Network Security Groups
AZURENETWORK
- Can be used to [[202404141404 Control traffic flows|control traffic flow]]
- [[202404141419 Network Security Groups|NSGs]] can be applied at the subnet or NIC level, but are always enforced at the NIC
- So apply them at the subnet level; it is easier to manage
- Each subnet can have at most one [[202404141419 Network Security Groups|NSG]] assigned to it
- Each NIC can have zero or one [[202404141419 Network Security Groups|NSG]] associated with it
Security Rules consist of:
- Source
- Destination
- Protocol
- Port
- Action
- Priority
- A lower priority number means higher precedence: the rule is evaluated earlier, and the first matching rule decides
Source and destination
- can be a CIDR range
- can be a service tag
- can be an [[202407141403 Application Security Groups|ASG]] (Application Security Group), which is essentially a tag for a group of NICs
Default rules
VNet, Internet, AzureLoadBalancer, etc. are service tags.
Inbound
- AllowVnetInBound
- AllowAzureLoadBalancerInBound
- DenyAllInBound
Outbound
- AllowVnetOutBound
- AllowInternetOutBound
- DenyAllOutBound
How it works if both the NIC and the subnet have an NSG
In terms of precedence: whichever NSG the traffic encounters first is evaluated first. So,
Incoming
- Subnet NSG wins
Outgoing
- VM NIC NSG wins
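To make the rule fields, the priority ordering, the default rules and the subnet-then-NIC evaluation concrete, here is a small Python model of NSG evaluation. It is an added example, not Azure's code or anything from this note. It assumes a constructed VNet range of 10.0.0.0/16, resolves the VirtualNetwork, Internet and AzureLoadBalancer service tags with simplified predicates (Azure maintains the real prefix lists), and uses two constructed NSGs: a subnet NSG that opens HTTPS from the Internet and a NIC NSG that blocks SSH. It also models the documented detail that inbound traffic is checked by the subnet NSG first and then by the NIC NSG (outbound in the reverse order), and that a flow must be allowed by every NSG on its path.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample VNet address space for this example (not from the note).
VNET_CIDR = ip_network("10.0.0.0/16")
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Azure's documented load-balancer health-probe source address.
AZURE_LB_PROBE = ip_address("168.63.129.16")

# Simplified service-tag resolution: a tag is just a predicate over an address.
SERVICE_TAGS = {
    "VirtualNetwork": lambda ip: ip in VNET_CIDR,
    "Internet": lambda ip: ip not in VNET_CIDR and not any(ip in n for n in RFC1918),
    "AzureLoadBalancer": lambda ip: ip == AZURE_LB_PROBE,
    "*": lambda ip: True,
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; default rules sit at 65000+
    direction: str     # "Inbound" or "Outbound"
    source: str        # CIDR or service tag
    destination: str   # CIDR or service tag
    protocol: str      # "Tcp", "Udp" or "*"
    dest_port: str     # destination port or "*"
    action: str        # "Allow" or "Deny"


# The six default rules every NSG carries.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
]


def address_matches(spec, ip):
    if spec in SERVICE_TAGS:
        return SERVICE_TAGS[spec](ip)
    return ip in ip_network(spec, strict=False)


def rule_matches(rule, flow):
    return (rule.direction == flow["direction"]
            and address_matches(rule.source, flow["src"])
            and address_matches(rule.destination, flow["dst"])
            and rule.protocol in ("*", flow["protocol"])
            and rule.dest_port in ("*", str(flow["dest_port"])))


def evaluate_nsg(rules, flow):
    """Rules are checked in ascending priority number; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "Deny", "implicit"  # unreachable while the default rules are present


def evaluate_flow(flow, subnet_nsg=None, nic_nsg=None):
    """Inbound traffic meets the subnet NSG first, then the NIC NSG; outbound is the
    reverse. The flow must be allowed by every NSG on its path; the first Deny stops it."""
    path = (subnet_nsg, nic_nsg) if flow["direction"] == "Inbound" else (nic_nsg, subnet_nsg)
    decided_by = "no NSG"  # with no NSG at all, traffic is allowed
    for nsg in path:
        if nsg is None:
            continue
        action, decided_by = evaluate_nsg(nsg, flow)
        if action == "Deny":
            return "Deny", decided_by
    return "Allow", decided_by


def flow(direction, src, dst, protocol, dest_port):
    return {"direction": direction, "src": ip_address(src), "dst": ip_address(dst),
            "protocol": protocol, "dest_port": dest_port}


# Constructed sample NSGs (hypothetical rule names): the subnet NSG opens HTTPS from the
# Internet, the NIC NSG blocks SSH even from inside the VNet. Both keep the defaults.
SUBNET_NSG = DEFAULT_RULES + [Rule("AllowHttpsInBound", 100, "Inbound", "Internet", "*", "Tcp", "443", "Allow")]
NIC_NSG = DEFAULT_RULES + [Rule("DenySshInBound", 100, "Inbound", "*", "*", "Tcp", "22", "Deny")]


def demo():
    """Returns (action, deciding rule) for a handful of constructed flows."""
    vm, client = "10.0.1.4", "203.0.113.5"
    return {
        # Priority 100 beats DenyAllInBound at 65500 when only the subnet NSG applies.
        "https_subnet_only": evaluate_flow(flow("Inbound", client, vm, "Tcp", 443), subnet_nsg=SUBNET_NSG),
        # Allowed by the subnet NSG, but the NIC NSG has no HTTPS rule, so its DenyAllInBound wins.
        "https_both_nsgs": evaluate_flow(flow("Inbound", client, vm, "Tcp", 443), SUBNET_NSG, NIC_NSG),
        # Allowed by AllowVnetInBound at the subnet, then denied by the NIC's SSH rule.
        "ssh_from_vnet": evaluate_flow(flow("Inbound", "10.0.2.7", vm, "Tcp", 22), SUBNET_NSG, NIC_NSG),
        # Load-balancer health probe passes via the AzureLoadBalancer default rule.
        "lb_probe": evaluate_flow(flow("Inbound", "168.63.129.16", vm, "Tcp", 80), subnet_nsg=SUBNET_NSG),
        # Outbound to the Internet is allowed by default at both levels.
        "outbound_internet": evaluate_flow(flow("Outbound", vm, client, "Tcp", 443), SUBNET_NSG, NIC_NSG),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result[0]} by {result[1]}")
```

The `https_both_nsgs` case is the one to remember: an allow rule on the subnet NSG is not enough when a NIC NSG is also attached, because the NIC NSG still has to allow the flow. This is one reason the note recommends managing NSGs at the subnet level only.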
[[202407141419 Create NSG in Azure|Create NSG in Azure]]