Explains Azure Network Security Groups, their rule properties, associations with subnets and NICs, priority evaluation, default and custom rules, and best practices for securing virtual network traffic.
Network Security Groups (NSGs) control network traffic to and from resources inside an Azure virtual network. An NSG contains an explicit list of security rules that either allow or deny inbound and outbound traffic.It works by listing security rules that explicitly allow or deny inbound and outbound traffic.
You can associate an NSG with a subnet (to control traffic for multiple virtual machines) or with a virtual machine’s network interface (NIC) to control traffic for a single VM. An NSG itself can be associated with multiple subnets and NICs across your subscription. Note that each subnet or NIC can have at most one NSG associated. When both a subnet and a NIC have NSGs, their rules are evaluated together and the rule with the lowest numeric priority that matches the traffic determines the outcome.Security rules in an NSG define exactly which traffic is permitted or blocked. Azure includes several built-in default security rules that establish baseline behavior; these default rules cannot be deleted, but you can override them by adding custom rules with a higher priority (a lower numeric priority value).Each rule is composed of properties such as priority, name, direction, protocol, source, destination, ports, and an action (Allow or Deny). Additional important rule fields include:
Priority — an integer between 100 and 4096; lower numbers are higher priority and are evaluated before higher numbers.
Direction — Inbound or Outbound.
Protocol — TCP, UDP, or Any.
Source / Destination — IP address prefixes, service tags (for Azure ranges like Internet or VirtualNetwork), or Application Security Groups (ASGs).
Source / Destination port ranges.
Access — Allow or Deny.
Description — optional human-readable text.
Priority values range from 100 to 4096; a rule with priority 100 is evaluated before one with priority 200. Because default rules exist with predefined priorities, choose custom priorities carefully so your rule takes effect as intended.
You can create custom rules to match your security requirements — for example, opening RDP on port 3389 but restricting the source to a specific IP range. Below is an example Azure CLI command that creates a rule allowing RDP from a single IP address:
Beyond defaults, use service tags and Application Security Groups to simplify management at scale and to avoid hard-coding many IP addresses. Test your rules carefully, and always follow the principle of least privilege — allow only what’s necessary.Now that you understand how NSG rules work and how they are structured, this article continues with practical configuration examples and best practices for designing NSG rule sets.