What is an Azure Network Security Group?
Azure Network Security Groups (NSGs) are a feature of Azure Virtual Networks (VNets) that let administrators filter inbound and outbound network traffic to and from Azure resources. NSGs are a key component of Azure's network security strategy and help secure the workloads and applications running in Azure.
An NSG is a list of security rules, similar to an access control list (ACL), that can be associated with one or more subnets or with the network interfaces (NICs) of individual virtual machines. NSG rules are stateful: once an inbound flow is allowed, its return traffic is allowed without a matching outbound rule. NSGs filter on layer 3 and layer 4 attributes only (addresses, ports and protocol) and can restrict traffic within a VNet, between VNets, and between a VNet and the internet. They can be combined with Azure Firewall, a managed firewall service that adds application-level rules and threat-intelligence filtering; with Azure VNet Peering, which connects two or more Azure VNets; and with Azure ExpressRoute, which connects your on-premises infrastructure to Azure over a dedicated, private connection.
Create an NSG in Azure
Step 1: Log in to the Azure Portal (https://portal.azure.com/)
Step 2: In the Azure global search bar, type "Network security groups" and select it from the results.
Step 3: Click "Create" to open the Create network security group (NSG) form.
In the "Basics" tab, enter the following information:
- Subscription: Select the subscription you want to use.
- Resource group: Select an existing resource group or create a new one.
- Name: Enter a name for the NSG.
- Region: Select the region where the NSG will be created. It must be the same region as the subnets or network interfaces you intend to associate it with.
Step 4: Click on the "Review + create" button to review your settings.
Step 5: Click on the "Create" button to begin creating the NSG.
Once the NSG is created, add security rules to it by following the steps under Configure NSG Rules below. Note that a new NSG already contains Azure's default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound for inbound traffic, and their outbound counterparts). Default rules cannot be deleted, but any custom rule with a lower priority number overrides them.
Configure NSG Rules
Step 1: Go to the "Network security groups" page in the Azure Portal
Step 2: Click on the NSG you just created.
Step 3: Under "Settings", select "Inbound security rules" or "Outbound security rules", then click "Add".
Step 4: In the "Add inbound security rule" or "Add outbound security rule" pane, configure the settings for the rule:
- Source: Select "Any", "IP Addresses" (a CIDR range or a comma-separated list), a service tag such as VirtualNetwork, Internet or AzureLoadBalancer, or an application security group.
- Source port ranges: The port or port range the traffic originates from. This is almost always "*", because clients use ephemeral source ports.
- Destination: Same choices as Source; the destination address, range, service tag or application security group the rule applies to.
- Destination port ranges: The destination port, a range such as 8080-8090, a comma-separated list, or "*".
- Protocol: Select TCP, UDP, ICMP, or Any.
- Action: Select the action to take when the rule matches (Allow or Deny).
- Priority: Enter a number from 100 to 4096, unique within the NSG. Rules are evaluated in priority order, lowest number first, and processing stops at the first rule that matches, so a Deny with a lower number wins over an Allow with a higher number. Leave gaps (for example steps of 100) so rules can be inserted later.
- Name: Enter a name for the rule.
Step 5: Click on the "Add" button to create the rule.
Note: You can repeat steps 3-5 to add more rules to the NSG.
Some example inbound rules (each uses the VirtualNetwork service tag as the source, so the management ports are reachable only from inside the VNet and not from the internet):
Add an inbound network security group rule with destination port 3389 to allow RDP access:
- Name: AllowRDPInbound
- Destination port: 3389
- Protocol: TCP
- Source: VirtualNetwork (service tag)
- Destination: VirtualNetwork (service tag)
- Action: Allow
- Priority: 100
Add an inbound network security group rule with destination port 22 to allow SSH access:
- Name: AllowSSHInbound
- Destination port: 22
- Protocol: TCP
- Source: VirtualNetwork (service tag)
- Destination: VirtualNetwork (service tag)
- Action: Allow
- Priority: 200
Add an inbound network security group rule with destination port 443 to allow HTTPS access:
- Name: AllowPort443Inbound
- Destination port: 443
- Protocol: TCP
- Source: VirtualNetwork (service tag)
- Destination: VirtualNetwork (service tag)
- Action: Allow
- Priority: 300
Add an inbound network security group rule with destination port 80 to allow HTTP access:
- Name: AllowPort80Inbound
- Destination port: 80
- Protocol: TCP
- Source: VirtualNetwork (service tag)
- Destination: VirtualNetwork (service tag)
- Action: Allow
- Priority: 400
Add an inbound network security group rule to allow Azure Monitor access:
- Name: AllowAzureMonitorInbound
- Destination port: *
- Protocol: Any
- Source: AzureMonitor (service tag)
- Destination: VirtualNetwork (service tag)
- Action: Allow
- Priority: 500
Deny all other inbound access:
- Name: DenyAllInBound
- Destination port: *
- Protocol: Any
- Source: *
- Destination: *
- Action: Deny
- Priority: 600
You can add many more inbound or outbound rules to control and restrict access to your services. Two things to check before applying a rule set like the one above: a custom DenyAllInBound rule at priority 600 is evaluated before Azure's default rules (priority 65000 and above), so it also denies traffic that the default AllowVnetInBound and AllowAzureLoadBalancerInBound rules would have allowed, including Azure Load Balancer health probes and any intra-VNet protocol or port not listed in your own Allow rules. If the subnet sits behind a load balancer, add an explicit Allow rule from the AzureLoadBalancer service tag with a priority number below 600. Also confirm in the Azure service tag documentation that a tag is supported for the direction you use it in; monitoring-related tags are generally documented for outbound rules. To see which rule a specific flow hits, use Network Watcher's IP flow verify (az network watcher test-ip-flow) against a VM in the subnet.
Associate an NSG with a Subnet in Azure:
Step 1: Log in to the Azure Portal >> Navigate to Network security groups >> select your target NSG.
Step 2: From the NSG's page menu, select Subnets >> click Associate >> choose the virtual network and the subnet >> click OK.
That's it, the NSG is now associated with the subnet. A subnet or network interface can have only one NSG, while one NSG can be associated with many subnets and NICs in the same region. If a NIC in the subnet also has its own NSG, inbound traffic must be allowed by both NSGs (the subnet NSG is evaluated first, then the NIC NSG), and outbound traffic is evaluated in the reverse order.
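The whole procedure above (create the NSG, add the inbound rules from the Configure NSG Rules section, associate the NSG with a subnet) scripted with the Azure CLI, as an added example that is not code from the original page or from Microsoft. Before it touches Azure, the script validates the rule priorities and runs the rule set through a small local first-match evaluator that orders custom and default rules the way Azure does, which makes the effect of the DenyAllInBound rule at priority 600 visible: it is hit before the default AllowAzureLoadBalancerInBound rule at 65001. The resource group, region, NSG, VNet and subnet names are hypothetical placeholders, the evaluator compares sources as service-tag labels rather than expanding them to prefixes, and with DRY_RUN=1 (the default) the az commands are only printed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or from Microsoft): scripts the NSG
# procedure with the Azure CLI and checks the rule set locally first.
# Assumed (hypothetical) names: resource group rg-demo, region eastus, NSG nsg-demo,
# VNet vnet-demo, subnet snet-app. DRY_RUN=1 (default) only prints the az commands.
set -eu

RG=${RG:-rg-demo}; LOCATION=${LOCATION:-eastus}; NSG=${NSG:-nsg-demo}
VNET=${VNET:-vnet-demo}; SUBNET=${SUBNET:-snet-app}; DRY_RUN=${DRY_RUN:-1}

# Inbound rules from the page, one per line:
# priority|name|protocol|source|destination|destination port|action
RULES='100|AllowRDPInbound|Tcp|VirtualNetwork|VirtualNetwork|3389|Allow
200|AllowSSHInbound|Tcp|VirtualNetwork|VirtualNetwork|22|Allow
300|AllowPort443Inbound|Tcp|VirtualNetwork|VirtualNetwork|443|Allow
400|AllowPort80Inbound|Tcp|VirtualNetwork|VirtualNetwork|80|Allow
500|AllowAzureMonitorInbound|*|AzureMonitor|VirtualNetwork|*|Allow
600|DenyAllInBound|*|*|*|*|Deny'

# Azure's built-in inbound default rules: present in every NSG and evaluated
# after any custom rule, because their priority numbers are higher (65000+).
DEFAULT_RULES='65000|AllowVnetInBound|*|VirtualNetwork|VirtualNetwork|*|Allow
65001|AllowAzureLoadBalancerInBound|*|AzureLoadBalancer|*|*|Allow
65500|DenyAllInBound|*|*|*|*|Deny'

# validate_rules RULESET: custom priorities must be 100-4096 and unique per NSG.
validate_rules() {
  printf '%s\n' "$1" | awk -F'|' '
    $1 < 100 || $1 > 4096 { print "priority out of range 100-4096: " $2; bad = 1 }
    seen[$1]++           { print "duplicate priority " $1 ": " $2; bad = 1 }
    END { exit bad }'
}

# evaluate PROTO SOURCE DPORT [RULESET]: prints "priority name action" for the
# first matching rule over custom rules plus defaults, lowest number first.
# Simplification: sources are compared as labels (service tag or *); Azure expands
# tags and CIDRs to address prefixes. The flow is assumed to target a VM in the VNet.
evaluate() {
  printf '%s\n%s\n' "${4-$RULES}" "$DEFAULT_RULES" | sort -t'|' -k1,1n |
  awk -F'|' -v proto="$1" -v src="$2" -v dport="$3" '
    function port_ok(spec,  r) {
      if (spec == "*" || spec == dport) return 1
      if (split(spec, r, "-") == 2) return dport + 0 >= r[1] + 0 && dport + 0 <= r[2] + 0
      return 0
    }
    ($3 == "*" || tolower($3) == tolower(proto)) &&
    ($4 == "*" || $4 == src) &&
    ($5 == "*" || $5 == "VirtualNetwork") &&
    port_ok($6) { print $1, $2, $7; exit }'
}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# create_nsg: the NSG, then each rule, then the subnet association (one NSG per subnet).
create_nsg() {
  run az network nsg create -g "$RG" -n "$NSG" -l "$LOCATION"
  printf '%s\n' "$RULES" | while IFS='|' read -r prio name proto src dst port action; do
    run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$name" \
      --priority "$prio" --direction Inbound --access "$action" --protocol "$proto" \
      --source-address-prefixes "$src" --destination-address-prefixes "$dst" \
      --source-port-ranges '*' --destination-port-ranges "$port"
  done
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --network-security-group "$NSG"
}

main() {
  validate_rules "$RULES"
  # The custom DenyAllInBound at 600 is reached before the default rule at 65001,
  # so load balancer health probes are denied; with the defaults alone they pass.
  echo "LB probe with custom rules : $(evaluate Tcp AzureLoadBalancer 80)"
  echo "LB probe, defaults only    : $(evaluate Tcp AzureLoadBalancer 80 '')"
  echo "SSH from the VNet          : $(evaluate Tcp VirtualNetwork 22)"
  echo "DNS (UDP 53) from the VNet : $(evaluate Udp VirtualNetwork 53)"
  create_nsg
}
main
```

Run it with DRY_RUN=0 after `az login` to apply the rules; the local evaluator is a model for reasoning about priority order before you push a rule set, not a replacement for Network Watcher's IP flow verify, which evaluates the effective rules Azure actually enforces on a NIC.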