Configuring Inbound and Outbound Rules in Azure NSGs

Introduction

Network Security Groups (NSGs) in Azure are fundamental in managing network traffic to and from Azure resources. Configuring inbound and outbound security rules is key to maintaining a secure and efficient cloud environment. This guide will walk you through the process, highlighting all the essential fields and how they change based on the source value.

What are NSG Security Rules?

Azure NSGs contain rules that control inbound and outbound network traffic. Inbound rules manage the traffic coming into our resources, while outbound rules control the traffic leaving them. Each rule in an NSG allows or denies traffic based on several criteria like source, destination, port, and protocol.

Fields in NSG Security Rules

When configuring both inbound and outbound rules in an NSG, we will encounter the following fields:

• Source
  • Description: Specifies where the network traffic originates.
  • Possible Values: IP Addresses/Ranges, Service Tags, Application Security Groups (ASGs), 'Any', 'My IP Address'.
• Source port ranges
  • Description: Defines the port(s) on the source side that the rule applies to.
  • Possible Values: Single port (e.g., '80'), port ranges (e.g., '1000-2000'), or '*' for any port.
• Destination
  • Description: Identifies the destination of the network traffic.
  • Possible Values: IP Addresses/Ranges, Service Tags, Application Security Groups (ASGs), 'Any'.
• Service
  • Description: Allows us to choose predefined destination services such as RDP, SSH, etc., and their respective port ranges and protocols will be populated. The default is Custom, which allows us to specify the destination port ranges and protocol.
  • Allowed Values: The list is long but includes RDP, SSH, HHTP, HTTPS, Custom, etc.
• Destination port ranges
  • Description: Specifies the port(s) on the destination side that the rule applies to.
  • Possible Values: Single port (e.g., '443'), port ranges (e.g., '8000-8080'), or '*' for any port.
• Protocol
  • Description: The network protocol to which the rule applies.
  • Possible Values: 'TCP', 'UDP', 'ICMP', or '*' for any protocol.
• Action
  • Description: Determines whether the rule allows or denies traffic.
  • Possible Values: 'Allow', 'Deny'.
• Priority
  • Description: A number indicating the precedence of the rule (lower numbers have higher priority).
  • Possible Values: Any number between 100 and 4096.
• Name
  
  • Description: A unique identifier for the rule.
  • Possible Values: Any user-defined name.
• Description (optional)
  • Description: Provides additional information about the rule.
  • Possible Values: Any user-defined text.

Based on source field selection, additional fields may be available. Possible values for the source field and additional fields based on source field values selection are as follows:

• Any
  • Description: Represents traffic from all possible IP addresses.
  • Additional Fields: None required. Selecting 'Any' implies the rule applies universally, without IP address-based filtering.
• IP Addresses
  • Description: Specifies traffic from individual IP addresses or a range of IP addresses.
  • Additional Fields:
    • Source IP addresses/CIDR ranges: You need to specify the specific IP address (e.g., 192.168.1.1) or range of addresses (e.g., 192.168.1.0/24) for the rule. We can also provide multiple IPs or ranges separated by commas.
• My IP Address
  • • Description: Automatically uses the public IP address of your current internet connection.
    • Additional Fields: This option dynamically sets the Source IP addresses/CIDR ranges to our current public IP address.
• Service tag
  • Description: Represents a group of IP address prefixes from Azure services (like Azure Storage, Azure SQL Database, etc.), simplifying rule management.
  • Additional Fields:
    • Service Tag Selection: You need to select from a list of predefined Azure service tags (e.g., VirtualNetwork, Internet, AzureLoadBalancer, etc.).
• Application security group
  • Description: Allows us to define the source as a group of VMs using ASGs.
  • Additional Fields:
    • Source application security groups: Choose from the Application Security Groups defined within our Azure environment.

Overview of Steps to Configure NSG Rules

Accessing NSG Settings

1. Log into Azure Portal.
2. Navigate to the 'Network Security Groups' section.
3. Select the NSG you wish to configure.

Adding/Editing a Rule

1. Choose either 'Inbound security rules' or 'Outbound security rules'.
2. Click 'Add' to create a new rule or select an existing rule to edit.
3. Fill in the necessary fields:
   • Name, Priority, Action, Protocol.
   • Source/Destination: Choose the appropriate type and fill in the details.
   • Source/Destination Port Ranges: Specify the ports.
4. Add a Description if needed.
5. Save the rule.

Best Practices

• Prioritize Rules Carefully: The priority determines the order in which rules are processed.
• Be Specific: Narrow down the source and destination to minimize potential security risks.
• Regularly Review Rules: Ensure that your rules are up-to-date and remove any that are no longer needed.

Conclusion

Configuring inbound and outbound rules in Azure NSGs is a critical task for managing your cloud environment's security. By understanding the various fields and how to effectively use them, you can ensure your Azure resources are well-protected and accessible as needed.

See also

• Understanding Network Security Groups (NSGs) in Azure