Network Security Groups (NSGs) – A Complete Guide for SC-900
Why Are Network Security Groups (NSGs) Important?
Network Security Groups (NSGs) are a foundational component of network security in Microsoft Azure. They act as a virtual firewall that controls inbound and outbound traffic to Azure resources such as virtual machines (VMs), subnets, and network interfaces. Understanding NSGs is critical for the SC-900 exam because they directly relate to Microsoft's approach to defense in depth and the principle of least privilege at the network layer. Without NSGs, Azure resources would be exposed to unrestricted network traffic, creating significant security risks.
What Are Network Security Groups (NSGs)?
An NSG is an Azure resource that contains a collection of security rules that allow or deny inbound and outbound network traffic. Each rule is evaluated based on six key properties:
1. Name – A unique identifier for the rule within the NSG.
2. Priority – A number between 100 and 4096. Rules are processed in order of priority, with lower numbers being processed first. Once a matching rule is found, processing stops.
3. Source or Destination – Can be an IP address, IP address range, service tag, or application security group.
4. Protocol – TCP, UDP, ICMP, or Any.
5. Direction – Whether the rule applies to inbound or outbound traffic.
6. Action – Either Allow or Deny.
NSGs can be associated with:
- Subnets – Applying rules to all resources within that subnet.
- Network Interfaces (NICs) – Applying rules to a specific virtual machine's NIC.
A single NSG can be associated with multiple subnets and network interfaces, but each subnet or NIC can only have one NSG associated with it at a time.
How Do NSGs Work?
NSGs filter traffic using their defined security rules. Here is how the evaluation process works:
1. Default Rules:
Every NSG comes with a set of default rules that cannot be deleted but can be overridden by creating rules with higher priority (lower priority numbers). The default rules include:
- AllowVNetInBound – Allows all inbound traffic within the virtual network.
- AllowAzureLoadBalancerInBound – Allows inbound traffic from the Azure Load Balancer.
- DenyAllInBound – Denies all other inbound traffic (priority 65500).
- AllowVNetOutBound – Allows all outbound traffic within the virtual network.
- AllowInternetOutBound – Allows outbound traffic to the internet.
- DenyAllOutBound – Denies all other outbound traffic (priority 65500).
2. Rule Processing Order:
Rules are evaluated in priority order, starting with the lowest number. As soon as a rule matches the traffic, that rule's action (Allow or Deny) is applied, and no further rules are evaluated. This means a rule with priority 100 will be evaluated before a rule with priority 200.
3. Stateful Nature:
NSGs are stateful. This means if you allow inbound traffic on a specific port, the return (response) traffic is automatically allowed, regardless of outbound rules. You do not need to create a separate outbound rule for return traffic.
4. Subnet and NIC Level Filtering:
When an NSG is applied to both a subnet and a NIC, the traffic is evaluated by the subnet-level NSG first for inbound traffic, and then by the NIC-level NSG. For outbound traffic, the order is reversed: NIC-level NSG first, then subnet-level NSG. Traffic must be allowed by both NSGs to pass through.
5. Service Tags:
Instead of specifying individual IP addresses, you can use service tags such as Internet, VirtualNetwork, AzureLoadBalancer, and Storage to simplify rule management. Service tags are maintained and updated by Microsoft.
6. Application Security Groups (ASGs):
ASGs allow you to group virtual machines and define NSG rules based on those groups, rather than using explicit IP addresses. This simplifies rule management in complex environments.
Key Concepts to Remember for SC-900:
- NSGs operate at Layer 3 and Layer 4 of the OSI model (network and transport layers).
- NSGs do not inspect application-layer (Layer 7) content. For Layer 7 protection, Azure Web Application Firewall (WAF) or Azure Firewall is used.
- NSGs are free to use in Azure.
- NSGs are different from Azure Firewall. Azure Firewall is a managed, cloud-based network security service that provides more advanced features like threat intelligence-based filtering, FQDN filtering, and centralized policy management. NSGs provide basic network-level filtering.
- NSGs support augmented security rules, which allow you to combine multiple ports, multiple IP addresses, service tags, and ASGs into a single rule.
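The evaluation process described above (priority order with first-match-wins, the non-deletable default rules, service tags, application security groups, augmented rules that combine several ports and prefixes, and the subnet-then-NIC ordering where both NSGs must allow the traffic) can be modelled in a few dozen lines. The following simulator is an added illustration written for this guide; it is not Azure's code and does not call the Azure API. It assumes a constructed VNet of 10.0.0.0/16, a constructed ASG called web-servers, and simplifies the Internet tag to "any address outside the VNet"; the Azure Load Balancer probe address 168.63.129.16 is the documented platform address, but everything else (rule names, addresses, ports) is made up for the example.

```python
"""Toy NSG rule evaluator: an added illustration for this guide, not Azure's code.

Models the semantics the guide describes: priority order, first match wins,
default rules at 65000/65001/65500, service tags, ASGs, augmented rules and
the subnet-then-NIC (inbound) / NIC-then-subnet (outbound) combination.
"""
from dataclasses import dataclass
import ipaddress

# Constructed sample address space (assumption): the VNet is 10.0.0.0/16.
VNET = ipaddress.ip_network("10.0.0.0/16")

# Constructed ASG membership (assumption): ASG name -> VM private IPs.
ASG_MEMBERS = {"web-servers": {"10.0.1.4", "10.0.1.5"}}

# Documented Azure platform address used by the load balancer for health probes.
AZURE_LB_PROBE_IP = "168.63.129.16"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                  # 100-4096 for custom rules; defaults use 65000+
    direction: str                 # "Inbound" or "Outbound"
    action: str                    # "Allow" or "Deny"
    protocol: str = "*"            # "Tcp", "Udp", "Icmp" or "*" (Any)
    sources: tuple = ("*",)        # prefixes, service tags or ASG names (augmented rule)
    destinations: tuple = ("*",)
    dest_ports: tuple = ("*",)     # "443", "1000-2000" or "*" (augmented rule)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int
    direction: str


# Default rules every NSG carries; they cannot be deleted, only overridden.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow",
         sources=("VirtualNetwork",), destinations=("VirtualNetwork",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", sources=("AzureLoadBalancer",)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVNetOutBound", 65000, "Outbound", "Allow",
         sources=("VirtualNetwork",), destinations=("VirtualNetwork",)),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", destinations=("Internet",)),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


def _address_matches(spec, ip):
    """Resolve a prefix, service tag or ASG name against a concrete address."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":                 # simplification: anything outside the VNet
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if spec in ASG_MEMBERS:                # application security group
        return ip in ASG_MEMBERS[spec]
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def rule_matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.protocol in ("*", pkt.protocol)
            and any(_address_matches(s, pkt.src) for s in rule.sources)
            and any(_address_matches(d, pkt.dst) for d in rule.destinations)
            and any(_port_matches(p, pkt.dst_port) for p in rule.dest_ports))


def evaluate_nsg(custom_rules, pkt):
    """Return (action, rule_name) of the first matching rule, lowest priority number first."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    raise AssertionError("unreachable: a DenyAll default rule always matches")


def evaluate_path(subnet_rules, nic_rules, pkt):
    """Inbound: subnet NSG then NIC NSG; outbound: NIC then subnet. Both must allow."""
    order = [subnet_rules, nic_rules] if pkt.direction == "Inbound" else [nic_rules, subnet_rules]
    trace = []
    for rules in order:
        action, name = evaluate_nsg(rules, pkt)
        trace.append(name)
        if action == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed sample NSGs (assumptions). The subnet NSG uses one augmented rule
# for both web ports; the NIC NSG on 10.0.1.5 permits only 443, so a subnet-level
# allow of port 80 is not enough on its own.
SUBNET_RULES = [
    Rule("AllowWebFromInternet", 100, "Inbound", "Allow", "Tcp",
         sources=("Internet",), destinations=("web-servers",), dest_ports=("80", "443")),
    Rule("DenyRdpFromInternet", 200, "Inbound", "Deny", "Tcp",
         sources=("Internet",), dest_ports=("3389",)),
]
NIC_RULES = [
    Rule("AllowHttpsOnly", 100, "Inbound", "Allow", "Tcp", dest_ports=("443",)),
    Rule("DenyOtherTcp", 110, "Inbound", "Deny", "Tcp"),
]

if __name__ == "__main__":
    for pkt in [Packet("203.0.113.9", "10.0.1.5", "Tcp", 443, "Inbound"),
                Packet("203.0.113.9", "10.0.1.5", "Tcp", 80, "Inbound"),
                Packet("10.0.2.7", "10.0.1.5", "Tcp", 3389, "Inbound")]:
        print(pkt.dst_port, evaluate_path(SUBNET_RULES, NIC_RULES, pkt))
```

Running it shows the exam traps in action: port 443 passes both NSGs, port 80 is allowed by the subnet NSG but denied by the NIC NSG, and RDP from another VNet subnet is allowed by the default AllowVNetInBound rule at the subnet level yet still denied at the NIC. The trace returned by evaluate_path names the rule that decided at each level, which is the same information you would look for in NSG flow logs when diagnosing "blocked despite an allow rule".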
NSGs vs. Azure Firewall – Understanding the Difference:
This is a commonly tested concept on the SC-900 exam:
- NSGs: Basic, distributed network-level traffic filtering. Applied at the subnet or NIC level. Free. Operates at Layer 3/4.
- Azure Firewall: Centralized, fully stateful firewall as a service. Supports FQDN filtering, threat intelligence, Layer 7 filtering, and logging/analytics. It is a paid service.
Exam Tips: Answering Questions on Network Security Groups (NSGs)
1. Remember that NSGs are stateful. If a question asks whether you need to create a separate outbound rule for return traffic, the answer is no. NSGs automatically allow response traffic.
2. Know the default rules. Questions may ask what happens when an NSG is created with no custom rules. Remember that by default, all inbound traffic from the internet is denied, but traffic within the VNet is allowed. Outbound internet traffic is allowed by default.
3. Priority matters. Lower numbers = higher priority. If two rules conflict, the one with the lower priority number wins. This is a frequent trap in exam questions.
4. NSGs can be applied at two levels: subnet and NIC. If a question describes traffic being blocked despite an allow rule, check whether there is a conflicting rule at the other level. Traffic must pass through both NSGs.
5. NSGs are NOT Azure Firewall. If a question asks about FQDN filtering, threat intelligence-based filtering, or centralized network policy management, the answer is Azure Firewall, not NSGs.
6. NSGs operate at Layer 3/4 only. If a question mentions application-layer inspection or web application protection, think Azure WAF or Azure Firewall, not NSGs.
7. Service tags simplify management. If a question asks about the easiest way to allow traffic from Azure services without specifying IP addresses, the answer involves service tags.
8. Application Security Groups (ASGs) are used to group VMs logically. If a question asks about simplifying NSG rules for groups of VMs, think ASGs.
9. NSGs are free. If a question asks about a cost-effective way to filter network traffic at the subnet level, NSGs are the correct answer.
10. Default deny behavior: The default DenyAllInBound rule has a priority of 65500. Custom rules must have a priority lower than 65500 to take effect. You cannot delete default rules, but you can override them.
11. Watch for keywords in exam questions: Words like filter network traffic, allow or deny traffic, subnet-level security, and virtual firewall typically point to NSGs. Words like centralized firewall, FQDN filtering, and threat intelligence point to Azure Firewall.
By understanding these core concepts and exam strategies, you will be well-prepared to confidently answer any SC-900 question related to Network Security Groups.