A network security group in Azure can be used to filter network traffic to and from Azure resources within a virtual network in Azure. A network security group contains security rules that allow or deny inbound network traffic to or outbound network traffic from various types of Azure resources. A network security group can be used to protect multiple types of Azure resources. You can specify the source and destination, as well as the port and protocol, for each rule.
This article describes the properties of a network security group rule, the default security rules that are applied, and the rule properties that can be modified to create an augmented security rule. It also describes the default security rules that are applied.
Security rules A network security group can contain zero or as many rules as desired, as long as they do not exceed the limits of the Azure subscription. Each rule specifies one or more of the following characteristics:
RULES FOR SECURITY
Property Explanation \sName
A name that is distinct within the network security group.
Priority
There are 4096 digits in a number between 100 and 4096. Rules are processed in priority order, with lower numbers being processed before higher numbers because lower numbers have a higher priority than higher numbers, and vice versa. Once a piece of the traffic matches a rule, processing comes to a halt. Therefore, any rules with lower priorities (higher numbers) that have the same attributes as rules with higher priorities (or vice versa) will be skipped over.
Whether the source or the destination
It can be any, or a single IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group, or it can be a single IP address or an individual IP address. The private IP address assigned to the resource should be specified if an address for an Azure resource is specified. The processing of network security groups occurs after Azure converts a public IP address to a private IP address for inbound traffic and before Azure converts a private IP address to a public IP address for outbound traffic By specifying a range, a service tag, or an application security group, you can reduce the number of security rules you need to create. It is referred to as augmented security rules when you can specify multiple individual IP addresses and ranges in a rule (you cannot specify multiple service tags or application groups). The creation of enhanced security rules is restricted to network security groups that have been created using the Resource Manager deployment model. In network security groups created using the classic deployment model, you are unable to specify multiple IP addresses or IP address ranges at the same time.
You have the option of specifying a single port or a range of ports. If you want to specify 80, you could specify 10000-10005. By specifying ranges, you can reduce the number of security rules you need to create. The creation of enhanced security rules is restricted to network security groups that have been created using the Resource Manager deployment model. In network security groups created using the classic deployment model, you are unable to specify multiple ports or port ranges in a single security rule because of this limitation.
When traffic is allowed or denied by a network security group, the security rules are evaluated according to their priority using the 5-tuple information (source, source port, destination, destination port, and protocol). It is not permitted to create two security rules that have the same priority and direction as one another. In the case of existing connections, a flow record is created. Based on the connection state of the flow record, communication is either permitted or prohibited. The flow record enables a network security group to function in a stateful manner. In the case of an outbound security rule directed at any address over port 80, for example, it is not necessary to specify an inbound security rule for the response to the outbound traffic as a result of this. An inbound security rule is only required if the communication is initiated from outside the organization. It is also true in the other direction. Unless inbound traffic over a port is prohibited, it is not necessary to specify an outbound security rule for the port to respond to traffic over the port.
Existing connections may not be disrupted if a security rule that enabled the flow is removed from the configuration. When connections are terminated and no traffic is flowing in either direction for at least a few minutes, traffic flows are disrupted and traffic flows are terminated.
When you create a network security group, there are restrictions on the number of security rules that can be created. For more information, see Azure limits.
