Key concepts (quick summary)
- Azure evaluates subnet-level NSG and NIC-level NSG separately, then intersects their results.
- For traffic to be allowed, at least one rule in each NSG must permit the traffic (this can be a user-defined allow or a system default allow).
- If either NSG explicitly denies or implicitly denies (no allow rule), the traffic is blocked.
Traffic evaluation order
Understanding the order helps reason about how Azure checks packets, though the final result is always the intersection of both NSGs.
Note: The above order affects how you trace which rule matched first in logs or diagnostics, but it does not change the rule intersection logic — both NSGs must allow traffic.
Common scenarios (what the effective decision becomes)
Remember: effective rules reflect the combined outcome of both subnet and NIC NSGs. A single deny in either NSG blocks the traffic even if the other NSG allows it.
Why effective rules matter
- They simplify troubleshooting: instead of manually inspecting priorities and rules across multiple NSGs, you can view the NIC’s effective rules to see the exact rule set that applies.
- They clarify conflicts: effective rules show when an allow in one NSG gets overridden by a deny in the other.
- They help validate security posture: you can confirm which traffic is permitted or blocked at the NIC level before troubleshooting connectivity or implementing new rules.
How to inspect effective rules
You can view effective NSG rules in the Azure Portal or via CLI/PowerShell:- Azure Portal: Navigate to the VM → Networking → click the NIC → “Effective security rules” (or use the “Network Interface” resource and select Effective security rules).
- Azure CLI example:
- Use
az network nic show-effective-nsg --name <nic-name> --resource-group <rg>(refer to Azure CLI docs for exact flags).
- Use
- Azure PowerShell example:
- Use
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName <nic-name> -ResourceGroupName <rg>(refer to Azure PowerShell docs for exact usage).
- Use
Troubleshooting tips
- Check both NSGs (subnet and NIC) for explicit denies or high-priority rules that might block traffic.
- Confirm the effective rules in the portal to quickly identify which rule(s) matched.
- Remember default NSG rules exist (e.g., Azure platform rules); these can allow or deny traffic if no custom rules match.
- When testing, ensure the rule priorities and source/destination ranges are correct and that you’re inspecting the same direction (inbound vs outbound) as the failing traffic.
Next steps
- Learn how to create and manage NSG rules to control traffic precisely.
- Use effective rules to validate and iterate on security configurations before and after deployment.
Links and references
- Azure NSG overview
- How to view effective network security groups in Azure Portal
- Azure CLI documentation
- Azure PowerShell documentation