An NSG contains a list of rules that allow or deny network traffic for resources associated with VNets.
Currently, there are the following types of NSG:
- NSG applied to a NIC
- NSG applied to a subnet
- NSG applied to a VM (only available in the classic deployment model)
If an NSG is associated with a subnet, the rules apply to all resources that are connected to the subnet. However, you can further restrict your data traffic by setting up NSGs for NICs or VMs.
An NSG cannot be used concurrently with an endpoint access control list (ACL). This brings us to the keyword "rules", or rather NSG rules. Rules come in two categories: rules for incoming (inbound) traffic and rules for outgoing (outbound) traffic. Every rule has exactly one of two possible actions: allow traffic or deny traffic.
Let's look at the NSG rules in more detail. An NSG rule consists of the following properties:
| Property | Description | Constraints |
|---|---|---|
| Name | Name for the rule. | Must be unique within the region. Can contain letters, numbers, underscores, periods, and hyphens. |
| Protocol | Protocol to match for the rule. | TCP, UDP, or * (for all protocols). |
| Source port range | Source port range to match for the rule. | Single port number, port range, or * (for all ports). |
| Destination port range | Destination port range to match for the rule. | Single port number, port range, or * (for all ports). |
| Source address prefix | Source address prefix or tag to match for the rule. | Single IP address, IP subnet, or * (for all addresses). |
| Destination address prefix | Destination address prefix or tag to match for the rule. | Single IP address, IP subnet, or * (for all addresses). |
| Direction | Direction of traffic to match for the rule. | Inbound or outbound. |
| Priority | Rules are checked in order of priority (lowest number first). Once a rule matches, no further rules are evaluated. | Number between 100 and 4,096. |
| Access | Type of access to apply if the rule matches. | Allow or deny. |
All NSGs contain a set of default rules after creation. The default rules cannot be deleted, but they have the lowest priority and can therefore be overridden by rules you create yourself.
The default rules allow or deny traffic as follows:
- Virtual network: Traffic from or to the virtual network is allowed in both the inbound and the outbound direction.
- Internet: Outbound traffic is allowed. Inbound traffic is blocked.
- Load balancer: Inbound health probes from the Azure load balancer to the virtual machines and role instances are allowed. You can override this rule if you do not use load balancing.
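The evaluation order described above (lowest priority number first, first match wins, default rules last) is easy to get wrong when a custom Allow and Deny overlap. The following simulator is an added example, not Azure code or any tool's API; the rule names, the VNet range 10.0.0.0/16, the admin subnet 10.0.1.0/24 and the tag mapping are constructed sample values, and the default rules are given priorities above the 100–4,096 user range to reflect the page's statement that they rank lowest.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NsgRule:
    name: str
    priority: int    # lower number = evaluated earlier
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "TCP", "UDP" or "*"
    src_prefix: str  # single IP, CIDR, service tag or "*"
    dst_port: str    # single port, "lo-hi" range or "*"

# Constructed tag table: which address range a service tag stands for in this sample.
TAGS = {"VirtualNetwork": "10.0.0.0/16"}

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def _prefix_matches(spec: str, addr: str) -> bool:
    spec = TAGS.get(spec, spec)          # resolve a service tag to its CIDR
    if spec == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, direction: str, protocol: str, src: str, dst_port: int):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.upper() != protocol.upper():
            continue
        if not _prefix_matches(r.src_prefix, src) or not _port_matches(r.dst_port, dst_port):
            continue
        return r.access, r.name
    return "Deny", "<no rule matched>"   # unreachable while a catch-all default rule exists

# Constructed rule set: two custom rules plus two default-style rules ranked last.
SAMPLE_RULES = [
    NsgRule("allow-ssh-from-admins", 100, "Inbound", "Allow", "TCP", "10.0.1.0/24", "22"),
    NsgRule("deny-ssh-from-anywhere", 200, "Inbound", "Deny", "TCP", "*", "22"),
    NsgRule("allow-web-range", 300, "Inbound", "Allow", "TCP", "*", "8000-8080"),
    NsgRule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]
```

Because the Allow at priority 100 is evaluated before the Deny at priority 200, SSH from the admin subnet is admitted while SSH from anywhere else is rejected by the custom Deny rather than falling through to DenyAllInBound.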