CloudNetworking.io
Home / Azure / Azure Network Security Groups
Azure Networking Resource

Azure Network Security Groups (NSG)

Azure Network Security Groups, usually called NSGs, are one of the most important traffic control tools in Azure networking. They let you allow or deny inbound and outbound traffic using rule-based filtering.

If Azure VNet gives you the private network and subnets give you structure, then NSGs give you traffic control. They help decide what should be allowed, what should be blocked, and where those rules should apply.

This page explains Azure NSGs in practical terms, with rule priority examples, port and IP matching logic, subnet and NIC association guidance, real-world use cases, common mistakes, troubleshooting tips, and official Azure documentation links.

Start Learning Build NSGs with Terraform Azure Official Docs

What is Azure Network Security Group?

An Azure Network Security Group is a rule-based security control used to filter network traffic in Azure. It allows you to define inbound and outbound rules based on source, destination, protocol, and port.

In simple terms, an NSG is like a traffic checkpoint. It checks packets against a list of rules and decides whether to allow or deny them.

NSGs are commonly associated with Azure subnets or with individual network interfaces attached to virtual machines and other workloads.

Main purpose Filter inbound and outbound traffic with rule-based controls.
Why it matters It helps enforce security boundaries inside Azure networking.
Typical use Allow app traffic, restrict database access, and block unwanted network paths.
Quick understanding: If a subnet groups resources together, an NSG decides what traffic those resources should be allowed to send or receive.

Why Azure NSG matters

Azure networking without traffic filtering quickly becomes messy or unsafe. NSGs matter because they bring structure to security decisions and help reduce unnecessary exposure between workloads.

Traffic control

NSGs help define which traffic should be allowed and which should be denied.

Security boundaries

They help create clear lines between web, app, database, management, and other workload zones.

Operational clarity

Well-structured NSG rules make it easier for teams to understand intended connectivity.

Safer defaults

Instead of broad access everywhere, NSGs support more intentional and limited traffic paths.

Reusable patterns

NSG designs can often be repeated across environments like dev, test, and production.

Troubleshooting value

Because NSGs are rule-based, they provide a clear place to inspect traffic permission logic.

Important idea: NSGs do not replace overall architecture design, but they are one of the most practical controls for shaping safe traffic flow inside Azure.

Azure NSG in the 5 Ws

What is Azure NSG?

It is a rule-based traffic filter in Azure used to allow or deny inbound and outbound network traffic.

Why do teams use it?

Teams use NSGs to reduce exposure, control connectivity, and apply security intent to subnets or individual workloads.

When should you use it?

Almost any non-trivial Azure environment should use NSGs somewhere, especially when different workload types need different access patterns.

Where does it fit?

It fits at subnet level, NIC level, or both, depending on how granular you need the traffic control to be.

Who works with it?

Cloud engineers, DevOps teams, Azure administrators, network engineers, platform teams, and security teams all work with NSGs.

How does it work?

Azure evaluates NSG rules in priority order and checks whether a packet matches the rule conditions. The first matching rule determines whether that traffic is allowed or denied.

How Azure NSGs work

Azure NSGs contain inbound and outbound security rules. Each rule usually evaluates:

  • source IP address or source range
  • source port
  • destination IP address or destination range
  • destination port
  • protocol such as TCP, UDP, or Any
  • priority number
  • action, such as Allow or Deny

When traffic tries to enter or leave a resource, Azure compares the packet against NSG rules in priority order. The first rule that matches is applied. 

Traffic flow idea

Incoming packet
   ↓
Check NSG rules by priority
   ↓
Match source, destination, protocol, and ports
   ↓
First matching rule wins
   ↓
Allow or Deny
Simple idea: Azure does not evaluate every rule and then decide. It stops at the first matching rule based on priority order.

Rule components: IPs, ports, and protocol explained

Many NSG problems happen because people remember “allow or deny” but forget that Azure matches traffic using several fields together. A rule is not only about opening a port. It is about which source can use which protocol and port to reach which destination.

Rule field What it means Example
Source The IP, subnet, service tag, or address range where the traffic starts 10.10.2.0/24, Internet, VirtualNetwork
Source port The port used on the sender side. Often left as Any in many application rules Any, 44321
Destination The IP, subnet, NIC, or range where the traffic is going 10.10.3.4, 10.10.3.0/24
Destination port The service port being accessed on the target 443, 80, 22, 3389, 1433
Protocol The transport protocol the rule applies to TCP, UDP, Any
Priority The order in which Azure evaluates the rule 100, 200, 300
Action Whether the traffic is allowed or denied if the rule matches Allow, Deny

Why source and destination IPs matter

A rule that allows port 443 is not enough if the source is wrong. For example, you may want to allow HTTPS only from the internet to a web subnet, but not from every internal subnet to every internal resource. The source field decides who is allowed to initiate that traffic.

Why destination port matters more than people think

In many app designs, the important port is the destination port. For example:

  • HTTPS traffic usually targets destination port 443
  • HTTP traffic usually targets destination port 80
  • SSH traffic usually targets destination port 22
  • RDP traffic usually targets destination port 3389
  • SQL Server traffic often targets destination port 1433

Why source port is often set to Any

In many common NSG rules, the source port is left as Any because client systems typically use temporary ephemeral source ports. What usually matters most is the destination service port.

Practical reminder: When traffic fails, do not ask only “is port 443 open?” Ask “from which source, to which destination, on which protocol and port, and which rule matches first?”

Common ports you will see in NSG rules

NSGs are often used to control access to common application, management, and database ports. This table helps make the rule logic more practical.

Port Common use Typical NSG meaning
80 HTTP Allow web traffic if the application serves plain HTTP
443 HTTPS Allow secure web traffic to web or application endpoints
22 SSH Allow Linux admin access only from approved management sources
3389 RDP Allow Windows admin access only from approved management sources
1433 SQL Server Allow app tier to reach SQL workloads, not broad public access
3306 MySQL Allow specific application paths to MySQL-based systems
5432 PostgreSQL Allow approved app traffic to PostgreSQL workloads
8080 Alternate web/app port Often used internally by app services or proxies
Best practice: Avoid allowing admin or database ports from broad source ranges unless there is a very strong, temporary, and documented reason.

NSG rules and priority

Rule priority is one of the most important parts of NSG behavior. Lower numbers are evaluated first, so a rule with priority 100 is checked before a rule with priority 200.

Rule name Priority Source Destination port Meaning
Allow-HTTPS 100 Internet 443 Allow inbound HTTPS traffic first
Allow-App-To-DB 150 10.10.2.0/24 1433 Allow app subnet to reach database port before broader deny rules
Deny-Internet 200 Internet Any Deny broader internet traffic after specific allows
Very common mistake: Teams create a rule they think is correct, but it never takes effect because another higher-priority rule matches first.

Why priority matters so much

Rule order controls behavior. Even a very specific allow rule is useless if a broader deny rule with higher priority is matched first.

Subnet-level NSG vs NIC-level NSG

Azure NSGs can be attached to a subnet or to a network interface. Understanding the difference is important for clean design and troubleshooting.

Association type Main purpose Typical use
Subnet-level NSG Applies rules to all resources inside the subnet Common for broad workload-zone policy
NIC-level NSG Applies rules to one specific network interface Useful for resource-specific exceptions or tighter controls

Subnet-level advantage

Cleaner for environment-wide policy and easier to understand at scale.

NIC-level advantage

More granular when one workload needs different treatment from the rest of the subnet.

Important reminder: When both subnet-level and NIC-level NSGs exist, traffic may be affected by both. This is a common source of confusion during troubleshooting.

Common Azure NSG use cases

Allow web traffic only to front-end tier

Permit HTTP or HTTPS from the internet to the web subnet while blocking direct internet access to internal tiers.

Restrict database access

Allow only app-tier source ranges to database destination ports such as 1433 or 5432.

Limit management access

Allow RDP or SSH only from approved administrative source IP ranges or jump hosts.

Environment isolation

Use NSGs to reduce accidental cross-environment traffic where dev, test, and prod must stay separate.

Private application enforcement

Keep internal workloads reachable only from approved sources and not from public traffic paths.

Granular exceptions

Apply NIC-level NSGs to individual workloads that need tighter or slightly different access than the rest of the subnet.

Real-world Azure NSG examples

Example 1: Public web, private app, private database

A company allows internet source traffic to destination port 443 on the web subnet, allows the web subnet to reach the app subnet on destination port 8080, and allows only the app subnet to reach the database subnet on destination port 1433.

Example 2: Restricted admin access

An infrastructure team allows SSH on destination port 22 or RDP on destination port 3389 only from a jump host subnet or approved corporate source range.

Example 3: Shared services environment

A central platform team uses subnet-level NSGs for common rules and applies NIC-level NSGs only for special-case workloads.

Example 4: Internal API platform

APIs in one subnet are exposed only to internal application sources on specific destination ports, not directly to the internet.

Example 5: Enterprise migration workload

During cloud migration, NSGs are used to mimic on-premises segmentation so teams can move applications in phases without exposing all traffic paths by default.

Azure NSG best practices

  • Keep rules as simple and readable as possible.
  • Use clear naming that reflects rule purpose.
  • Document why a rule exists, not just what it does.
  • Be deliberate with priority numbers.
  • Prefer subnet-level consistency unless there is a real need for NIC-level exceptions.
  • Review broad allow rules carefully.
  • Keep production rules tighter than non-production where appropriate.
  • Align NSGs with subnet purpose and architecture intent.
  • Match source IPs, destination IPs, and ports carefully instead of assuming “open port = correct rule.”
  • Regularly review old rules to remove unnecessary exceptions.
Most important best practice: Good NSG design is not about creating many rules. It is about creating clear rules that match the intended traffic model.
Good next step: Once you understand Azure NSGs conceptually, the best way to reinforce learning is to build them with Terraform.

Common Azure NSG mistakes

Wrong rule priority

A correct-looking rule may never work if a higher-priority rule matches first.

Too many broad allow rules

Overly wide rules reduce the value of segmentation and can hide security problems.

Confusing subnet and NIC scope

Teams often forget that traffic may be affected by both levels of NSG association.

Wrong source or destination matching

The correct port alone is not enough if the source IP or destination range does not match the real traffic path.

Poor rule naming

Unclear rule names make future troubleshooting slower and more error-prone.

No architecture alignment

NSGs should support workload design, not become random collections of exceptions.

Troubleshooting Azure NSG issues

When traffic fails in Azure, NSGs are often one of the first places to inspect. But the goal is not only to ask “is the port open?” You also need to check which rule matches first, where the NSG is attached, and whether the source and destination fields are correct.

Basic troubleshooting sequence

  1. Check whether the NSG is attached to the subnet, NIC, or both.
  2. Review inbound and outbound rules separately.
  3. Check rule priorities carefully.
  4. Confirm source and destination addresses match the intended rule.
  5. Confirm the destination port is the actual service port being used.
  6. Review whether route tables or firewalls are also affecting the path.
  7. Check whether the workload is in the subnet you expect.

Useful troubleshooting questions

  • Which rule is matching first?
  • Is the traffic inbound or outbound?
  • Is the NSG applied at subnet level, NIC level, or both?
  • Is the source IP or source subnet actually what you think it is?
  • Is the destination IP, subnet, or destination port actually correct?
  • Could another control like routing or firewall be the real issue?
Troubleshooting mindset

Traffic blocked?
 ├─ Check NSG association
 ├─ Check inbound/outbound direction
 ├─ Check rule priority
 ├─ Check source and destination match
 ├─ Check destination port
 └─ Check route/firewall dependencies
Common trap: Teams often add more allow rules before confirming which existing rule is already matching first.

Frequently asked questions

What is Azure NSG in simple words?

It is a rule-based network traffic filter that decides what traffic should be allowed or denied.

Does Azure NSG work on subnets or NICs?

It can work on either, and in some environments both may affect the same workload.

Why is NSG rule priority important?

Because Azure evaluates rules in priority order, and the first matching rule wins.

Why are ports important in NSG rules?

Because a rule often exists to control access to a specific service, and services usually listen on destination ports such as 443, 22, 3389, or 1433.

Why do source and destination IPs matter?

Because the correct port alone is not enough. Azure must also match the expected source and destination fields for the rule to apply.

Should I use subnet-level or NIC-level NSGs?

Subnet-level rules are usually cleaner for broad patterns, while NIC-level rules are better for special cases or workload-specific exceptions.

Official Microsoft Azure documentation

These official Microsoft Azure references are useful if you want deeper platform details, implementation guidance, and service-specific documentation for Network Security Groups and related Azure networking controls.

Helpful next step: Use the official Microsoft Azure documentation above if you want deeper product details, rule behavior guidance, and troubleshooting workflows for NSGs.