Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Network security groups

Network security groups (NSGs) are the Azure implementation of a firewall. They are simple, stateful access control lists (ACLs): once a rule allows a flow in one direction, the return traffic for that flow is permitted automatically, so you do not need to add a matching rule in the opposite direction.

An NSG has a name and rules, where each rule consists of the following:

  • Name: A name for the rule.
  • Protocol: The protocol for which this rule applies. Can be TCP, UDP, or * (where * matches TCP, UDP, and ICMP).
  • Source port range: The source port range for which this rule applies. Can be a single port (such as 2200), a range of ports (such as 2200-2299), or *.
  • Destination port range: The destination port range for which this rule applies. Can be a single port (such as 2200), a range of ports (such as 2200-2299), or *.
  • Source address prefix: The source address prefix for which this rule applies. Can be a single IP address (such as 10.0.10.10), a CIDR range (such as 10.0.10.0/24), a default tag, or *.
  • Destination address prefix: The destination address prefix for which this rule applies. Can be a single IP address (such as 10.0.10.10), a CIDR range (such as 10.0.10.0/24), a default tag, or *.
  • Direction: The direction in which this rule should match. Can be inbound or outbound.
  • Priority: The priority of the rule. Can be between 100 and 4096; rules with lower numbers are processed first.
  • Access: What to do if the rule matches. Can be either allow or deny.
Azure provides some default tags, which can be used to represent address ranges in a way that is portable across virtual networks. The default tags are:
  • VIRTUAL_NETWORK: The address space of your virtual network. This address includes parts of the network that are reachable over the site-to-site VPN.
  • AZURE_LOADBALANCER: The address of the Azure infrastructure load balancer. This address is where health probes to your VM originate from.
  • INTERNET: Any address space that is outside your virtual network and accessible from the public Internet.

The rules in an NSG are processed in order of increasing priority. If a rule is matched, the associated access decision is made and rule processing stops. Give more specific rules a lower priority number so that they are processed first.

It is recommended that you increase the priority number of each rule you add by 100, leaving room to add intermediate rules at a later date. Each NSG has six pre-loaded rules, which provide relatively secure defaults: inbound traffic is allowed only from within the virtual network and from the Azure load balancer, and outbound traffic is allowed to the virtual network and the Internet; everything else is denied. These pre-loaded rules cannot be deleted, but they are assigned high priority numbers (65000 and above), so they are processed last and can be overridden by adding rules with lower priority numbers in the 100 to 4096 range. The pre-loaded rules are as follows:

Table 1. Pre-loaded rules
Name                               Priority  Protocol  Source Port  Destination Port  Source Address      Destination Address  Direction  Access
ALLOW VNET INBOUND                 65000     *         *            *                 VIRTUAL_NETWORK     VIRTUAL_NETWORK      inbound    allow
ALLOW VNET OUTBOUND                65000     *         *            *                 VIRTUAL_NETWORK     VIRTUAL_NETWORK      outbound   allow
ALLOW AZURE LOAD BALANCER INBOUND  65001     *         *            *                 AZURE_LOADBALANCER  *                    inbound    allow
ALLOW INTERNET OUTBOUND            65001     *         *            *                 *                   INTERNET             outbound   allow
DENY ALL INBOUND                   65500     *         *            *                 *                   *                    inbound    deny
DENY ALL OUTBOUND                  65500     *         *            *                 *                   *                    outbound   deny
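The evaluation order described above, as an added worked example that is not part of the Vyatta or Azure documentation: a small Python model of NSG rule matching that loads the six pre-loaded rules from Table 1, adds user rules (rejecting priorities outside 100 to 4096 and duplicate priorities in the same direction), and evaluates sample flows in increasing priority order with first match winning. The address spaces placed behind the VIRTUAL_NETWORK and AZURE_LOADBALANCER tags, the rule names allow-ssh-from-office and deny-internet-egress, and the sample flows are all constructed for this example; in Azure the tag contents come from the virtual network itself.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address spaces behind the default tags (an assumption for this
# example; Azure derives them from the real virtual network).
TAG_RANGES = {
    "VIRTUAL_NETWORK": [
        ipaddress.ip_network("10.0.0.0/16"),       # the VNet address space
        ipaddress.ip_network("192.168.100.0/24"),  # on-premises range over the S2S VPN
    ],
    "AZURE_LOADBALANCER": [ipaddress.ip_network("168.63.129.16/32")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    protocol: str    # "tcp", "udp" or "*"
    src_port: str    # "*", "22" or "2200-2299"
    dst_port: str
    src_addr: str    # "*", a default tag, a single IP or a CIDR
    dst_addr: str
    direction: str   # "inbound" or "outbound"
    access: str      # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _in_vnet(ip):
    return any(ip in net for net in TAG_RANGES["VIRTUAL_NETWORK"])


def _addr_matches(prefix, ip_str):
    ip = ipaddress.ip_address(ip_str)
    if prefix == "*":
        return True
    if prefix == "INTERNET":          # anything outside the virtual network
        return not _in_vnet(ip)
    if prefix in TAG_RANGES:
        return any(ip in net for net in TAG_RANGES[prefix])
    return ip in ipaddress.ip_network(prefix, strict=False)  # single IP or CIDR


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")   # "22" or "2200-2299"
    return int(lo) <= port <= int(hi or lo)


def _rule_matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol.lower() in ("*", flow.protocol.lower())
            and _port_matches(rule.src_port, flow.src_port)
            and _port_matches(rule.dst_port, flow.dst_port)
            and _addr_matches(rule.src_addr, flow.src_ip)
            and _addr_matches(rule.dst_addr, flow.dst_ip))


def default_rules():
    """The six pre-loaded rules from Table 1."""
    return [
        Rule("ALLOW VNET INBOUND", 65000, "*", "*", "*", "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "inbound", "allow"),
        Rule("ALLOW VNET OUTBOUND", 65000, "*", "*", "*", "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "outbound", "allow"),
        Rule("ALLOW AZURE LOAD BALANCER INBOUND", 65001, "*", "*", "*", "AZURE_LOADBALANCER", "*", "inbound", "allow"),
        Rule("ALLOW INTERNET OUTBOUND", 65001, "*", "*", "*", "*", "INTERNET", "outbound", "allow"),
        Rule("DENY ALL INBOUND", 65500, "*", "*", "*", "*", "*", "inbound", "deny"),
        Rule("DENY ALL OUTBOUND", 65500, "*", "*", "*", "*", "*", "outbound", "deny"),
    ]


def add_rule(rules, rule):
    """User rules must use priorities 100-4096, unique per direction."""
    if not 100 <= rule.priority <= 4096:
        raise ValueError(f"priority {rule.priority} is outside 100-4096")
    if any(r.priority == rule.priority and r.direction == rule.direction for r in rules):
        raise ValueError(f"priority {rule.priority} already used for {rule.direction}")
    rules.append(rule)


def evaluate(rules, flow):
    """First match in increasing priority order decides; returns (access, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _rule_matches(rule, flow):
            return rule.access, rule.name
    return "deny", None   # unreachable while the DENY ALL rules are present


if __name__ == "__main__":
    nsg = default_rules()
    ssh = Flow("inbound", "tcp", "203.0.113.5", 51000, "10.0.10.10", 22)
    print(evaluate(nsg, ssh))                          # denied by DENY ALL INBOUND
    add_rule(nsg, Rule("allow-ssh-from-office", 100, "tcp", "*", "22", "203.0.113.0/24", "*", "inbound", "allow"))
    print(evaluate(nsg, ssh))                          # allowed by the priority-100 rule
    print(evaluate(nsg, Flow("inbound", "tcp", "168.63.129.16", 40000, "10.0.10.10", 22)))  # probe allowed
    add_rule(nsg, Rule("deny-internet-egress", 4000, "*", "*", "*", "*", "INTERNET", "outbound", "deny"))
    print(evaluate(nsg, Flow("outbound", "udp", "10.0.10.10", 5000, "8.8.8.8", 53)))  # 4000 beats 65001
```

The deny-internet-egress rule at priority 4000 is processed before ALLOW INTERNET OUTBOUND at 65001, which is how a pre-loaded rule is overridden without deleting it; the allow-ssh-from-office rule at 100 shows the other direction, opening a port that DENY ALL INBOUND would otherwise close.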

An NSG can be associated with a subnet or a NIC. If an NSG is associated with a subnet, it applies to all resources present in that subnet. An NSG can be associated with multiple subnets or NICs (or both); however, each subnet or NIC can be associated with only one NSG. When a VM has one NSG on its NIC and another on its subnet, both are evaluated: inbound traffic must be allowed by the subnet NSG and then by the NIC NSG, and outbound traffic by the NIC NSG and then by the subnet NSG, so a deny in either NSG is enough to block the traffic.