# Use NSGs on subnets
Security · Virtual Network · Rule · 2020_06 · Critical
Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.
## Description

Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls that provide network isolation and security within a VNET. A key benefit of NSGs is that they provide network segmentation between and within a subnet.

NSGs can be assigned to a virtual machine network interface or a subnet. When assigning NSGs to a subnet, all network traffic within the subnet is subject to the NSG rules.

There is a small subset of special purpose subnets that do not support NSGs. These subnets are:

- `GatewaySubnet` - used for hybrid connectivity with VPN and ExpressRoute gateways.
- `AzureFirewallSubnet` and `AzureFirewallManagementSubnet` - are for Azure Firewall. Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.
- `RouteServerSubnet` - used by managed routing provided by Azure Route Server.
- Any subnet delegated to a dedicated HSM with `Microsoft.HardwareSecurityModules/dedicatedHSMs`.
## Recommendation

Consider assigning a network security group (NSG) to each virtual network subnet.
## Examples

### Configure with Azure template
To deploy virtual network subnets that pass this rule:

- Set the `properties.networkSecurityGroup.id` property for each supported subnet to an NSG resource id.

For example:

```json
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    },
    "subnets": [
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24"
        }
      },
      {
        "name": "snet-001",
        "properties": {
          "addressPrefix": "10.0.1.0/24",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
          }
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
  ]
}
```
### Configure with Bicep

To deploy virtual network subnets that pass this rule:

- Set the `properties.networkSecurityGroup.id` property for each supported subnet to an NSG resource id.

For example:

```bicep
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
    subnets: [
      {
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.0.0.0/24'
        }
      }
      {
        name: 'snet-001'
        properties: {
          addressPrefix: '10.0.1.0/24'
          networkSecurityGroup: {
            id: nsg.id // symbolic name of the NSG resource declared elsewhere in the template
          }
        }
      }
    ]
  }
}
```
### Configure with Azure CLI

```bash
az network vnet subnet update -n '<subnet>' -g '<resource_group>' --vnet-name '<vnet_name>' --network-security-group '<nsg_name>'
```
### Configure with Azure PowerShell

```powershell
$vnet = Get-AzVirtualNetwork -Name '<vnet_name>' -ResourceGroupName '<resource_group>'
$nsg = Get-AzNetworkSecurityGroup -Name '<nsg_name>' -ResourceGroupName '<resource_group>'
# Update the subnet configuration in memory, then write the virtual network back to Azure.
Set-AzVirtualNetworkSubnetConfig -Name '<subnet>' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg
$vnet | Set-AzVirtualNetwork
```
## Notes

If you identify a false positive for an Azure service that does not support NSGs, please open an issue to help us improve this rule.

To exclude subnets that are specific to your environment, use the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` configuration option. Any subnet names specified by this option will be ignored by this rule.
For example:
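The logic of this rule can be worked through on an ARM template: check `properties.networkSecurityGroup.id` on every subnet, skip the special-purpose subnets and dedicated-HSM delegations listed in the Description, and honour an exclusion list in the spirit of `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG`. The Python script below is an added example and is not part of this rule or of PSRule for Azure; it goes slightly beyond the page by also evaluating subnets declared as `Microsoft.Network/virtualNetworks/subnets` child resources. `SAMPLE_TEMPLATE`, the function names and the all-zero subscription id are constructed for the example.

```python
import json

# Special-purpose subnet names that the rule lists as not supporting NSGs.
NSG_UNSUPPORTED_SUBNET_NAMES = {
    "GatewaySubnet",
    "AzureFirewallSubnet",
    "AzureFirewallManagementSubnet",
    "RouteServerSubnet",
}

# A subnet delegated to this service also cannot carry an NSG.
NSG_UNSUPPORTED_DELEGATIONS = {"Microsoft.HardwareSecurityModules/dedicatedHSMs"}


def subnet_is_exempt(subnet, excluded_names=()):
    """True when the rule never evaluates this subnet: a special-purpose
    subnet, a dedicated-HSM delegation, or a name the operator excluded."""
    name = subnet.get("name", "")
    if name in NSG_UNSUPPORTED_SUBNET_NAMES or name in set(excluded_names):
        return True
    delegations = subnet.get("properties", {}).get("delegations", [])
    return any(
        d.get("properties", {}).get("serviceName") in NSG_UNSUPPORTED_DELEGATIONS
        for d in delegations
    )


def subnet_has_nsg(subnet):
    """True when properties.networkSecurityGroup.id is a non-empty string."""
    nsg = subnet.get("properties", {}).get("networkSecurityGroup") or {}
    ref = nsg.get("id")
    return isinstance(ref, str) and ref.strip() != ""


def find_subnets_without_nsg(template, excluded_names=()):
    """Return (vnet, subnet) pairs for subnets that should have an NSG but do not.

    Handles both inline subnets under a virtualNetworks resource and subnets
    declared as child resources of type virtualNetworks/subnets.
    """
    findings = []
    for res in template.get("resources", []):
        rtype = res.get("type", "")
        if rtype == "Microsoft.Network/virtualNetworks":
            vnet_name = res.get("name", "")
            for subnet in res.get("properties", {}).get("subnets", []):
                if not subnet_is_exempt(subnet, excluded_names) and not subnet_has_nsg(subnet):
                    findings.append((vnet_name, subnet.get("name", "")))
        elif rtype == "Microsoft.Network/virtualNetworks/subnets":
            # Child resource names take the form "<vnet>/<subnet>".
            vnet_name, _, subnet_name = res.get("name", "").partition("/")
            subnet = {"name": subnet_name, "properties": res.get("properties", {})}
            if not subnet_is_exempt(subnet, excluded_names) and not subnet_has_nsg(subnet):
                findings.append((vnet_name, subnet_name))
    return findings


# Constructed sample template (not from the page); literal names replace ARM expressions
# and the subscription id is a placeholder.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2023-05-01",
      "name": "vnet-001",
      "properties": {
        "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
        "subnets": [
          {"name": "GatewaySubnet",
           "properties": {"addressPrefix": "10.0.0.0/24"}},
          {"name": "snet-001",
           "properties": {"addressPrefix": "10.0.1.0/24",
                          "networkSecurityGroup": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-001/providers/Microsoft.Network/networkSecurityGroups/nsg-001"}}},
          {"name": "snet-002",
           "properties": {"addressPrefix": "10.0.2.0/24"}},
          {"name": "snet-hsm",
           "properties": {"addressPrefix": "10.0.3.0/24",
                          "delegations": [{"name": "hsm",
                                           "properties": {"serviceName": "Microsoft.HardwareSecurityModules/dedicatedHSMs"}}]}},
          {"name": "snet-lab",
           "properties": {"addressPrefix": "10.0.4.0/24"}}
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2023-05-01",
      "name": "vnet-001/snet-003",
      "properties": {"addressPrefix": "10.0.5.0/24"}
    }
  ]
}
""")

if __name__ == "__main__":
    # snet-lab is excluded the way AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG would exclude it.
    for vnet, subnet in find_subnets_without_nsg(SAMPLE_TEMPLATE, excluded_names=["snet-lab"]):
        print(f"FAIL: {vnet}/{subnet} has no NSG assigned")
```

Run against the sample, the script flags `snet-002` and the child resource `snet-003` and stays silent on `GatewaySubnet`, the HSM-delegated subnet and the excluded `snet-lab`. An empty `id` string is treated as missing, since a blank reference would not attach an NSG at deployment time.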
## Links

- SE:06 Network controls
- Network Security Best Practices
- Azure Firewall FAQ
- Forced tunneling configuration
- Azure Route Server FAQ
- Azure Dedicated HSM networking
- NS-1: Establish network segmentation boundaries
- Azure VNET deployment reference
- Azure NSG deployment reference