Azure NSG Basics: Setup and Configuration

Learn how to effectively set up and configure Azure Network Security Groups (NSGs) to secure your cloud environment and manage network traffic.

Azure NSGs are like virtual firewalls for your cloud environment. They control inbound and outbound traffic in your Azure virtual network by using rules based on:

  • Source and destination IPs
  • Source and destination ports
  • Protocols (e.g., TCP, UDP)

Why Should You Care?

  • Protect Your Resources: Block or allow traffic to secure your cloud setup.
  • Cost-Effective Security: Ideal for small and medium-sized businesses (SMBs) to manage network zones without heavy infrastructure costs.
  • Scalable: Each NSG supports up to 1,000 rules, with 5,000 NSGs allowed per subscription.

Key Features of NSGs

  • Stateful Inspection: Automatically allows outbound responses to inbound traffic.
  • Flexible Associations: Apply NSGs to subnets or individual network interfaces.
  • Default and Custom Rules: Start with built-in rules, then add custom ones for specific needs.

Quick Setup Overview

  1. Prerequisites:
    • Azure subscription
    • Azure CLI or PowerShell installed
    • Network Contributor role permissions
  2. Create an NSG:
    • Use the Azure portal, PowerShell, or CLI to create an NSG.
    • Name your NSG clearly (e.g., web-tier-nsg).
  3. Associate NSG:
    • Link to a subnet (applies to all resources within) or a specific network interface (precise control).
  4. Add Rules:
    • Define traffic rules with priorities, protocols, and port ranges.

Best Practices

  • Use clear rule names and leave gaps in priority numbers for flexibility.
  • Rely on service tags (e.g., "Internet") to simplify rule creation.
  • Regularly audit rules to remove redundancies and tighten security.
  • Avoid direct RDP/SSH access; use Azure Bastion or VPN.

Monitoring and Troubleshooting

  • Enable NSG flow logs to track traffic patterns.
  • Use Azure Network Watcher for diagnosing connection issues.
  • Optimise rules to avoid conflicts and ensure smooth operations.

Quick Comparison of NSG Placement Scenarios

| Scenario | Advantages | Disadvantages |
| --- | --- | --- |
| Single subnet with NSGs per app layer | Easier subnet management | Requires multiple NSGs |
| One subnet per app with NSGs per layer | Fewer NSGs to manage | More subnets to handle |
| Subnet per app layer, NSGs for apps | Balance between NSGs and subnets | Limited to 100 NSGs per subscription |

Takeaway: Azure NSGs are essential for securing your virtual network. Plan carefully, configure thoughtfully, and monitor consistently for best results.

Prerequisites and Planning for NSG Setup

Technical Requirements

Before diving into the setup of Network Security Groups (NSGs), make sure you have the essentials in place. First, you'll need an Azure account with an active subscription, and you'll need to log in to the Azure portal using your account credentials.

You'll also need to install either Azure PowerShell (v1.0.0 or later) or Azure CLI (v2.0.28 or later).

To configure NSGs, you must have the Network Contributor role assigned at the subscription level. Alternatively, you can create a custom role with the following permissions:

  • Microsoft.Network/locations/serviceTags/read
  • Microsoft.Network/locations/serviceTagDetails/read
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/networkSecurityGroups/join/action

Lastly, ensure you have an existing virtual network or subnet ready, as NSGs need to be deployed within these environments.

Planning NSG Deployment

Once the technical prerequisites are sorted, it’s time to plan your NSG deployment. Proper planning ensures your setup aligns with your network's architecture and security needs, helping to avoid overlapping rules, exposed virtual machines, or unnecessary administrative complexity. Start by thoroughly understanding your network structure and security goals before creating any rules.

Network segmentation is a critical aspect of NSG planning. For example, adopting an N-tier architecture allows you to divide virtual networks into subnets based on factors like security, application, or environment needs. Subnets naturally create security boundaries, making it easier to associate NSGs logically.

Your placement strategy also plays a big role in how secure and manageable your setup will be. NSGs can be associated with virtual machines, network interfaces, or subnets within a virtual network. For simplicity and efficiency, consider aligning NSGs with resource groups or specific services.

| Scenario | Advantages | Disadvantages |
| --- | --- | --- |
| A single subnet with NSGs per application layer and application | Easier subnet management | Requires multiple NSGs for isolation |
| One subnet per application with NSGs per application layer | Fewer NSGs to handle | More subnets to manage |
| One subnet per application layer, NSGs for application | Good balance between subnets and NSGs | Limited to 100 NSGs |

Naming conventions are another essential part of the planning phase. Use clear, descriptive names for your NSGs to make their purpose and scope immediately obvious. This is especially helpful when managing multiple NSGs across various environments.

When planning IP address ranges, think strategically. Instead of using individual IP addresses, opt for IP ranges to reduce the number of rules you need to manage. Subdivide larger address spaces into subnets using CIDR-based subnetting to maintain organisation and enhance security.

Rule priority is another key area to plan carefully. Leave enough gaps between priority numbers when creating rules. This allows room to add new rules later without needing to renumber existing ones, saving time and effort.

Lastly, take into account compliance requirements, particularly those related to UK data protection regulations. While NSGs can help demonstrate strong network security controls, it's essential to document your security boundaries and access controls to meet regulatory standards effectively.

Creating and Associating an NSG

How to Create an NSG in Azure

To get started, log in to the Azure Portal and search for "Network Security Group" in the search bar. This will take you to the NSG management page, where you can view existing NSGs or create a new one. Click on "Create" to begin setting up your NSG.

You'll need to provide some key details, including the subscription, an existing or new resource group, and the region where your virtual networks are located. Choose a name for your NSG that clearly describes its function, keeping it concise (up to 80 characters) and ensuring it starts and ends with a word character. For example, names like "web-tier-nsg" or "database_subnet_nsg" work well to reflect their purpose.

After entering all the required information, click "Review + Create" to validate your settings and deploy the NSG. Once the deployment is complete, select "Go to resource" to access the newly created NSG and start configuring its security rules. For step-by-step instructions, you can refer to the official Azure portal documentation.

Once the NSG is ready, the next step is to associate it with your resources to enforce its security policies.

Associating NSGs with Subnets or Network Interfaces

To enforce security rules, you need to associate your NSG with either a subnet or a network interface. This is a critical step to ensure the NSG functions as intended.

  • Subnet Association: When an NSG is linked to a subnet, its rules apply to all resources within that subnet, creating a uniform security policy.
  • Network Interface Association: Associating an NSG with a network interface provides more precise control, as the rules will apply only to that specific resource.

To associate an NSG with a subnet via the Azure portal, go to the "Subnets" section of your NSG, click "+ Associate", select the appropriate virtual network and subnet, and confirm your selection. If you ever need to remove the association, revisit the "Subnets" section, choose the relevant entry, and dissociate it.

Keep in mind the order in which rules are processed. For inbound traffic, rules from an NSG linked to a subnet are applied first, followed by those from an NSG linked to a network interface. For outbound traffic, this order is reversed.

Understanding Default Rules

Every NSG comes preconfigured with a set of default rules that establish baseline security. While these rules can be overridden with custom ones, they provide a starting point for your security setup.

Here’s a breakdown of the default rules:

  • Inbound Rules:
    • Allow traffic within the virtual network (priority 65000).
    • Permit traffic from Azure's load balancer (priority 65001).
    • Deny all other inbound traffic (priority 65500).
  • Outbound Rules:
    • Allow traffic within the virtual network (priority 65000).
    • Permit outbound internet traffic (priority 65001).
    • Deny all other outbound traffic (priority 65500).
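The processing rules described above (ascending priority, first match wins, the default rules always present, subnet NSG before NIC NSG for inbound traffic and the reverse for outbound) can be modelled in a few dozen lines. The following Python script is an added example written for this page, not Azure's implementation or Microsoft code; the service-tag prefixes, rule sets and packets in it are constructed, and "Internet" is simplified to 0.0.0.0/0 (Azure's tag excludes the virtual network address space).

```python
# Added example (not Azure's implementation): a small model of NSG rule
# evaluation following the behaviour this page describes. Rules are tried in
# ascending priority and the first match wins; every NSG ends with the default
# rules at 65000/65001/65500; inbound traffic must pass the subnet NSG and then
# the NIC NSG, outbound traffic the NIC NSG and then the subnet NSG.
import ipaddress
from dataclasses import dataclass

# Service tags are prefix lists Azure maintains. These prefixes are constructed
# for the example; "Internet" is modelled as 0.0.0.0/0, a simplification.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # 100-4096 for custom rules, 65000+ for default rules
    direction: str      # "Inbound" or "Outbound"
    source: str         # "Any", a CIDR prefix, or a service tag
    destination: str    # same options as source
    dest_port: str      # "Any", "443", or "1000-2000"
    protocol: str       # "Tcp", "Udp", "Icmp" or "Any"
    action: str         # "Allow" or "Deny"

def _address_matches(spec, ip):
    if spec == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    prefixes = SERVICE_TAGS.get(spec, [spec])      # a plain CIDR if not a tag
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)

def _port_matches(spec, port):
    if spec == "Any":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def rule_matches(rule, packet):
    return (rule.direction == packet["direction"]
            and rule.protocol in ("Any", packet["protocol"])
            and _address_matches(rule.source, packet["src_ip"])
            and _address_matches(rule.destination, packet["dst_ip"])
            and _port_matches(rule.dest_port, packet["dst_port"]))

# The six default rules listed on this page, present in every NSG.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "Any", "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "Any", "Any", "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "Any", "Any", "Any", "Any", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "Any", "Any", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Any", "Internet", "Any", "Any", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Any", "Any", "Any", "Any", "Deny"),
]

def evaluate_nsg(custom_rules, packet):
    """First match in ascending priority order; the default rules always follow."""
    for rule in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule_matches(rule, packet):
            return rule.action, rule.name
    raise RuntimeError("unreachable: the DenyAll default rules match everything")

def evaluate_path(subnet_rules, nic_rules, packet):
    """Apply both NSGs in the order the page describes; both must allow the traffic."""
    stages = [subnet_rules, nic_rules] if packet["direction"] == "Inbound" else [nic_rules, subnet_rules]
    trace = []
    for rules in stages:
        action, name = evaluate_nsg(rules, packet)
        trace.append(name)
        if action == "Deny":
            return "Deny", trace
    return "Allow", trace

# Constructed rule sets: a web-tier subnet NSG and the NIC NSG of one web server.
WEB_SUBNET_NSG = [Rule("Allow-HTTPS-from-Internet", 100, "Inbound", "Internet", "Any", "443", "Tcp", "Allow")]
WEB01_NIC_NSG = [Rule("Allow-HTTPS-to-web01", 200, "Inbound", "Internet", "10.0.1.4/32", "443", "Tcp", "Allow")]

if __name__ == "__main__":
    for packet in [
        {"direction": "Inbound", "src_ip": "203.0.113.7", "dst_ip": "10.0.1.4", "dst_port": 443, "protocol": "Tcp"},
        {"direction": "Inbound", "src_ip": "203.0.113.7", "dst_ip": "10.0.1.4", "dst_port": 22, "protocol": "Tcp"},
        {"direction": "Inbound", "src_ip": "10.0.2.9", "dst_ip": "10.0.1.4", "dst_port": 22, "protocol": "Tcp"},
        {"direction": "Outbound", "src_ip": "10.0.1.4", "dst_ip": "198.51.100.5", "dst_port": 53, "protocol": "Udp"},
    ]:
        print(packet["direction"], packet["src_ip"], "->", packet["dst_ip"], packet["dst_port"],
              evaluate_path(WEB_SUBNET_NSG, WEB01_NIC_NSG, packet))
```

Running the script shows the point that catches people out in practice: HTTPS from the internet is allowed only because both the subnet NSG and the NIC NSG allow it, while SSH from the same address falls through to DenyAllInBound at the subnet stage and never reaches the NIC NSG at all. Passing an empty NIC rule list for the HTTPS packet makes the subnet-level allow irrelevant, since the NIC NSG's own DenyAllInBound then rejects it.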

For better security, limit access to only trusted public IP addresses or systems. Alternatively, you can use Azure Bastion to eliminate the need for direct inbound access. If no NSG is associated with a subnet or network interface, Azure defaults to blocking all inbound traffic and allowing all outbound traffic.

To further enhance security in production environments, consider implementing a NAT gateway for controlled outbound connectivity and Azure PrivateLink for secure access to other Azure resources.

Configuring Security Rules in NSGs

Once your Network Security Group (NSG) is set up and linked to your resources, the next step is to configure the security rules that will manage traffic flow. These rules are essential for small and medium-sized businesses (SMBs) aiming to maintain strong security without unnecessary complexity. They define which traffic is allowed or blocked, making them a cornerstone of NSG management.

Adding and Modifying Security Rules

To add or adjust rules, go to your NSG and choose either 'Inbound' or 'Outbound' rules. Click on the '+ Add' button to create a new rule. Assign a priority between 100 and 4,096, as rules are processed in ascending order of priority until a match is found.

When assigning priorities, leave gaps between numbers. For instance, instead of 100, 101, 102, consider using 100, 200, 300. This approach gives you room to add new rules later without renumbering existing ones.

Naming your rules descriptively is another best practice. Avoid generic names like "Rule1" or "WebRule". Instead, opt for names that clarify the rule's purpose, such as "Allow-HTTP-from-Internet" or "Block-SSH-from-External". This makes it easier for administrators to understand and manage the rules.

You can create rules via the Azure portal, PowerShell, or Azure CLI. For SMBs new to NSGs, the Azure portal is often the easiest to use. However, PowerShell and CLI tools are great for automating rule creation, especially when managing multiple NSGs.

Once a rule is created, review its components to ensure it’s configured accurately.

Understanding Rule Components

Each security rule includes several elements that work together to determine how traffic is handled. Familiarity with these components is key to building effective security policies.

| Rule Setting | Details |
| --- | --- |
| Name | A unique identifier for the rule within the NSG. |
| Priority | A number (100–4,096) that determines the order in which rules are evaluated. Lower numbers are processed first. |
| Source or Destination | Options include 'Any', IP addresses, CIDR blocks, service tags, or application security groups. |
| Protocol | Specify TCP, UDP, ICMP, ESP, AH, or Any. |
| Direction | Indicates whether the rule applies to inbound or outbound traffic. |
| Port Range | Define a specific port (e.g., 80 for HTTP) or a range (e.g., 1000-2000). |
| Action | Choose whether to 'Allow' or 'Deny' traffic. |

For the source and destination fields, you can specify "Any" for unrestricted traffic, a single IP address, a range using CIDR notation (like 10.0.0.0/16), or use service tags. Service tags simplify rule creation by grouping IP addresses under labels like 'Internet', which covers all public IP ranges.

The protocol field lets you target specific types of traffic, such as TCP for web services or UDP for DNS queries. Selecting "Any" applies the rule to all protocols. Similarly, the port range allows you to focus on individual ports (like 443 for HTTPS) or a range of ports.

The action setting determines whether traffic matching the rule is permitted or blocked. A common best practice is to start by blocking all traffic and then explicitly allow only what is necessary.

Limitations of NSG Rules

While configuring security rules, it’s important to keep in mind the limitations of NSGs to ensure scalability. Each NSG can hold up to 1,000 rules, and an Azure subscription supports a maximum of 5,000 NSGs. For most SMBs, these limits are sufficient, but they become crucial as your infrastructure grows.

You cannot have two rules with the same priority and direction in a single NSG. Additionally, NSG rules only affect new connections; existing connections continue to follow the rules that were in place when they were established.

Another important consideration: rule processing stops at the first match. For example, if you have a broad "allow all" rule with a low priority number, any more specific "deny" rules with higher priority numbers will be ignored. To simplify rule management for multiple applications or services, consider using Application Security Groups (ASGs). ASGs let you group resources logically and create rules for the group rather than individual IP addresses, making your setup easier to maintain as your infrastructure grows.

While these limitations are unlikely to hinder SMB deployments, understanding them ensures you can design a security framework that scales with your business needs.

Monitoring, Troubleshooting, and Best Practices

Once your NSG setup is in place, keeping a close eye on its activity becomes essential. Regular monitoring not only ensures your network stays secure but also helps small and medium-sized businesses (SMBs) stay compliant with security standards while catching potential threats early.

Monitoring NSG Activity

NSG flow logs are your go-to resource for tracking network traffic. These logs provide detailed information about Layer 4 IP traffic, including 5-tuple data, decisions, and throughput, all recorded at one-minute intervals.

To enable NSG flow logs, head over to the monitoring section of your NSG in the Azure portal and select "NSG flow logs." You’ll need to link a storage account to save the logs. Make sure the storage capacity aligns with the expected volume of logs. While there’s a free tier offering 5 GB per month per subscription, any usage beyond that is billed per gigabyte.

Keep in mind that NSG flow logs will no longer be supported after 30th September 2027, and new NSG flow logs can't be created after 30th June 2025. Microsoft advises transitioning to virtual network flow logs, which come with improved features. Tools like Network Watcher traffic analytics, Splunk, Grafana, or Graylog can help you export and visualise these logs. Additionally, the NSG diagnostics tool within Azure Network Watcher can provide a clear view of which traffic is being allowed or blocked, making troubleshooting more straightforward.
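Flow logs are only useful once something reads them. The script below is an added example, not a Microsoft tool or code from this page: it parses the JSON structure of NSG flow log records, splits the version 2 flow tuples (timestamp, source and destination IP and port, protocol T/U, direction I/O, decision A/D, flow state B/C/E, then packet and byte counters in each direction, empty on a B tuple), and summarises which sources were denied on which ports and how many bytes each rule carried. The log record, its MAC and timestamps, and the resource ID are constructed for the example.

```python
# Added example (not a Microsoft tool): parse NSG flow log records and
# summarise them into the view a reviewer wants, i.e. which sources are being
# denied on which ports, and how much traffic each rule carried.
import json
from collections import defaultdict

# Constructed flow log record (placeholders for subscription and identifiers).
SAMPLE_FLOW_LOG = """
{
  "records": [
    {
      "time": "2024-01-01T00:01:00.0000000Z",
      "category": "NetworkSecurityGroupFlowEvent",
      "resourceId": "/SUBSCRIPTIONS/<placeholder>/RESOURCEGROUPS/RG-WEB/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-TIER-NSG",
      "properties": {
        "Version": 2,
        "flows": [
          {"rule": "UserRule_Allow-HTTPS-from-Internet",
           "flows": [{"mac": "000D3A000001", "flowTuples": [
             "1700000000,198.51.100.23,10.0.1.4,51022,443,T,I,A,B,,,,",
             "1700000030,198.51.100.23,10.0.1.4,51022,443,T,I,A,E,12,5120,10,41200"]}]},
          {"rule": "DefaultRule_DenyAllInBound",
           "flows": [{"mac": "000D3A000001", "flowTuples": [
             "1700000005,203.0.113.7,10.0.1.4,40001,22,T,I,D,B,,,,",
             "1700000006,203.0.113.7,10.0.1.4,40002,3389,T,I,D,B,,,,",
             "1700000007,203.0.113.7,10.0.1.4,40003,445,T,I,D,B,,,,",
             "1700000008,203.0.113.7,10.0.1.4,40004,23,T,I,D,B,,,,",
             "1700000009,198.51.100.23,10.0.1.4,51100,8080,T,I,D,B,,,,"]}]},
          {"rule": "DefaultRule_AllowInternetOutBound",
           "flows": [{"mac": "000D3A000001", "flowTuples": [
             "1700000010,10.0.1.4,198.51.100.50,33100,53,U,O,A,E,2,140,2,320"]}]}
        ]
      }
    }
  ]
}
"""

# Version 2 tuple layout: 5-tuple, protocol, direction, decision, flow state,
# then packets/bytes source->destination and destination->source.
FIELDS = ("timestamp", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
          "direction", "decision", "state", "packets_s2d", "bytes_s2d",
          "packets_d2s", "bytes_d2s")
INT_FIELDS = ("src_port", "dst_port", "packets_s2d", "bytes_s2d", "packets_d2s", "bytes_d2s")

def parse_flow_tuple(text):
    """Split one flow tuple into a dict; empty counters (B-state tuples) become 0."""
    parts = text.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {text!r}")
    flow = dict(zip(FIELDS, parts))
    flow["timestamp"] = int(flow["timestamp"])
    for key in INT_FIELDS:
        flow[key] = int(flow[key]) if flow[key] else 0
    return flow

def iter_flows(log):
    """Yield (rule name, flow dict) for every tuple in every record."""
    for record in log["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    yield rule_block["rule"], parse_flow_tuple(tup)

def summarize(log):
    denied_ports = defaultdict(set)     # src_ip -> destination ports denied inbound
    bytes_by_rule = defaultdict(int)    # rule name -> bytes in both directions
    for rule, flow in iter_flows(log):
        if flow["direction"] == "I" and flow["decision"] == "D":
            denied_ports[flow["src_ip"]].add(flow["dst_port"])
        bytes_by_rule[rule] += flow["bytes_s2d"] + flow["bytes_d2s"]
    return {
        "denied_inbound_ports_by_source": {ip: sorted(p) for ip, p in denied_ports.items()},
        "bytes_by_rule": dict(bytes_by_rule),
    }

def noisy_sources(summary, min_distinct_ports=3):
    """Sources denied on several distinct ports: the pattern worth a second look."""
    return sorted(ip for ip, ports in summary["denied_inbound_ports_by_source"].items()
                  if len(ports) >= min_distinct_ports)

def load_sample():
    return json.loads(SAMPLE_FLOW_LOG)

if __name__ == "__main__":
    summary = summarize(load_sample())
    print(json.dumps(summary, indent=2))
    print("sources worth a closer look:", noisy_sources(summary))
```

Against the constructed record the summary shows one source denied on 22, 23, 445 and 3389 in quick succession and another denied once on 8080, which is exactly the kind of distinction a "deny count" alone hides; the byte totals also make clear that B-state tuples carry no counters, so throughput figures must be taken from the E-state tuple of each flow.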

Troubleshooting Common Issues

When things go wrong, issues like blocked traffic, connectivity problems, or rule conflicts are often to blame. Azure diagnostic tools can be a big help in pinpointing the root cause.

Blocked traffic is frequently caused by overly restrictive rules or incorrect priorities. Check that your NSG is linked to the correct network interface or subnet and ensure the source IP is set up properly, especially if traffic is coming from multiple sources.

For connectivity problems, Azure Network Watcher’s IP flow verify tool is invaluable. It simulates traffic and identifies the specific NSG rule that’s allowing or blocking the connection. Don’t forget to check your operating system’s firewall settings, such as Windows Firewall or Linux iptables, to ensure they aren’t clashing with your NSG setup.

Rule conflicts can occur when overlapping rules lead to unexpected behaviour. Since NSG rules are processed in order of priority, a broad "allow all" rule with a lower priority number could override more specific "deny" rules. To avoid this, carefully review and organise your rule priorities. A good rule of thumb is to bind NSGs to subnets rather than individual virtual network interfaces. This reduces complexity and makes troubleshooting easier. After diagnosing the issue, refine your NSG configuration accordingly.

NSG Best Practices for SMBs

Simplify your NSG management by using clear, descriptive rule names and logical priorities. For example, a rule named "AllowAzureLoadBalancerInBound" immediately conveys its purpose.

Leave gaps in your priority numbering (e.g., 120, 220, 320) to make it easier to add new rules later without needing to renumber everything. Group similar virtual machines using Application Security Groups (ASGs) so you can apply a single rule to a logical group rather than individual IP addresses.

Instead of manually updating Azure IP ranges, use service tags. These are automatically updated by Microsoft to reflect changes in Azure service IPs. Regularly audit your rules to remove redundancies and avoid overly permissive configurations, such as those allowing traffic from "0.0.0.0/0".

For added security, disable direct RDP and SSH access to your Azure virtual machines from the internet. Use Azure Bastion or a VPN connection for remote access instead. Monitoring traffic with NSG flow logs across all associated groups also provides a detailed audit trail and can help detect unusual network activity.
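The limitations section earlier (no two rules with the same priority and direction, the 1,000-rule ceiling, and a broad allow with a low priority number silently hiding a more specific deny) and the audit advice here (remove redundancies, avoid allowing traffic from "0.0.0.0/0", keep RDP and SSH off the internet) can all be checked mechanically before rules reach Azure. The following Python audit is an added example, not an Azure feature or code from this page; rules are plain dicts using the field names from the rule-components table, the two rule sets are constructed, and for shadow detection the "Internet" tag is treated as covering every source, a deliberate over-approximation that errs towards reporting.

```python
# Added example (not an Azure tool): a static audit of an NSG rule set for the
# limits and pitfalls described on this page. Findings are (check, rule name,
# detail) tuples; an empty list means the rule set passed every check.
import ipaddress

MAX_RULES_PER_NSG = 1000
MIN_PRIORITY, MAX_PRIORITY = 100, 4096
# Treated as "anything on the internet" for the audit; "Internet" is included
# deliberately even though Azure's tag excludes the virtual network space.
UNIVERSAL_SOURCES = {"Any", "*", "0.0.0.0/0", "Internet"}
MGMT_PORTS = (22, 3389)   # SSH and RDP

def _port_bounds(spec):
    if spec in ("Any", "*"):
        return 0, 65535
    low, _, high = str(spec).partition("-")
    return int(low), int(high or low)

def _as_network(spec):
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None   # a service tag or application security group name

def source_covers(a, b):
    """True when every address matched by source spec b is also matched by a."""
    if a in UNIVERSAL_SOURCES or a == b:
        return True
    na, nb = _as_network(a), _as_network(b)
    return na is not None and nb is not None and na.supernet_of(nb)

def rule_covers(a, b):
    """True when every packet that matches rule b also matches rule a."""
    if a["direction"] != b["direction"]:
        return False
    if a["protocol"] not in ("Any", "*") and a["protocol"] != b["protocol"]:
        return False
    a_low, a_high = _port_bounds(a["dest_port"])
    b_low, b_high = _port_bounds(b["dest_port"])
    return a_low <= b_low and b_high <= a_high and source_covers(a["source"], b["source"])

def audit_rules(rules):
    findings = []
    if len(rules) > MAX_RULES_PER_NSG:
        findings.append(("rule_limit", "", f"{len(rules)} rules, limit is {MAX_RULES_PER_NSG}"))
    seen = {}
    for r in rules:
        if not MIN_PRIORITY <= r["priority"] <= MAX_PRIORITY:
            findings.append(("priority_out_of_range", r["name"], f"priority {r['priority']}"))
        key = (r["priority"], r["direction"])
        if key in seen:
            findings.append(("duplicate_priority", r["name"],
                             f"priority {r['priority']} {r['direction']} already used by {seen[key]}"))
        seen.setdefault(key, r["name"])
    # Shadowing: a rule is never reached when a lower-numbered rule matches
    # everything it matches. Different actions make that a real conflict;
    # the same action makes the later rule redundant.
    for later in rules:
        for earlier in rules:
            if earlier["priority"] < later["priority"] and rule_covers(earlier, later):
                kind = "shadowed_conflict" if earlier["action"] != later["action"] else "shadowed_redundant"
                findings.append((kind, later["name"],
                                 f"never reached: {earlier['name']} (priority {earlier['priority']}) matches first"))
    # Management ports reachable from anywhere on the internet.
    for r in rules:
        if r["direction"] == "Inbound" and r["action"] == "Allow" and r["source"] in UNIVERSAL_SOURCES:
            low, high = _port_bounds(r["dest_port"])
            exposed = [p for p in MGMT_PORTS if low <= p <= high]
            if exposed:
                findings.append(("mgmt_port_from_internet", r["name"], f"ports {exposed} open from {r['source']}"))
    return findings

def rule(name, priority, direction, source, dest_port, protocol, action):
    return {"name": name, "priority": priority, "direction": direction,
            "source": source, "dest_port": dest_port, "protocol": protocol, "action": action}

# Constructed rule set with the mistakes the page warns about.
WEAK_RULES = [
    rule("Allow-All-Inbound-Temp", 100, "Inbound", "Any", "Any", "Any", "Allow"),
    rule("Allow-HTTPS-from-Internet", 200, "Inbound", "Internet", "443", "Tcp", "Allow"),
    rule("Deny-SSH-from-Internet", 300, "Inbound", "Internet", "22", "Tcp", "Deny"),
    rule("Allow-RDP-from-Internet", 400, "Inbound", "0.0.0.0/0", "3389", "Tcp", "Allow"),
    rule("Allow-SSH-from-Office", 400, "Inbound", "198.51.100.0/24", "22", "Tcp", "Allow"),
    rule("Allow-DNS-Outbound", 100, "Outbound", "Any", "53", "Udp", "Allow"),
]
# The same intent expressed the way the page recommends; the default
# DenyAllInBound rule takes care of everything not listed.
HARDENED_RULES = [
    rule("Allow-HTTPS-from-Internet", 100, "Inbound", "Internet", "443", "Tcp", "Allow"),
    rule("Allow-SSH-from-Office", 200, "Inbound", "198.51.100.0/24", "22", "Tcp", "Allow"),
    rule("Allow-DNS-Outbound", 100, "Outbound", "Any", "53", "Udp", "Allow"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {len(audit_rules(rules))} finding(s)")
        for check, rule_name, detail in audit_rules(rules):
            print(f"  {check:24} {rule_name:28} {detail}")
```

The weak set produces the findings the page predicts: the temporary allow-all at priority 100 makes every later inbound rule unreachable, including the SSH deny, which is reported as a conflict rather than a mere redundancy; the office SSH allow is additionally shadowed by the internet-wide SSH deny ahead of it, which is the reverse-ordering mistake that tends to surface as "the VPN users can't get in"; and the duplicate priority 400 would be rejected by Azure anyway. The hardened set returns no findings.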

To strike a balance between security and performance, optimise your configurations. For instance, use IP ranges instead of listing individual IPs in your rules to reduce complexity and improve efficiency. Plan your virtual networks thoughtfully by dividing them into smaller subnets based on security needs, applications, or environments. This approach makes NSG management easier and strengthens your overall security.

For more tips on improving your Azure setup, including cost management, performance tweaks, and security advice, check out Azure Optimization Tips, Costs & Best Practices.

Conclusion and Key Takeaways

Network Security Groups (NSGs) play a critical role in securing Azure infrastructures, especially for small and medium-sized businesses. This guide has walked you through the essential steps - from planning to ongoing monitoring - giving you the tools to implement effective network security measures.

The success of an NSG implementation starts with proper planning. Instead of diving straight into configuration, take the time to design a security strategy that aligns with your application architecture and network setup. Think about how NSGs can complement other Azure security tools like Azure Firewall and Azure Bastion to create a well-rounded defence system. This careful preparation helps you avoid costly errors and ensures your security measures meet your organisation's needs.

When it comes to configuration, clarity and organisation are essential. Use intuitive naming conventions for your rules so their purpose is immediately clear. Leave gaps in your rule priority numbering to make future updates easier, and leverage Application Security Groups to streamline management. NSGs are designed to handle even complex environments, so laying this groundwork ensures scalability and simplicity.

After configuration, continuous management becomes the priority. Regularly review and update your security rules to reflect changes in your business. Enable NSG flow logs on critical subnets and all associated NSGs to maintain visibility into your network traffic. This proactive approach ensures your network remains secure and adaptable.

FAQs

How can I optimise my Azure NSG rules for better security and performance?

To keep your Azure NSG rules working effectively for both security and performance, it’s crucial to prioritise and organise them thoughtfully. Start by assigning lower priority numbers (indicating higher priority) to the most restrictive rules. Avoid using overly broad rules, as they can permit unnecessary traffic or slow down performance.

Be precise when defining source and destination IP addresses and ports to reduce unnecessary filtering. Check traffic logs regularly to spot patterns, cut down on bandwidth-heavy traffic, and fine-tune your rules. Also, keep the number of rules within a manageable range to stay under the maximum limit of 1,000 rules per NSG.

Using clear and consistent naming conventions for your rules can make them easier to read and manage. Regular updates, informed by traffic analysis and periodic security audits, will help maintain strong performance and robust protection.

How can I effectively monitor and troubleshoot Azure NSGs to ensure network security?

To keep your network secure with Azure NSGs, begin by turning on NSG flow logs through Azure Network Watcher. These logs provide visibility into IP traffic, helping you detect any unusual or suspicious activity. Alongside this, make use of diagnostic tools like connection troubleshoot and security rule diagnostics to confirm your NSG rules are working as intended and to quickly pinpoint any connectivity problems.

Make it a habit to review flow logs regularly and configure alerts for any unusual patterns. This proactive approach allows you to tackle potential threats early, keeping your network secure and running smoothly.

How do Azure NSGs work with Azure Firewall and Azure Bastion to strengthen network security?

Azure Network Security Groups (NSGs) integrate effortlessly with Azure Firewall and Azure Bastion, creating a multi-layered defence strategy for your network. NSGs act as filters at the subnet or network interface level, ensuring that only authorised traffic is allowed to flow. This works in tandem with Azure Firewall, which provides advanced threat protection and stateful inspection to guard against complex attacks.

Meanwhile, Azure Bastion adds another layer of security by enabling secure RDP and SSH access to virtual machines through private IPs, eliminating the need to expose them to the public internet. By setting up NSGs to allow traffic exclusively from Azure Bastion, you can maintain strict control over VM access. Together, these tools minimise potential vulnerabilities and provide strong security for your Azure setup.
