Network Security Group
An Azure Network Security Group (NSG) is a core component of Azure network security. You use an NSG to filter network traffic to and from Azure resources in an Azure virtual network (VNet).
A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Each rule in an NSG has the following properties:
Property | Description |
--- | --- |
Name | A unique name within the network security group. |
Priority | A number between 100 and 4096. Rules are processed in priority order, lower numbers first, because a lower number means a higher priority. Processing stops at the first rule that matches the traffic, so a rule with a higher number that matches the same traffic as a lower-numbered rule is never evaluated. |
Source/Destination | The source or destination of the network traffic. It can be "Any" for traffic from or to anywhere, or you can lock it down to a single IP address, an IP range in CIDR notation, a service tag, or an application security group. |
Protocol | TCP, UDP, ICMP, ESP, AH, or Any. |
Direction | The direction of the network traffic: Inbound or Outbound. |
Port Range | The port or port range the rule applies to. You can specify a single port, e.g., 443, or a range of ports, e.g., 1000-2000. |
Action | What to do with matching traffic: "Allow" or "Deny". |
Default Security rules:
When you create an NSG, Azure adds a set of default rules to it. The default rules use priorities of 65000 and above, so every rule you add (priority 100 to 4096) is evaluated before them; they cannot be deleted, but a rule with a lower priority number overrides them. The default inbound rules allow traffic from within the virtual network and from the Azure load balancer and deny all other inbound traffic; the default outbound rules allow traffic to the virtual network and to the Internet and deny all other outbound traffic.
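The priority-ordered, first-match evaluation described above, together with the default rules, as an added example (not code from the MS Learn page): a small Python model that evaluates a flow against a rule set, rejects user rules outside the 100-4096 priority range, and reports rules that a lower-numbered rule shadows. The VNet address space 10.0.0.0/16, the 203.0.113.0/24 documentation addresses and the sample rules are constructed assumptions; service tags other than VirtualNetwork, AzureLoadBalancer and Internet, and application security groups, are not modelled.

```python
"""Model of NSG rule evaluation. Added example, not code from the MS Learn page.
Assumptions not in the text: the VirtualNetwork tag resolves to a hypothetical
VNet space of 10.0.0.0/16, Internet means any address outside it, and only IPv4
CIDRs, single ports and port ranges are modelled (no other service tags, no
application security groups)."""
from collections import namedtuple
import ipaddress

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")   # assumed VNet address space
AZURE_LB = ipaddress.ip_address("168.63.129.16")   # Azure load balancer probe source
ANY = ("Any", "*")

# A rule carries the properties from the table above; ports are destination ports.
Rule = namedtuple("Rule", "name priority direction access protocol source destination ports")
Flow = namedtuple("Flow", "direction protocol src_ip dst_ip dst_port")

# Default rules Azure creates in every NSG; they cannot be deleted, only overridden.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "Any", "VirtualNetwork", "VirtualNetwork", "Any"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "Any", "AzureLoadBalancer", "Any", "Any"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "Any", "Any", "Any", "Any"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "Any", "VirtualNetwork", "VirtualNetwork", "Any"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "Any", "Any", "Internet", "Any"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "Any", "Any", "Any", "Any"),
]

def port_bounds(spec):
    """Normalise a port spec ("Any", "443", "1000-2000") to an inclusive (low, high) tuple."""
    if spec in ANY:
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def addr_matches(spec, ip):
    """Does the address spec (Any, CIDR or one of the three modelled tags) match ip?"""
    addr = ipaddress.ip_address(ip)
    if spec in ANY:
        return True
    if spec == "VirtualNetwork":
        return addr in VNET_SPACE
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    if spec == "Internet":
        return addr not in VNET_SPACE  # simplification of the real Internet tag
    return addr in ipaddress.ip_network(spec, strict=False)

def matches(rule, flow):
    lo, hi = port_bounds(rule.ports)
    return (rule.direction == flow.direction
            and rule.protocol in ANY + (flow.protocol,)
            and addr_matches(rule.source, flow.src_ip)
            and addr_matches(rule.destination, flow.dst_ip)
            and lo <= flow.dst_port <= hi)

def evaluate(rules, flow):
    """Lowest priority number wins; processing stops at the first match."""
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority must be between 100 and 4096")
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if matches(rule, flow):
            return rule.access, rule.name
    raise AssertionError("unreachable: the DenyAll defaults match everything")

def addr_covers(a, b):
    """True if every address matching spec b also matches spec a (conservative)."""
    if a in ANY or a == b:
        return True
    try:
        return ipaddress.ip_network(b, strict=False).subnet_of(ipaddress.ip_network(a, strict=False))
    except ValueError:
        return False  # a tag is involved: do not claim coverage

def shadowed_rules(rules):
    """(shadowed, shadowing) pairs: user rules that a lower-numbered rule hides entirely."""
    found = []
    for low in rules:
        for high in rules:
            if (high.priority < low.priority and high.direction == low.direction
                    and high.protocol in ANY + (low.protocol,)
                    and addr_covers(high.source, low.source)
                    and addr_covers(high.destination, low.destination)
                    and port_bounds(high.ports)[0] <= port_bounds(low.ports)[0]
                    and port_bounds(low.ports)[1] <= port_bounds(high.ports)[1]):
                found.append((low.name, high.name))
                break
    return found

# Constructed sample rule set using documentation address ranges, not real hosts.
SAMPLE_RULES = [
    Rule("AllowHTTPSFromOffice", 100, "Inbound", "Allow", "TCP", "203.0.113.0/24", "Any", "443"),
    Rule("DenySSH", 200, "Inbound", "Deny", "TCP", "Any", "Any", "22"),
    Rule("AllowSSHFromMgmt", 300, "Inbound", "Allow", "TCP", "203.0.113.10/32", "Any", "22"),
]
```

In the sample set, AllowSSHFromMgmt (priority 300) never fires because DenySSH (priority 200) already matches all TCP/22 traffic, so `evaluate(SAMPLE_RULES, Flow("Inbound", "TCP", "203.0.113.10", "10.0.0.4", 22))` returns the deny; `shadowed_rules` flags exactly that, which is the mistake the priority property warns about. Traffic from another VNet host on an unlisted port is still allowed by the 65000 default, and anything else from outside falls through to DenyAllInBound.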
Create a Network security group
- In the Azure portal, select Create a resource -> Networking -> Network Security Group.
- In the Create network security group page, under the Basics tab, set values for the following settings:
Setting | Value |
--- | --- |
Subscription | Choose your subscription. |
Resource group | Choose an existing resource group, or select Create new to create a new resource group. |
Name | Enter a name that is unique within the resource group. |
Region | Choose the region you want. |
- Select Review + create.
- After you see the Validation passed message, select Create. To view your network security groups, search for and select Network security groups; the list of network security groups in your subscription appears.
Create a security rule
- In the Azure portal, search for and select Network security groups. Select the name of the network security group you want to add a security rule to. In the network security group's menu bar, choose Inbound security rules or Outbound security rules.
- Select Add. Select or add values for the rule properties described above (source, destination, protocol, port range, action, priority and name), and then select OK.
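The same NSG and rules can be created from the Azure CLI instead of the portal. The following is an added example, not code from MS Learn: it builds the `az network nsg create` and `az network nsg rule create` commands for the steps above, validates each field against the rule properties listed earlier, and executes nothing unless asked (running it for real requires `az login` and an existing resource group). The resource group rg-demo, the NSG nsg-web, the region eastus and the sample rules are hypothetical.

```python
"""Azure CLI equivalent of the portal steps. Added example, not from MS Learn.
Resource names, region and the sample rules are hypothetical placeholders."""
import shlex
import subprocess

# Portal protocol names mapped to the values the az CLI accepts.
PROTOCOLS = {"TCP": "Tcp", "UDP": "Udp", "ICMP": "Icmp", "ESP": "Esp", "AH": "Ah", "ANY": "*"}

def nsg_create_cmd(resource_group, name, location):
    """Equivalent of Create a resource -> Networking -> Network Security Group."""
    return ["az", "network", "nsg", "create", "--resource-group", resource_group,
            "--name", name, "--location", location]

def nsg_rule_create_cmd(resource_group, nsg, name, priority, direction, access,
                        protocol, source="*", destination="*", dest_ports="*"):
    """Validate the rule fields from the property table and map them to az arguments."""
    if not 100 <= priority <= 4096:
        raise ValueError("priority must be between 100 and 4096")
    if direction not in ("Inbound", "Outbound"):
        raise ValueError("direction must be Inbound or Outbound")
    if access not in ("Allow", "Deny"):
        raise ValueError("access must be Allow or Deny")
    if protocol.upper() not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    return ["az", "network", "nsg", "rule", "create",
            "--resource-group", resource_group, "--nsg-name", nsg, "--name", name,
            "--priority", str(priority), "--direction", direction, "--access", access,
            "--protocol", PROTOCOLS[protocol.upper()],
            "--source-address-prefixes", source, "--source-port-ranges", "*",
            "--destination-address-prefixes", destination,
            "--destination-port-ranges", dest_ports]

def run(cmd, execute=False):
    """Print the shell-quoted command; run it only when explicitly asked."""
    print(shlex.join(cmd))
    if execute:
        subprocess.run(cmd, check=True)
    return cmd

if __name__ == "__main__":
    run(nsg_create_cmd("rg-demo", "nsg-web", "eastus"))
    run(nsg_rule_create_cmd("rg-demo", "nsg-web", "AllowHTTPSFromOffice", 100, "Inbound",
                            "Allow", "TCP", source="203.0.113.0/24", dest_ports="443"))
    run(nsg_rule_create_cmd("rg-demo", "nsg-web", "DenySSH", 200, "Inbound",
                            "Deny", "TCP", dest_ports="22"))
```

Passing the arguments as a list to `subprocess.run` avoids shell globbing of the `*` wildcards; the printed form is quoted with `shlex.join` so it can be pasted into a shell as-is.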
Source: MS Learn