Azure Network Security Groups (NSGs) comprise an integral part of Microsoft’s cloud-based security solutions, intended to protect resources within a virtual network. When studying for the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam, you may face several questions regarding this tool. So, let’s delve deeper to understand how NSGs play their role in Azure’s robust security mechanism.

What Are Azure Network Security Groups?

Azure Network Security Groups are used to filter network traffic to and from resources within Azure Virtual Networks (VNet). They allow us to define security rules that allow or deny network traffic in both the inbound and outbound directions. Essentially, they act like a traditional firewall.

NSGs contain security rules that are evaluated in priority order, with rules having lower priority numbers evaluated first. Each NSG can have as many as 1000 security rules.

Types of Security Rules

Each NSG contains two types of security rules – Inbound and Outbound:

  • Inbound rules: These determine the traffic that’s allowed to enter a resource.
  • Outbound rules: These determine the traffic that’s allowed to leave a resource.

For both types of rules, we define:

  • Name: A unique identifier for the rule.
  • Priority: The order of execution (lower number rules take precedence).
  • Source/Destination: Specifies the source/destination address range.
  • Protocol: Determines the network protocol (TCP, UDP, etc.).
  • Direction: Determines whether the rule is for inbound or outbound traffic.

Associating NSGs

A Network Security Group can be associated to:

  • Subnets
  • Individual network interfaces attached to VMs.

The advantage here is granularity of control. Attaching an NSG to a subnet makes its rules apply to every resource in that subnet, while attaching one to an individual network interface tailors the filtering to the VM behind that interface.

Where an NSG is assigned both to a subnet and to a network interface, the rules are applied to the network interface first and then to the subnet.

Security Rule Processing

When network traffic attempts to enter or leave a NIC or subnet with an associated NSG, the following steps happen:

  1. Similar to a firewall, Azure iterates through the rules in ascending order of priority (lowest number first).
  2. For each rule, it compares the properties of the traffic (source address and port, destination address and port, protocol) with the values specified in the rule.
  3. If a match occurs, it applies the corresponding action (allow or deny) and stops evaluating the remaining rules.

This mechanism is how Azure NSGs filter network traffic either entering or leaving a network.

NSG Flow Logs

NSG flow logs are a feature that lets us capture information about the inbound and outbound traffic of a network interface. They are an excellent way to gain visibility into traffic flow in a network and to troubleshoot security and connectivity issues.

The SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam may include questions covering Azure Network Security Groups. Understanding how NSGs operate, how to define security rules, and the manner they can be associated with network resources can significantly boost your chances of excelling in this module of the exam.

Practice Test

True or False: Azure Network Security Groups contain a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet).

  • True

Answer: True

Explanation: Azure Network Security Groups contain security rules that state which traffic is allowed or denied into any network interface in a virtual network.

Which of the following is a main function of Azure Network Security Groups?

  • a) To provide network level protection
  • b) To manage user authentication
  • c) To monitor application performance
  • d) To provide data encryption

Answer: a) To provide network level protection

Explanation: Azure Network Security Groups primarily provide network level protection for resources that are running in a Virtual Network.

True or False: Azure Network Security Groups can have multiple inbound and outbound security rules.

  • True

Answer: True

Explanation: Azure Network Security Groups contain a list of Access Control List (ACL) rules that allow or deny network traffic to subnets, network interfaces, or both.

Which among the following can you protect with Azure Network Security Groups?

  • a) Virtual Networks
  • b) Databases
  • c) Subnets
  • d) both a & c

Answer: d) both a & c

Explanation: Azure Network Security Groups can be associated with either virtual networks (VNets) or subnets within the virtual network.

In terms of Azure Network Security Groups, what is the priority range for security rules?

  • a) 100 to 4096
  • b) 1 to 4096
  • c) 4000 to 4500
  • d) 1 to 9000

Answer: b) 1 to 4096

Explanation: The priority range for security rules in Azure Network Security Groups is 1 to 4096. Lower numbers indicate a higher priority.

True or False: In Azure Network Security Groups, outbound rules enable resources within the server to communicate with the Internet by default.

  • True

Answer: True

Explanation: There are default outbound rules in Azure Network Security Groups that allow resources within the server to communicate out to the Internet.

What is the highest priority a user can set for an Azure Network Security Group rule?

  • a) 500
  • b) 100
  • c) 4095
  • d) 1

Answer: d) 1

Explanation: In Azure Network Security Groups, the highest priority a user can set for a rule is

True or False: Default rules in Azure Network Security Groups can be modified.

  • False

Answer: False

Explanation: The default rules in Azure Network Security Groups cannot be modified by the user.

Which among the following is NOT a type of security rule in Azure Network Security Groups?

  • a) Inbound
  • b) Downstream
  • c) Outbound

Answer: b) Downstream

Explanation: Azure Network Security Groups only recognize rules as either inbound (traffic entering) or outbound (traffic exiting). There’s no downstream type.

True or False: Network Security Groups (NSGs) are stateful, meaning that responses to inbound traffic are allowed, regardless of any outbound rules.

  • True

Answer: True

Explanation: NSGs are stateful. If you create an inbound security rule that allows traffic over a certain port, that port is automatically opened for responses, even if there’s an outbound security rule denying all traffic.

Interview Questions

What is Azure Network Security Group (NSG)?

Azure Network Security Group (NSG) is a feature in Azure that allows you to control the traffic flow in your virtual networks. It acts as a virtual firewall where you can set rules to allow or deny network traffic to resources associated with it.

What types of NSG rules are there in Azure?

There are two types of NSG rules in Azure, inbound and outbound. Inbound rules control the incoming network traffic into your resources whereas outbound rules control the outgoing network traffic.

What elements make up an NSG rule in Azure?

An NSG rule in Azure has several elements including name, priority, source, destination, service, action, and direction.

How does priority in NSG rules work in Azure?

Rules in NSG follow a priority number that ranges from 100 to 4096, with 100 being the highest priority. Azure uses this priority to decide which rule to apply when multiple rules exist that could apply to a network traffic flow.

Can NSGs be associated with both subnets and individual NICs within the same VNet?

Yes, NSGs can be associated with both subnets and individual network interfaces (NICs) attached to the VMs within the same VNet.

How do Azure Network Security Groups help improve security?

Azure Network Security Groups improve security by providing a layer of protection at the subnet level in a virtual network. They enable fine-grained access control over both inbound and outbound network traffic, helping to prevent unwanted access or data breaches.

What is the purpose of the default rules in Azure NSG?

Default rules in Azure NSG are system-defined rules that cannot be removed. They ensure that your resources continue to have basic connectivity with each other and also the Azure platform.

How is network traffic managed if it matches multiple rules in an Azure NSG?

If network traffic matches multiple rules in an Azure NSG, the rule with the lowest priority number is applied. Higher priority rules precede those with lower priority.

Can you modify default rules in Azure NSG?

No, you cannot modify default rules in Azure NSG. However, you can override them by creating custom rules with a higher priority.
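The first-match evaluation described under "Security Rule Processing", and the way a custom rule with a lower priority number overrides an unmodifiable default rule, are illustrated by this added Python model (example code, not Azure's implementation). The VirtualNetwork service tag used by Azure's real AllowVnetInBound default rule is simplified here to a constructed VNet prefix of 10.0.0.0/16, and only the two inbound default rules needed for the demonstration are modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*" for any protocol
    source: str      # CIDR prefix or "*" for any address
    dest_port: str   # port number or "*" for any port

def _addr_matches(prefix, addr):
    if prefix == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def evaluate(rules, direction, protocol, src_ip, dst_port):
    """Walk rules in ascending priority; the first match decides and evaluation stops."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if not _addr_matches(rule.source, src_ip):
            continue
        if rule.dest_port not in ("*", str(dst_port)):
            continue
        return rule.access, rule.name
    return "Deny", "NoMatchingRule"  # not reached while a DenyAll rule at 65500 exists

# Constructed sample NSG. 10.0.0.0/16 stands in for the VirtualNetwork service tag;
# the default rules sit at priority 65000 and above and cannot be edited or removed.
NSG_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "10.0.0.0/16", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    # Custom rules carry lower numbers, so they are consulted before the defaults.
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("DenyVnetSshInBound", 200, "Inbound", "Deny", "Tcp", "10.0.0.0/16", "22"),
]

if __name__ == "__main__":
    for proto, src, port in [("Tcp", "203.0.113.5", 443), ("Tcp", "203.0.113.5", 3389),
                             ("Tcp", "10.0.1.7", 22), ("Tcp", "10.0.1.7", 8080)]:
        print(proto, src, port, "->", evaluate(NSG_RULES, "Inbound", proto, src, port))
```

Port 22 from inside the VNet is denied even though the default rule at 65000 would allow it, because the custom Deny at 200 matches first; port 443 from the Internet is allowed only because the custom rule at 100 precedes DenyAllInBound.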

Why should you use multiple Network Security Groups in Azure?

Multiple Network Security Groups in Azure help better organize and compartmentalize your network traffic rules. For example, you might have one NSG for your front-end subnet (Web Servers) with specific rules and another NSG for your back-end subnet (Database Servers) with a different set of rules.

What is the first step in creating an Azure NSG?

The first step in creating an Azure NSG is to sign in to the Azure portal. Then navigate to the Network Security Groups section, click the Add button, and fill out the necessary information on the Create a network security group page to create the NSG.

Is it possible to use Azure NSGs in a hybrid cloud setup?

Yes, Azure NSGs can also be used in a hybrid cloud setup in conjunction with your on-premises network security solutions, providing a higher level of security.

How does Azure NSG handle stateful and stateless network traffic?

Azure NSG can handle both stateful and stateless network traffic. By default it operates in stateful mode, meaning it automatically allows return traffic from connections initiated from inside the network.

Can Azure NSGs be used with service tags?

Yes, Azure NSGs can be used with service tags to group network traffic by specific types of Azure resources or Azure platform services.

What happens when no NSG is associated with a Virtual Network or subnet in Azure?

When no NSG is associated with a Virtual Network or subnet, all inbound and outbound traffic is allowed by default. This is typically not recommended due to security reasons.
