What is a Network Security Group (NSG)?
An NSG (Network Security Group) is a set of security rules that allow or deny network traffic to and from Azure resources. An NSG can be associated with a subnet in a Virtual Network (VNet) or with the network interface (NIC) of a Virtual Machine (VM), and both can apply to the same VM at once: inbound traffic is filtered by the subnet NSG first and then by the NIC NSG, outbound traffic in the reverse order, so a flow must be allowed by both to get through.
Each rule specifies the traffic it matches by source and destination IP address (a single address, a CIDR range, or a service tag), source and destination port, and protocol, and states whether matching traffic is allowed or denied.
Key Components of an NSG
Security Rules
Each rule defines criteria for matching network traffic and specifies whether that traffic is allowed or denied.
Priority
Rules are evaluated in priority order (lower numbers have higher priority). The first rule that matches decides: the traffic is allowed or denied accordingly, and no further rules are evaluated. Custom rules use priorities 100 to 4096, and a priority number must be unique within a direction.
Direction
NSG rules can be defined for inbound traffic (traffic coming into a VM or subnet) or outbound traffic (traffic leaving a VM or subnet).
Protocol
The rules can apply to a specific protocol (TCP, UDP or ICMP) or to any protocol (*).
Source and Destination
Rules can be set based on an IP address or CIDR range for both the source and destination. You can also use Azure service tags such as VirtualNetwork, Internet, and AzureLoadBalancer to simplify rule creation. Be aware of what each tag covers: VirtualNetwork is broader than the VNet itself (it includes peered VNets and on-premises ranges reachable through a VNet gateway), and AzureLoadBalancer matches only the platform's health-probe source address, not the clients behind a load balancer.
Ports
The rules apply to specific port ranges or a single port, such as 80 for HTTP or 443 for HTTPS.
Default NSG Rules
When you create an NSG in Azure, several default rules are automatically applied, even if you don't define any custom rules.
Default Rules
These default rules are implicit and cannot be deleted, though they can be overridden by custom rules with lower priority numbers.
AllowVnetInBound (Priority 65000)
Allows inbound traffic whose source and destination both match the VirtualNetwork service tag (the VNet itself, peered VNets, and on-premises ranges reachable through a VNet gateway).
AllowAzureLoadBalancerInBound (Priority 65001)
Allows inbound traffic from the AzureLoadBalancer service tag, i.e. the platform's health-probe source address; it does not open ports to load-balanced clients, whose traffic arrives with its original source IP.
DenyAllInBound (Priority 65500)
Denies all other inbound traffic.
AllowVnetOutBound (Priority 65000)
Allows outbound traffic from the VirtualNetwork tag to the VirtualNetwork tag.
AllowInternetOutBound (Priority 65001)
Allows outbound traffic to the Internet service tag, so a VM can reach the Internet unless you add a custom deny rule above this one.
DenyAllOutBound (Priority 65500)
Denies all other outbound traffic.
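The following is an added example, not code from the original page, that simulates the evaluation described above: custom rules and the six default rules are merged, sorted by priority, and the first match decides. The VNet address space (10.0.0.0/16), the custom rules, the flows, and the simplified service-tag handling (Internet taken as "anything outside the VNet", AzureLoadBalancer as the probe address 168.63.129.16) are assumptions made for the example; source ports are not modelled.

```python
"""Added example: simulate how an NSG evaluates a flow against its rules."""
import ipaddress
from dataclasses import dataclass

# Assumed VNet address space for this example (not from the original page).
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
SERVICE_TAGS = {
    "VirtualNetwork": VNET_PREFIXES,
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # IP, CIDR, service tag or "*"
    destination: str  # IP, CIDR, service tag or "*"
    dest_ports: str   # "22", "80-90", "22,3389" or "*"


# The six default rules every NSG carries, with the priorities Azure assigns.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(prefix: str, addr: str) -> bool:
    if prefix == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if prefix == "Internet":  # simplification: everything outside the VNet
        return not any(ip in net for net in VNET_PREFIXES)
    if prefix in SERVICE_TAGS:
        return any(ip in net for net in SERVICE_TAGS[prefix])
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(custom_rules, direction, protocol, src, dst, dport):
    """Return (access, rule_name) for the first rule, in priority order, that matches."""
    ordered = sorted(
        (r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction),
        key=lambda r: r.priority,
    )
    for r in ordered:
        if (
            (r.protocol == "*" or r.protocol.lower() == protocol.lower())
            and _addr_matches(r.source, src)
            and _addr_matches(r.destination, dst)
            and _port_matches(r.dest_ports, dport)
        ):
            return r.access, r.name
    raise RuntimeError("no rule matched; the Deny-All defaults should always catch this")


# Constructed custom rules: SSH only from a bastion subnet, an explicit SSH
# deny below it, and HTTPS open to the Internet.
CUSTOM_RULES = [
    Rule("Allow-SSH-From-Bastion", 100, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "*", "22"),
    Rule("Deny-SSH", 200, "Inbound", "Deny", "Tcp", "*", "*", "22"),
    Rule("Allow-HTTPS", 300, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
]

if __name__ == "__main__":
    vm = "10.0.1.4"
    for flow in [
        ("Inbound", "Tcp", "10.0.250.7", vm, 22),       # bastion -> SSH: Allow-SSH-From-Bastion
        ("Inbound", "Tcp", "10.0.1.9", vm, 22),         # peer VM -> SSH: Deny-SSH beats AllowVnetInBound
        ("Inbound", "Tcp", "203.0.113.5", vm, 443),     # Internet -> HTTPS: Allow-HTTPS
        ("Inbound", "Tcp", "203.0.113.5", vm, 3389),    # Internet -> RDP: DenyAllInBound
        ("Inbound", "Tcp", "168.63.129.16", vm, 3389),  # health probe: AllowAzureLoadBalancerInBound
        ("Outbound", "Udp", vm, "203.0.113.53", 53),    # VM -> Internet DNS: AllowInternetOutBound
    ]:
        print(flow, "->", evaluate(CUSTOM_RULES, *flow))
```

The second flow is the one worth studying: SSH from another VM in the same VNet would be allowed by AllowVnetInBound at 65000, but the custom Deny-SSH at 200 is evaluated first, so the default rule never gets a look.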
Review Network Security Group (NSG) rules
To review the existing NSG (Network Security Group) rules in Azure, you need to find the NSGs associated with your resources and read their rules.
Because an NSG can be attached to a subnet, to a network interface (NIC), or both, check both levels: a VM is filtered by the subnet NSG and the NIC NSG in turn, so a flow that either one denies is blocked even if the other allows it. The Effective security rules view on a NIC in the portal (or az network nic list-effective-nsg and Get-AzEffectiveNetworkSecurityGroup) shows the combined set that actually applies to that interface.
Depending on your preference, you can use the Azure Portal, Azure CLI, PowerShell, or Azure Resource Manager (ARM) templates to retrieve the information.
Let's walk through the different ways you can view the existing NSG rules.
Using the Azure Portal
The Azure Portal provides a graphical interface to view, manage, and configure NSG rules.
Steps
Log in to the Azure Portal.
Navigate to Network Security Groups: In the search bar, type "Network Security Groups" and click on the result.
Select the NSG you want to review: If you know the name of the NSG, you can search for it directly. Otherwise, you can browse through the list.
Once inside the NSG page, there will be two sections:
Inbound security rules: Lists rules that control inbound traffic to the resources associated with the NSG (e.g., VMs, NICs).
Outbound security rules: Lists rules that control outbound traffic from those resources.
You will see a table for each section that includes:
Rule Name: Name of the rule.
Priority: The priority of the rule (lower numbers are higher priority).
Direction: Whether the rule applies to Inbound or Outbound traffic.
Protocol: The protocol the rule applies to (e.g., TCP, UDP, or * for all).
Source/Destination: The IP address or range of addresses from which the traffic originates (source) or where it is destined (destination).
Port Range: The port or port range the rule applies to (e.g., port 80 for HTTP).
Action: Whether the rule allows or denies the traffic.
Review or Modify the Rules: If necessary, you can edit or add new rules directly from the portal.
Using Azure CLI
The Azure CLI provides a command-line interface to interact with Azure resources, including NSGs and their rules.
Steps
Install Azure CLI if you haven't already.
Log in to Azure:
az login
List all NSGs in a resource group:
az network nsg list \
--resource-group <ResourceGroupName> \
--output table
List the rules for a specific NSG: To list the rules for a specific NSG, run:
az network nsg rule list \
--resource-group <ResourceGroupName> \
--nsg-name <NSGName> \
--output table
This command displays the custom security rules of the NSG in tabular format. Add --include-default to list the six default rules as well, which is what you need when checking what a flow falls through to.
Example
az network nsg rule list \
--resource-group MyResourceGroup \
--nsg-name MyNSG \
--output table
This will show the list of rules in MyNSG in tabular format.
Using Azure PowerShell
You can also use Azure PowerShell to determine NSG rules.
Steps
Install Azure PowerShell (the Az module) if you haven't already.
Log in to Azure:
Connect-AzAccount
Get the list of NSGs in a resource group:
Get-AzNetworkSecurityGroup `
-ResourceGroupName <ResourceGroupName>
Get the NSG rules for a specific NSG:
Get-AzNetworkSecurityGroup `
-Name <NSGName> `
-ResourceGroupName <ResourceGroupName> | Get-AzNetworkSecurityRuleConfig
Get-AzNetworkSecurityRuleConfig takes the NSG object (piped in, or passed with -NetworkSecurityGroup) rather than a name and resource group, so the NSG is fetched first with Get-AzNetworkSecurityGroup. Add -DefaultRules to list the default rules instead of the custom ones.
Example
Get-AzNetworkSecurityGroup `
-Name MyNSG `
-ResourceGroupName MyResourceGroup | Get-AzNetworkSecurityRuleConfig
This will show the custom security rules in MyNSG. Leaving out -Name returns every NSG in the resource group, and the pipeline then prints the rules of all of them.
Using ARM Templates
You can also use Azure Resource Manager (ARM) templates to export and review the configuration of your NSG, including all security rules.
Steps
Export the ARM Template for your NSG:
Navigate to the NSG in the Azure Portal.
In the left-hand pane, select Export Template under the Automation section.
The exported ARM Template will contain the configuration of the NSG in JSON format, including all security rules.
The custom rules will be under the "properties" -> "securityRules" section, which contains details like name, priority, protocol, source, destination, ports, and action; the six default rules are exported separately under "properties" -> "defaultSecurityRules". Custom rule priorities must be between 100 and 4096; 65000 and above are reserved for the default rules, so a deployment with a custom rule at 65500 is rejected.
Example
"properties": {
  "securityRules": [
    {
      "name": "Allow-SSH",
      "properties": {
        "priority": 1000,
        "direction": "Inbound",
        "access": "Allow",
        "protocol": "Tcp",
        "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "22",
        "sourcePortRange": "*"
      }
    },
    {
      "name": "Deny-All",
      "properties": {
        "priority": 4096,
        "direction": "Inbound",
        "access": "Deny",
        "protocol": "*",
        "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "*",
        "sourcePortRange": "*"
      }
    }
  ]
}
NSG Flow Logs (for traffic analysis)
If you want to understand how traffic is actually being processed by your NSG rules (whether allowed or denied, and by which rule), you can enable NSG flow logs via Azure Network Watcher.
Flow logs record, grouped by NSG rule, each flow the rule decided: timestamp, source and destination address and port, protocol, direction, decision, and in version 2 the flow state and byte and packet counters. Note that Microsoft has announced the retirement of NSG flow logs in favor of virtual network flow logs, which capture the same kind of records at the VNet level; check the current Network Watcher documentation before building new tooling on NSG flow logs.
Steps to enable NSG Flow Logs
Navigate to Network Watcher in the Azure Portal.
Enable Flow Logs for the NSG.
Choose the Storage Account where the logs will be saved.
The logs are written as JSON blobs to that storage account. Optionally enable Traffic Analytics, which ingests them into a Log Analytics workspace so you can query which traffic is being allowed or denied and by which rule; otherwise you can parse the blobs yourself.
Flow logs help track traffic patterns and verify that NSG rules are behaving as expected, for instance that a rule you believe is unused really sees no traffic before you remove it.
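As an added example (not code from the original page or from Network Watcher), the script below parses NSG flow log records in the version 2 layout and answers the two questions the text raises: which rules actually fire, and which sources are being denied. The flow log document, the rule names, the MAC address, and the addresses are constructed for the example and labelled as such; a real blob from the storage account has the same records/properties/flows/flowTuples shape.

```python
"""Added example: summarise NSG flow log (version 2) records."""
import json
from collections import Counter

# Constructed sample resembling one flow log blob entry. Rule names carry the
# UserRule_/DefaultRule_ prefix the service uses. Tuple fields: unix time, src IP,
# dst IP, src port, dst port, protocol (T/U), direction (I/O), decision (A/D),
# then in version 2: flow state (B/C/E) and packets/bytes src->dst, dst->src,
# which are empty on the first (B) record of a flow.
SAMPLE_FLOW_LOG = json.loads(r"""
{"records": [
  {"time": "2024-05-01T12:00:35.389Z",
   "category": "NetworkSecurityGroupFlowEvent",
   "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYNSG",
   "properties": {"Version": 2, "flows": [
     {"rule": "UserRule_Allow-HTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
        "1714564800,203.0.113.5,10.0.1.4,51234,443,T,I,A,B,,,,",
        "1714564805,203.0.113.5,10.0.1.4,51234,443,T,I,A,E,12,3400,10,52000"]}]},
     {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
        "1714564801,198.51.100.23,10.0.1.4,40001,3389,T,I,D,B,,,,",
        "1714564802,198.51.100.23,10.0.1.4,40002,22,T,I,D,B,,,,",
        "1714564803,198.51.100.23,10.0.1.4,40003,445,T,I,D,B,,,,"]}]},
     {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
        "1714564810,10.0.1.4,203.0.113.53,53211,53,U,O,A,B,,,,"]}]}
   ]}}
]}
""")

PROTO = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "Inbound", "O": "Outbound"}
DECISION = {"A": "Allow", "D": "Deny"}


def parse_flows(doc):
    """Yield one dict per flow tuple, tagged with the rule that decided it."""
    for rec in doc["records"]:
        for rule_block in rec["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    yield {
                        "time": int(f[0]),
                        "src": f[1], "dst": f[2],
                        "sport": int(f[3]), "dport": int(f[4]),
                        "proto": PROTO.get(f[5], f[5]),
                        "direction": DIRECTION[f[6]],
                        "decision": DECISION[f[7]],
                        "state": f[8] if len(f) > 8 else None,  # absent in version 1
                        "bytes_in": int(f[10]) if len(f) > 10 and f[10] else 0,
                        "rule": rule_block["rule"],
                    }


def summarize_by_rule(doc):
    """Count flow tuples per (rule, decision) to see which rules actually fire."""
    return Counter((fl["rule"], fl["decision"]) for fl in parse_flows(doc))


def denied_inbound(doc):
    """(source, dport, proto, rule) for every denied inbound flow."""
    return [
        (fl["src"], fl["dport"], fl["proto"], fl["rule"])
        for fl in parse_flows(doc)
        if fl["direction"] == "Inbound" and fl["decision"] == "Deny"
    ]


def top_denied_sources(doc, n=5):
    """Sources with the most denied inbound flows, e.g. to spot a port scan."""
    return Counter(src for src, *_ in denied_inbound(doc)).most_common(n)


if __name__ == "__main__":
    for (rule, decision), count in sorted(summarize_by_rule(SAMPLE_FLOW_LOG).items()):
        print(f"{rule:40} {decision:5} {count}")
    print("top denied sources:", top_denied_sources(SAMPLE_FLOW_LOG))
```

On real data, iterate over the blobs for the hour of interest and feed each parsed JSON document to these functions; a rule that never appears in summarize_by_rule over a representative period is a candidate for removal, and a source that dominates top_denied_sources across many ports is scanning you.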
Best Practices for Managing NSG Rules
Use descriptive names for your rules (e.g., Allow-SSH, Deny-HTTP-External).
Set priorities carefully: leave gaps between custom priority numbers (100 to 4096) so rules can be inserted later, and remember that the first match wins, so an allow placed above a deny silently defeats it.
Use Azure service tags (e.g., VirtualNetwork, Internet, AzureLoadBalancer) instead of IP addresses where possible, for easier management, but know what each tag covers: VirtualNetwork includes peered VNets and on-premises ranges reachable through a gateway.
Limit overly permissive rules: avoid inbound rules that allow traffic from * (any source) or Internet, especially to management ports such as 22 and 3389, unless absolutely necessary; restrict the source to a bastion or jump-host range instead.
Use NSG flow logs to monitor traffic and adjust rules based on traffic patterns and security needs.
Audit NSG rules regularly, at both subnet and NIC level, to ensure they align with your security policies.
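The following is an added example, not code from the original page, that turns the priority and "overly permissive rule" practices above into an automated check over the JSON produced by Export Template: it flags custom priorities outside 100 to 4096, duplicate priorities within a direction, and inbound Allow rules whose source is *, Internet or 0.0.0.0/0, most severely when management ports are exposed. The template, the rule names and the set of ports treated as management ports are assumptions made for the example.

```python
"""Added example: audit the securityRules of an exported NSG ARM template."""
import json

MGMT_PORTS = {22, 3389, 5985, 5986}           # assumed set of management ports
BROAD_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed template in the shape Export Template produces for an NSG.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "MyNSG",
      "properties": {
        "securityRules": [
          {"name": "Allow-SSH", "properties": {"priority": 1000, "direction": "Inbound",
             "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
             "destinationAddressPrefix": "*", "sourcePortRange": "*", "destinationPortRange": "22"}},
          {"name": "Allow-HTTPS-Internet", "properties": {"priority": 1000, "direction": "Inbound",
             "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
             "destinationAddressPrefix": "*", "sourcePortRange": "*", "destinationPortRange": "443"}},
          {"name": "Allow-Bastion-Mgmt", "properties": {"priority": 1100, "direction": "Inbound",
             "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.250.0/24",
             "destinationAddressPrefix": "*", "sourcePortRange": "*", "destinationPortRanges": ["22", "3389"]}},
          {"name": "Deny-All", "properties": {"priority": 65500, "direction": "Inbound",
             "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
             "destinationAddressPrefix": "*", "sourcePortRange": "*", "destinationPortRange": "*"}}
        ]
      }
    }
  ]
}
""")


def _values(props, single, plural):
    """ARM rules use either the singular property or the plural list form."""
    vals = list(props.get(plural) or [])
    if props.get(single) not in (None, ""):
        vals.append(props[single])
    return vals


def _port_set(specs):
    """Expand port specs ("22", "80-90", "22,3389") to a set; None means any port."""
    ports = set()
    for spec in specs:
        for part in str(spec).split(","):
            part = part.strip()
            if part == "*":
                return None
            lo, _, hi = part.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit_nsg(template):
    """Return a list of (rule_name, finding) tuples in rule order."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        seen = {}  # (direction, priority) -> first rule using it
        for rule in res["properties"].get("securityRules", []):
            name, p = rule["name"], rule["properties"]
            prio, direction = int(p["priority"]), p["direction"]
            if not 100 <= prio <= 4096:
                findings.append((name, f"priority {prio} is outside the custom range 100-4096"))
            key = (direction, prio)
            if key in seen:
                findings.append((name, f"priority {prio} ({direction}) is already used by {seen[key]}"))
            seen.setdefault(key, name)
            if p["access"] != "Allow" or direction != "Inbound":
                continue
            broad = [s for s in _values(p, "sourceAddressPrefix", "sourceAddressPrefixes") if s in BROAD_SOURCES]
            if not broad:
                continue
            ports = _port_set(_values(p, "destinationPortRange", "destinationPortRanges"))
            if ports is None:
                findings.append((name, f"allows Inbound from {broad[0]} to every port"))
            elif ports & MGMT_PORTS:
                findings.append((name, f"allows Inbound from {broad[0]} to management port(s) {sorted(ports & MGMT_PORTS)}"))
            else:
                findings.append((name, f"allows Inbound from {broad[0]} to port(s) {sorted(ports)}; confirm this exposure is intended"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_nsg(SAMPLE_TEMPLATE):
        print(f"{rule_name}: {finding}")
```

Run it against the template exported for each NSG as part of a periodic audit; the duplicate-priority and out-of-range checks catch hand-edited templates before deployment rejects them, and the exposure findings are the ones to review against the bastion-only pattern recommended above.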
By using these methods, you can thoroughly review the NSG rules in your Azure environment and ensure they are properly configured to secure your resources.
Summary of Methods
Azure Portal: Use the GUI to review and manage rules.
Azure CLI: Use the az network nsg rule list command to list the rules of an NSG (and az network nsg list to find the NSGs in a resource group).
Azure PowerShell: Use Get-AzNetworkSecurityGroup piped into Get-AzNetworkSecurityRuleConfig to fetch NSG rules.
ARM Template: Export and review the NSG's configuration, including rules, in JSON format.
NSG Flow Logs: Enable flow logs via Network Watcher to analyze traffic that matches your NSG rules.
These methods allow you to determine the NSG rules configured in your Azure environment and inspect how traffic is being filtered based on those rules. You can use these tools for monitoring, troubleshooting, and ensuring that your network security posture is correct.