skip to Main Content

I wish to know how Azure NSGs work when it comes to statefulness and Denys.

For example, let’s compare to AWS security groups.

# Example AWS Security Group inbound/outbound rules
Inbound: Port 80 from the internet
Outbound: Port 443 to the internet

Because of statefulness, even though I only allow 443 outbound implicitly, 80 outbound is allowed due to statefulness.

Do Azure NSGs work the same way? If I have an implicit Deny on all outbound traffic but have an Inbound rule for port 80 from some service, will outbound traffic to that service still be allowed over port 80 even with the implicit outbound deny rule?

Thanks

2

Answers


  1. Yes, Azure NSGs are stateful and work similarly.

    If you specify an outbound security rule to any address over port 80,
    for example, it’s not necessary to specify an inbound security rule
    for the response to the outbound traffic. You only need to specify an
    inbound security rule if communication is initiated externally. The
    opposite is also true. If inbound traffic is allowed over a port, it’s
    not necessary to specify an outbound security rule to respond to
    traffic over the port.
    Network security groups – Security rules

    Login or Signup to reply.
  2. • Kindly do note the below points while creating rules in Network Security Groups.

    a) The NSGs in Azure are Stateful. Meaning that if you open an incoming port, the outgoing port will be open automatically to allow the traffic. Thus, if you create an implicit deny rule for all the outbound traffic, but have an inbound allow rule for port 80 from some service, then this inbound rule will not take effect until it is configured at a priority higher than the ‘Deny’ rule when comparing to the corresponding inbound and outbound rules configured based on priority.

    b) The default rules in a Network Security Group allow for outbound access and inbound access is denied by default. Access within the VNet is allowed by default.

    c) Like normal ACLs, the rules are processed based on a priority.

    d) NSGs can only be used in the Azure region that it was created in.

    e) There is a soft limit of 100 NSGs per subscription and a soft limit of 200 rules per NSG.

    As a result, though the NSGs are stateful, but their effective functionality depends on the priority of the rules set in the Inbound/Outbound rules allow/deny list. The higher priority, the more effective that rule will be, the lesser priority, the lesser probability of it getting effective as it will be overrided by the higher priority rules.

    Kindly refer the below link for more details on the above: –

    https://theithollow.com/2016/08/03/azure-network-security-groups/

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search