A Network Security Group (NSG) is a stateful firewall that filters inbound and outbound traffic to Azure resources. NSGs are one of the most important tools for securing your Azure networks. They contain a list of security rules that allow or deny traffic based on source, destination, port, and protocol.
An NSG is a collection of rules evaluated in priority order (lowest number = highest priority). When traffic matches a rule, that rule's action is applied and no further rules are checked.
NSGs are stateful: once an inbound connection is allowed, the replies belonging to that flow are allowed automatically, with no outbound rule needed. Statefulness covers return traffic only; a new connection opened in the other direction is evaluated against that direction's rules, so an inbound Allow does not give the resource free egress.
NSGs can be associated with a subnet, with a virtual machine's network interface (NIC), or both. When both exist, inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG; outbound traffic by the NIC NSG first and then by the subnet NSG. Traffic must be allowed at both levels to pass, so a Deny at either level wins.
Every NSG includes three default inbound rules and three default outbound rules that you can neither edit nor delete:

Inbound defaults:

| Priority | Name | Action | Matches |
|---|---|---|---|
| 65000 | AllowVnetInBound | Allow | Source VirtualNetwork to destination VirtualNetwork, any port and protocol |
| 65001 | AllowAzureLoadBalancerInBound | Allow | Source AzureLoadBalancer (health probes) to any destination |
| 65500 | DenyAllInBound | Deny | Everything else |

Outbound defaults:

| Priority | Name | Action | Matches |
|---|---|---|---|
| 65000 | AllowVnetOutBound | Allow | Source VirtualNetwork to destination VirtualNetwork, any port and protocol |
| 65001 | AllowInternetOutBound | Allow | Any source to destination Internet |
| 65500 | DenyAllOutBound | Deny | Everything else |

You cannot delete or modify these default rules, but you can override them by creating rules with a lower priority number (higher priority), since custom rules (100–4096) are always evaluated before the defaults (65000 and up). Two consequences of the defaults are easy to miss: because of AllowVnetInBound, every resource in the VNet (and in peered VNets) can reach every port on every other resource until you add an explicit Deny, and because of AllowInternetOutBound a compromised VM can reach the internet freely until you add an outbound Deny to the Internet tag.
Each rule has the following properties:
| Property | Description |
|---|---|
| Name | Unique name within the NSG |
| Priority | 100–4096. Lower number = evaluated first |
| Direction | Inbound or Outbound |
| Action | Allow or Deny |
| Source | IP address, CIDR range, service tag, or ASG |
| Source port | Single port, range, or * (any) |
| Destination | IP address, CIDR range, service tag, or ASG |
| Destination port | Single port, range, or * (any) |
| Protocol | TCP, UDP, ICMP, ESP, AH, or * (any) |
Service tags represent groups of IP addresses for Azure services. They are managed by Microsoft and updated automatically, removing the need to maintain long lists of IP ranges.
Common service tags:
| Tag | Represents |
|---|---|
| Internet | Public IP address space outside the VNet, including Azure-owned public ranges |
| VirtualNetwork | The VNet address space, peered VNets, on-premises ranges connected through a VPN or ExpressRoute gateway, and any prefixes on user-defined routes in the subnet. If a UDR carries a default route (0.0.0.0/0), that prefix is part of the tag too, so the tag can be much broader than its name suggests |
| AzureLoadBalancer | The Azure health-probe source address, 168.63.129.16. Client traffic arriving through a load balancer keeps its original source address and is not covered by this tag |
| Storage | Azure Storage IP ranges |
| Sql | Azure SQL Database IP ranges |
| AzureActiveDirectory | Microsoft Entra ID endpoints |
| AzureMonitor | Azure Monitor and Log Analytics |
You can also use regional service tags like Storage.UKSouth to restrict traffic to a specific region.
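The following is an added example, not code from this lesson or from Azure: a small Python model of how an NSG evaluates a flow, covering the rule properties and default rules above, service-tag matching, and stateful return traffic. The address spaces (10.0.0.0/16 and a peered 10.1.0.0/16), the web VM 10.0.2.4, the bastion subnet 10.0.1.0/24 and the client 203.0.113.5 are assumptions chosen for the demo; only 168.63.129.16 and the default-rule names and priorities are real Azure values. The Internet tag is modelled here as "any address outside the VirtualNetwork tag", which is an approximation of the real tag. The helper names (`Rule`, `Nsg`, `evaluate`, `demo`) are this example's own.

```python
"""Toy model of Azure NSG rule evaluation (an added example; not Azure code)."""
import ipaddress
from dataclasses import dataclass

# Service-tag prefixes, constructed for the demo; only 168.63.129.16 is a fixed Azure value.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "10.1.0.0/16"],  # assumed VNet + peered VNet
    "AzureLoadBalancer": ["168.63.129.16/32"],        # health-probe source address
}

@dataclass
class Rule:
    name: str
    priority: int          # 100-4096 for custom rules, 65000+ for the defaults
    direction: str         # "Inbound" | "Outbound"
    access: str            # "Allow" | "Deny"
    protocol: str          # "Tcp" | "Udp" | "Icmp" | "*"
    source: str            # CIDR, IP, service tag, comma-separated list, or "*"
    source_port: str       # "22", "1024-65535" or "*"
    destination: str
    destination_port: str

# The default rules every NSG carries, with the priorities and names Azure uses.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

def in_prefixes(ip, prefixes):
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)

def match_addr(spec, addr):
    # Match an address against "*", a CIDR/IP, a service tag, or a comma list of those.
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    for item in (s.strip() for s in spec.split(",")):
        if item == "Internet":  # modelled here as: anything outside the VirtualNetwork tag
            matched = not in_prefixes(ip, SERVICE_TAGS["VirtualNetwork"])
        elif item in SERVICE_TAGS:
            matched = in_prefixes(ip, SERVICE_TAGS[item])
        else:
            matched = in_prefixes(ip, [item])
        if matched:
            return True
    return False

def match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, proto, src, sport, dst, dport):
    """Lowest priority number first; the first matching rule decides and evaluation stops."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", proto)
                and match_addr(r.source, src) and match_port(r.source_port, sport)
                and match_addr(r.destination, dst) and match_port(r.destination_port, dport)):
            return r.access, r.name
    raise AssertionError("unreachable: the default Deny rules match everything")

class Nsg:
    def __init__(self, custom_rules):
        for r in custom_rules:
            assert 100 <= r.priority <= 4096, f"{r.name}: custom priority out of range"
        self.rules = list(custom_rules) + DEFAULT_RULES
        self.flows = set()  # 5-tuples already allowed, used for stateful return traffic

    def filter(self, direction, proto, src, sport, dst, dport):
        # Stateful: a reply to an already-allowed flow bypasses the rule list entirely.
        opposite = "Outbound" if direction == "Inbound" else "Inbound"
        if (opposite, proto, dst, dport, src, sport) in self.flows:
            return "Allow", "(reply to allowed flow)"
        access, name = evaluate(self.rules, direction, proto, src, sport, dst, dport)
        if access == "Allow":
            self.flows.add((direction, proto, src, sport, dst, dport))
        return access, name

def demo():
    """Assumed web VM 10.0.2.4: SSH only from a bastion subnet, HTTPS from the Internet, egress locked down."""
    nsg = Nsg([
        Rule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "*", "*", "22"),
        Rule("AllowHttpsFromInternet", 110, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
        Rule("DenyInternetOutBound", 200, "Outbound", "Deny", "*", "*", "*", "Internet", "*"),
    ])
    return {
        "ssh_from_internet": nsg.filter("Inbound", "Tcp", "203.0.113.5", 51000, "10.0.2.4", 22),
        "ssh_from_bastion": nsg.filter("Inbound", "Tcp", "10.0.1.10", 51000, "10.0.2.4", 22),
        "https_from_internet": nsg.filter("Inbound", "Tcp", "203.0.113.5", 52000, "10.0.2.4", 443),
        "https_reply": nsg.filter("Outbound", "Tcp", "10.0.2.4", 443, "203.0.113.5", 52000),
        "new_egress": nsg.filter("Outbound", "Tcp", "10.0.2.4", 40000, "203.0.113.5", 443),
        "lb_health_probe": nsg.filter("Inbound", "Tcp", "168.63.129.16", 40000, "10.0.2.4", 80),
        "peered_vnet_rdp": nsg.filter("Inbound", "Tcp", "10.1.0.7", 40000, "10.0.2.4", 3389),
    }
```

Running `demo()` shows the points the lesson makes: SSH from the internet falls through to DenyAllInBound, the bastion rule at priority 100 allows it, the HTTPS reply is allowed by state even though a fresh outbound connection to the same client is stopped by the egress Deny at 200, the health probe is admitted by AllowAzureLoadBalancerInBound at 65001, and RDP from the peered VNet is allowed by AllowVnetInBound at 65000 because nothing at a lower number denies it.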