How network security groups filter network traffic
Network traffic to and from Azure resources in an Azure virtual network can be filtered with an Azure network security group. A network security group contains security rules that allow or deny inbound network traffic to, and outbound network traffic from, several types of Azure resources. For each rule, you can specify the source, destination, port, and protocol.
Resources from a variety of Azure services can be deployed into an Azure virtual network; see Services that can be installed into a virtual network for the complete list. Each subnet in a virtual network and each network interface in a virtual machine can have zero or one network security group associated with it. The same network security group can be associated with as many subnets and network interfaces as you choose.
The following image shows different ways that network security groups can be deployed to allow network traffic to and from the internet over TCP port 80:
Refer to the preceding image and the text that follows to understand how Azure processes inbound and outbound rules for network security groups:
Inbound traffic
If a network security group is associated with the subnet, Azure processes its rules first. If a network security group is associated with the network interface, Azure processes its rules second. This also applies to traffic between resources within a single subnet.
1. VM1: The security rules in NSG1 are processed, because NSG1 is associated with Subnet1 and VM1 is in Subnet1. Unless a rule that allows port 80 inbound has been created, the Deny All Inbound default security rule denies the traffic, and NSG2, which is associated with the network interface, never evaluates it. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
2. VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. Since no network security group is associated with VM2’s network interface, VM2 receives all traffic allowed through NSG1 and is denied all traffic denied by NSG1. When a network security group is associated with a subnet, traffic is allowed or denied for all resources in that subnet.
3. VM3: Because no network security group is associated with Subnet2, traffic is allowed into the subnet and is processed by NSG2, which is associated with the network interface attached to VM3.
4. VM4: Traffic to VM4 is allowed because neither Subnet3 nor the virtual machine’s network interface has a network security group associated with it. When neither a subnet nor a network interface has a network security group, all network traffic is allowed through them.
Outbound traffic
If a network security group is associated with the network interface, Azure processes its rules first; it then processes the rules of a network security group associated with the subnet, if one exists. This also applies to traffic within a single subnet.
1. VM1: The security rules in NSG2 are processed. The Allow Internet Outbound default security rule in both NSG1 and NSG2 allows the traffic unless you create a security rule that denies port 80 outbound to the internet. If NSG2 has a security rule that denies port 80, the traffic is denied and is never evaluated by NSG1. To deny port 80 from the virtual machine, either one or both of the network security groups must have a rule that denies port 80 to the internet.
2. VM2: Because no network security group is associated with the network interface attached to VM2, all traffic passes through that interface to the subnet, where the rules in NSG1 are processed.
3. VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. Otherwise, the traffic is allowed by the Allow Internet Outbound default security rule in NSG2, because Subnet2 has no network security group associated with it.
4. VM4: All network traffic from VM4 is allowed because no network security group is associated with the network interface attached to the virtual machine or with Subnet3.
Intra-Subnet traffic
1. It is important to note that security rules in an NSG associated with a subnet can affect connectivity between VMs within that subnet. By default, virtual machines in the same subnet can communicate with one another because of a default NSG rule that allows intra-subnet traffic. If a rule that denies all inbound and outbound traffic is added to NSG1, VM1 and VM2 will no longer be able to communicate with each other.
2. Viewing the effective security rules for a network interface makes it easy to see the aggregate rules applied to that interface. To determine whether traffic is allowed to or from a network interface, you can also use the IP flow verify capability in Azure Network Watcher. IP flow verify tells you whether communication is allowed or denied, and which network security rule allows or denies the traffic.
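As an added example (not Azure’s code or part of the original article), the following Python model replays the two-stage evaluation described in the inbound, outbound and intra-subnet sections above: each NSG is evaluated in rule priority order together with the six default rules Azure adds to every NSG, inbound flows are checked against the subnet NSG and then the NIC NSG, outbound flows the reverse, and a missing NSG passes everything. The `Rule` fields, the "internet"/"vnet"/"lb" peer tags standing in for Azure service tags, and the priority-100 rules used when exercising it are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    priority: int            # lower number is evaluated first
    direction: str           # "in" or "out"
    action: str              # "allow" or "deny"
    port: Optional[int]      # None matches any port
    peer: Optional[str]      # "internet", "vnet", "lb"; None matches any (constructed tags)


# Default rules Azure adds to every NSG (priorities 65000-65500); the peer
# tags are this example's simplification of Azure's service tags.
DEFAULT_RULES = [
    Rule(65000, "in", "allow", None, "vnet"),       # AllowVnetInBound
    Rule(65001, "in", "allow", None, "lb"),         # AllowAzureLoadBalancerInBound
    Rule(65500, "in", "deny", None, None),          # DenyAllInBound
    Rule(65000, "out", "allow", None, "vnet"),      # AllowVnetOutBound
    Rule(65001, "out", "allow", None, "internet"),  # AllowInternetOutBound
    Rule(65500, "out", "deny", None, None),         # DenyAllOutBound
]


@dataclass
class NSG:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, direction: str, port: int, peer: str) -> str:
        """Action of the first matching rule in priority order. Azure stops
        at the first match, and the default rules guarantee one exists."""
        for r in sorted(self.rules + DEFAULT_RULES, key=lambda r: r.priority):
            if (r.direction == direction and r.port in (None, port)
                    and r.peer in (None, peer)):
                return r.action
        return "deny"


def flow_allowed(subnet_nsg: Optional[NSG], nic_nsg: Optional[NSG],
                 direction: str, port: int, peer: str) -> bool:
    """Inbound: subnet NSG first, then NIC NSG. Outbound: the reverse.
    A missing NSG (None) passes everything; a deny at either stage ends
    evaluation, so both NSGs must allow the flow for it to pass."""
    order = [subnet_nsg, nic_nsg] if direction == "in" else [nic_nsg, subnet_nsg]
    for nsg in order:
        if nsg is not None and nsg.evaluate(direction, port, peer) == "deny":
            return False
    return True
```

Replaying VM1 with `flow_allowed(NSG("NSG1"), NSG("NSG2"), "in", 80, "internet")` returns False until an allow-80 rule is added to both NSGs, matching the inbound section.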