CloudWiki
Resource

Network Security Group

Microsoft Azure
Networking
Azure Network Security Group (NSG) is a security feature that enables users to control network traffic to resources in an Azure Virtual Network. NSG acts as a virtual firewall, allowing or denying network traffic based on user-defined rules. Azure NSG provides a way to filter network traffic at the subnet or virtual machine level within a virtual network. It allows users to create inbound and outbound security rules that define the traffic that is allowed or denied based on criteria such as source IP address, destination IP address, protocol, and port number. NSG rules can be applied to a virtual network subnet or a specific virtual machine. Users can create custom rules to allow or deny traffic, and can also use pre-defined rules provided by Azure. NSG also integrates with Azure Application Security Groups, enabling users to create rules based on application and workload-specific requirements. Azure NSG provides an additional layer of security to Azure Virtual Networks, allowing users to implement granular security policies to control inbound and outbound traffic to their resources. It helps protect against network-based attacks and unauthorized access to resources, making it an important component of network security in Azure.‍
Terraform Name
terraform
azurerm_network_security_group
Network Security Group
attributes:

The following arguments are supported:

  • name - (Required) Specifies the name of the network security group. Changing this forces a new resource to be created.
  • resource_group_name - (Required) The name of the resource group in which to create the network security group. Changing this forces a new resource to be created.
  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
  • security_rule - (Optional) List of objects representing security rules, as defined below.

NOTE

Since security_rule can be configured both inline and via the separate azurerm_network_security_rule resource, we have to explicitly set it to empty slice ([]) to remove it.

  • tags - (Optional) A mapping of tags to assign to the resource.

A security_rule block support:

  • name - (Required) The name of the security rule.
  • description - (Optional) A description for this rule. Restricted to 140 characters.
  • protocol - (Required) Network protocol this rule applies to. Possible values include Tcp, Udp, Icmp, Esp, Ah or * (which matches all).
  • source_port_range - (Optional) Source Port or Range. Integer or range between 0 and 65535 or * to match any. This is required if source_port_ranges is not specified.
  • source_port_ranges - (Optional) List of source ports or port ranges. This is required if source_port_range is not specified.
  • destination_port_range - (Optional) Destination Port or Range. Integer or range between 0 and 65535 or * to match any. This is required if destination_port_ranges is not specified.
  • destination_port_ranges - (Optional) List of destination ports or port ranges. This is required if destination_port_range is not specified.
  • source_address_prefix - (Optional) CIDR or source IP range or * to match any IP. Tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used. This is required if source_address_prefixes is not specified.
  • source_address_prefixes - (Optional) List of source address prefixes. Tags may not be used. This is required if source_address_prefix is not specified.
  • source_application_security_group_ids - (Optional) A List of source Application Security Group IDs
  • destination_address_prefix - (Optional) CIDR or destination IP range or * to match any IP. Tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used. This is required if destination_address_prefixes is not specified.
  • destination_address_prefixes - (Optional) List of destination address prefixes. Tags may not be used. This is required if destination_address_prefix is not specified.
  • destination_application_security_group_ids - (Optional) A List of destination Application Security Group IDs
  • access - (Required) Specifies whether network traffic is allowed or denied. Possible values are Allow and Deny.
  • priority - (Required) Specifies the priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.
  • direction - (Required) The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are Inbound and Outbound.

Associating resources with a
Network Security Group
Resources do not "belong" to a
Network Security Group
Rather, one or more Security Groups are associated to a resource.
Create
Network Security Group
via Terraform:
The following HCL manages a network security group that contains a list of network security rules
Syntax:

resource "azurerm_resource_group" "example" {
 name     = "example-resources"
 location = "West Europe"
}

resource "azurerm_network_security_group" "example" {
 name                = "acceptanceTestSecurityGroup1"
 location            = azurerm_resource_group.example.location
 resource_group_name = azurerm_resource_group.example.name

 security_rule {
   name                       = "test123"
   priority                   = 100
   direction                  = "Inbound"
   access                     = "Allow"
   protocol                   = "Tcp"
   source_port_range          = "*"
   destination_port_range     = "*"
   source_address_prefix      = "*"
   destination_address_prefix = "*"
 }

 tags = {
   environment = "Production"
 }
}

Create
Network Security Group
via CLI:
Parametres:

az network nsg create --name
                     --resource-group
                     [--location]
                     [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                     [--tags]

Example:

az network nsg create -g MyResourceGroup -n MyNsg --tags foo=bar

aws cost
Costs
Direct Cost
Indirect Cost
No items found.
Best Practices for
Network Security Group

Categorized by Availability, Security & Compliance and Cost

Low
Access allowed from VPN
No items found.
Low
Auto Scaling Group not in use
No items found.
Medium
Connections towards DynamoDB should be via VPC endpoints
No items found.
Medium
Container in CrashLoopBackOff state
No items found.
Low
EC2 with GPU capabilities
No items found.
Medium
EC2 with high privileged policies
No items found.
Medium
ECS cluster delete alarm
No items found.
Critical
ECS task with Admin access (*:*)
Medium
ECS task with high privileged policies
No items found.
Critical
EKS cluster delete alarm
No items found.
Medium
ElastiCache cluster delete alarm
No items found.
Medium
Ensure Container liveness probe is configured
No items found.
Medium
Ensure ECS task definition has memory limit
No items found.
Critical
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Microsoft Azure