Configuring Network Security Groups in Azure


What are Network Security Groups (NSGs)?

Network Security Groups (NSGs) are a crucial feature in Microsoft Azure that allow you to control inbound and outbound traffic to network interfaces, virtual machines, and subnets. NSGs provide a flexible and powerful way to secure your Azure resources by defining rules for network traffic filtering.


Key Concepts and Features

Network Security Groups come with several key concepts and features:

  • Inbound and Outbound Rules: NSGs include rules to control incoming and outgoing traffic based on various criteria, such as source and destination IP addresses, ports, and protocols.
  • Default Rules: Every NSG includes default rules that allow outbound traffic but deny all incoming traffic. You can add custom rules to override these defaults.
  • Associating with Resources: NSGs can be associated with network interfaces, virtual machines, or subnets to apply the defined rules to specific resources or parts of your network.
  • Prioritization: Rules in an NSG are evaluated based on their priority, with lower numbers indicating higher priority. When a rule matches traffic, further rule evaluation is stopped.
  • Logging: NSGs can be configured to log traffic that matches specific rules, providing visibility into network traffic and potential security threats.
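
The prioritization behaviour described above, as an added example that is not part of the original page: a local PowerShell simulation of first-match evaluation over a constructed rule set. The function names, the rule object shape, and the Deny-Web-Range rule are assumptions made for illustration, and matching is simplified to direction, protocol, and destination port (real NSG rules also match source and destination address prefixes and source ports).

```powershell
# Constructed rule set (not read from a real subscription). Allow-HTTP mirrors a typical
# custom rule, Deny-Web-Range is hypothetical, DenyAllInBound is Azure's default deny rule.
$rules = @(
    [pscustomobject]@{ Name = 'Deny-Web-Range'; Priority = 200;   Direction = 'Inbound'; Protocol = 'Tcp'; Port = '80-443'; Access = 'Deny'  }
    [pscustomobject]@{ Name = 'Allow-HTTP';     Priority = 100;   Direction = 'Inbound'; Protocol = 'Tcp'; Port = '80';     Access = 'Allow' }
    [pscustomobject]@{ Name = 'DenyAllInBound'; Priority = 65500; Direction = 'Inbound'; Protocol = '*';   Port = '*';      Access = 'Deny'  }
)

# Hypothetical helper: does a rule's port spec ('*', '80', or '80-443') cover $Port?
function Test-PortMatch {
    param([string]$RulePort, [int]$Port)
    if ($RulePort -eq '*') { return $true }
    if ($RulePort -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Port -eq [int]$RulePort)
}

# Hypothetical evaluator: rules are tried in ascending priority number, and the
# first rule that matches decides the verdict; later rules are never consulted.
function Get-NsgVerdict {
    param([object[]]$Rules, [string]$Direction, [string]$Protocol, [int]$Port)
    foreach ($rule in ($Rules | Where-Object Direction -eq $Direction | Sort-Object Priority)) {
        $protoOk = ($rule.Protocol -eq '*' -or $rule.Protocol -eq $Protocol)
        if ($protoOk -and (Test-PortMatch -RulePort $rule.Port -Port $Port)) {
            return [pscustomobject]@{ Protocol = $Protocol; Port = $Port; Access = $rule.Access
                                      MatchedRule = $rule.Name; Priority = $rule.Priority }
        }
    }
    # Reached only if the default rules were left out of $Rules.
    return [pscustomobject]@{ Protocol = $Protocol; Port = $Port; Access = 'Deny'
                              MatchedRule = '<none>'; Priority = $null }
}

# Cases: TCP 80 is covered by both custom rules, TCP 443 by the range rule only,
# TCP 22 and UDP 53 by neither custom rule.
@(
    Get-NsgVerdict -Rules $rules -Direction Inbound -Protocol Tcp -Port 80
    Get-NsgVerdict -Rules $rules -Direction Inbound -Protocol Tcp -Port 443
    Get-NsgVerdict -Rules $rules -Direction Inbound -Protocol Tcp -Port 22
    Get-NsgVerdict -Rules $rules -Direction Inbound -Protocol Udp -Port 53
) | Format-Table -AutoSize
```

The MatchedRule column shows which rule ended evaluation for each flow, which is the quickest way to spot a broad allow rule that shadows a more specific deny placed at a higher priority number.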

Configuring Network Security Groups

To configure NSGs in Azure, follow these steps:

  1. Sign in to your Azure Portal.
  2. Navigate to the "Create a resource" section and search for "Network Security Group."
  3. Create a new NSG and define your inbound and outbound security rules, specifying source and destination IP addresses, ports, and protocols.
  4. Associate the NSG with the desired network interfaces, virtual machines, or subnets to apply the rules.
  5. Review and save your NSG configuration.

Sample Code

Here's a simple example of how to create an NSG with inbound and outbound security rules using Azure PowerShell:

# Define variables (the resource group must already exist)
$rgName = "MyResourceGroup"
$nsgName = "MyNSG"
$location = "East US"
# Define an inbound security rule: allow HTTP (TCP 80) from the Internet
$inboundRule = New-AzNetworkSecurityRuleConfig -Name "Allow-HTTP" -Description "Allow HTTP traffic" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix "Internet" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange 80
# Define an outbound security rule: allow all outbound traffic
$outboundRule = New-AzNetworkSecurityRuleConfig -Name "Allow-Outbound" -Description "Allow outbound traffic" -Access Allow -Protocol "*" -Direction Outbound -Priority 100 -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange "*"
# Create the Network Security Group with both rules attached
# (rule configs are passed via -SecurityRules; Set-AzNetworkSecurityRuleConfig only updates a rule that already exists in an NSG)
$myNSG = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName -Location $location -SecurityRules $inboundRule, $outboundRule

Conclusion

Network Security Groups in Azure are a vital tool for controlling and securing network traffic to your Azure resources. By defining and configuring NSGs with the right rules, you can protect your resources from unauthorized access and potential security threats.