Network security groups
Network security groups (NSGs) are the Azure implementation of a firewall. They are simple, stateless access control lists (ACLs).
An NSG has a name and rules, where each rule consists of the following:
- Name: A name for the rule.
- Protocol: The protocol for which this rule applies. Can be either TCP, UDP, or * (where * is TCP, UDP and ICMP).
- Source port range: The source port range for which this rule applies. Can be a single port (such as 2200), a range of ports (such as 2200-2299), or *.
- Destination port range: The destination port range for which this rule applies. Can be a single port (such as 2200), a range of ports (such as 2200-2299), or *.
- Source address prefix: The source address prefix for which this rule applies. Can be a single IP address (such as 10.0.10.10), a CIDR range (such as 10.0.10.0/24), a default tag, or *.
- Destination address prefix: The destination address prefix for which this rule applies. Can be a single IP address (such as 10.0.10.10), a CIDR range (such as 10.0.10.0/24), a default tag, or *.
- Direction: The direction in which this rule should match. Can be inbound or outbound.
- Priority: The priority of the rule. Can be between 100 and 4096.
- Access: What to do if the rule matches. Can be either allow or deny.
The default tags that can be used as a source or destination address prefix are:
- VIRTUAL_NETWORK: The address space of your virtual network. This address space also includes the networks that are reachable over the site-to-site VPN.
- AZURE_LOADBALANCER: The address of the Azure infrastructure load balancer. This address is where health probes to your VM originate from.
- INTERNET: Any address space that is outside your virtual network and accessible from the public Internet.
The rules in an NSG are processed in order of increasing priority. If a rule is matched, the associated access decision is made and rule processing stops. Give more specific rules a lower priority number so that they are processed first.
It is recommended that you increment the priority number of each rule you add by 100, leaving room to insert intermediate rules at a later date. Each NSG has six pre-loaded rules, which provide relatively secure defaults. These pre-loaded rules cannot be deleted, but they are assigned priority numbers above the 100-4096 user range (so they are evaluated last) and can therefore be overridden by adding rules with a lower priority number. The pre-loaded rules are as follows:
Name | Priority | Protocol | Source Port | Destination Port | Source Address | Destination Address | Direction | Access |
---|---|---|---|---|---|---|---|---|
ALLOW VNET INBOUND | 65000 | * | * | * | VIRTUAL_NETWORK | VIRTUAL_NETWORK | inbound | allow |
ALLOW VNET OUTBOUND | 65000 | * | * | * | VIRTUAL_NETWORK | VIRTUAL_NETWORK | outbound | allow |
ALLOW AZURE LOAD BALANCER INBOUND | 65001 | * | * | * | AZURE_LOADBALANCER | * | inbound | allow |
ALLOW INTERNET OUTBOUND | 65001 | * | * | * | * | INTERNET | outbound | allow |
DENY ALL INBOUND | 65500 | * | * | * | * | * | inbound | deny |
DENY ALL OUTBOUND | 65500 | * | * | * | * | * | outbound | deny |
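The following Python is an added example, not Azure's code or this page's. It models the rule fields listed above and the first-match-in-priority-order evaluation against the six pre-loaded rules, so you can check what a rule set actually does before deploying it. The VIRTUAL_NETWORK range 10.0.0.0/16, the admin source 203.0.113.5 and the database subnet 10.0.2.0/24 are constructed sample values; 168.63.129.16 is the address Azure documents as the load balancer health-probe source (from Azure documentation, not this page). The `Rule`, `add_rule` and `evaluate` names are this example's own.

```python
"""Toy NSG evaluator: first matching rule in increasing priority order wins."""
import ipaddress
from dataclasses import dataclass

# Constructed sample address space standing in for the VIRTUAL_NETWORK tag.
VNET = ipaddress.ip_network("10.0.0.0/16")
# Azure's documented health-probe source, standing in for AZURE_LOADBALANCER.
LB = ipaddress.ip_network("168.63.129.16/32")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    protocol: str   # "TCP", "UDP" or "*" (* also covers ICMP)
    src_port: str   # single port "22", range "2200-2299", or "*"
    dst_port: str
    src_addr: str   # IP, CIDR, default tag, or "*"
    dst_addr: str
    direction: str  # "inbound" or "outbound"
    access: str     # "allow" or "deny"


# The six pre-loaded rules from the table above.
DEFAULT_RULES = [
    Rule("ALLOW VNET INBOUND", 65000, "*", "*", "*", "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "inbound", "allow"),
    Rule("ALLOW VNET OUTBOUND", 65000, "*", "*", "*", "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "outbound", "allow"),
    Rule("ALLOW AZURE LOAD BALANCER INBOUND", 65001, "*", "*", "*", "AZURE_LOADBALANCER", "*", "inbound", "allow"),
    Rule("ALLOW INTERNET OUTBOUND", 65001, "*", "*", "*", "*", "INTERNET", "outbound", "allow"),
    Rule("DENY ALL INBOUND", 65500, "*", "*", "*", "*", "*", "inbound", "deny"),
    Rule("DENY ALL OUTBOUND", 65500, "*", "*", "*", "*", "*", "outbound", "deny"),
]


def _match_proto(spec, proto):
    return proto in ("TCP", "UDP", "ICMP") if spec == "*" else spec == proto


def _match_port(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _match_addr(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "VIRTUAL_NETWORK":
        return ip in VNET
    if spec == "AZURE_LOADBALANCER":
        return ip in LB
    if spec == "INTERNET":  # public space outside the VNet
        return ip.is_global and ip not in VNET
    return ip in ipaddress.ip_network(spec, strict=False)


def add_rule(rules, rule):
    """Append a user rule, enforcing the 100-4096 priority range and a unique priority per direction."""
    if not 100 <= rule.priority <= 4096:
        raise ValueError(f"priority {rule.priority} is outside 100-4096")
    if any(r.priority == rule.priority and r.direction == rule.direction for r in rules):
        raise ValueError(f"priority {rule.priority} already used for {rule.direction}")
    rules.append(rule)
    return rules


def evaluate(rules, direction, proto, src, sport, dst, dport):
    """Return (access, rule_name) of the first rule that matches, lowest priority number first."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or not _match_proto(r.protocol, proto):
            continue
        if not (_match_port(r.src_port, sport) and _match_port(r.dst_port, dport)):
            continue
        if not (_match_addr(r.src_addr, src) and _match_addr(r.dst_addr, dst)):
            continue
        return r.access, r.name
    return "deny", "(no rule matched)"  # unreachable: DENY ALL defaults always match


# Constructed user rules, spaced 100 apart as the text recommends.
USER_RULES = []
add_rule(USER_RULES, Rule("ALLOW SSH FROM ADMIN", 100, "TCP", "*", "22", "203.0.113.5/32", "*", "inbound", "allow"))
add_rule(USER_RULES, Rule("DENY VNET TO DB", 200, "*", "*", "1433", "VIRTUAL_NETWORK", "10.0.2.0/24", "inbound", "deny"))

if __name__ == "__main__":
    # SSH from the admin host is allowed at 100; from anyone else it falls through to DENY ALL INBOUND.
    print(evaluate(USER_RULES, "inbound", "TCP", "203.0.113.5", 40000, "10.0.1.4", 22))
    print(evaluate(USER_RULES, "inbound", "TCP", "198.51.100.7", 40000, "10.0.1.4", 22))
    # The deny at 200 overrides the pre-loaded ALLOW VNET INBOUND at 65000 for SQL only.
    print(evaluate(USER_RULES, "inbound", "TCP", "10.0.1.4", 50000, "10.0.2.10", 1433))
    print(evaluate(USER_RULES, "inbound", "TCP", "10.0.1.4", 50000, "10.0.2.10", 443))
```

Note that the deny at priority 200 only blocks SQL traffic because it is matched before the VNet allow at 65000; the same rule placed at a priority above 65000 would never be reached, which is the point the text makes about processing order.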
An NSG can be associated with a subnet or a NIC. If an NSG is associated with a subnet, it applies to all resources present in that subnet. An NSG can be associated with multiple subnets or NICs (or both); however, each subnet or NIC can be associated with only one NSG.