Azure Network Security Groups
By Pooja | 18th July 2025
Introduction
In any cloud-based environment, securing network traffic is fundamental. Microsoft Azure offers Network Security Groups (NSGs) as a powerful and flexible tool to control inbound and outbound traffic to Azure resources.
Whether you’re deploying a simple web app or a complex multi-tier cloud architecture, NSGs act as your cloud-native firewall at the subnet or VM level, allowing or denying traffic based on a rich set of rules.
This guide explores Azure NSGs in depth, helping you understand how they work, how to configure them securely, and how to optimize traffic control in your virtual networks.
What is a Network Security Group (NSG)?
An Azure Network Security Group (NSG) is a stateful, rule-based traffic filter used to control network traffic to and from Azure resources.
An NSG contains a list of security rules that allow or deny inbound/outbound traffic based on:
- Source/destination IP address
- Port number
- Protocol (TCP/UDP)
NSGs are free to use and can be associated with:
- Subnets: Apply to all resources in the subnet
- Network interfaces (NICs): Apply only to specific virtual machines
Why Use NSGs in Azure?
Key Benefits:
- Granular Traffic Control: Apply rules at the subnet or individual VM level
- Cost-Effective: Included at no extra cost
- Integrated Security: Works with Azure Monitor, Network Watcher, and Azure Policy
- Scalability: Supports hundreds of rules per NSG
- Simplicity: Easy to configure and manage via Portal, CLI, or Terraform
By using NSGs, you can implement zero trust networking, microsegmentation, and enforce security boundaries in your Azure deployments.
NSG Architecture and Concepts
Core Components:
- Security Rules: Define whether to allow/deny traffic.
- Priority: Determines which rule is applied first (lower number = higher priority).
- Direction: Inbound or outbound.
- Access: Allow or Deny.
- Source/Destination: IP addresses, service tags, or ASGs.
- Port: Target TCP/UDP port or range.
- Protocol: TCP, UDP, or Any.
Each NSG can contain up to 1000 rules (default + custom). Azure automatically includes default rules for basic networking.
Inbound and Outbound Rules
Inbound Rules
Control traffic coming into a VM or subnet.
Example: Allow HTTP (TCP 80) from the internet to a web server VM.
Outbound Rules
Control traffic leaving the VM or subnet.
Example: Allow outbound traffic from the app server to a database on TCP 1433.
NSG Rule Prioritization and Default Rules
Priority
- Values range from 100 to 4096
- Lower number = higher priority
- Rules are evaluated top-down
Default Rules (Cannot be deleted):
Name | Direction | Action | Purpose |
AllowVnetInBound | Inbound | Allow | Allow communication within the VNet |
AllowAzureLoadBalancer | Inbound | Allow | Allow health probes |
DenyAllInBound | Inbound | Deny | Deny all other inbound traffic |
AllowVnetOutBound | Outbound | Allow | Allow internal outbound communication |
AllowInternetOutBound | Outbound | Allow | Allow outbound internet traffic |
DenyAllOutBound | Outbound | Deny | Deny all other outbound traffic |
You must create custom rules above default rules to override them.
Associating NSGs with Subnets and NICs
You can apply NSGs to:
- Subnets
- Controls traffic to all resources in the subnet
- Best for network-wide security policies
- NICs
- Controls traffic to a specific VM
- Ideal for exceptions or fine-grained control
Effective NSG = Subnet NSG + NIC NSG
Rules are combined, and more restrictive rules apply.
NSGs vs Azure Firewall
Feature | NSG | Azure Firewall |
Layer | Network layer | Application & network layer |
Stateful | Yes | Yes |
NAT Support | No | Yes |
FQDN Filtering | No | Yes |
Logging | Basic (Flow logs) | Advanced with insights |
Cost | Free | Paid |
Best For | Basic traffic control | Advanced filtering, DNAT/SNAT |
Use NSGs for basic rule enforcement. Use Azure Firewall for application-level filtering, centralized control, and DNS-based filtering.
NSG Logging and Monitoring
Enable flow logging using Network Watcher:
- NSG Flow Logs: Show allowed/denied traffic
- Traffic Analytics: Visualize patterns in Azure Monitor
- Effective Security Rules: View active rules for a VM or NIC
Logging helps with:
- Auditing traffic
- Troubleshooting connectivity
- Compliance monitoring
Service Tags and Application Security Groups
- Service Tags
Abstract IP ranges for common services:
- Internet, VirtualNetwork, AzureLoadBalancer, Storage, Sql, etc.
Example: Allow outbound to AzureSql on port 1433.
- Application Security Groups (ASGs)
Group VMs logically (e.g., “web servers”) and reference in NSGs instead of IPs.
Benefits:
- Dynamic grouping
- Cleaner rules
- Easier management for large environments
Real-world Use Cases
- Web Application Tiers
- Allow HTTP/HTTPS only to web subnet
- Web can talk to app subnet on port 8080
- App can talk to DB subnet on port 1433
- Bastion Access
Allow only port 3389 (RDP) or 22 (SSH) from a specific jumpbox subnet or IP range.
- Block External Outbound
Prevent VMs from accessing the public internet.
- Isolated Batch Jobs
Allow outbound to Azure Storage but block internet access entirely.
Common Pitfalls and Limitations
- Overlapping rules may cause unexpected behaviors
- Too permissive rules (e.g., Allow : from Internet) increase attack surface
- Cannot filter traffic by FQDN or domain name (use Azure Firewall instead)
- NSGs are region-specific and cannot span subscriptions by default
- Difficult to manage in large, dynamic environments without ASGs
Best Practices for NSG Management
- Apply NSGs at the subnet level where possible
- Use ASGs and service tags to simplify rules
- Follow least privilege principle—deny by default
- Review flow logs periodically for anomalies
- Separate inbound and outbound rules logically
- Tag and document rules for clarity
- Automate deployment using ARM, Bicep, or Terraform
Pricing and Cost
NSGs are free to use—there is no cost for the resource itself.
You only pay for:
- Data transfer charges if traffic crosses regions or public endpoints
- Storage costs for logs (if flow logging is enabled)
This makes NSGs cost-efficient for enforcing network security in Azure.
More deep into this topic Azure NAT Gateway
Conclusion
Azure Network Security Groups (NSGs) provide a vital, built-in toolset to manage and secure traffic in your Azure environment. Whether you’re isolating workloads, enforcing zero-trust networking, or simply restricting internet access, NSGs deliver a flexible and powerful way to control access at both the subnet and VM level.
By understanding how to configure, monitor, and apply best practices with NSGs, you gain a highly scalable, cost-effective, and robust network security solution for your Azure workloads.
In combination with other Azure services like ASGs, service tags, and Azure Firewall, NSGs help ensure that your cloud deployments meet the highest standards for availability, performance, and security.