
What is Network Security Groups (NSGs) in Azure?

Author: PyNet Labs
Last Modified: July 12, 2024
Date: July 12, 2024

Introduction

Network security has become a critical concern for most organizations as their reliance on cloud environments grows. With the spread of cloud services, traditional network security approaches no longer provide an adequate answer to contemporary threats. Microsoft Azure addresses these challenges with Azure Security Groups, which include Azure Network Security Groups (NSGs) and Azure Application Security Groups (ASGs).

In this blog post, you will learn about Azure Network Security Groups: what they are, how they work, and why NSG rules matter. We will also discuss flow logs, which help you verify the security and efficiency of your network.

For a fuller picture, we have also covered the basic differences between Azure NSG and Azure Firewall. To delve deeper into these features and master Azure security best practices, consider enrolling in a Microsoft Azure combo training.

Let’s first understand what NSG in Azure really is.

What are Network Security Groups (NSG)?

Network Security Groups, or NSGs, are a Microsoft Azure feature that controls incoming and outgoing network traffic. They are often described as an extra layer of security for an Azure Virtual Network, because they act like a firewall that regulates traffic. An NSG holds the rules that specify whether a given type of traffic may pass through your Azure virtual network.

So, how does it work?

  • When data packets arrive at your Azure VNet, they are evaluated against the rules configured in your NSG.
  • The rules are evaluated in priority order, beginning with the highest-priority rule (the lowest priority number).
  • If a rule matches the packet, the action defined in that rule is applied (allow or deny) and evaluation stops.
  • If no rule matches the packet, the default rule takes effect, which denies the traffic.

Now, let’s look into the flow of network traffic and the rule enforcement protocol that Azure NSG follows:

  • Incoming traffic: When data packets attempt to enter a VNet protected by a Network Security Group (NSG), they must satisfy the NSG's rule set. Each rule is checked in turn. If the traffic matches an "allow" rule, it is admitted. If it matches no "allow" rule, it is blocked, whether by an explicit "deny" rule or by the default deny.
  • Outgoing traffic: Likewise, when data packets attempt to leave a VNet, they are evaluated against the NSG rules. If a packet matches an "allow" rule, it may proceed. If no "allow" rule matches, the packet is blocked, whether by an explicit "deny" rule or by the default deny.

The act of examining the rules and deciding whether to allow or deny traffic is called "rule enforcement." NSGs implement a rule enforcement mechanism that keeps track of allowed and denied flows, which improves both efficiency and security.

For better understanding, we have shared an image which shows the process of rule enforcement.

The process of Rule enforcement in Network Security Groups in Azure

Now that you have a basic understanding of NSG in Azure and the flow of network traffic, let us discuss the rules and their purpose.

NSG Rules and Their Purpose

NSG rules are the heart of Azure network security. Each rule is like a specific instruction that tells the NSG what to do with certain types of traffic.

Below, we have explained some of the default NSG rules along with their purpose.

AllowVnetInbound

This rule allows inbound traffic originating within the VNet. It is useful when VMs or subnets inside your VNet need to communicate with each other.

AllowAzureLoadBalancerInBound

This rule allows inbound traffic from the Azure Load Balancer. It is needed when you use Azure Load Balancer to distribute traffic to your VMs.

DenyAllInbound

This rule denies all other inbound traffic. It is the rule that restricts all traffic to your VNet that no earlier rule has allowed.

AllowVnetOutbound

This rule allows outbound traffic to VNets. It is useful when your resources need to talk to VNets under your subscription.

AllowInternetOutBound

This rule allows outbound traffic to the Internet. It is useful when your resources need to reach Internet-hosted resources or services.

DenyAllOutbound

This rule denies all other outbound traffic. It is what restricts outbound traffic originating from your Virtual Network (VNet) that no earlier rule has allowed.

Before getting into Azure Network Security Groups’ Flow Logs, let’s first understand how NSG in Azure works.

How do Azure Network Security Groups Work?

The Network Security Groups can be configured with security rules that specify:

  • Direction: Inbound or outbound traffic.
  • Source/Destination: IP addresses or ranges, service tags, or Azure resource IDs.
  • Protocol: TCP, UDP, ICMP, or any other supported protocol.
  • Port Range: Specific ports or ranges.
  • Action: Allow, deny, or log.
Explanation of How Network Security Groups work

Traffic flow:

  1. Traffic from the Internet with a public source IP address (203.0.113.100) arrives at the NSG.
  2. The NSG examines the traffic against the configured security rules.
  3. If a rule matches and allows the traffic, it is passed to the virtual machine.
  4. If a rule matches and denies the traffic, the connection is blocked.
  5. If no rule matches, the default rule (which is usually "Deny") is applied.
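To make the priority-ordered, first-match evaluation described in the rule-enforcement bullets and in the traffic-flow steps above concrete, here is an added Python model of it (example code, not Azure's implementation). The default rules mirror the ones listed in this post with Azure's built-in priorities; the service-tag matching (VirtualNetwork, Internet, AzureLoadBalancer) is a simplification, and the custom HTTPS rule and the VNet prefix 10.0.0.0/16 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Minimal model of NSG rule enforcement (added example, not Azure's code). Service tags are
# approximated: VirtualNetwork = in the VNet prefix, Internet = outside it, AzureLoadBalancer = 168.63.129.16.
@dataclass
class Rule:
    name: str
    priority: int       # lower number is evaluated first; first match wins
    direction: str      # "Inbound" or "Outbound"
    source: str         # CIDR, service tag, or "*"
    dest_port: str      # "443", "8000-8080", or "*"
    action: str         # "Allow" or "Deny"

def source_matches(spec, ip, vnet):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in vnet
    if spec == "Internet":
        return ip not in vnet
    if spec == "AzureLoadBalancer":
        return ip == ipaddress.ip_address("168.63.129.16")
    return ip in ipaddress.ip_network(spec)

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, src_ip, dst_port, vnet="10.0.0.0/16"):
    """Walk the rules in priority order; the first match decides the packet's fate."""
    net = ipaddress.ip_network(vnet)
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and source_matches(r.source, ip, net)
                and port_matches(r.dest_port, dst_port)):
            return r.action, r.name
    return "Deny", "no-match"   # never reached: the default rules match everything

# Azure's default inbound rules (priorities 65000-65500) cannot be removed; a custom rule
# needs a lower number (higher precedence) to take effect ahead of DenyAllInBound.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "Deny"),
]
# Constructed custom rule: publish HTTPS to the Internet, leave all else to DenyAllInBound.
RULES = [Rule("Allow-HTTPS-FromInternet", 100, "Inbound", "Internet", "443", "Allow")] + DEFAULT_INBOUND
```

Calling evaluate(RULES, "Inbound", "203.0.113.100", 443) returns the allow from the custom rule, while the same source on port 22 falls through to DenyAllInBound, and a VNet-internal source on port 22 is admitted by AllowVnetInBound.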

Let's now discuss one of the most important Microsoft Azure features that supports Network Security Groups: NSG Flow Logs.

Azure NSG Flow Logs

NSG Flow Logs are one of the most useful tools for understanding the network traffic that traverses an Azure NSG. They provide precise data about the network packets evaluated by the security group. Each log entry can include the source IP address, the destination IP address, the protocol used, the number of bytes transferred, and the action taken by the Network Security Group, which is either allow or deny.

But how do such flow logs work? Let’s look into it.

  • Traffic flow: Each time a network packet passes through an NSG, details of that packet are recorded. These details include the source and destination IP addresses, port numbers, the protocol used, and the decision taken, i.e., whether the traffic was allowed or denied.
  • Data storage: The information is written to a log file for later use and analysis, so it can be cross-referenced with other system logs. These log files are kept in an Azure storage account.
  • Log analysis: The logs can then be analyzed, on their own or with other data, to build an understanding of the network traffic. This helps in identifying security threats and in diagnosing network problems later on.

Note: To start using Azure NSG Flow Logs, you must enable flow logging and specify the storage account where the logs will be saved. Once enabled, the flow logs are generated and can be parsed and analyzed with tools of the organization's choice, such as Azure Log Analytics, Power BI, or general-purpose network analysis tools.

Now that you have a good understanding of Azure Network Security Group Flow Logs, the next question is what they are used for. Let's discuss the different applications of Azure NSG Flow Logs.

Use Cases of Azure NSG Flow Logs

Below, we have discussed the different use cases of Azure NSG Flow Logs.

  • Security Monitoring: With the help of NSG Flow Logs, you can easily identify suspicious activity on your network. For example, if there is an unexpected spike in traffic to a particular resource, you can track it via NSG Flow Logs.
  • Network Troubleshooting: Let’s suppose a service stopped working. With the help of NSG Flow Logs, you can pinpoint the source of the problem as it will indicate which traffic is being blocked or allowed. For example, if a specific IP address is being denied, it simply indicates a firewall issue.
  • Compliance and Auditing: Maintain records of network traffic for regulatory or legal requirements.
  • Network Performance Optimization: NSG Flow Logs can help you in getting a deeper understanding of network traffic patterns. This will allow you to optimize resource allocation, load balancing, and other network configurations.
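As an added illustration of the security-monitoring and troubleshooting use cases above (example code, not Azure's tooling), the following Python parses NSG flow log version 2 records, counts denied inbound flows per source address, and reports which rule denied traffic to a given port. The sample log is constructed for the example; the subscription, resource group and NSG names in its resourceId are placeholders, and the 13-field tuple layout follows the documented version 2 format.

```python
import json
from collections import Counter

# Added example (not Azure's tooling): parse NSG flow log version 2 records and answer the
# two questions the post raises, "who is being denied a lot?" and "which rule blocked port X?".
# Each flowTuples entry has 13 comma-separated fields in the documented v2 layout:
# time,srcIP,dstIP,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D),state(B/C/E),
# packetsS2D,bytesS2D,packetsD2S,bytesD2S  (counters are empty for state B and for denies).
FIELDS = ["time", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"]

def parse_flow_log(text):
    """Yield one dict per flow tuple, tagged with the NSG rule that handled it."""
    for record in json.loads(text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    flow = dict(zip(FIELDS, tup.split(",")))
                    flow["rule"] = rule_block["rule"]
                    yield flow

def denied_inbound_by_source(flows, threshold):
    """Security monitoring: source IPs with at least `threshold` denied inbound flows."""
    hits = Counter(f["src_ip"] for f in flows if f["direction"] == "I" and f["decision"] == "D")
    return {ip: n for ip, n in hits.items() if n >= threshold}

def rules_denying_port(flows, dst_port):
    """Troubleshooting: which rule(s) denied traffic to a given destination port."""
    return sorted({f["rule"] for f in flows if f["dst_port"] == str(dst_port) and f["decision"] == "D"})

# Constructed sample log: a scanner probing SSH/RDP/Telnet from 203.0.113.100 plus legitimate HTTPS.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-07-12T10:00:00.000Z", "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<sub>/RESOURCEGROUPS/<rg>/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/<nsg>",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1720778400,203.0.113.100,10.0.1.4,51234,22,T,I,D,B,,,,",
            "1720778401,203.0.113.100,10.0.1.4,51235,3389,T,I,D,B,,,,",
            "1720778402,203.0.113.100,10.0.1.4,51236,23,T,I,D,B,,,,",
            "1720778403,198.51.100.7,10.0.1.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_Allow-HTTPS-FromInternet", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1720778404,198.51.100.7,10.0.1.4,40001,443,T,I,A,B,,,,",
            "1720778405,198.51.100.7,10.0.1.4,40001,443,T,I,A,E,12,3400,10,9800"]}]}]}}]})

FLOWS = list(parse_flow_log(SAMPLE_LOG))
```

On the sample, denied_inbound_by_source(FLOWS, 3) flags only 203.0.113.100, and rules_denying_port(FLOWS, 22) names DefaultRule_DenyAllInBound as the rule blocking SSH, which is exactly the "is it the NSG?" answer a troubleshooter needs.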

NSGs in Azure and Azure Firewall are often confused, since both are used to protect your network from attacks. There are, however, some major differences between the two. Let's discuss them in detail.

Difference between Azure Network Security Group and Azure Firewall

Below, we have discussed the basic difference between the two based on different factors in a tabular form for better understanding.

Purpose
  Azure Network Security Group (NSG): Controls incoming and outgoing traffic at the subnet or NIC level
  Azure Firewall: Acts as a fully managed, cloud-based network security system

Security Rules
  Azure Network Security Group (NSG): Supports up to 500 security rules
  Azure Firewall: Supports up to 10,000 security rules

Traffic Inspection
  Azure Network Security Group (NSG): Only inspects traffic at Layers 3 and 4 (IP and port)
  Azure Firewall: Inspects traffic at Layers 3, 4, and 7 (IP, port, and application)

Scalability
  Azure Network Security Group (NSG): Limited scalability, especially for large environments
  Azure Firewall: Highly scalable and can handle massive traffic volumes

Pricing
  Azure Network Security Group (NSG): Priced per hour, based on the number of NSGs
  Azure Firewall: Priced per hour, based on the number of Firewall instances

Management
  Azure Network Security Group (NSG): Can be managed using Azure Portal, CLI, or PowerShell
  Azure Firewall: Can be managed using Azure Portal, CLI, or PowerShell, with additional features like threat intelligence and analytics

Integration
  Azure Network Security Group (NSG): Integrates with Azure Virtual Machines, Azure Storage, and Azure Kubernetes Service
  Azure Firewall: Integrates with Azure Virtual Networks, Azure Application Gateway, and Azure Front Door

Frequently Asked Questions

Q1 – What are network security groups?

Network Security Groups, or NSGs, in Azure are like virtual firewalls. They control both the incoming and the outgoing network traffic in a virtual network, and they block or allow specific types of traffic based on rules.

Q2 – What is the difference between a firewall and network security groups?

A firewall is a device mainly used to control traffic between networks. Network Security Groups are sets of virtual firewall rules that control traffic within a virtual network, filtering both incoming and outgoing traffic.

Q3 – What are security groups?

Security groups act as filters that regulate the traffic flowing into and out of a computer or a network. They help protect it from attackers and other unauthorized parties.

Q4 – What are network security groups in OCI?

In OCI, NSGs are virtual firewalls that apply at the subnet level to contain and regulate traffic flows at the network level, based on the security rules established for your cloud resources.

Conclusion

Azure Network Security Groups are a security feature that helps protect your network in the Azure environment. Knowing how NSG rules function and how NSG Flow Logs can be used, you can control the traffic in your VNet with confidence. In this blog, you have learned what an NSG in Azure is, how it works, what NSG Flow Logs are, and the fundamental differences between Azure NSG and Azure Firewall.

If you have any questions or comments, please feel free to leave them below!
