Network Security Group

Azure Network Security Group (NSG) is a security feature that enables users to control network traffic to resources in an Azure Virtual Network. NSG acts as a virtual firewall, allowing or denying network traffic based on user-defined rules. Azure NSG provides a way to filter network traffic at the subnet or virtual machine level within a virtual network. It allows users to create inbound and outbound security rules that define the traffic that is allowed or denied based on criteria such as source IP address, destination IP address, protocol, and port number. NSG rules can be applied to a virtual network subnet or a specific virtual machine. Users can create custom rules to allow or deny traffic, and can also use pre-defined rules provided by Azure. NSG also integrates with Azure Application Security Groups, enabling users to create rules based on application and workload-specific requirements. Azure NSG provides an additional layer of security to Azure Virtual Networks, allowing users to implement granular security policies to control inbound and outbound traffic to their resources. It helps protect against network-based attacks and unauthorized access to resources, making it an important component of network security in Azure.‍

Terraform Name

azurerm_network_security_group

attributes:

The following arguments are supported:

name - (Required) Specifies the name of the network security group. Changing this forces a new resource to be created.
resource_group_name - (Required) The name of the resource group in which to create the network security group. Changing this forces a new resource to be created.
location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
security_rule - (Optional) List of objects representing security rules, as defined below.

NOTE

Since security_rule can be configured both inline and via the separate azurerm_network_security_rule resource, we have to explicitly set it to empty slice ([]) to remove it.

tags - (Optional) A mapping of tags to assign to the resource.

A security_rule block support:

name - (Required) The name of the security rule.
description - (Optional) A description for this rule. Restricted to 140 characters.
protocol - (Required) Network protocol this rule applies to. Possible values include Tcp, Udp, Icmp, Esp, Ah or * (which matches all).
source_port_range - (Optional) Source Port or Range. Integer or range between 0 and 65535 or * to match any. This is required if source_port_ranges is not specified.
source_port_ranges - (Optional) List of source ports or port ranges. This is required if source_port_range is not specified.
destination_port_range - (Optional) Destination Port or Range. Integer or range between 0 and 65535 or * to match any. This is required if destination_port_ranges is not specified.
destination_port_ranges - (Optional) List of destination ports or port ranges. This is required if destination_port_range is not specified.
source_address_prefix - (Optional) CIDR or source IP range or * to match any IP. Tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used. This is required if source_address_prefixes is not specified.
source_address_prefixes - (Optional) List of source address prefixes. Tags may not be used. This is required if source_address_prefix is not specified.
source_application_security_group_ids - (Optional) A List of source Application Security Group IDs
destination_address_prefix - (Optional) CIDR or destination IP range or * to match any IP. Tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used. This is required if destination_address_prefixes is not specified.
destination_address_prefixes - (Optional) List of destination address prefixes. Tags may not be used. This is required if destination_address_prefix is not specified.
destination_application_security_group_ids - (Optional) A List of destination Application Security Group IDs
access - (Required) Specifies whether network traffic is allowed or denied. Possible values are Allow and Deny.
priority - (Required) Specifies the priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.
direction - (Required) The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are Inbound and Outbound.

‍

Associating resources with a

Network Security Group

Resources do not "belong" to a

Network Security Group

Rather, one or more Security Groups are associated to a resource.

Create

Network Security Group

via Terraform:

The following HCL manages a network security group that contains a list of network security rules

Syntax:

resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}

resource "azurerm_network_security_group" "example" {
name = "acceptanceTestSecurityGroup1"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name

security_rule {
name = "test123"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}

tags = {
environment = "Production"
}
}

Create

Network Security Group

via CLI:

Parameters:

az network nsg create --name
--resource-group
[--location]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--tags]

Example:

az network nsg create -g MyResourceGroup -n MyNsg --tags foo=bar

Costs

Direct Cost

Indirect Cost

No items found.

Best Practices for

Network Security Group

Categorized by Availability, Security & Compliance and Cost

Medium

AMI (Amazon Machine Images) not in use

AWS Cost Optimization