Network Security Group (NSG)

A Network Security Group (NSG) filters inbound and outbound traffic to and from Azure Virtual Machines and, in the classic deployment model, PaaS role instances (Web and Worker Roles). An NSG can be associated with a Network Interface Card (NIC) or with a subnet; in the classic model it is also referenced from the Network Configuration Schema. It functions as a basic stateful packet filter (layer 3/4) rather than a full firewall. Rules are evaluated in order of priority: the lower the number, the higher the priority, and processing stops at the first rule that matches the flow. Every NSG contains six default rules that cannot be deleted: three inbound (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) and three outbound (AllowVnetOutBound, AllowInternetOutBound, DenyAllOutBound). The default rules use priorities 65000, 65001 and 65500, so any custom rule (priority 100 to 4096) is evaluated before them and can override them.

An NSG can be created and applied from the Azure portal, PowerShell, the Azure CLI or an ARM template; the portal is the easiest way to get started.

NSG FAQ

1. How can I check if my rules are applied or not?
Ans: Use the built-in Network Watcher service. IP flow verify tells you whether a specific flow to or from a VM is allowed or denied and which rule made the decision, and Effective security rules shows the combined rule set a NIC actually receives from its own NSG and from its subnet's NSG. Network Watcher must be enabled in the region before you can run these checks.

2. How do I know which rules will be evaluated first? / How is priority defined in an NSG?
Ans: Rules are evaluated in ascending order of priority, a number between 100 and 4096 for custom rules. The smaller the number, the higher the priority. The first rule whose direction, source, destination, ports and protocol match the traffic decides the outcome; no later rule is consulted, so a broad Deny with a low number silently shadows any Allow with a higher number.

3. What are the resources that I can protect using an NSG?
Ans: An NSG can be associated with a subnet or with the NIC of a virtual machine (or both), so any resource with a private IP address in the VNet that sends or receives traffic can be protected. When both a subnet NSG and a NIC NSG are present, inbound traffic is evaluated against the subnet NSG first and then the NIC NSG, and outbound traffic against the NIC NSG first and then the subnet NSG; the flow must be allowed by both.

4. Does it replace deploying a third-party firewall?
Ans: No. An NSG is a layer 3/4 packet filter that matches on IP addresses, ports and protocols; it does not perform application-layer inspection, TLS decryption, intrusion detection or threat-intelligence filtering, so a third-party firewall still has its place. An NSG does cover the basic allow/deny cases a firewall would otherwise handle, and the two are normally used together.

5. Are there any limitations of NSGs?
Ans: Yes. The figures often quoted, 100 NSGs per subscription per region and 200 rules per NSG, are the classic-era defaults; the Resource Manager limits are now 5,000 NSGs per region per subscription and 1,000 rules per NSG, and custom rule priorities must be unique per direction and fall between 100 and 4096. Check the Azure subscription and service limits page for the current values, and open a support ticket with Microsoft if you need more.
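To make the evaluation order from the introduction and FAQ items 2 and 5 concrete, here is an added example (not Microsoft's implementation and not part of the original post) that models an NSG in Python: rules are written in the same securityRules shape an ARM template uses, validated against the priority and count limits, and then evaluated together with the six default rules, lowest priority number first, first match wins. The VNet address space (10.0.0.0/16), the 168.63.129.16 address behind the AzureLoadBalancer tag, and the sample rules and flows are constructed for the example; the Internet and VirtualNetwork service tags are simplified to "inside or outside the VNet".

```python
import ipaddress

# Constructed assumptions for this example: the VNet the NSG is attached to, and the
# address the AzureLoadBalancer service tag resolves to (Azure's health-probe source).
VNET_ADDRESS_SPACE = ["10.0.0.0/16"]
AZURE_LB_IP = "168.63.129.16"

MAX_CUSTOM_RULES = 1000                   # Resource Manager limit per NSG
CUSTOM_PRIORITY_RANGE = range(100, 4097)  # custom rules: 100..4096 inclusive


def make_rule(name, priority, direction, access, protocol,
              src_prefix, src_port, dst_prefix, dst_port):
    """One securityRules[] entry in the shape used by ARM templates and the REST API."""
    return {"name": name, "properties": {
        "priority": priority, "direction": direction, "access": access,
        "protocol": protocol,                       # "Tcp" | "Udp" | "Icmp" | "*"
        "sourceAddressPrefix": src_prefix, "sourcePortRange": src_port,
        "destinationAddressPrefix": dst_prefix, "destinationPortRange": dst_port}}


# The six rules every NSG ships with. They cannot be deleted, only out-prioritised.
DEFAULT_RULES = [
    make_rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    make_rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    make_rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    make_rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    make_rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    make_rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def validate_rules(rules):
    """Reject what Azure rejects: out-of-range priority, duplicate priority per direction, too many rules."""
    if len(rules) > MAX_CUSTOM_RULES:
        raise ValueError(f"{len(rules)} rules exceeds the {MAX_CUSTOM_RULES}-rule limit")
    seen = set()
    for r in rules:
        p = r["properties"]
        if p["priority"] not in CUSTOM_PRIORITY_RANGE:
            raise ValueError(f"{r['name']}: priority must be between 100 and 4096")
        key = (p["direction"], p["priority"])
        if key in seen:
            raise ValueError(f"{r['name']}: duplicate priority {key}")
        seen.add(key)
    return True


def _prefix_matches(prefix, ip):
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(n) for n in VNET_ADDRESS_SPACE)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return in_vnet
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB_IP
    if prefix == "Internet":      # simplified: anything outside the VNet address space
        return not in_vnet
    return addr in ipaddress.ip_network(prefix, strict=False)   # CIDR or single IP


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(x) for x in port_range.split("-"))
        return lo <= port <= hi
    return port == int(port_range)


def evaluate(custom_rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Walk custom + default rules in ascending priority; return (rule name, access) of the first match."""
    for r in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r["properties"]["priority"]):
        p = r["properties"]
        if p["direction"] != direction:
            continue
        if p["protocol"] != "*" and p["protocol"].lower() != protocol.lower():
            continue
        if (_prefix_matches(p["sourceAddressPrefix"], src_ip) and _port_matches(p["sourcePortRange"], src_port)
                and _prefix_matches(p["destinationAddressPrefix"], dst_ip)
                and _port_matches(p["destinationPortRange"], dst_port)):
            return r["name"], p["access"]
    raise AssertionError("unreachable: the DenyAll default rules match every flow")


def nsg_resource(name, location, rules):
    """ARM resource body equivalent to an NSG created in the portal with these rules."""
    validate_rules(rules)
    return {"type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2023-04-01",
            "name": name, "location": location, "properties": {"securityRules": rules}}


# Constructed rule set: SSH only from the corporate 10.0.0.0/8 range, an explicit deny for
# SSH from anywhere else, HTTPS from the Internet. Everything else falls to the defaults.
CUSTOM_RULES = [
    make_rule("AllowSshFromCorp", 100, "Inbound", "Allow", "Tcp", "10.0.0.0/8", "*", "*", "22"),
    make_rule("DenySshFromElsewhere", 110, "Inbound", "Deny", "Tcp", "*", "*", "*", "22"),
    make_rule("AllowHttpsFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
]

if __name__ == "__main__":
    nsg = nsg_resource("nsg-web", "eastus", CUSTOM_RULES)
    print(f"{nsg['name']}: {len(nsg['properties']['securityRules'])} custom rules + {len(DEFAULT_RULES)} defaults")
    for flow in [("Inbound", "Tcp", "10.1.2.3", 50000, "10.0.1.4", 22),      # corp SSH
                 ("Inbound", "Tcp", "203.0.113.5", 50000, "10.0.1.4", 22),   # Internet SSH
                 ("Inbound", "Tcp", "203.0.113.5", 50000, "10.0.1.4", 3389), # no rule: DenyAllInBound
                 ("Inbound", "Tcp", "10.0.5.5", 50000, "10.0.1.4", 3389),    # VNet peer: AllowVnetInBound
                 ("Outbound", "Tcp", "10.0.1.4", 50000, "203.0.113.5", 443)]:
        print(flow, "->", evaluate(CUSTOM_RULES, *flow))
```

Note the two cases that surprise people: RDP from another VM in the same VNet is allowed by the default AllowVnetInBound rule even though no custom rule mentions it, and RDP from the Internet is denied only because DenyAllInBound at 65500 catches it. If you swapped the priorities of the two SSH rules, the Deny at 100 would shadow the Allow and corporate SSH would break, which is exactly what Network Watcher's IP flow verify would report.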

How to apply an NSG using the Azure Portal

Step 1: In the Azure (ARM) portal, click + (Create a resource).
Step 2: Search for Network Security Group.
Step 3: Select Network Security Group.
Step 4: Click Create.
Step 5: Specify the Name, Subscription, Resource Group and Location.
Step 6: Click Create and wait until the deployment completes.
Step 7: Click Go to resource.
Step 8: The NSG overview page is displayed; it lists the default inbound and outbound security rules.
Step 9: From the Settings blade, configure the inbound and outbound security rules you need (each with a unique priority between 100 and 4096), then associate the NSG with a network interface or a subnet. Until it is associated, the NSG filters nothing.
