to databases
E) Only for outbound traffic
Answers and Explanations
- B – Control inbound and outbound traffic based on rules
- ❌ Wrong answers: NSGs do not encrypt traffic (A), provide storage (C), increase internet speed (D), or manage authentication (E).
- B – NSG rules work on a priority system (lower number = higher priority)
- ❌ Wrong answers: Rules are not random (A), NSGs can both allow and block traffic (C), and can be applied at both subnet and NIC levels (D).
- A – Outbound response traffic is automatically allowed
- ❌ Wrong answers: NSGs are stateful, meaning if inbound traffic is allowed, the response is also allowed automatically (B, C, D, E are incorrect).
- B – All inbound traffic is denied by default
- ❌ Wrong answers: By default, inbound traffic is blocked unless specifically allowed (A, C, D are incorrect).
- B – At both subnet and network interface (NIC) levels
- ❌ Wrong answers: NSGs are not limited to entire VNets (A), individual VMs (C), databases (D), or outbound traffic (E).