Q: What are Network Security Groups?

A: Network Security Groups allow rules to be defined that control the types of traffic permitted between virtual subnets in an Azure virtual network and even between specific virtual machines. This is very useful if you want controlled traffic flow between virtual subnets in Azure.

There are two primary phases to use Network Security Groups. First, create one or more rules, then apply the rules to a virtual subnet or virtual machine. Note that rules can be applied to both a virtual machine and the virtual subnet that the virtual machine resides in. The rules assigned to the virtual subnet are applied first, then the rules are applied to the virtual machine. This configuration effectively gives the virtual machine two layers of protection. Network Security Group rules use 5-tuple:

  • Source IP address (can be a range using CIDR format)
  • Source port
  • Destination IP address (can be a range using CIDR format)
  • Destination port
  • Protocol (TCP, UDP, or *)

For the explicit rules, see "About Network Security Groups." These rules have very low priorities (65000 and lower), which means you can override these defaults with your own rules. When you create rules, there are three special system-provided identifiers you can use to identify certain special types of traffic:

  • VIRTUAL_NETWORK: Identifies traffic within the virtual network address space and for connected networks such as another virtual network or on-premises network
  • AZURE_LOADBALANCER: The Azure infrastructure load balancer
  • INTERNET: IP address space external to the virtual network that's reachable from the Internet

Network Security Group rules are created using PowerShell, specifically the Set-AzureNetworkSecurityRule cmdlet. The rules are applied to a Network Security Group that's created with New-AzureNetworkSecurityGroup.

The first step is to create a new Network Security Group that's created within a specific region (i.e., the same region the Network Security Group can be used in). In the following example I create a new Network Security Group in the eastern United States.

New-AzureNetworkSecurityGroup -Name "NSGFrontEnd" -Location "East US" `
-Label "NSG for FrontEnd in East US"

The next step is to apply a rule to the newly created Network Security Group. This rule allows all traffic from the Internet. Multiple rules can be added to a single group.

Get-AzureNetworkSecurityGroup -Name "NSGFrontEnd" |
Set-AzureNetworkSecurityRule -Name WEB -Type Inbound -Priority 100 `
-Action Allow -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' `
-DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol TCP

To apply a Network Security Group to a virtual machine, use the following code:

Get-AzureVM -ServiceName $service -Name $VM |
Set-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName "NSGFrontEnd"

To apply a Network Security Group to a virtual subnet, use:

Get-AzureNetworkSecurityGroup -Name "NSGFrontEnd" |
Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName 'VNetTest' `
-SubnetName 'FrontEndSubnet'