5.1.1.2. Configure Network Security Groups (NSGs)
💡 First Principle: Network Security Groups are a fundamental, stateful layer-4 packet filter for controlling network traffic to and from Azure resources, enabling granular security at both the subnet and network interface levels. Stateful means that once a flow is allowed in one direction, its return traffic is permitted automatically without a matching rule in the other direction.
Scenario: You have a web server VM and a database VM in separate subnets within the same Virtual Network. The web server needs to receive HTTP/HTTPS traffic from the internet and communicate with the database VM on port 1433. The database VM should only accept traffic from the web server subnet on port 1433 and have no inbound internet access.
What It Is: An NSG is a list of security rules that allow or deny inbound or outbound network traffic to, or from, Azure resources.
NSG Rule Components:
- Priority: Each custom rule has a unique priority number (100-4096); rules are processed in ascending order, so the lowest number is checked first, and processing stops at the first rule whose conditions match (first match wins).
- Source/Destination: Define where traffic originates and where it’s headed using IPs, CIDR blocks, service tags, or Application Security Groups (ASGs).
- Port Range: Specify individual ports or ranges.
- Protocol: Choose TCP, UDP, ICMP, or Any.
- Action: Allow or Deny.
- Direction: Rules apply to Inbound or Outbound traffic.
Default Security Rules:
NSGs include built-in rules that cannot be deleted, only overridden. Inbound: AllowVNetInBound (65000), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500); outbound: AllowVnetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500). Because custom rules use priorities 100-4096, any custom rule is evaluated before the defaults. Note that AllowVNetInBound admits all traffic between addresses covered by the VirtualNetwork service tag, so restricting access within the VNet requires an explicit custom Deny rule.
Application Scope: NSGs can be associated with subnets or directly with NICs (one NSG per subnet or NIC; a single NSG can be reused across many). When both are present, inbound traffic is evaluated against the subnet NSG first and then the NIC NSG; outbound traffic against the NIC NSG first and then the subnet NSG. Traffic must be allowed at both levels, and a Deny at either level is final.
Visual: NSG Rule Evaluation Flow
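The evaluation flow as an added, runnable model (example code written for this page, not Azure's engine or anything from the original): it encodes the documented semantics (ascending priority, first match wins, the default rules, subnet-then-NIC on inbound) and applies them to the web/database scenario above. The addresses, rule names and service-tag handling are assumptions made for the example; in particular the VirtualNetwork and Internet tags are simplified to "inside" and "outside" a constructed 10.0.0.0/16 VNet, whereas the real tags also cover peered VNets and on-premises prefixes.

```python
"""Added example: a small model of NSG rule evaluation for the web/database
scenario. Not Azure code; it reproduces the documented semantics (ascending
priority, first match wins, default rules, subnet-then-NIC on inbound) so the
scenario's rules can be exercised offline."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the scenario (assumption, not from the page).
VNET_CIDR = "10.0.0.0/16"
WEB_SUBNET = "10.0.1.0/24"
DB_SUBNET = "10.0.2.0/24"
AZURE_LB_PROBE_IP = "168.63.129.16"   # source address behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules 100-4096; Azure defaults 65000-65500
    direction: str      # "Inbound" | "Outbound"
    access: str         # "Allow" | "Deny"
    protocol: str       # "Tcp" | "Udp" | "Icmp" | "*"
    source: str         # CIDR, single IP, "*" or a service tag
    destination: str
    dest_ports: str     # "1433", "80,443", "1024-65535" or "*"


def addr_matches(spec: str, addr: str) -> bool:
    """Service tags are simplified: the real VirtualNetwork tag also covers
    peered VNets and on-premises prefixes learned through a gateway."""
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in ipaddress.ip_network(VNET_CIDR)
    if spec == "Internet":          # modelled as "not inside our VNet"
        return ip not in ipaddress.ip_network(VNET_CIDR)
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """'*', a single port, a range 'a-b', or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# Azure's built-in rules; they cannot be removed, only out-prioritised.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def evaluate(custom_rules, direction, protocol, src, dst, dport):
    """One NSG: sort by ascending priority, return the first matching rule's verdict."""
    for r in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and addr_matches(r.source, src) and addr_matches(r.destination, dst)
                and port_matches(r.dest_ports, dport)):
            return r.access, r.name
    raise RuntimeError("unreachable: the DenyAll default always matches")


def evaluate_inbound(subnet_rules, nic_rules, protocol, src, dst, dport):
    """Inbound path: subnet NSG first, then NIC NSG. Both must allow; a Deny at
    either level is final. None means no NSG is attached at that level."""
    verdict = ("Allow", "no NSG attached")
    for rules in (subnet_rules, nic_rules):
        if rules is None:
            continue
        verdict = evaluate(rules, "Inbound", protocol, src, dst, dport)
        if verdict[0] == "Deny":
            break
    return verdict


# Scenario rules (assumed names). Web subnet: HTTP/HTTPS from the internet.
WEB_NSG = [
    Rule("AllowWebFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "80,443"),
]
# Database subnet: SQL from the web subnet only. The catch-all at 4096 is what
# makes "only" true: without it, AllowVNetInBound (65000) still admits every
# host in the VNet on every port. If the DB VM sits behind a load balancer,
# add an explicit AzureLoadBalancer allow ahead of the catch-all.
DB_NSG = [
    Rule("AllowSqlFromWebSubnet", 100, "Inbound", "Allow", "Tcp", WEB_SUBNET, "*", "1433"),
    Rule("DenyAllOtherInBound", 4096, "Inbound", "Deny", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    flows = [  # (description, nsg, protocol, src, dst, port): constructed traffic
        ("internet -> web:443", WEB_NSG, "Tcp", "203.0.113.5", "10.0.1.4", 443),
        ("internet -> web:22", WEB_NSG, "Tcp", "203.0.113.5", "10.0.1.4", 22),
        ("web -> db:1433", DB_NSG, "Tcp", "10.0.1.4", "10.0.2.4", 1433),
        ("internet -> db:1433", DB_NSG, "Tcp", "203.0.113.5", "10.0.2.4", 1433),
        ("other VNet host -> db:1433", DB_NSG, "Tcp", "10.0.3.7", "10.0.2.4", 1433),
        ("same, without the catch-all deny", DB_NSG[:1], "Tcp", "10.0.3.7", "10.0.2.4", 1433),
    ]
    for desc, nsg, proto, s, d, p in flows:
        print(f"{desc:36} -> {evaluate(nsg, 'Inbound', proto, s, d, p)}")
```

The last flow is the one worth remembering: drop the catch-all Deny and a host in any other subnet of the VNet reaches SQL on 1433 through the default AllowVNetInBound rule, even though no custom rule allows it.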
⚠️ Common Pitfall: Creating overly complex NSG rules with conflicting priorities, especially across a subnet NSG and a NIC NSG on the same VM, making it difficult to troubleshoot connectivity issues. Use the NIC's Effective security rules view or Network Watcher's IP flow verify to see which rule actually decides a given flow instead of reasoning across both rule sets by hand.
Key Trade-Offs:
- Granularity (NIC-level) vs. Broad Control (Subnet-level): NIC-level NSGs provide fine-grained control for specific VMs. Subnet-level NSGs provide broader, more manageable control for groups of resources. A combination of both provides defense-in-depth.
Reflection Question: How do Network Security Groups (NSGs), through their customizable rules and application scope (subnet/NIC), fundamentally enable precise control over network traffic flow, minimizing exposure and risk by only permitting necessary communication to Azure resources?