
Last updated December 17th, 2024 by Avigdor Book

While slower to market than AWS, Microsoft Azure was a light lift for many companies that were already invested in the Microsoft ecosystem. By offering a direct connection with Active Directory (AD) through Azure AD and native support for PowerShell-based scripting, the transition to Azure made sense for many Microsoft shops.

One of the many security mechanisms that Microsoft Azure provides is its Azure Network Security Groups (NSGs). NSGs play an integral role in controlling the traffic entering and leaving your Azure resources, shaping a secure and manageable cloud environment.

Each Azure subscription can have multiple NSGs, which can be associated with various Azure resources within a resource group. The rules in an NSG can be customized to suit your business needs, ensuring a secure Azure Virtual Network (VNet) and effective Azure security.

As you incorporate more Azure services, understanding how to use NSGs effectively can improve your network security.

What are security groups in Azure?

Azure Network Security Groups in Azure are like bouncers at a nightclub. They control the flow of traffic to and from Azure resources, such as subnets and network interfaces attached to virtual machines. At a high level, they consist of two types of rules:

  • inbound security rules: define which network traffic is allowed or denied into the network
  • outbound security rules: define which network traffic may leave the internal network for the public internet

To manage your NSGs, Microsoft provides Azure Resource Manager, a deployment and management service. This layer provides management features like:

  • Access controls
  • Locks
  • Tags

Additionally, all capabilities in the Azure portal are available through:

  • PowerShell
  • Azure CLI
  • REST APIs
  • Client SDKs

What is the difference between a network security policy and a network security group?

NSGs filter traffic between Azure resources in an Azure virtual network, controlling which resources can communicate with each other. The network security policy defines who has access to network resources: which network traffic is allowed in and which communications are allowed out.

These rules to allow or deny network traffic are based on properties like:

  • IP address
  • Source Port and Destination port
  • Protocol (TCP, UDP, ICMP)

You can define as many rules for a network security group as you want, as long as you stay within your subscription’s limits.

What is in a security rule?

Each rule contains the following:

  • Name: unique identification within the NSG
  • Priority: the evaluation order; higher-priority rules (those with the lower priority number) are processed first, and the first matching rule is applied
  • Source or destination: Any, an individual IP address, a classless inter-domain routing (CIDR) block, a service tag, or an application security group
  • Protocol: TCP, UDP, ICMP, ESP, AH, or Any
  • Direction: inbound or outbound
  • Port range: individual or range of ports
  • Action: Allow or Deny

When you create multiple rules that allow communications between the different resources, you create a network security group.

You should keep in mind the following:

  • Removing a security rule from an NSG may not interrupt existing connections
  • Modifications to network security group rules only affect new connections

What is the difference between ASG and NSG in Azure?

Although Application Security Groups (ASGs) and Network Security Groups (NSGs) both help secure virtual networks, they work differently.

NSGs act as a basic, stateful, flexible firewall managing network traffic between Azure resources in a virtual network.

Application security groups create groups of virtual machines based on different application tiers. The platform handles the explicit IP addresses and multiple rule sets, so you can focus on business logic. By using application security groups, you can create rules that control traffic to network interfaces at a more granular level.

How do NSGs work?

Let’s dive deeper into Azure NSGs through an example. Suppose you have a web server hosted on an Azure virtual machine. You want to allow incoming HTTP and HTTPS traffic, but you also need to restrict outgoing traffic for additional security.

You can achieve this by configuring an NSG with inbound security rules allowing HTTP (port 80) and HTTPS (port 443) traffic. Outbound traffic can be restricted by configuring the outbound security rules. This configuration ensures that your web server is accessible to your customers while securing it from potential threats.

Using Microsoft’s scripting language, PowerShell, you can manage NSGs by:

  • Creating new rules and NSGs
  • Configuring security rules
  • Automating processes to reduce errors and save time

Additionally, Azure NSGs come with default rules. These rules cannot be deleted but can be overridden by defining higher-priority custom rules. Understanding these default rules can help configure your NSGs more effectively.

Managing inbound traffic with NSGs

Azure processes NSG rules for inbound traffic in the following order:

  • Subnet
  • Network interface

Some additional considerations:

  • The default security rule is to deny all inbound traffic.
  • A virtual machine whose network interface is not associated with an NSG follows the allow or deny rules of the NSG associated with its subnet, if there is one.
  • A subnet not associated with an NSG follows the NSG associated with the network interface attached to the virtual machine.
  • When neither the subnet nor the virtual machine’s network interface is associated with an NSG, all network traffic is blocked.

Managing outbound traffic with NSGs

Azure processes the outbound traffic rules in the opposite order of its inbound processing:

  • Network interface
  • Subnet

Some additional considerations:

  • The default security rule will allow traffic unless you create a specific rule to deny outbound traffic on a port.
  • A virtual machine not associated with an NSG will allow traffic through the network interface to the subnet.
  • All traffic will be allowed if no virtual machine, network interface, or subnet is associated with an NSG.
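To make the evaluation order concrete, the following is an added Python simulator (not code from this post, from Tufin or from Microsoft) that applies the priority ordering, the built-in default rules, and the subnet-then-NIC (inbound) / NIC-then-subnet (outbound) processing to the web-server scenario from the "How do NSGs work?" section. The VNet range, addresses and rule names are constructed for the example, and service tags are simplified to "inside the VNet" versus "outside the VNet".

```python
import ipaddress
from collections import namedtuple
VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space for the scenario
# One NSG rule; protocol/source/dest/dest_port default to "*". Source/dest take a CIDR, "*", or a service tag.
Rule = namedtuple("Rule", "name priority direction access protocol source dest dest_port",
                  defaults=("*", "*", "*", "*"))
# Azure's default rules (priority 65000+): not deletable, only overridable by a lower-numbered custom rule.
DEFAULT_RULES = [  # AllowAzureLoadBalancerInBound is omitted for brevity
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dest="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]

def _in_prefix(ip, prefix):  # service tags simplified: VirtualNetwork = inside VNET, Internet = outside it
    if prefix in ("VirtualNetwork", "Internet"):
        return (ip in VNET) == (prefix == "VirtualNetwork")
    return prefix == "*" or ip in ipaddress.ip_network(prefix)

def _matches(r, flow):  # flow = (direction, src_ip, dst_ip, dst_port, protocol)
    direction, src, dst, port, proto = flow
    lo, _, hi = r.dest_port.partition("-")
    return (r.direction == direction and r.protocol in ("*", proto) and _in_prefix(src, r.source)
            and _in_prefix(dst, r.dest) and (lo == "*" or int(lo) <= port <= int(hi or lo)))

def evaluate(nsg, flow):
    """One NSG: custom rules plus defaults, lowest priority number first; the first match decides."""
    return next(r for r in sorted(list(nsg) + DEFAULT_RULES, key=lambda r: r.priority) if _matches(r, flow))

def flow_allowed(flow, subnet_nsg, nic_nsg):
    """Inbound: subnet NSG then NIC NSG; outbound: NIC then subnet. Every attached NSG must allow (None = no NSG)."""
    order = [subnet_nsg, nic_nsg] if flow[0] == "Inbound" else [nic_nsg, subnet_nsg]
    for nsg in (n for n in order if n is not None):
        hit = evaluate(nsg, flow)
        if hit.access == "Deny":
            return False, hit.name  # (allowed?, name of the deciding rule)
    return True, "allowed"

# Constructed scenario: web server 10.0.1.4; subnet NSG admits HTTP/HTTPS and blocks outbound Internet traffic
WEB_NSG = [Rule("AllowHttpIn", 100, "Inbound", "Allow", "Tcp", dest_port="80"),
           Rule("AllowHttpsIn", 110, "Inbound", "Allow", "Tcp", dest_port="443"),
           Rule("DenyInternetOut", 200, "Outbound", "Deny", dest="Internet")]
NIC_ALLOW_SSH = [Rule("AllowSshIn", 100, "Inbound", "Allow", "Tcp", dest_port="22")]  # NIC-level attempt
def web_server_checks():
    web, client, db = map(ipaddress.ip_address, ("10.0.1.4", "203.0.113.9", "10.0.2.5"))
    return {"https_in": flow_allowed(("Inbound", client, web, 443, "Tcp"), WEB_NSG, None),
            "ssh_in_nic_allow": flow_allowed(("Inbound", client, web, 22, "Tcp"), WEB_NSG, NIC_ALLOW_SSH),
            "web_to_internet": flow_allowed(("Outbound", web, client, 443, "Tcp"), WEB_NSG, None),
            "web_to_db": flow_allowed(("Outbound", web, db, 1433, "Tcp"), WEB_NSG, None)}
```

The `ssh_in_nic_allow` case is the one worth studying: the NIC-level allow never gets a say because the subnet NSG is evaluated first and its default DenyAllInBound already dropped the flow.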

Managing intra-subnet traffic with NSGs

You should consider how an NSG’s security rules for a subnet impact the virtual machines within it. Any rules that deny all inbound or all outbound traffic will affect the default rule allowing all virtual machine intra-subnet communication.

Some considerations include:

  • Reviewing the effective security rules for a network interface
  • Using IP flow verify to determine whether communications are allowed or denied

Best Practices for Managing NSGs and Network Security

Microsoft’s experts provide several suggestions for implementing best practices for Azure security. To manage your NSGs, you can use the Azure portal for reviewing flow logs that test and verify connectivity to and from different IP addresses, including virtual machines and public IPs. However, managing your Azure security along with an on-premises data center or in a multi-cloud environment can be challenging.

Implement robust network controls

Using Azure virtual networks allows you to connect Azure virtual machines and appliances to other devices. When planning your network architecture, you should centralize the management and governance of network elements and security functions, including:

  • ExpressRoute
  • Virtual network and subnet provisioning
  • IP addresses

Tufin supports Azure Resource Manager, enabling you to consolidate all security policy and NSG management activities in a single console. If you have a multi-cloud or on-premises environment you need to manage, our vendor-agnostic Unified Security Policies (USPs) allow you to create consistent rules across all firewall vendors.

Segment subnets logically

Similar to how you would manage an on-premises network, you want to place all your Azure virtual machines on a private IP address space.

When segregating subnets, you should:

  • Avoid broad ranges: Specific rules, rather than broad IP address ranges, reduce risk.
  • Create network access controls between subnets: NSGs can protect against unsolicited inbound traffic with simple, stateful packet inspection.
  • Ensure simplicity and flexibility: Defining subnets broadly reduces time and effort spent when you add more resources.
  • Use application security groups: NSG management can be simplified by creating ASGs for IP addresses that might change or be used across multiple NSGs.

In complex network environments, gaining visibility into connectivity across all resources becomes challenging. Using Tufin’s network topology maps, you gain comprehensive visibility and insights with a central hub of security truth that allows users to visualize and handle all network traffic and network nodes from a single console.

Further, with our pre-defined regulatory compliance templates, you can easily define segmentation policies in alignment with mandates to ensure you properly segregate the environment and manage security zones across multiple vendors.

Use a Zero Trust Architecture

While virtual private networks (VPNs) have been a go-to solution for remote access, Zero Trust Network Access (ZTNA) provides a more granular approach with access controls that apply the principle of least privilege.

Some best practices for Azure security include:

  • Use conditional access: Microsoft Entra Conditional Access allows you to automate access control decisions based on device, identity, assurance, network location, and other attributes.
  • Use just-in-time access: Microsoft offers tools to help you grant temporary permissions to virtual machines or when users need to perform privileged tasks.

With Tufin, you can consistently and automatically apply any level of segmentation across:

  • Microservices
  • Network zones
  • User IDs
  • App-IDs

By using Tufin as an orchestrator across zones, tags, namespaces, NSGs, and firewall rules, you can enforce your segmentation and access controls across cloud environments and data centers, following the workload wherever you deploy it.

Azure NSGs with Tufin

To make the most of Azure NSGs and manage them in a hybrid cloud environment, it is important to have a network security solution.

Tufin, a pioneer in firewall management, offers solutions such as Security Policy Management for Microsoft Azure Firewalls, NSGs and NVAs. With Tufin, you can visualize your entire firewall network topology and manage your Azure NSGs more effectively.

With Tufin’s Unified Security Policies (USPs), you can create vendor-agnostic security policies to manage network security and connectivity across your Azure services or multi-cloud environment. Our USPs enable you to implement and maintain mission-critical compliance across Azure, AWS, GCP, and on-premises data centers.

Our workflows allow you to proactively review risks during the change management process, ensuring that you maintain security while reducing service outages.

Tufin augments your firewall optimization efforts by streamlining the management of firewall rules and policies. This way, you can ensure the optimal performance of your Azure resources.

In addition, Tufin’s latest release highlights include best-in-class network access automation and security policy management for Microsoft Azure (including Azure Firewall), resulting in better network visibility.

FAQs about Azure Network Security Groups

What are network security groups in Azure?

Network Security Groups (NSGs) in Azure are security features that allow or deny inbound and outbound network traffic to Azure resources such as virtual machines and subnets. They are key elements of Azure network security. Check out this article for a look at how Tufin enhances your Azure network security.

Are there security groups in Azure?

Yes, Azure provides Network Security Groups (NSGs) and Application Security Groups (ASGs). While NSGs are responsible for controlling traffic to and from Azure resources, ASGs are used to group web servers with similar functions, such as a group of Windows servers. Learn more about security groups and segmentation here.

What is the difference between Azure WAF and NSG?

Azure Web Application Firewall (WAF) and Network Security Group (NSG) are both security features in Azure. However, while NSGs function at the network layer (Layer 3) and control access to networks, WAF works at the application layer (Layer 7) and protects web applications from common web-based attacks. Learn about consolidating your Azure network security policies in one central location here.

Wrapping Up

In summary, Azure Network Security Groups are a vital tool for protecting your network in the cloud. Coupled with Tufin’s solutions, you can ensure that your network is secure, optimized, and compliant with regulatory requirements. Tufin provides an unparalleled firewall management experience that elevates your Azure security. Ready to experience the difference? Request a demo today.
