Network Security Groups (NSGs)

• NSGs contain sets of rules that allow or deny specific traffic to specific resources or subnets in Azure

• NSG can be associated to a Network Interface (NIC) or subnet

• Lets create a simple nsg

• NSG has set of rules, Each rule has a priority. Rules with higher priority have lower priority number (Lower the Priority number higher will be its priority)

• Every rule has

  • priority (lower the number higher the priority): Range is between 100 and 4096
  • source: For inbound source is where the network packet is arriving from. Azure gives options for
    • Any (Anywhere)
    • IpAddress (Specific IP Ranges)
    • Service Tag
    • Application Security Group
  • source port range: From which port is the traffic generated on source
  • Destination: Where the network packet is travelling
  • Destination Port Ranges: Port on which the network packet is reaching
  • Protocol:
    • TCP
    • UDP
    • ICMP
  • Action: Allow /Deny
  • Name:
  • Description

• Lets try to write a rule which allows http and ssh communications from internet, all communication with vnet are allowed rest are denied

• Now lets attach this to web subnet

• Now lets create a nsg for app subnet which allows communication only from web subnet for incoming.

• While creating the vm the nsg gets created and associates with network interface.

• Exercise: Create a vnet as mentioned in the below architecture

  • Diagram
  • Web Subnet, Management should be accessible from any where (including internet) => Create an NSG
  • Business subnet should be accesible to Web & Mgmt
  • Data subnet should be accessible to Business & Mgmt
  • AD subnet should be accessible to all other subnets not internet