# Use NSGs on subnets
Security · Virtual Network · Rule · 2020_06 · Critical
Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.
## Description
Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls that provide network isolation and security within a VNET. A key benefit of NSGs is that they provide network segmentation between and within subnets.
NSGs can be assigned to a virtual machine network interface or a subnet. When assigning NSGs to a subnet, all network traffic within the subnet is subject to the NSG rules.
There is a small subset of special purpose subnets that do not support NSGs. These subnets are:
- `GatewaySubnet` - used for hybrid connectivity with VPN and ExpressRoute gateways.
- `AzureFirewallSubnet` and `AzureFirewallManagementSubnet` - are for Azure Firewall. Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.
- `RouteServerSubnet` - used by managed routing provided by Azure Route Server.
- Any subnet delegated to a dedicated HSM with `Microsoft.HardwareSecurityModules/dedicatedHSMs`.
## Recommendation
Consider assigning a network security group (NSG) to each virtual network subnet.
## Examples
### Configure with Bicep
To deploy virtual network subnets that pass this rule:
- Set the `properties.networkSecurityGroup.id` property for each supported subnet to an NSG resource id.

For example:
```bicep
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
    subnets: [
      {
        // GatewaySubnet is a special purpose subnet that does not support NSGs.
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.0.0.0/24'
        }
      }
      {
        name: 'snet-001'
        properties: {
          addressPrefix: '10.0.1.0/24'
          // nsg is a networkSecurityGroup resource declared elsewhere in the file.
          networkSecurityGroup: {
            id: nsg.id
          }
        }
      }
    ]
  }
}
```
### Configure with Azure template
To deploy virtual network subnets that pass this rule:
- Set the `properties.networkSecurityGroup.id` property for each supported subnet to an NSG resource id.

For example:
```json
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    },
    "subnets": [
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24"
        }
      },
      {
        "name": "snet-001",
        "properties": {
          "addressPrefix": "10.0.1.0/24",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
          }
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
  ]
}
```
### Configure with Azure CLI
```bash
az network vnet subnet update -n '<subnet>' -g '<resource_group>' --vnet-name '<vnet_name>' --network-security-group '<nsg_name>'
```
### Configure with Azure PowerShell
```powershell
$vnet = Get-AzVirtualNetwork -Name '<vnet_name>' -ResourceGroupName '<resource_group>'
$nsg = Get-AzNetworkSecurityGroup -Name '<nsg_name>' -ResourceGroupName '<resource_group>'
# Updates the subnet configuration on the in-memory $vnet object only.
Set-AzVirtualNetworkSubnetConfig -Name '<subnet>' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg
# Write the modified virtual network back to Azure; without this the change is not persisted.
$vnet | Set-AzVirtualNetwork
```
## Notes
If you identify a false positive for an Azure service that does not support NSGs, please open an issue to help us improve this rule.
## Rule configuration
### AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG
To exclude subnets that are specific to your environment, use the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` configuration option.
Any subnet names specified by this option will be ignored by this rule.
For example:
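As an added illustration (not the page's own example and not PSRule code), the following stand-alone Python check mirrors the rule's logic over an ARM virtual network resource: it skips the special purpose subnets listed in the description, subnets delegated to a dedicated HSM (modelled via the `properties.delegations[].properties.serviceName` subnet shape), and any names passed as exclusions in the role of `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG`, then reports remaining subnets with no NSG id. The template and NSG id are constructed sample values.

```python
# Added example, not from the PSRule for Azure page: a stand-alone check that
# mirrors the rule's logic over an ARM virtual network resource. The template
# below is constructed; `excluded` plays the role of AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG.
import json

# Special-purpose subnets that do not support NSGs (from the rule description).
SPECIAL_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet",
                   "AzureFirewallManagementSubnet", "RouteServerSubnet"}
HSM_DELEGATION = "Microsoft.HardwareSecurityModules/dedicatedHSMs"


def subnet_is_exempt(subnet, excluded=()):
    """True when the rule skips this subnet: special-purpose, delegated to a
    dedicated HSM, or excluded by configuration."""
    name = subnet.get("name", "")
    if name in SPECIAL_SUBNETS or name in set(excluded):
        return True
    delegations = subnet.get("properties", {}).get("delegations", [])
    return any(d.get("properties", {}).get("serviceName") == HSM_DELEGATION
               for d in delegations)


def subnets_missing_nsg(vnet, excluded=()):
    """Names of supported subnets with no networkSecurityGroup.id set."""
    missing = []
    for subnet in vnet.get("properties", {}).get("subnets", []):
        if subnet_is_exempt(subnet, excluded):
            continue
        nsg = subnet.get("properties", {}).get("networkSecurityGroup") or {}
        if not nsg.get("id"):
            missing.append(subnet["name"])
    return missing


# Constructed sample: exempt gateway subnet, compliant, failing, HSM-delegated.
SAMPLE_VNET = json.loads("""{
  "type": "Microsoft.Network/virtualNetworks", "name": "vnet-001",
  "properties": {"subnets": [
    {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.0.0.0/24"}},
    {"name": "snet-001", "properties": {"addressPrefix": "10.0.1.0/24",
      "networkSecurityGroup": {"id": "/placeholder/nsg-001"}}},
    {"name": "snet-002", "properties": {"addressPrefix": "10.0.2.0/24"}},
    {"name": "snet-hsm", "properties": {"addressPrefix": "10.0.3.0/24",
      "delegations": [{"name": "hsm", "properties":
        {"serviceName": "Microsoft.HardwareSecurityModules/dedicatedHSMs"}}]}}
  ]}}""")

print(subnets_missing_nsg(SAMPLE_VNET))               # ['snet-002']
print(subnets_missing_nsg(SAMPLE_VNET, ["snet-002"]))  # []
```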
## Links
- SE:06 Network controls
- Network Security Best Practices
- Azure Firewall FAQ
- Forced tunneling configuration
- Azure Route Server FAQ
- Azure Dedicated HSM networking
- NS-1: Establish network segmentation boundaries
- Azure VNET deployment reference
- Azure NSG deployment reference