A Network Security Group (NSG) filters network traffic to and from Azure resources in an Azure virtual network. An NSG contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. Each rule specifies a source and destination, a port, and a protocol.
Network security group rules are evaluated in priority order using the 5-tuple (source, source port, destination, destination port, and protocol) to allow or deny the traffic. Each rule is specified with the following properties:
- Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because a lower number means a higher priority. Once traffic matches a rule, processing stops. As a result, a rule with a lower priority (higher number) whose attributes are already matched by a higher-priority rule is never reached.
- Source or destination: Any, an individual IP address, or a classless inter-domain routing (CIDR) block (10.0.0.0/24, for example).
- Protocol: TCP, UDP, or Any, which includes TCP, UDP, and ICMP. You cannot specify ICMP alone, so if you require ICMP, use Any.
- Direction: Whether the rule applies to inbound or outbound traffic.
- Port/Port Range: You can specify an individual or range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules.
- Action: Allow or deny.
By default, for any port, an NSG allows all traffic from VirtualNetwork to VirtualNetwork, allows all traffic from AzureLoadBalancer to any host, and denies all other traffic from any source to any host.
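As an added example that is not part of the original page, the following Python simulator evaluates an inbound 5-tuple against custom rules and the default rules in priority order, stopping at the first match, so shadowed rules and the "Any includes ICMP" behaviour can be checked before a rule set is deployed. The service-tag address ranges, the custom rules and the sample traffic are constructed assumptions, and the source port is treated as Any.

```python
# Added example (not the page's or Azure's own code): a minimal simulator of
# NSG inbound rule evaluation. Rules are sorted by priority, the first match
# wins, and the platform default rules are always evaluated last.
from ipaddress import ip_address, ip_network

# Constructed approximations of the service tags used by the default rules.
TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}

def _addr_match(spec, addr):
    if spec == "Any":
        return True
    prefixes = TAGS.get(spec, [spec])        # a tag expands to its prefixes
    return any(ip_address(addr) in ip_network(p) for p in prefixes)

def _port_match(spec, port):
    if spec == "Any":
        return True
    lo, _, hi = spec.partition("-")          # "80" or "10000-10005"
    return int(lo) <= port <= int(hi or lo)

def _proto_match(spec, proto):
    return spec == "Any" or spec == proto     # Any covers TCP, UDP and ICMP

# Default inbound rules, modelled at priorities above the 100-4096 user range.
DEFAULT_INBOUND = [
    (65000, "VirtualNetwork", "VirtualNetwork", "Any", "Any", "Allow"),
    (65001, "AzureLoadBalancer", "Any", "Any", "Any", "Allow"),
    (65500, "Any", "Any", "Any", "Any", "Deny"),
]

# Constructed custom rules: the Allow at 100 shadows the Deny at 200 for
# TCP/80 from 203.0.113.0/24, so the Deny is never reached.
CUSTOM = [
    (100, "203.0.113.0/24", "Any", "80", "TCP", "Allow"),
    (200, "203.0.113.0/24", "Any", "80", "TCP", "Deny"),
    (300, "Any", "10.0.1.0/24", "10000-10005", "Any", "Allow"),
]

def evaluate(rules, src, dst, dst_port, proto):
    """Return (action, priority) of the first rule matching the traffic.
    Rule tuple: (priority, source, destination, port, protocol, action)."""
    for prio, s, d, p, pr, action in sorted(rules + DEFAULT_INBOUND):
        if (_addr_match(s, src) and _addr_match(d, dst)
                and _port_match(p, dst_port) and _proto_match(pr, proto)):
            return action, prio            # processing stops at the first match
    raise RuntimeError("unreachable: the final Deny rule matches everything")

if __name__ == "__main__":
    print(evaluate(CUSTOM, "203.0.113.7", "10.0.1.4", 80, "TCP"))   # ('Allow', 100)
```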