Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
6.1.1. NSG Rules and Processing
Default Rules (cannot be deleted):
| Direction | Priority | Name | Action |
|---|---|---|---|
| Inbound | 65000 | AllowVnetInBound | Allow traffic from VNet |
| Inbound | 65001 | AllowAzureLoadBalancerInBound | Allow LB probes |
| Inbound | 65500 | DenyAllInBound | Deny all other |
| Outbound | 65000 | AllowVnetOutBound | Allow traffic to VNet |
| Outbound | 65001 | AllowInternetOutBound | Allow internet |
| Outbound | 65500 | DenyAllOutBound | Deny all other |
Rule Processing:
- Rules evaluated by priority (lower number = higher priority)
- First matching rule wins
- Traffic that matches no higher-priority rule falls through to the default rules and ends at DenyAll (default deny)
Rule Components:
| Property | Purpose |
|---|---|
| Priority | 100-4096 (lower = higher priority) |
| Source/Destination | IP, CIDR, service tag, ASG |
| Protocol | TCP, UDP, ICMP, Any |
| Port | Single, range, or Any |
| Action | Allow or Deny |
Service Tags:
Service tags represent groups of IP prefixes managed by Microsoft:
| Tag | Represents |
|---|---|
| VirtualNetwork | VNet space + peered VNets + on-premises |
| Internet | All public IPs |
| AzureLoadBalancer | Azure LB health probes |
| Storage | Azure Storage (regional variants of the tag are available) |
| Sql | Azure SQL Database |
NSG Association:
| Level | Scope | Best Practice |
|---|---|---|
| Subnet | All NICs in subnet | Broad rules, standard policies |
| NIC | Single VM | Specific rules, sensitive workloads |
⚠️ Exam Trap: Both the subnet NSG and the NIC NSG are evaluated; traffic must be allowed by BOTH (the most restrictive outcome wins).
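The rule-processing steps above and the subnet-plus-NIC exam trap, simulated in Python as an added example (this is not code from the course notes or from Azure). The VNet address space (10.0.0.0/16), the custom rules, the two NIC NSGs and the sample flows are all constructed; the VirtualNetwork tag is resolved only to that constructed space and the Internet tag to "anything outside it", both simplifications of the real tags; 168.63.129.16 is Azure's well-known health-probe source address, used here to stand in for the Microsoft-managed AzureLoadBalancer tag. The evaluation order (subnet NSG first for inbound, NIC NSG first for outbound) is Azure's documented behaviour rather than something stated on this page.

```python
"""Simulate Azure NSG processing: priority order, first match wins, default rules,
and the subnet-NSG plus NIC-NSG double check.  Added teaching example, not code from
the course notes or from Azure; VNet space, custom rules and flows are constructed."""
from collections import namedtuple
from dataclasses import dataclass
import ipaddress

# Constructed VNet space used to resolve the VirtualNetwork tag (the real tag also
# covers peered VNets and on-premises ranges).  168.63.129.16 is Azure's well-known
# health-probe source and stands in for the Microsoft-managed AzureLoadBalancer tag.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
LB_PROBE_PREFIXES = [ipaddress.ip_network("168.63.129.16/32")]

@dataclass(frozen=True)
class Rule:
    priority: int           # custom 100-4096, defaults 65000-65500
    name: str
    direction: str          # "Inbound" | "Outbound"
    source: str             # CIDR, single IP, service tag, or "*"
    destination: str
    protocol: str           # "Tcp", "Udp", "Icmp", or "*"
    port: str               # destination port "443", range "1000-2000", or "*"
    action: str             # "Allow" | "Deny"

Flow = namedtuple("Flow", "direction src dst protocol port")  # port = destination port

def default_rules():
    """The six default rules from the table above; they cannot be deleted."""
    return [
        Rule(65000, "AllowVnetInBound", "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
        Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
        Rule(65500, "DenyAllInBound", "Inbound", "*", "*", "*", "*", "Deny"),
        Rule(65000, "AllowVnetOutBound", "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
        Rule(65001, "AllowInternetOutBound", "Outbound", "*", "Internet", "*", "*", "Allow"),
        Rule(65500, "DenyAllOutBound", "Outbound", "*", "*", "*", "*", "Deny"),
    ]

def _match_address(spec, ip):
    """Resolve a service tag, CIDR or single IP and test membership."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in net for net in VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return any(ip in net for net in LB_PROBE_PREFIXES)
    if spec == "Internet":  # simplification: every address outside the VNet space
        return not any(ip in net for net in VNET_PREFIXES)
    return ip in ipaddress.ip_network(spec, strict=False)

def _match_port(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(rules, flow):
    """Apply one NSG: walk the rules for the flow's direction in ascending priority
    order and return (action, rule_name) of the first match."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for rule in sorted((r for r in rules if r.direction == flow.direction), key=lambda r: r.priority):
        if (_match_address(rule.source, src) and _match_address(rule.destination, dst)
                and rule.protocol in ("*", flow.protocol) and _match_port(rule.port, flow.port)):
            return rule.action, rule.name
    return "Deny", "(no match)"  # unreachable while the DenyAll defaults are present

def effective_decision(subnet_rules, nic_rules, flow):
    """Both NSGs are applied and the flow passes only if each one allows it.  Azure
    checks the subnet NSG first for inbound and the NIC NSG first for outbound, and
    stops at the first Deny."""
    order = (subnet_rules, nic_rules) if flow.direction == "Inbound" else (nic_rules, subnet_rules)
    verdicts = []
    for rules in order:
        verdicts.append(evaluate(rules, flow))
        if verdicts[-1][0] == "Deny":
            return False, verdicts
    return True, verdicts

def demo():
    """Constructed NSGs and flows; returns {scenario: (allowed, verdicts)}."""
    subnet_nsg = default_rules() + [
        Rule(100, "AllowHttpsFromInternet", "Inbound", "Internet", "VirtualNetwork", "Tcp", "443", "Allow"),
        Rule(200, "DenyRdpFromMgmtSubnet", "Inbound", "10.0.1.0/24", "*", "Tcp", "3389", "Deny"),
        Rule(210, "AllowRdpFromVnet", "Inbound", "VirtualNetwork", "*", "Tcp", "3389", "Allow"),
    ]
    nic_defaults_only = default_rules()
    nic_opened = default_rules() + [Rule(100, "AllowHttps", "Inbound", "Internet", "*", "Tcp", "443", "Allow")]
    https_in = Flow("Inbound", "203.0.113.7", "10.0.2.4", "Tcp", 443)
    return {
        # Exam trap: subnet NSG allows 443, but a NIC NSG with only defaults denies it.
        "https_nic_defaults_only": effective_decision(subnet_nsg, nic_defaults_only, https_in),
        "https_nic_opened": effective_decision(subnet_nsg, nic_opened, https_in),
        # Priority 200 Deny is matched before the 210 Allow: first match wins.
        "rdp_from_mgmt": effective_decision(subnet_nsg, nic_defaults_only, Flow("Inbound", "10.0.1.5", "10.0.2.4", "Tcp", 3389)),
        "rdp_from_other_host": effective_decision(subnet_nsg, nic_defaults_only, Flow("Inbound", "10.0.3.9", "10.0.2.4", "Tcp", 3389)),
        # Probe admitted by the AzureLoadBalancer default rule; egress by AllowInternetOutBound.
        "lb_probe": effective_decision(subnet_nsg, nic_defaults_only, Flow("Inbound", "168.63.129.16", "10.0.2.4", "Tcp", 80)),
        "egress_https": effective_decision(subnet_nsg, nic_defaults_only, Flow("Outbound", "10.0.2.4", "203.0.113.7", "Tcp", 443)),
    }

if __name__ == "__main__":
    for name, (allowed, verdicts) in demo().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY':5} {verdicts}")
```

Running the module prints one line per scenario. The `https_nic_defaults_only` case is the exam trap: the subnet NSG's priority-100 rule allows TCP 443 from the internet, but the NIC NSG carries only default rules, so `DenyAllInBound` matches there and the effective result is Deny. The two RDP flows show why rule order matters: the priority-200 Deny for the management subnet is matched before the priority-210 Allow for the whole VNet, so the same destination port is denied from one source and allowed from another.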
Written by Alvin Varughese, Founder • 15 professional certifications