AZ-104 Exam EP 16: Network Security Group

A Guide To Cloud

26 Sept 202008:23

Summary

TLDRIn this Azure Administrator Associate Examination Course module, Sushant Sutish guides through the intricacies of virtual networking, focusing on Network Security Groups (NSGs). The lesson delves into NSG fundamentals, explaining how to create rules for inbound and outbound traffic, and the concept of effective rules. It differentiates between NSGs and Application Security Groups (ASGs), emphasizing ASGs' role in simplifying security policies for groups of servers with similar requirements. The session is designed to be practical, with demonstrations accompanying the theoretical discussion, preparing learners for the next topic: Azure Firewall.

Takeaways

🔒 A Network Security Group (NSG) is a fundamental component of Azure's virtual networking, used to control inbound and outbound network traffic to Azure resources.
📝 NSGs contain a list of security rules that can be customized to allow or deny traffic to and from resources within a virtual network.
🚀 NSGs can be associated with either a subnet or a network interface, providing flexibility in how network traffic is managed.
🏗️ Each subnet can have zero or one associated NSG, and network interfaces within a subnet can also have zero or one associated NSG, allowing for granular control over traffic.
🛡️ Default security rules are provided by Azure within each NSG, which can be overridden by creating rules with higher priorities.
🌐 Understanding the difference between inbound and outbound rules is crucial; inbound rules control traffic coming into a resource, while outbound rules control traffic leaving it.
🔍 Effective Security Rules feature allows administrators to view the cumulative set of rules that apply to a particular network interface, helping to troubleshoot and understand traffic flow.
🎯 When creating NSG rules, it's important to consider the source, port ranges, and priority to ensure accurate traffic filtering.
👥 Application Security Groups (ASGs) offer a higher level of abstraction by grouping servers with similar port filtering requirements, simplifying security policy management.
🔄 NSG rules that reference an ASG as the source or destination are applied only to network interfaces that are members of the ASG, enhancing the precision of traffic control.

Q & A

What is a Network Security Group (NSG)?
-A Network Security Group (NSG) is a list of security rules that allow or deny inbound or outbound network traffic to resources in a virtual network.
What is the difference between an inbound and an outbound rule in NSG?
-Inbound rules control the traffic flowing into a virtual network, while outbound rules control the traffic flowing out of it.
How can Network Security Groups be associated with resources?
-NSGs can be associated with either a subnet or a network interface to control the traffic flow to and from those resources.
What is a DMZ subnet and how does NSG relate to it?
-A DMZ (Demilitarized Zone) subnet is a protected screen subnet that can be created by assigning NSGs to subnets to restrict traffic flow to all machines within that subnet.
What are the default security rules created by Azure within each NSG?
-Azure creates several default security rules within each NSG, including three default inbound rules that deny all inbound traffic except from the virtual network and Azure load balancers, and three default outbound rules that allow outbound traffic only to the internet and the virtual network.
Can default rules in NSG be deleted?
-No, default rules in NSG cannot be deleted, but they can be overridden by creating rules with higher priorities.
What is the purpose of effective security rules in NSG?
-Effective security rules help to determine which security rules are applied when there are multiple NSGs. They are evaluated independently, and an allow rule must exist at both levels for traffic to be admitted.
How does the priority of NSG rules work?
-Rules in NSG are processed in priority order, with the lower the number indicating the higher the priority. It is recommended to leave gaps between rules for easier management, such as using 100, 200, and 300 etc.
What is an Application Security Group (ASG) and how is it different from an NSG?
-An Application Security Group (ASG) is used for grouping servers with similar port filtering requirements, allowing the reuse of security policies at scale without the need for explicit IP addresses. It simplifies the management of complex IP address and multiple rule sets. ASGs are different from NSGs in that they focus on server grouping based on function rather than network traffic filtering.
How are rules applied when using ASGs?
-Rules specifying an ASG as the source or destination are only applied to the network interfaces that are members of the ASG. If a network interface is not a member of an ASG, the rule is not applied to that interface, even if the network security group is associated with the subnet.