Evaluate effective security rules in NSGs

Configure secure access to virtual networks

📘Microsoft Certified: Azure Administrator Associate (AZ-104)


1. What are NSGs and Security Rules?

Network Security Groups (NSGs) are Azure's built-in stateful packet filter for virtual networks (VNets). They control inbound (coming into a VM) and outbound (going out from a VM) traffic and can be associated with a subnet, with a VM's network interface (NIC), or both. Because they are stateful, return traffic for an allowed flow is permitted automatically; you do not need a matching rule in the opposite direction.

Each NSG contains security rules that either allow or deny traffic based on:

  • Source: Where the traffic is coming from (an IP address or CIDR range, a service tag such as Internet, VirtualNetwork or AzureLoadBalancer, or an application security group).
  • Destination: Where the traffic is going (IP address, CIDR range, service tag, or application security group).
  • Protocol: TCP, UDP, ICMP, or Any.
  • Port: Source and destination port(s) or port ranges, like 80 (HTTP) or 443 (HTTPS).
  • Priority: A number from 100 to 4096 that determines the order in which rules are evaluated (lower numbers have higher priority; each priority is unique within an NSG).
  • Action: Allow or Deny.

2. What Does “Effective Security Rules” Mean?

A VM's traffic can be subject to two NSGs at once: one associated with the subnet and one associated with the VM's network interface (each subnet and each NIC can have at most one NSG). Each NSG in turn holds several rules, so Azure has to work through all of them to decide whether a given packet is allowed or denied.

The effective security rules are the complete set of rules that actually apply to the VM's network interface, drawn from both NSGs. This view lets administrators see which rule is taking effect, and which NSG it came from, when rules appear to conflict.

Think of it as the net effect after Azure has taken every applicable NSG into account.


3. How Azure Evaluates NSG Rules

Here's how Azure determines the effective rules:

  1. Identify the NSG associated with the VM's subnet and the NSG associated with its network interface. Either may be absent; if neither exists, all traffic is allowed.
  2. The rules of the two NSGs are NOT merged into one list. Each NSG is evaluated on its own: its rules are checked in priority order (smallest number first) and the first rule that matches the packet decides, whether that rule says Allow or Deny. Later rules are not consulted.
  3. For inbound traffic, Azure evaluates the subnet NSG first and then the NIC NSG. The packet must be allowed by both; if the subnet NSG denies it, the NIC NSG is never evaluated.
  4. For outbound traffic the order is reversed: NIC NSG first, then subnet NSG. Again, both must allow the packet.
  5. Every NSG carries the default rules listed below at priorities 65000 to 65500, so there is never a packet with "no match": anything a custom rule did not allow falls through to the DenyAll default rule for that direction.

Default NSG Rules

Every NSG has six default rules (three inbound, three outbound) that cannot be deleted:

Direction   Name                            Priority   Action   Description
Inbound     AllowVNetInBound                65000      Allow    Traffic from the VirtualNetwork tag (the VNet, peered VNets, and on-premises ranges reached through a gateway).
Inbound     AllowAzureLoadBalancerInBound   65001      Allow    Health probes and traffic from the Azure load balancer.
Inbound     DenyAllInBound                  65500      Deny     Everything else coming in.
Outbound    AllowVnetOutBound               65000      Allow    Traffic to the VirtualNetwork tag.
Outbound    AllowInternetOutBound           65001      Allow    Traffic to the Internet tag (any address outside the VNet).
Outbound    DenyAllOutBound                 65500      Deny     Everything else going out.

Important: Custom rules must use priorities 100 to 4096, so they are always evaluated before the defaults. A custom rule therefore overrides a default rule whenever it matches the same traffic; for example, a custom Deny at priority 100 blocks VNet traffic that AllowVNetInBound would otherwise allow. The defaults cannot be deleted, only overridden.


4. How to View Effective Security Rules

Azure provides an easy way to see which rules are applied:

  1. Go to the Azure portal.
  2. Navigate to the VM you want to check.
  3. Open Networking and select Effective security rules.

The same information is available from the command line with az network nic list-effective-nsg or the PowerShell cmdlet Get-AzEffectiveNetworkSecurityGroup. Both are computed for the running VM, so the NIC must be attached to a VM that is powered on.

Here, you’ll see:

  • Rule name
  • Priority
  • Direction (Inbound/Outbound)
  • Source / Destination
  • Protocol / Port
  • Action (Allow/Deny)
  • Applied NSG (which NSG the rule came from)

This is useful for troubleshooting connectivity issues. For example, if a VM can’t receive HTTP traffic on port 80, you can check effective rules to see if a Deny rule is blocking it.


5. Example Scenario

Imagine you have a VM with these NSGs:

  • Subnet NSG: Allows inbound TCP traffic on port 443.
  • NIC NSG: Denies inbound TCP traffic on port 443.

Effective rules result:

  • Inbound traffic to port 443 first passes the subnet NSG, which allows it, and is then checked against the NIC NSG, whose Deny rule matches. Traffic must be allowed by both NSGs, so a single Deny is enough to block it.
  • Traffic on port 443 is blocked, even though the subnet NSG allows it. The reverse layout (subnet NSG denies, NIC NSG allows) blocks it as well; in that case the NIC NSG is never consulted.
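The evaluation order from section 3 and the scenario from section 5, worked through in code. This is an added example written for these notes, not Azure's implementation. The Rule and Flow classes, the address ranges standing in for the service tags (10.0.0.0/16 for VirtualNetwork, 168.63.129.16 for AzureLoadBalancer), and the sample addresses and rule names are all constructed for the example.

```python
"""Added example: a model of how Azure evaluates NSG rules for a VM.
Illustrative code for these notes, not Azure's own implementation."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for service tags. Azure expands the real tags to its
# current prefix lists; "Internet" means everything outside the VNet.
VNET_RANGES = [ip_network("10.0.0.0/16")]
LB_RANGES = [ip_network("168.63.129.16/32")]

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for custom rules, 65000-65500 for defaults
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # IP, CIDR, service tag or "*"
    source_port: str     # "*", "443", "80,443" or "1024-65535"
    destination: str
    destination_port: str

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def default_rules() -> list[Rule]:
    """The six default rules every NSG carries; they cannot be deleted."""
    return [
        Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
    ]

def _match_addr(spec: str, ip: str) -> bool:
    addr = ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in net for net in VNET_RANGES)
    if spec == "AzureLoadBalancer":
        return any(addr in net for net in LB_RANGES)
    if spec == "Internet":
        return not any(addr in net for net in VNET_RANGES)
    return addr in ip_network(spec, strict=False)   # single IP or CIDR

def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):                   # "80,443" or "1024-65535"
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def evaluate_nsg(rules: list[Rule], flow: Flow) -> Rule:
    """Within one NSG: lowest priority number first, first match decides
    (Allow or Deny). The DenyAll default guarantees that some rule matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == flow.direction
                and rule.protocol in ("*", flow.protocol)
                and _match_addr(rule.source, flow.src_ip)
                and _match_port(rule.source_port, flow.src_port)
                and _match_addr(rule.destination, flow.dst_ip)
                and _match_port(rule.destination_port, flow.dst_port)):
            return rule
    raise ValueError("no rule matched: this NSG is missing its default rules")

def evaluate_effective(subnet_nsg: Optional[list[Rule]], nic_nsg: Optional[list[Rule]],
                       flow: Flow) -> tuple[str, str, Optional[Rule]]:
    """Across NSGs the rules are NOT merged. Inbound: subnet NSG, then NIC NSG.
    Outbound: NIC NSG, then subnet NSG. Every NSG present must allow the flow;
    the first Deny ends evaluation. Returns (verdict, which NSG, deciding rule)."""
    stages = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if flow.direction == "Outbound":
        stages.reverse()
    decided: tuple[str, Optional[Rule]] = ("none", None)   # no NSG anywhere -> allowed
    for where, rules in stages:
        if rules is None:          # this level has no NSG associated
            continue
        rule = evaluate_nsg(rules, flow)
        if rule.access == "Deny":
            return ("Deny", where, rule)
        decided = (where, rule)
    return ("Allow", decided[0], decided[1])

# The scenario from section 5: subnet NSG allows 443 inbound, NIC NSG denies it.
SUBNET_NSG = default_rules() + [Rule("AllowHttps", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443")]
NIC_NSG = default_rules() + [Rule("DenyHttps", 100, "Inbound", "Deny", "Tcp", "*", "*", "*", "443")]

def scenario_https() -> tuple[str, str, Optional[Rule]]:
    """Internet client to the VM on 443: subnet Allow, then NIC Deny -> blocked."""
    return evaluate_effective(SUBNET_NSG, NIC_NSG, Flow("Inbound", "Tcp", "203.0.113.10", 51000, "10.0.1.4", 443))

def scenario_http() -> tuple[str, str, Optional[Rule]]:
    """Port 80 from the Internet: no custom rule matches, so the subnet NSG's DenyAllInBound catches it."""
    return evaluate_effective(SUBNET_NSG, NIC_NSG, Flow("Inbound", "Tcp", "203.0.113.10", 51000, "10.0.1.4", 80))

if __name__ == "__main__":
    for verdict, where, rule in (scenario_https(), scenario_http()):
        print(f"{verdict} by {where} NSG, rule {rule.name} (priority {rule.priority})")
```

Run it and it reports which NSG and which rule decided the port 443 and port 80 flows. Moving the Deny to the subnet NSG, or changing the flow direction, shows the two facts the exam questions turn on: each NSG is evaluated on its own in priority order, and the flow must be allowed by every NSG it passes through.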

6. Key Exam Points to Remember

  • Effective rules = the full set of rules, from both the subnet NSG and the NIC NSG, that apply to a VM.
  • Priority matters: lower numbers are evaluated first, and within an NSG the first matching rule wins, whether it is Allow or Deny (priorities are unique within an NSG, so two rules never tie).
  • Rules from the subnet NSG and the NIC NSG are not merged: traffic must be allowed by both, so a Deny in either one blocks it.
  • Inbound traffic is evaluated against the subnet NSG and then the NIC NSG; outbound traffic against the NIC NSG and then the subnet NSG.
  • Default rules (priorities 65000 to 65500) exist in every NSG, and custom rules (100 to 4096) are always evaluated ahead of them.
  • Use "Effective security rules" in the Azure portal to troubleshoot connectivity.

7. Tips for the Exam

  • Be able to read a table of NSG rules and determine if traffic is allowed or denied.
  • Understand how multiple NSGs and priorities work together.
  • Know the default NSG rules and their priorities.
  • Remember: effective security rules are what really matters for network access, not just individual NSG rules.

This topic is very exam-focused because Microsoft often asks:

“Given these NSG rules and priorities, is traffic allowed or denied?”

Being able to analyze and evaluate effective rules is key to passing this section.
