Network Security Group
- Control the flow of traffic into and out of the VM
- The Network Security Group is
attached to the NICor theattached to the entire subnet - NSG associated with the subnet are evaluated first!
Inbound Security Rules: flow into the VMOutbound Security Rules: flow out of the VM- The
NSGcan be completely detached from the NIC. This way the NIC will be completely open
Security rules
-
Rule specification
-
Priority: Priority of the rule to be applied Port: specific port or port ranges (50-100)Protocol: protocol to allow/deny-
Source and Destination: IP or CIDR range -
Default Inbound rules
-
AllowVnetInBound: Any VM can communication with other VM within the same network AllowAzureLoadBalancerInBound: VMs can communicate with the LB-
DenyAllInBound: Deny all other inbound traffic -
Default Outbound rules
-
AllowVnetOutBound: Allow all traffic within a network AllowInternetOutBound: Allow traffic to the internet-
DenyAllOutBound: All other traffic is denied -
When specifying a destination IP rule, the
private ipmust be used. Azure translates it to public IP
NSG for subnets
- The rules for NSG attached to the subnet apply first!
- A NSG can be associated to a subnet under the
Subnets tab
ICMP Traffic
- A
pingrequest is based on theICMP protocol, therefore it must be allowed as inbound rule