Network Security Groups

1.3 Summarize cloud concepts and connectivity options

📘CompTIA Network+ (N10-009)

1. What is a Network Security Group?

A Network Security Group (NSG) is basically a virtual firewall in cloud environments, like Azure, AWS, or other cloud services. It controls the traffic that can flow to and from resources in a virtual network.

Think of NSGs as a filter that allows or blocks network traffic based on rules. These rules are called security rules.

  • Traffic: Any data moving across the network, such as requests to a web server or database.
  • Resources: Virtual machines (VMs), virtual networks (VNet), subnets, or cloud services.

2. Where NSGs are used

NSGs are applied to:

  1. Subnets – Entire groups of VMs in a virtual network.
  2. Individual Network Interfaces (NICs) – Specific VMs or servers.

Example: You can allow only HTTP (port 80) and HTTPS (port 443) traffic to your web server while blocking everything else.

This means NSGs are flexible: they can protect the whole subnet or just a single VM.

3. How NSGs work

NSGs work based on rules that allow or deny traffic. Each rule has:

ElementDescription
SourceWhere the traffic is coming from (IP address, IP range, or tag like “VirtualNetwork”)
DestinationWhere the traffic is going (VM, subnet, IP address, or service)
Port/ProtocolWhich type of traffic (TCP, UDP) and port number (like 22 for SSH, 3389 for RDP)
ActionAllow or Deny
PriorityEach rule has a number; lower numbers take priority
DirectionInbound (coming to VM) or Outbound (going out from VM)

Example Rule:

  • Inbound traffic
  • Source: Any (0.0.0.0/0)
  • Destination: WebServerVM
  • Protocol: TCP
  • Port: 443 (HTTPS)
  • Action: Allow
  • Priority: 100

This rule allows anyone on the internet to access your web server over HTTPS.

4. Default behavior

Every NSG comes with default rules:

  1. Allow VNet traffic – Traffic inside the same virtual network is allowed.
  2. Allow Internet outbound traffic – Resources can reach the internet.
  3. Deny all inbound traffic – If no specific rule allows it, incoming traffic is blocked.

Important: The default rules exist even if you don’t create your own rules. They ensure minimal functionality while keeping your cloud resources secure.

5. Why NSGs are important

  1. Security – They help prevent unauthorized access to your cloud resources.
  2. Segmentation – You can control traffic for specific parts of the network.
  3. Compliance – Helps meet regulatory requirements by controlling network access.
  4. Flexibility – You can create different rules for different resources.

Example: A database server can allow traffic only from the web server, while the web server allows traffic from anywhere.

6. Common use cases

Here are real IT examples of how NSGs are used:

  1. Web Application Protection
    • Only allow HTTP (80) and HTTPS (443) traffic to the web server.
    • Block all other ports to prevent hackers from accessing the server.
  2. Database Security
    • Only allow traffic from the app server to the database on port 1433 (SQL Server) or 3306 (MySQL).
    • Block all internet traffic to the database server.
  3. VM Remote Management
    • Allow SSH (22) for Linux VMs and RDP (3389) for Windows VMs from specific IP addresses (like your office IP).
    • Deny access from the rest of the world.

7. NSG vs Traditional Firewall

FeatureNSGTraditional Firewall
LayerLayer 3 & 4 (IP & TCP/UDP)Layer 3–7 (includes application layer)
LocationCloud, applied to subnet or NICPhysical appliance or software
FlexibilityApplied per VM or subnetUsually applies to the whole network
RulesAllow or deny trafficCan do deep packet inspection, logging

Tip for Exam: NSGs are not stateful application firewalls, they are network-level controls.

8. Key Terms for the Exam

  • Inbound/Outbound rules – Decide what traffic can enter or leave a VM/subnet.
  • Priority – Lower number rules are processed first.
  • Default rules – Pre-configured rules applied automatically.
  • Security rule – A rule that allows or denies traffic.
  • Network Interface / Subnet – Places where NSGs can be applied.

Exam Tip:

  • NSGs allow you to control access at a granular level in the cloud.
  • Always remember: priority, direction, source/destination, and port/protocol are crucial for creating rules.
  • You might be asked “which NSG rule allows inbound HTTPS to a VM?” or “what happens if no rules match?” – the answer is the default deny rule applies.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by