Security Groups
Last updated
In Azure, "Security Groups" usually refers to Network Security Groups (NSGs), which control inbound and outbound network traffic for network interfaces (NICs), and therefore virtual machines (VMs), and for subnets. An NSG is an ordered set of security rules that allow or deny traffic based on source, destination, port and protocol.
Inbound and Outbound Rules: NSGs contain separate inbound and outbound rule sets that define which traffic may reach or leave a resource. An NSG can be associated at the subnet level, the NIC level, or both. When both exist, inbound traffic is evaluated against the subnet NSG first and then the NIC NSG, and outbound traffic the other way round; traffic must be allowed by both to pass, so an allow on one level cannot override a deny on the other.
Rule Priority: Each rule in an NSG has a unique priority number (100 to 4096 for custom rules), and rules are evaluated in ascending order, so the lowest number is evaluated first. The first rule whose source, destination, port and protocol all match decides the outcome and no further rules are processed.
Rule Definition: Each rule defines:
Source: The origin of the traffic (e.g., IP address, CIDR block, or service tag).
Destination: The target of the traffic (e.g., IP address, CIDR block, or service tag).
Port Range: The port numbers (or range of ports) involved.
Protocol: The type of traffic (e.g., TCP, UDP).
Action: Allow or Deny.
Default Rules: Every NSG contains built-in default rules at priorities 65000 to 65500 that cannot be deleted but can be overridden by custom rules with a lower priority number. Outbound, they allow all traffic to the virtual network and to the Internet, then deny everything else. Inbound, they deny all traffic except traffic that originates inside the virtual network (the VirtualNetwork service tag, which also covers peered networks) and Azure Load Balancer health probes. The inbound VirtualNetwork allow is the one to watch: unless you add an explicit deny ahead of it, any compromised VM in the VNet can reach any port on any other VM.
Virtual Machine (VM): NSGs can be associated with individual VM network interfaces, controlling traffic to/from those VMs.
Subnets: NSGs can also be associated with subnets in a Virtual Network (VNet), controlling traffic for all resources within that subnet.
Allowing HTTP (port 80) traffic to a web server.
Blocking access to a specific subnet from external IP addresses.
Allowing SSH (port 22) traffic only from a trusted IP range.
Application Security Groups (ASGs) in Azure are a way to simplify network security management by grouping virtual machines (VMs) or network interfaces (NICs) based on the application they belong to, instead of defining security rules by individual IP addresses or subnets.
Group VMs by Role: You can group VMs or NICs that share a similar role or function (e.g., all web servers) and apply security rules to the group.
Membership Follows the NIC: A VM joins an ASG because its network interface (strictly, the NIC's IP configuration) is associated with the ASG; there is no tag-based or automatic membership. Because the association is part of the NIC configuration, new VMs deployed with their NIC attached to the ASG pick up the existing NSG rules without any change to the NSG itself, which is what keeps rules stable as resources are scaled or replaced. All NICs in an ASG must belong to the same virtual network.
Simplified Rule Management: Instead of defining complex rules based on IP addresses, you can create rules that reference ASGs, making network security management easier and more scalable.
Simplify Rules: Instead of creating separate rules for each individual VM's IP address, you can create a security rule like "Allow traffic to the 'WebServers' ASG on port 80," which applies to all VMs grouped in the "WebServers" ASG.
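The following is an added example, not code from the page or from Azure. It is a small Python model of how the NSG evaluation described above behaves: ascending priority with first match wins, the built-in default rules at the end, subnet NSG evaluated before NIC NSG with both having to allow, service tags and ASG references resolved against the NIC list. It covers the three scenarios listed on the page (HTTP from the Internet, SSH only from a trusted range, blocking a subnet from other addresses) and the ASG-based rule. The VNet range, the NICs and their ASG membership, the rule names and the test addresses (198.51.100.10 as an Internet client, 203.0.113.0/24 as the trusted admin range) are all constructed for the example. Service tags are approximated: Internet is "outside the VNet and not RFC 1918", and AzureLoadBalancer is the health-probe address 168.63.129.16.

```python
from ipaddress import ip_address, ip_network

# Constructed VNet and the ranges used to approximate the service tags this
# model understands: VirtualNetwork, Internet and AzureLoadBalancer.
VNET = ip_network("10.0.0.0/16")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ip_address("168.63.129.16")   # source of Azure LB health probes

# Constructed NICs. ASG membership is an explicit property of the NIC.
NICS = [
    {"name": "web-nic", "ip": "10.0.1.4", "asgs": {"WebServers"}},
    {"name": "app-nic", "ip": "10.0.1.5", "asgs": {"AppServers"}},
    {"name": "db-nic", "ip": "10.0.2.4", "asgs": {"DbServers"}},
]

def rule(name, prio, src, dst, port, proto, action):
    return {"name": name, "priority": prio, "src": src, "dst": dst,
            "port": port, "proto": proto, "action": action}

# Azure's built-in inbound default rules (priorities 65000-65500). They cannot
# be deleted; a custom rule with a lower number takes precedence over them.
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

def asg_members(asg):
    """IPs of every NIC associated with the named ASG."""
    return {ip_address(n["ip"]) for n in NICS if asg in n["asgs"]}

def match_addr(spec, ip):
    """Does address `ip` fall under rule field `spec` (tag, ASG, CIDR or '*')?"""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":
        return ip not in VNET and not any(ip in n for n in RFC1918)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if spec.startswith("asg:"):
        return ip in asg_members(spec[4:])
    return ip in ip_network(spec, strict=False)

def match_port(spec, port):
    """Port field is '*', a single port, or an inclusive 'lo-hi' range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_nsg(custom_rules, pkt):
    """First match in ascending priority number decides; defaults sort last."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (r["proto"] in ("*", pkt["proto"]) and match_port(r["port"], pkt["port"])
                and match_addr(r["src"], src) and match_addr(r["dst"], dst)):
            return r["action"], r["name"]
    raise AssertionError("unreachable: DenyAllInBound matches everything")

def inbound_allowed(subnet_nsg, nic_nsg, pkt):
    """Inbound traffic passes the subnet NSG first, then the NIC NSG; both must
    allow. A missing NSG (None) at a level imposes no restriction there."""
    trace = []
    for layer, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if nsg is None:
            continue
        action, name = evaluate_nsg(nsg, pkt)
        trace.append(f"{layer}:{name}")
        if action == "Deny":
            return False, trace
    return True, trace

# Constructed NSGs for the scenarios on the page plus an ASG-based rule.
WEB_SUBNET_NSG = [
    rule("AllowHttpToWebServers", 100, "Internet", "asg:WebServers", "80", "TCP", "Allow"),
    rule("AllowSshFromAdmins", 110, "203.0.113.0/24", "*", "22", "TCP", "Allow"),
    # Needed because the default AllowVnetInBound would otherwise admit SSH from any VNet host.
    rule("DenySshFromAnywhereElse", 120, "*", "*", "22", "TCP", "Deny"),
]
DB_NIC_NSG = [
    rule("AllowSqlFromAppServers", 100, "asg:AppServers", "*", "1433", "TCP", "Allow"),
    # Without this, the default AllowVnetInBound lets every VM in the VNet reach the DB.
    rule("DenyRestOfVnet", 110, "VirtualNetwork", "*", "*", "*", "Deny"),
]

def tcp(src, dst, port):
    return {"src": src, "dst": dst, "port": port, "proto": "TCP"}

if __name__ == "__main__":
    checks = [
        ("internet -> web:80", WEB_SUBNET_NSG, None, tcp("198.51.100.10", "10.0.1.4", 80)),
        ("internet -> web:22", WEB_SUBNET_NSG, None, tcp("198.51.100.10", "10.0.1.4", 22)),
        ("admin -> web:22", WEB_SUBNET_NSG, None, tcp("203.0.113.7", "10.0.1.4", 22)),
        ("app -> web:8080 (default VNet allow)", WEB_SUBNET_NSG, None, tcp("10.0.1.5", "10.0.1.4", 8080)),
        ("app -> db:1433 (ASG member)", None, DB_NIC_NSG, tcp("10.0.1.5", "10.0.2.4", 1433)),
        ("web -> db:1433 (not in ASG)", None, DB_NIC_NSG, tcp("10.0.1.4", "10.0.2.4", 1433)),
    ]
    for label, subnet_nsg, nic_nsg, pkt in checks:
        print(f"{label:40} {inbound_allowed(subnet_nsg, nic_nsg, pkt)}")
```

Two results are worth noticing when running it. The app VM reaching the web VM on port 8080 is allowed by nothing the operator wrote; it falls through to the default AllowVnetInBound, which is why the DB NIC NSG carries an explicit VirtualNetwork deny after its ASG allow. And combining the web subnet NSG with the DB NIC NSG on one packet shows that a subnet-level allow is not enough when the NIC-level NSG ends in a deny.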