Network Security Groups (NSGs) are Azure's primary network-level filtering mechanism: a stateful Layer 3/4 packet filter, enforced by the Azure fabric rather than inside the VM, that controls inbound and outbound traffic to resources in a virtual network. An NSG contains security rules that allow or deny traffic based on source and destination (IP prefix, service tag or application security group), port range and protocol (TCP, UDP, ICMP or Any).
- Security Rules: Ordered list of allow/deny rules with priority values (100-4096)
- Default Rules: Built-in system rules that cannot be deleted but can be overridden
- Effective Security Rules: Per-NIC view of the rules actually applied to that interface, combining the subnet NSG and the NIC NSG (custom and default rules)
- Flow Logs: Detailed logging of traffic flows for security analysis and compliance
```mermaid
graph TD
A[Internet] --> B[Application Gateway/Load Balancer]
B --> C[Subnet NSG]
C --> D[NIC NSG]
D --> E[VM Network Interface]
E --> F[Virtual Machine]
G[NSG Rules Processing] --> H[Priority Order 100-4096]
H --> I[First Match Wins]
I --> J[Allow/Deny Action]
K[Default Rules] --> L[AllowVNetInBound 65000]
K --> M[AllowAzureLoadBalancerInBound 65001]
K --> N[DenyAllInBound 65500]
K --> O[AllowVNetOutBound 65000]
K --> P[AllowInternetOutBound 65001]
K --> Q[DenyAllOutBound 65500]
```
NSGs process rules in priority order (lowest number first) and apply a first-match-wins policy: once a rule matches, processing stops and that rule's action (allow/deny) is applied. Because NSGs are stateful, only the packet that opens a flow is evaluated; return traffic for an allowed flow is permitted automatically without an explicit rule in the opposite direction.
Advanced architectural patterns and technical implementation details
NSGs can be associated at two levels:
- Subnet Level: Applies to all resources within the subnet
- Network Interface Level: Applies to specific VM network interfaces
```mermaid
sequenceDiagram
participant Traffic
participant SubnetNSG
participant NICNSG
participant VM
Traffic->>SubnetNSG: Inbound Traffic
SubnetNSG->>SubnetNSG: Evaluate Rules (Priority Order)
SubnetNSG->>NICNSG: If Allowed
NICNSG->>NICNSG: Evaluate Rules (Priority Order)
NICNSG->>VM: If Allowed
VM->>NICNSG: Outbound Traffic
NICNSG->>NICNSG: Evaluate Rules (Priority Order)
NICNSG->>SubnetNSG: If Allowed
SubnetNSG->>SubnetNSG: Evaluate Rules (Priority Order)
SubnetNSG->>Traffic: If Allowed
```
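The two rules just described (priority order with first match wins, and subnet-then-NIC evaluation for inbound traffic, NIC-then-subnet for outbound) are easy to state and easy to get wrong in practice. The following simulator is an added example, not Azure's own implementation: it models the six default rules, the basic service tags (with an assumed VNet address space of 10.0.0.0/16 and a simplified Internet tag) and a constructed two-level policy, and returns the rule that decided each flow at each level. The rule names, addresses and ports are assumptions for illustration.

```python
"""Simulation of Azure NSG rule evaluation (added example, not Azure's own code).

Models: priority ordering, first match wins, the six default rules, the basic
service tags, and the order in which a subnet NSG and a NIC NSG are applied
(subnet then NIC for inbound, NIC then subnet for outbound). The VNet address
space and the tag-to-prefix mappings are assumptions."""
import ipaddress
from dataclasses import dataclass

VNET_PREFIXES = ["10.0.0.0/16"]        # assumed VNet address space
AZURE_LB_PROBE = "168.63.129.16/32"     # the AzureLoadBalancer tag resolves to this host


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for custom rules, 65000+ for default rules
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # CIDR, service tag or "*"
    source_port: str     # "*", "22" or "1024-65535" (comma-separated lists allowed)
    destination: str
    dest_port: str


def prefix_match(spec: str, ip: str) -> bool:
    """Does address `ip` fall inside a CIDR or (simplified) service tag?"""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in ipaddress.ip_network(p) for p in VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return addr in ipaddress.ip_network(AZURE_LB_PROBE)
    if spec == "Internet":
        # Public address space outside the VNet (a simplification of the real tag)
        return addr.is_global and not prefix_match("VirtualNetwork", ip)
    return addr in ipaddress.ip_network(spec, strict=False)


def port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def default_rules() -> list:
    return [
        Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
        Rule("AllowVNetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
    ]


def evaluate_nsg(custom_rules, direction, proto, src_ip, src_port, dst_ip, dst_port) -> Rule:
    """Return the first rule (lowest priority number) that matches the 5-tuple."""
    for r in sorted(list(custom_rules) + default_rules(), key=lambda x: x.priority):
        if r.direction != direction or (r.protocol != "*" and r.protocol != proto):
            continue
        if (prefix_match(r.source, src_ip) and port_match(r.source_port, src_port)
                and prefix_match(r.destination, dst_ip) and port_match(r.dest_port, dst_port)):
            return r          # first match wins: evaluation stops here
    raise RuntimeError("unreachable: the default Deny rule matches everything")


def evaluate_path(subnet_rules, nic_rules, direction, proto, src_ip, src_port, dst_ip, dst_port):
    """Apply both NSG levels in Azure's order; traffic must be allowed by each.

    Pass None for a level with no NSG associated. Returns the decision and the
    matched rule per level, e.g. ['subnet:AllowHttpsInternet', 'nic:DenyAllInBound']."""
    levels = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        levels.reverse()
    trace = []
    for level, rules in levels:
        if rules is None:
            continue
        matched = evaluate_nsg(rules, direction, proto, src_ip, src_port, dst_ip, dst_port)
        trace.append(f"{level}:{matched.name}")
        if matched.access == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed sample policy: the subnet NSG opens 443 from the Internet; the NIC
# NSG restricts SSH to an assumed bastion range and must re-open 443 itself,
# otherwise its own DenyAllInBound silently drops the web traffic.
SUBNET_RULES = [
    Rule("AllowHttpsInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
]
NIC_RULES = [
    Rule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "*", "*", "22"),
    Rule("AllowHttps", 110, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("DenySsh", 200, "Inbound", "Deny", "Tcp", "*", "*", "*", "22"),
]

if __name__ == "__main__":
    for flow in [("Inbound", "Tcp", "185.220.101.5", 41234, "10.0.1.4", 443),
                 ("Inbound", "Tcp", "10.0.250.10", 50000, "10.0.1.4", 22),
                 ("Inbound", "Tcp", "10.0.2.7", 50001, "10.0.1.4", 22),
                 ("Outbound", "Udp", "10.0.1.4", 40000, "8.8.8.8", 53)]:
        print(flow, evaluate_path(SUBNET_RULES, NIC_RULES, *flow))
```

Run the module and compare the third flow with the second: both reach port 22 and both pass the subnet NSG through the default AllowVNetInBound rule, and only the NIC-level rule pair decides them. Remove the NIC NSG's AllowHttps rule and the first flow flips to Deny at `nic:DenyAllInBound` even though the subnet NSG allowed it, which is the most common "it is allowed but does not work" support case with two-level NSGs.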
Service Tags: Predefined groups of IP address prefixes for Azure services, maintained by Microsoft
- Basic tags: Internet, VirtualNetwork, AzureLoadBalancer. VirtualNetwork covers the VNet's own address space plus peered VNets and on-premises prefixes reachable through a VNet gateway; AzureLoadBalancer resolves to the platform probe address 168.63.129.16
- Service tags: Storage, Sql, AzureKeyVault, EventHub (note the Key Vault tag is spelled AzureKeyVault)
- Regional variants: Storage.EastUS, Sql.WestEurope
Application Security Groups (ASGs): Logical grouping of VM network interfaces for micro-segmentation
- Enable application-centric security policies: a rule can name an ASG as its source and/or destination instead of an address prefix
- Simplify rule management in complex environments; membership changes when a NIC joins or leaves the group, not when a rule is edited
- Support workload-based security rather than IP-based
- All NICs in one ASG must be in the same virtual network, and the ASG must be in the same region as the NSG that references it
| Feature | NSG | Azure Firewall |
| --- | --- | --- |
| Scope | Subnet/NIC level | Network/Application level, centralized (typically in a hub VNet) |
| Rule Types | Allow/Deny on the 5-tuple, with service tags and ASGs | Network, Application (FQDN/URL) and NAT rules |
| Inspection | Stateful L3-L4 | Stateful L3-L7 (TLS inspection and IDPS in the Premium SKU) |
| Threat Intelligence | No | Yes (threat-intelligence-based filtering) |
| FQDN Filtering | No | Yes |
| Cost | No charge for the NSG itself (flow logs cost storage) | Paid service (Standard/Premium SKUs, billed hourly plus data processed) |
| Logging | Flow logs and diagnostic logs | Comprehensive logs (network, application, DNS proxy, threat intelligence) |
¶ Gotchas and Edge Cases
Common pitfalls that catch even experienced architects
- Default Rule Behavior: Default rules cannot be deleted, only overridden by a custom rule with a lower priority number. In particular AllowVNetInBound means every address in the VirtualNetwork tag (the VNet, peered VNets and on-premises ranges reachable through a gateway) can reach every port unless you add an explicit deny
- Intra-Subnet Traffic: A subnet-level NSG also filters traffic between VMs in the same subnet; neighbours get no implicit trust beyond the default rules
- Service Tag Updates: Service tags are maintained by Microsoft and change over time; IP ranges copied out of a tag into a custom rule silently go stale
- Regional Scope: An NSG is a regional resource and can only be associated with subnets and NICs in the same region; it cannot be moved between regions
- Rule Limits: Maximum 1000 security rules per NSG; a rule that needs many prefixes or ports should use the multi-value (prefixes/port ranges) form rather than one rule per value
- Subnet Dependency: Some subnets have restrictions: an NSG on an Application Gateway v2 subnet must allow inbound TCP 65200-65535 from the GatewayManager tag, and AzureFirewallSubnet does not support an NSG at all
¶ Azure Monitor and Log Analytics
NSG Flow Logs integrate with:
- Storage Account: Flow logs are written as JSON blobs to a storage account, which is the raw source for everything below
- Log Analytics Workspace: Centralized log storage and KQL analysis
- Azure Monitor: NSG diagnostic logs (security group event and rule counter categories) for alerting on rule hits
- Microsoft Sentinel (formerly Azure Sentinel): SIEM integration for security analytics
- Traffic Analytics: Visual network topology and flow analysis built on top of the flow logs
Microsoft is retiring NSG flow logs in favour of virtual network (VNet) flow logs, which record the same flow tuples at VNet scope; plan new monitoring on VNet flow logs and treat NSG flow logs as a migration item.
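Whatever the sink, a flow log is a JSON blob of version-2 flow tuples, and most of the security value comes from a few aggregations over the denied inbound flows. The parser and summaries below are an added example, not Microsoft's Traffic Analytics or any Azure tooling; the log record is constructed to follow the documented v2 tuple layout (timestamp, source IP, destination IP, source port, destination port, protocol, direction, decision, flow state, then four counters that are empty on begin/continue records), and the addresses, resource ID and rule names in it are assumptions.

```python
"""Parse NSG flow log (version 2) records and pull out the security signal a
responder wants: denied inbound flows per source and port, port-scan-like
sources, and bytes moved on allowed flows. Added example, not Microsoft's
tooling; the log record below is constructed to match the v2 tuple layout."""
import json
from collections import defaultdict

# Version-2 flowTuples field order:
# time,srcIp,dstIp,srcPort,dstPort,proto(T/U),dir(I/O),decision(A/D),
# state(B=begin,C=continuing,E=end),pktsS2D,bytesS2D,pktsD2S,bytesD2S
FIELDS = ["time", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "decision", "state", "pkts_s2d", "bytes_s2d",
          "pkts_d2s", "bytes_d2s"]

# Constructed sample record (assumed subscription, NSG and addresses).
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-05-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
                  "RG-WEB/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714557600,185.220.101.5,10.0.1.4,41234,22,T,I,D,B,,,,",
            "1714557601,185.220.101.5,10.0.1.4,41235,3389,T,I,D,B,,,,",
            "1714557602,185.220.101.5,10.0.1.4,41236,445,T,I,D,B,,,,",
            "1714557603,185.220.101.5,10.0.1.4,41237,1433,T,I,D,B,,,,",
            "1714557610,52.168.0.10,10.0.1.4,50000,8080,T,I,D,B,,,,",
        ]}]},
        {"rule": "UserRule_AllowHttpsInternet", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714557620,52.168.0.10,10.0.1.4,50100,443,T,I,A,B,,,,",
            "1714557625,52.168.0.10,10.0.1.4,50100,443,T,I,A,E,12,9801,10,3400",
        ]}]},
    ]},
}]})


def parse_tuple(raw: str) -> dict:
    """Split one v2 flow tuple; counters are empty on begin/continue records."""
    parts = raw.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected tuple layout: {raw!r}")
    flow = dict(zip(FIELDS, parts))
    for key in ("src_port", "dst_port", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"):
        flow[key] = int(flow[key]) if flow[key] else 0
    return flow


def iter_flows(log_text: str):
    """Yield (nsg_resource_id, rule_name, flow_dict) for every tuple in the blob."""
    for record in json.loads(log_text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError("this parser handles version-2 tuples only")
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    yield record["resourceId"], rule_block["rule"], parse_tuple(raw)


def denied_inbound(log_text: str) -> dict:
    """Count denied inbound flows per (source IP, destination port)."""
    counts = defaultdict(int)
    for _, _, f in iter_flows(log_text):
        if f["direction"] == "I" and f["decision"] == "D":
            counts[(f["src_ip"], f["dst_port"])] += 1
    return dict(counts)


def scanning_sources(log_text: str, min_ports: int = 3) -> dict:
    """Sources whose denied inbound flows touched at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for _, _, f in iter_flows(log_text):
        if f["direction"] == "I" and f["decision"] == "D":
            ports[f["src_ip"]].add(f["dst_port"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def bytes_by_rule(log_text: str) -> dict:
    """Total bytes in both directions from end-of-flow records, per matching rule."""
    totals = defaultdict(int)
    for _, rule, f in iter_flows(log_text):
        if f["state"] == "E":
            totals[rule] += f["bytes_s2d"] + f["bytes_d2s"]
    return dict(totals)


if __name__ == "__main__":
    print("denied inbound:", denied_inbound(SAMPLE_LOG))
    print("scan-like sources:", scanning_sources(SAMPLE_LOG))
    print("bytes per rule:", bytes_by_rule(SAMPLE_LOG))
```

Two details matter when you do this on real blobs: the rule name in each block tells you which rule made the decision (DefaultRule_ prefix versus UserRule_ prefix), so a spike under DefaultRule_DenyAllInBound means traffic that no custom rule anticipated; and byte counters appear only on continuing and end records, so volume reporting must not double-count the begin record of the same flow.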
NSGs are commonly deployed through:
- ARM Templates: Declarative resource definitions
- Bicep: Simplified ARM template language
- Terraform: Multi-cloud infrastructure provisioning
- Azure Policy: Governance and compliance enforcement
¶ Security and Compliance
```mermaid
graph LR
A[NSG] --> B[Microsoft Defender for Cloud, formerly Azure Security Center]
A --> C[Azure Policy]
A --> D[Defender for Cloud workload plans, formerly Azure Defender]
B --> E[Security Recommendations]
C --> F[Compliance Reporting]
D --> G[Threat Detection]
```
¶ Automation and Orchestration
- Azure Resource Manager: Template-based deployment
- Azure Automation: Runbook-based management
- Logic Apps: Event-driven automation
- Azure Functions: Serverless security automation
Enterprise Multi-Tier Application
Scenario: Three-tier web application with web, application, and database layers
Architecture:
- Web tier: Allow HTTP/HTTPS from Internet, deny direct database access
- App tier: Allow traffic from web tier only, permit database connections
- Database tier: Allow traffic from app tier only, deny Internet access
NSG Strategy:
- Subnet-level NSGs for broad traffic control
- NIC-level NSGs for specific server hardening
- Application Security Groups for role-based micro-segmentation
Trade-offs:
- Increased complexity vs. enhanced security
- Management overhead vs. granular control
- Performance impact of multiple rule evaluations
Hub-and-Spoke Network Security
Scenario: Hub-and-spoke topology with centralized security services
Architecture:
- Hub VNet: Contains Azure Firewall, VPN Gateway, shared services
- Spoke VNets: Contains workloads with NSG-based micro-segmentation
- Peering: Hub-spoke connectivity with custom routing
NSG Strategy:
- Spoke NSGs: Workload-specific security rules
- Hub NSGs: Shared service protection
- Coordinated rule design to avoid conflicts with Azure Firewall
Limitations:
- Rule precedence complexity
- Troubleshooting distributed security policies
- Potential for rule conflicts between NSGs and Azure Firewall
¶ Best Practices and Cheat Sheet
Cheat Sheet Table
| Feature/Concept | Summary |
| --- | --- |
| Priority Range | 100-4096 (lower number = higher priority); unique per direction within an NSG |
| Default Rules | Cannot be deleted; priorities 65000, 65001 and 65500 |
| Service Tags | Use instead of IP ranges for Azure services |
| ASGs | Group NICs logically for application-centric rules |
| Flow Logs | Enable for security monitoring and compliance |
| Effective Rules | View combined result of subnet and NIC NSGs per NIC |
| Rule Limits | 1000 rules max per NSG |
| Processing | First match wins, evaluation stops; stateful, so return traffic needs no rule |
Best Practices
Design Principles:
- Understand that a subnet NSG and a NIC NSG are both evaluated; Microsoft recommends associating an NSG at one level only unless there is a specific reason for both, because two layers double the troubleshooting surface
- Use Application Security Groups for complex environments
- Leverage service tags instead of hard-coded IP addresses
- Add an explicit deny (for example at priority 4096) for traffic that the default AllowVNetInBound/AllowVNetOutBound rules would otherwise admit; the built-in deny-all rules only catch what no earlier rule allows
- Implement least privilege access principles
Security Controls:
- Enable NSG Flow Logs for all production environments
- Use Azure Policy to enforce NSG deployment standards
- Implement automated rule validation and testing
- Regular review and cleanup of unused rules
- Monitor effective security rules for conflicts
Configuration Advice:
- Document rule purposes and business justifications
- Use consistent naming conventions for rules and NSGs
- Implement rule versioning and change management
- Test rule changes in non-production environments first
- Use Azure Resource Graph for NSG inventory and compliance
What to Avoid:
- Don't rely solely on NSGs for application security; they see only addresses, ports and protocols
- Avoid overly permissive rules (source *, Internet or 0.0.0.0/0 combined with a * port range), especially for management ports such as 22 and 3389
- Don't ignore default rule implications: AllowVNetInBound trusts every peered VNet and gateway-connected on-premises range
- Avoid duplicate or overlapping rules across multiple NSGs
- Don't forget to enable logging and monitoring
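The "automated rule validation" item under Security Controls and the permissive-rule patterns listed under What to Avoid are easy to check mechanically against the exported NSG definition, before Azure Policy or a reviewer ever sees it. The linter below is an added example, not Azure Policy and not any Microsoft tool; it reads an NSG in the ARM/Bicep property shape (securityRules with sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges and so on) and flags Internet-facing management ports, any/any allows and duplicate priorities. The NSG document, the management-port list and the severity labels are assumptions.

```python
"""Lint an NSG definition (ARM/Bicep-style JSON) for the rule patterns this page
warns against: Internet-facing management ports, any/any allows and duplicate
priorities. Added example, not Azure Policy; the NSG document and the port list
are assumptions."""

MANAGEMENT_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 6379, 27017}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}

# Constructed sample NSG in ARM property shape (assumed names and prefixes).
SAMPLE_NSG = {
    "name": "web-nsg",
    "properties": {"securityRules": [
        {"name": "AllowHttps", "properties": {
            "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "443"}},
        {"name": "AllowRdpFromAnywhere", "properties": {
            "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": "*", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "3389"}},
        {"name": "AllowSshFromBastion", "properties": {
            "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefixes": ["10.0.250.0/24"], "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "22"}},
        {"name": "AllowEverything", "properties": {
            "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "*",
            "sourceAddressPrefix": "*", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "*"}},
    ]},
}


def ports_in(spec):
    """Expand destinationPortRange(s) into a set of ports; '*' returns None (every port)."""
    ranges = spec if isinstance(spec, list) else [spec]
    if "*" in ranges:
        return None
    out = set()
    for part in ranges:
        lo, _, hi = str(part).partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def sources_of(p: dict) -> list:
    """ARM allows either the single-value or the plural form of the source prefix."""
    return p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]


def dest_ports_of(p: dict):
    return ports_in(p.get("destinationPortRanges") or p.get("destinationPortRange", "*"))


def lint_nsg(nsg: dict) -> list:
    """Return (rule name, severity, message) findings, errors before high-severity items."""
    findings = []
    seen = {}                      # (direction, priority) -> first rule name using it
    for rule in nsg["properties"]["securityRules"]:
        name, p = rule["name"], rule["properties"]
        key = (p["direction"], p["priority"])
        if key in seen:
            findings.append((name, "error",
                             f"priority {p['priority']} duplicates rule {seen[key]} ({p['direction']})"))
        seen.setdefault(key, name)

        if p["access"] != "Allow" or p["direction"] != "Inbound":
            continue
        open_source = any(s in ANY_SOURCE for s in sources_of(p))
        ports = dest_ports_of(p)
        if open_source and ports is None and p["protocol"] == "*":
            findings.append((name, "high", "allows any protocol and any port from any source"))
        elif open_source and (ports is None or ports & MANAGEMENT_PORTS):
            exposed = "all ports" if ports is None else sorted(ports & MANAGEMENT_PORTS)
            findings.append((name, "high",
                             f"management/database ports {exposed} reachable from {sources_of(p)}"))
    order = {"error": 0, "high": 1}
    return sorted(findings, key=lambda f: order[f[1]])


if __name__ == "__main__":
    for name, severity, message in lint_nsg(SAMPLE_NSG):
        print(f"{severity:5} {name}: {message}")
```

Feed it the output of `az network nsg show` (the properties block has this shape) in a pipeline step, and fail the deployment on any error or high finding. Note that the duplicate-priority check is what Azure itself would reject at deployment time; catching it earlier just keeps the failure in the pull request rather than in the release.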
Common interview questions with detailed answers
Q: What happens when a VM has both subnet-level and NIC-level NSGs?
A: Traffic must pass through both NSG evaluations. For inbound traffic, subnet NSG is evaluated first, then NIC NSG. For outbound traffic, NIC NSG is evaluated first, then subnet NSG. Each NSG independently applies its rules using first-match-wins logic.
Q: How do NSGs differ from Azure Firewall in terms of security capabilities?
A: NSGs operate at Layer 3-4 with allow/deny rules based on IP prefix (or service tag/ASG), port, and protocol. Azure Firewall adds Layer 7 application rules, FQDN-based filtering, threat intelligence feeds and, in the Premium SKU, TLS inspection and IDPS, with centralized logging. NSGs carry no charge of their own, while Azure Firewall is a separately billed service (hourly plus data processed).
Q: What are the implications of NSG default rules?
A: Default rules have priorities 65000, 65001 and 65500 and cannot be deleted. Inbound, they allow traffic from the VirtualNetwork tag (the VNet itself, peered VNets and on-premises ranges reachable through a gateway) and from the Azure Load Balancer probe address, then deny everything else; outbound, they allow VirtualNetwork and Internet destinations, then deny everything else. A custom rule with a lower priority number (100-4096) overrides them, so an explicit deny on intra-VNet traffic is needed wherever the VNet should not be implicitly trusted.
Q: How do Service Tags help with NSG management?
A: Service Tags represent groups of IP addresses for Azure services that are automatically maintained by Microsoft. They eliminate the need to hard-code IP ranges that may change over time. Examples include Storage, Sql, Internet, and regional variants like Storage.EastUS.
Q: What is the difference between NSG Flow Logs and Azure Monitor NSG metrics?
A: Flow Logs capture per-flow records (source/destination IPs, ports, protocol, direction, allow/deny decision and, in version 2, byte and packet counters) written as JSON to a storage account and optionally processed by Traffic Analytics. NSG diagnostic logs (the security group event and rule counter categories) sent to Azure Monitor give aggregated rule-hit information suitable for alerting and dashboards; NSGs do not expose platform metrics of their own.
Q: How do Application Security Groups enhance NSG functionality?
A: ASGs allow grouping of VMs based on application roles rather than IP addresses. This enables micro-segmentation policies that remain consistent even when VMs are added, removed, or change IP addresses. Rules reference ASGs instead of individual IP addresses, simplifying management in dynamic environments.
NSG rule evaluation is performed in the Azure fabric and adds negligible latency, so tuning is about correctness, manageability and cost rather than throughput:
- Rule Ordering: Priority determines semantics (first match wins), not speed; order rules so that specific allows and denies sit above broad ones
- Rule Consolidation: Combine similar rules using port ranges, multiple prefixes per rule, service tags and ASGs
- Monitoring: Track rule hit counts to identify unused or ineffective rules
- Flow Logs Storage: Implement lifecycle policies for log retention
- Rule Efficiency: Minimize rule count through consolidation to stay well within the 1000-rule limit
- Monitoring Costs: Balance logging detail (Traffic Analytics processing interval, retention) with storage and ingestion costs
Micro-segmentation Pattern:
```mermaid
graph TD
A[Web ASG] --> B[App ASG]
B --> C[Database ASG]
D[Management ASG] --> A
D --> B
D --> C
E[Monitoring ASG] --> A
E --> B
E --> C
```
Layered Security Pattern:
- Perimeter security (Azure Firewall/Application Gateway)
- Network security (NSGs)
- Host security (endpoint protection)
- Application security (authentication/authorization)
- Effective Security Rules: Use the Azure portal, the CLI (az network nic list-effective-nsg) or PowerShell to view the combined rule set applied to a NIC
- IP Flow Verify: Network Watcher checks whether a given 5-tuple would be allowed or denied for a VM and names the rule responsible
- NSG Diagnostics: Network Watcher evaluates every NSG on the path for a source/destination pair and reports which rule matched at each level
- Connection Troubleshoot: Leverage Network Watcher for end-to-end connectivity testing
- Flow Logs Analysis: Correlate denied traffic with security events
NSGs play a crucial role in Zero Trust implementation:
- Verify Explicitly: Use NSGs to enforce network-level access controls
- Least Privilege: Implement granular rules based on application requirements
- Assume Breach: Layer NSGs with other security controls for defense-in-depth
This guide provides comprehensive coverage of Azure Network Security Groups for senior-level Azure architect interviews. Focus on understanding the architectural implications, integration patterns, and real-world implementation challenges.