• Network Security Groups

    When you create a VM, by default the portal asks you to create a Network Security Group (NSG). You don’t have to create one; you can create your VMs in Azure and network them together without an NSG. However, if a VM has a public IP address, it is reachable from the public Internet and therefore exposed to attack, and without an NSG nothing protects it except the internal Windows firewall on the VM itself.

    Microsoft created NSGs to provide a flexible method for defining the access rules allowing traffic into and out of a VM in a VNet—or even an entire subnet in the VNet. When a Windows Server with a public IP address is created in the portal, an NSG is created that blocks all inbound Internet traffic except RDP on port 3389. Similarly, for a Linux VM with a public IP address, the default NSG created blocks all inbound traffic from the Internet except SSH on port 22. You have to specifically open any other ports you want open, including HTTP and HTTPS. If you do nothing, you are protected by default. The same set of rules can be applied to a single VM or multiple VMs. You can also apply an NSG to a subnet, which applies it to all of the VMs in that subnet.

    For example, let’s say you have four VMs running front-end applications. These connect to eight back-end servers that consist of web services and database servers. You could create one NSG that says “allow access to/from the public Internet, and access to the back end” and apply that to all the front-end VMs. Then, you can create another NSG that says “allow access from these four front-end servers, and allow access to the internal Azure services, but don’t allow access to the public Internet” and apply it to the back-end servers. The back-end servers will not be accessible from the public Internet. Note that NSGs are actually applied to a NIC attached to a VM (rather than the VM itself). If a VM has multiple NICs, the NSG needs to be applied separately to each NIC.

    If we later add two front-end servers to our resources, we can simply assign them to the same NSG as the other front-end servers and add the new servers to the allowed servers for the back end. This allows you to implement changes with no updates to the running VMs themselves.

    How are the rules applied? You can apply an NSG to a VM or to a subnet in a VNet. When you apply an NSG to a subnet, it applies it to all of the VMs in that subnet. For incoming traffic, the rules are applied before the traffic enters the VM. For outgoing traffic, they are applied after the traffic leaves the VM. This means the rules cannot be changed by a user process on the VM or even by the operating system because the rules are external to the VM.
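As an added example (not code from the book), the following Python model shows how an NSG's inbound rules decide a packet, applied to the front-end/back-end design and the portal's Windows default described above. It assumes rules are evaluated in priority order with the first match winning, that Azure's built-in default inbound rules sit after every custom rule, a constructed 10.0.0.0/16 address plan, and a simplified "Internet" tag meaning any address outside the VNet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the example: one VNet, front-end subnet inside it.
VNET = ip_network("10.0.0.0/16")
FRONT_END_SUBNET = ip_network("10.0.1.0/24")

@dataclass
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, or a tag: "*", "Internet", "VirtualNetwork"
    dst_port: str      # "*" or a single port number

def source_matches(source: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return ip in VNET
    if source == "Internet":          # simplified: anything outside the VNet
        return ip not in VNET
    return ip in ip_network(source)

# Azure's built-in inbound default rules; they sit after every custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "168.63.129.16/32", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

def evaluate_inbound(rules: list, src_ip: str, dst_port: int) -> str:
    """First rule (by priority) whose source and port match decides the packet."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.dst_port in ("*", str(dst_port)):
            return rule.access
    return "Deny"  # not reached: DenyAllInBound matches everything

# NSG for the front-end tier: open HTTPS to the Internet.
FRONT_END_NSG = [Rule("AllowHttpsIn", 100, "Allow", "Internet", "443")]
# NSG for the back-end tier: only the front-end subnet may reach it.
BACK_END_NSG = [
    Rule("AllowFrontEndIn", 100, "Allow", str(FRONT_END_SUBNET), "*"),
    Rule("DenyInternetIn", 200, "Deny", "Internet", "*"),
]
# What the portal creates for a Windows VM with a public IP: RDP only.
WINDOWS_PORTAL_DEFAULT_NSG = [Rule("default-allow-rdp", 1000, "Allow", "*", "3389")]
```

Note that the built-in AllowVnetInBound rule still admits traffic from any other subnet in the VNet unless a custom Deny rule with a lower priority number overrides it, so "only the front-end servers" needs an explicit deny for the rest of the VNet as well.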

    Source of information: Microsoft Azure Essentials: Fundamentals of Azure, Second Edition

