Create and configure NSG inbound and outbound rules

5.1 Network Security Groups (NSGs) and ASGs

📘Microsoft Azure Networking Solutions (AZ-700)


Overview

A Network Security Group (NSG) is Azure's basic stateful packet filter at layers 3 and 4. You associate an NSG with a subnet or with a VM's network interface (NIC), and it filters traffic to and from the virtual machines behind that subnet or NIC.

NSGs use rules to allow or deny traffic based on:

  • Source (where the traffic comes from: an IP range, a service tag such as VirtualNetwork or Internet, or an ASG; plus a source port, which is almost always Any)
  • Destination (where the traffic goes: an IP range, a service tag, or an ASG)
  • Destination port (which service/port the traffic is trying to reach)
  • Protocol (TCP, UDP, ICMP, or Any)

NSG Components

  1. Inbound rules – control incoming traffic to a resource.
  2. Outbound rules – control outgoing traffic from a resource.

Each rule has a priority number (unique within its direction), a name, protocol, source, destination, port range, and action (Allow/Deny). NSGs are stateful: if an inbound rule allows a connection, the reply packets are allowed out automatically, so you never write a matching outbound rule for return traffic (and the same holds in reverse for outbound connections).


Step 1: Understand Rule Priority

  • NSG rules are evaluated in ascending order of priority number.
  • Custom rules use priorities 100–4096; the built-in default rules sit behind them at 65000, 65001, and 65500.
  • A lower number means higher priority, and the number must be unique within a direction in a given NSG.
  • First match wins: once a packet matches a rule, the NSG stops evaluating and applies that rule's action.
  • Caveat: if a VM has an NSG on its subnet and another on its NIC, inbound traffic is evaluated by the subnet NSG first and then the NIC NSG; outbound traffic is evaluated by the NIC NSG first and then the subnet NSG. Both must allow the traffic for it to pass, so an allow rule in only one of them is not enough.

For the exam, remember: the lower priority number wins.


Step 2: Default NSG Rules

Every NSG has six default rules. They cannot be deleted or edited, but a custom rule with a lower priority number overrides them:

| Direction | Priority | Rule Name | Source → Destination | Action | Purpose |
| --- | --- | --- | --- | --- | --- |
| Inbound | 65000 | AllowVNetInBound | VirtualNetwork → VirtualNetwork | Allow | Allows traffic from inside the virtual network |
| Inbound | 65001 | AllowAzureLoadBalancerInBound | AzureLoadBalancer → Any | Allow | Allows Azure Load Balancer health probes |
| Inbound | 65500 | DenyAllInBound | Any → Any | Deny | Denies all other incoming traffic |
| Outbound | 65000 | AllowVnetOutBound | VirtualNetwork → VirtualNetwork | Allow | Allows outbound traffic to the virtual network |
| Outbound | 65001 | AllowInternetOutBound | Any → Internet | Allow | Allows outbound traffic to the internet |
| Outbound | 65500 | DenyAllOutBound | Any → Any | Deny | Denies all other outgoing traffic |

Caveat: the VirtualNetwork service tag is wider than "the same VNet". It also covers peered virtual networks and on-premises address ranges reachable through a VPN or ExpressRoute gateway, so AllowVNetInBound admits traffic from all of those. To block any of it, add an explicit Deny rule with a priority number below 65000.

Exam tip: Default rules exist, cannot be removed, and are overridden by any custom rule with a lower priority number.
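To make Step 1 and Step 2 concrete, here is an added Python model of how an NSG decides a packet's fate: rules are sorted by priority number, the first match wins, the six default rules sit behind every custom rule, and a subnet NSG and a NIC NSG must both allow. This is example code, not from the notes or from Azure. The VNet address space (10.0.0.0/8), the VM address, the custom rules, and the reduction of service tags to simple prefix checks are all assumptions made for the illustration.

```python
"""Model of NSG rule evaluation: ascending priority, first match wins,
default rules (65000/65001/65500) behind every custom rule.
Added example, not part of the notes; addresses and rules are constructed."""
import ipaddress
from collections import namedtuple

ANY = "*"
VNET = ipaddress.ip_network("10.0.0.0/8")        # assumed VNet address space
LB_PROBE = ipaddress.ip_address("168.63.129.16")  # Azure Load Balancer probe source

# priority: 100-4096 custom, 65000+ default; direction: Inbound/Outbound;
# access: Allow/Deny; protocol: Tcp/Udp/Icmp/*; dest_ports: "22", "80,443", "8000-8080", "*"
Rule = namedtuple("Rule", "name priority direction access protocol source destination dest_ports")
Packet = namedtuple("Packet", "src_ip dst_ip protocol dst_port")


def addr_matches(prefix, ip):
    """Service tags are simplified to prefix checks here (an assumption)."""
    addr = ipaddress.ip_address(ip)
    if prefix == ANY:
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET
    if prefix == "AzureLoadBalancer":
        return addr == LB_PROBE
    if prefix == "Internet":
        return addr.is_global
    return addr in ipaddress.ip_network(prefix, strict=False)


def port_matches(spec, port):
    """Match a single port, a comma-separated list, or a lo-hi range."""
    if spec == ANY:
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", ANY, "VirtualNetwork", "VirtualNetwork", ANY),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", ANY, "AzureLoadBalancer", ANY, ANY),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", ANY, ANY, ANY, ANY),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", ANY, "VirtualNetwork", "VirtualNetwork", ANY),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", ANY, ANY, "Internet", ANY),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", ANY, ANY, ANY, ANY),
]


def evaluate(custom_rules, direction, pkt):
    """Return (access, rule_name) of the first matching rule, lowest number first."""
    for rule in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if (rule.protocol in (ANY, pkt.protocol)
                and addr_matches(rule.source, pkt.src_ip)
                and addr_matches(rule.destination, pkt.dst_ip)
                and port_matches(rule.dest_ports, pkt.dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAll* always matches")


def effective_access(subnet_rules, nic_rules, direction, pkt):
    """Subnet and NIC NSGs both apply: inbound is checked subnet first, then NIC;
    outbound NIC first, then subnet. Traffic passes only if both allow."""
    order = [subnet_rules, nic_rules] if direction == "Inbound" else [nic_rules, subnet_rules]
    verdict = ("Allow", None)
    for rules in order:
        verdict = evaluate(rules, direction, pkt)
        if verdict[0] == "Deny":
            break
    return verdict


# Constructed rules: the notes' two examples plus a lower-numbered deny.
ALLOW_SSH = Rule("Allow-SSH", 100, "Inbound", "Allow", "Tcp", ANY, ANY, "22")
DENY_SSH_BAD_NET = Rule("Deny-SSH-Bad-Net", 90, "Inbound", "Deny", "Tcp", "198.51.100.0/24", ANY, "22")
DENY_TO_HOST = Rule("Deny-Out-10.1.1.10", 200, "Outbound", "Deny", ANY, "10.0.1.0/24", "10.1.1.10", ANY)


def demo():
    rules = [ALLOW_SSH, DENY_SSH_BAD_NET, DENY_TO_HOST]
    vm = "10.0.1.4"
    return {
        "ssh_from_internet": evaluate(rules, "Inbound", Packet("203.0.113.5", vm, "Tcp", 22)),
        "ssh_from_bad_net": evaluate(rules, "Inbound", Packet("198.51.100.7", vm, "Tcp", 22)),
        "http_from_internet": evaluate(rules, "Inbound", Packet("203.0.113.5", vm, "Tcp", 80)),
        "lb_probe": evaluate(rules, "Inbound", Packet("168.63.129.16", vm, "Tcp", 80)),
        "out_to_blocked_host": evaluate(rules, "Outbound", Packet(vm, "10.1.1.10", "Tcp", 443)),
        "out_to_internet": evaluate(rules, "Outbound", Packet(vm, "93.184.216.34", "Tcp", 443)),
        # subnet NSG allows SSH, NIC NSG has only defaults: the NIC's DenyAllInBound wins
        "subnet_allows_nic_denies": effective_access([ALLOW_SSH], [], "Inbound", Packet("203.0.113.5", vm, "Tcp", 22)),
    }
```

Running demo() shows the exam cases in one place: the deny at 90 beats the allow at 100 for the bad network, HTTP with no custom rule falls through to DenyAllInBound, the probe source is admitted by AllowAzureLoadBalancerInBound, and the outbound deny at 200 overrides AllowVnetOutBound at 65000 for the blocked host. The last case is the subnet-plus-NIC trap: an allow on the subnet NSG alone still ends in a deny.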


Step 3: Creating NSG Rules

When creating custom rules, you need to specify:

  1. Name – e.g., Allow-SSH
  2. Priority – e.g., 100 (100–4096; important for ordering and must be unique within the direction)
  3. Direction – inbound or outbound
  4. Source – IP range, service tag, or application security group (ASG); the source port range is normally Any
  5. Destination – IP range, service tag, the VM's private IP, or ASG
  6. Protocol – TCP, UDP, ICMP, or Any
  7. Destination port range – a single port (e.g., 22 for SSH), a range (e.g., 8000-8080), or a comma-separated list (e.g., 80,443). Note that writing 80-443 opens every port in between, not just HTTP and HTTPS.
  8. Action – Allow or Deny

Example: Inbound Rule

  • Purpose: Allow SSH traffic to a VM
  • Direction: Inbound
  • Source: Any
  • Destination: the VM's private IP, its subnet range, or an ASG containing the VM (the NSG itself is attached to the NIC or the subnet)
  • Protocol: TCP
  • Port: 22
  • Action: Allow
  • Priority: 100

Caution: with Source set to Any, port 22 is reachable from the whole internet, and this is how many VMs end up brute-forced. Outside an exam scenario, restrict the source to your administrative IP range, or reach the VM through Azure Bastion or just-in-time VM access instead of exposing SSH at all.

Example: Outbound Rule

  • Purpose: Block all outbound traffic to a specific IP
  • Direction: Outbound
  • Source: VM subnet
  • Destination: Specific IP (e.g., 10.1.1.10)
  • Protocol: Any
  • Port: Any
  • Action: Deny
  • Priority: 200

Because 200 is lower than 65000, this deny beats the default AllowVnetOutBound rule even when 10.1.1.10 is inside the virtual network.

Exam tip: You must know how inbound and outbound rules differ and that direction matters: a rule for connections initiated from outside the VM goes in the inbound list, while a rule for connections the VM initiates goes in the outbound list, and the reply traffic of either is handled by the NSG's stateful tracking.


Step 4: Configure NSG Rules in the Portal

  1. Go to Azure Portal → Network Security Groups.
  2. Select the NSG you want.
  3. Go to Inbound Security Rules or Outbound Security Rules.
  4. Click Add.
  5. Fill in the fields: name, priority, source, source port ranges, destination, protocol, destination port ranges, and action.
  6. Click Add (the rule is saved to the NSG).

The same rule can also be created with Azure CLI (az network nsg rule create), with Azure PowerShell (Add-AzNetworkSecurityRuleConfig followed by Set-AzNetworkSecurityGroup), or declared in an ARM/Bicep template, which is the approach to prefer when rules must be reviewed and versioned.

Important: rule changes take effect without restarting or redeploying VMs; allow a short time for the change to propagate before you test it.


Step 5: Best Practices for NSG Rules

  1. Give critical rules the lowest priority numbers, and leave gaps between numbers (100, 110, 120, ...) so you can insert a rule later without renumbering.
  2. Use ASGs when you want rules applied to a group of VMs, not individual IPs, and use service tags (Internet, VirtualNetwork, AzureLoadBalancer, and the per-service tags) instead of hand-maintained public IP lists.
  3. Limit source/destination when possible (don't use Any unless needed), and never allow management ports such as 22 or 3389 from Any.
  4. Audit rules regularly: use Network Watcher's effective security rules view to see what actually applies to a NIC after subnet and NIC NSGs are combined, and NSG flow logs to see which rules are hit.
  5. Use descriptive names for clarity (e.g., Allow-HTTP-Inbound).
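The fields from Step 3 and the practices from Step 5 can be enforced before a rule ever reaches the portal. The Python below is an added example, not from the notes or from Azure: it writes the two Step 3 rules as entries for properties.securityRules of a Microsoft.Network/networkSecurityGroups ARM resource, then lints them for a priority outside 100–4096, a duplicate priority within a direction, an unparsable port specification, and an administrative port allowed from Any. The lint checks, the 10.0.0.0/26 bastion subnet, the NSG name and the apiVersion are assumptions made for the example.

```python
"""Author NSG rules as code and lint them before deployment.
Added example, not from the notes. Checks and thresholds are the author's
choice for the illustration, not Azure-enforced rules (except the 100-4096 range)."""
import json

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never expose these to a "*" source


def security_rule(name, priority, direction, access, protocol,
                  source="*", destination="*", dest_ports="*", source_ports="*"):
    """One entry for properties.securityRules in an ARM/Bicep NSG resource."""
    return {
        "name": name,
        "properties": {
            "priority": priority,
            "direction": direction,
            "access": access,
            "protocol": protocol,
            "sourceAddressPrefix": source,
            "sourcePortRange": source_ports,
            "destinationAddressPrefix": destination,
            "destinationPortRange": dest_ports,
        },
    }


def parse_ports(spec):
    """Expand '22', '80,443' or '8000-8080' into a set; None means wildcard."""
    if spec == "*":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def lint(rules):
    """Return a list of (rule_name, message) findings; an empty list means clean."""
    findings = []
    seen = {}  # (direction, priority) -> rule name
    for r in rules:
        p = r["properties"]
        key = (p["direction"], p["priority"])
        if not 100 <= p["priority"] <= 4096:
            findings.append((r["name"], "priority must be 100-4096 for custom rules"))
        if key in seen:
            findings.append((r["name"], f"priority {p['priority']} already used by {seen[key]} ({p['direction']})"))
        seen.setdefault(key, r["name"])
        try:
            ports = parse_ports(p["destinationPortRange"])
        except ValueError as e:
            findings.append((r["name"], str(e)))
            continue
        exposes_admin = ports is None or ports & ADMIN_PORTS
        if (p["direction"] == "Inbound" and p["access"] == "Allow"
                and p["sourceAddressPrefix"] in ("*", "Internet") and exposes_admin):
            findings.append((r["name"], "admin port allowed from any source; restrict the source"))
    return findings


def nsg_resource(name, location, rules):
    """Wrap the rules in an ARM resource definition (apiVersion is an assumption)."""
    return {
        "type": "Microsoft.Network/networkSecurityGroups",
        "apiVersion": "2023-09-01",
        "name": name,
        "location": location,
        "properties": {"securityRules": rules},
    }


# The notes' two examples as written (SSH from Any) plus a hardened variant
# whose source is an assumed bastion subnet.
ALLOW_SSH_ANY = security_rule("Allow-SSH", 100, "Inbound", "Allow", "Tcp", "*", "*", "22")
ALLOW_SSH_BASTION = security_rule("Allow-SSH-From-Bastion", 100, "Inbound", "Allow", "Tcp", "10.0.0.0/26", "*", "22")
DENY_TO_HOST = security_rule("Deny-Out-10.1.1.10", 200, "Outbound", "Deny", "*", "10.0.1.0/24", "10.1.1.10", "*")


def demo():
    """Lint the rules as the notes give them, then the hardened set, and render the template."""
    as_written = lint([ALLOW_SSH_ANY, DENY_TO_HOST])
    hardened = lint([ALLOW_SSH_BASTION, DENY_TO_HOST])
    template = nsg_resource("nsg-web", "eastus", [ALLOW_SSH_BASTION, DENY_TO_HOST])
    return as_written, hardened, json.dumps(template, indent=2)
```

The first lint run flags Allow-SSH for exposing port 22 to Any; swapping the source for the bastion subnet clears it, and the JSON returned by demo() can be dropped into the resources array of an ARM template or translated line for line into Bicep.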

Step 6: Exam Key Points

  • Inbound rules: Control traffic coming into a resource.
  • Outbound rules: Control traffic leaving a resource.
  • Priority numbers: Lower number = higher priority; custom rules use 100–4096.
  • Action: Allow or Deny; the first matching rule decides.
  • Default rules exist (65000, 65001, 65500) but can be overridden by custom rules with lower numbers.
  • NSGs are stateful: return traffic for an allowed connection is permitted automatically.
  • ASGs and service tags can be used as source/destination in rules.
  • Direction matters – inbound vs outbound – and when a subnet NSG and a NIC NSG both apply, both must allow the traffic.

Remember, for the exam, you may be asked to:

  • Create an NSG rule to allow or block traffic.
  • Determine which rule takes precedence.
  • Decide whether the rule should be inbound or outbound.

Summary Table: Inbound vs Outbound

| Feature | Inbound | Outbound |
| --- | --- | --- |
| Direction | Traffic coming to the VM | Traffic leaving from the VM |
| Exam focus | Allow access (e.g., SSH, HTTP) | Control outgoing traffic (e.g., block malicious IPs) |
| Default rule | Deny all inbound (except VirtualNetwork and AzureLoadBalancer) | Deny all outbound (except VirtualNetwork and Internet) |