What is Azure Network Security Group (NSGs)? An Overview
An Azure security group is simply a set of access control rules, utilized to secure a subnet or a virtual network. The rules scrutinize incoming and outgoing traffic to select a package or reject one if necessary.
It is made up of two layers. They are the VM-level Network Security Group and the subnet-level Network Security Group. In other words, Azure Network Security Group (NSG) is a fully managed service, which aids in filtering and polishing traffic to and from Azure VNet.
The assortment of security rules can be enabled or disabled by a client in accordance with his or her choice. It makes use of distinct attributes like, source and destination port, source and destination IP, protocol, priority, direction (whether traffic is incoming or outgoing) and action to find out if the package should be accepted or rejected.
Network Security Group rules
After the security group is created, its individual rules can be managed. A rule signifies whether a network traffic is harmless and whether it should be allowed to pass through the network or rejected. The components and properties of the rule are:
Name – A distinctive name, so that the administrators are easily able to locate the rule.
Priority – It’s a special number between 100 and 4096, which indicates the processing order of the rule. Accordingly, The lower the number of the rule, the higher is the priority for its execution.
Source or destination – This denotes that for which user, users or application is the rule meant for. It can be an Azure resource, IP address range, individual IP address, service tag or application security group.
Protocol – They are, Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP) to be assessed eventually.
Direction – This means that whether the rule is applicable to incoming or outgoing traffic.
Port Range – This specifies the port or range of ports the rule pertains to.
Action – This is to let the traffic through by setting “Allow”, or blocking it by setting “Deny”.
Azure Network Security Group Best Practices
The collection of best practices enhance network security. The best practices are acquired from experience with Azure networking and also from the experiences of the clientele. Some of them are,
1. A function called flow logging or network interface logging level, is offered in the Azure network observer for Network Security Groups.
2. Right after flow logging is activated, logs are transferred to the storage server that was specified during set up.
3. The flow log’s data is seen in JavaScript Object Notation (JSON) format.
4. The result exhibits flow for both incoming or outgoing traffic on a per-basis-rule basis.
5. One of the most appropriate technical methods for Azure network security groups is prioritizing of Network Security Group rules.
6. Each new rule is added bit by bit, while the NSG rules are deployed in a priority sequence from 100 to 4097.
7. Rules are evaluated at the micro level.
8. Every rule is observed in an order of importance. In case the first rule suits the traffic then the other rules are not further scrutinized.
9. A proper naming practice from the start may highly streamline the process of support, although it may appear as unnecessary.
10. On most occasions, one NSG can be combined with multiple Network Interface Cards (NIC), Subnets and also VNets.
11. An NSG has a maximum of 1000 rules and by default 100 rules, when there is a request for support. Multiples are not required, if this limit is not surpassed.
Inference
An Azure Security Group finds favour with users because it aids in swiftly and effortlessly controlling network security. Notwithstanding the teething problems of configuration, while the process becomes seamless with the help of service tags and application security groups.