Use NSGs on subnets
Security · Virtual Network · 2020_06
Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.
Description
Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls that provide network isolation and security within a VNET. A key benefit of NSGs is that they provide network segmentation between and within subnets.
NSGs can be assigned to a virtual machine network interface or a subnet. When assigning NSGs to a subnet, all network traffic within the subnet is subject to the NSG rules.
There is a small subset of special purpose subnets that do not support NSGs. These subnets are:
- GatewaySubnet - used for hybrid connectivity with VPN and ExpressRoute gateways.
- AzureFirewallSubnet and AzureFirewallManagementSubnet - are for Azure Firewall. Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.
- RouteServerSubnet - used by managed routing provided by Azure Route Server.
- Any subnet delegated to a dedicated HSM with Microsoft.HardwareSecurityModules/dedicatedHSMs.
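The rule above can be checked offline against an ARM template before deployment. The following is an added example, not the project's own rule code: it walks every virtualNetworks resource, skips the special purpose subnets listed above (by reserved name, or by a delegation to Microsoft.HardwareSecurityModules/dedicatedHSMs), and reports each remaining subnet without a properties.networkSecurityGroup.id. The sample template is constructed for the example.

```python
import json
# Special-purpose subnet names that cannot carry an NSG (from the rule text).
EXEMPT_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet",
                  "AzureFirewallManagementSubnet", "RouteServerSubnet"}
DEDICATED_HSM = "Microsoft.HardwareSecurityModules/dedicatedHSMs"


def is_exempt(subnet: dict) -> bool:
    """True for subnet types the rule skips: reserved names or dedicated HSM delegation."""
    if subnet.get("name") in EXEMPT_SUBNETS:
        return True
    delegations = subnet.get("properties", {}).get("delegations", [])
    return any(d.get("properties", {}).get("serviceName") == DEDICATED_HSM
               for d in delegations)


def subnets_missing_nsg(template: dict) -> list:
    """Return '<vnet>/<subnet>' for each supported subnet with no networkSecurityGroup.id."""
    findings = []
    for resource in template.get("resources", []):
        if resource.get("type") != "Microsoft.Network/virtualNetworks":
            continue
        for subnet in resource.get("properties", {}).get("subnets", []):
            if is_exempt(subnet):
                continue
            nsg = subnet.get("properties", {}).get("networkSecurityGroup") or {}
            if not nsg.get("id"):
                findings.append(f"{resource['name']}/{subnet['name']}")
    return findings


# Constructed sample template (not from the page): one compliant subnet,
# one unprotected subnet and two exempt special-purpose subnets.
SAMPLE_TEMPLATE = json.loads("""{
  "resources": [{
    "type": "Microsoft.Network/virtualNetworks", "name": "vnet-001",
    "properties": {"subnets": [
      {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.0.0.0/24"}},
      {"name": "snet-001", "properties": {"addressPrefix": "10.0.1.0/24",
        "networkSecurityGroup": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-001')]"}}},
      {"name": "snet-002", "properties": {"addressPrefix": "10.0.2.0/24"}},
      {"name": "snet-hsm", "properties": {"addressPrefix": "10.0.3.0/24",
        "delegations": [{"name": "hsm", "properties": {"serviceName": "Microsoft.HardwareSecurityModules/dedicatedHSMs"}}]}}
    ]}
  }]
}""")

if __name__ == "__main__":
    for finding in subnets_missing_nsg(SAMPLE_TEMPLATE):
        print(f"FAIL: {finding} has no NSG assigned")
```

Only snet-002 is reported: the gateway and HSM-delegated subnets are exempt and snet-001 already references an NSG.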
Recommendation
For virtual network subnets, ensure that a network security group (NSG) is assigned.
Examples
Configure with Azure template
To deploy virtual network subnets that pass this rule:
- Set the properties.networkSecurityGroup.id property for each supported subnet to an NSG resource id.
For example:
```json
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2021-02-01",
  "name": "vnet-001",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    },
    "subnets": [
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24"
        }
      },
      {
        "name": "snet-001",
        "properties": {
          "addressPrefix": "10.0.1.0/24",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-001')]"
          }
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-001')]"
  ]
}
```
Configure with Bicep
To deploy virtual network subnets that pass this rule:
- Set the properties.networkSecurityGroup.id property for each supported subnet to an NSG resource id.
For example:
```bicep
// nsg refers to the Microsoft.Network/networkSecurityGroups resource declared elsewhere in the file.
resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
  name: 'vnet-001'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
    subnets: [
      {
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.0.0.0/24'
        }
      }
      {
        name: 'snet-001'
        properties: {
          addressPrefix: '10.0.1.0/24'
          networkSecurityGroup: {
            id: nsg.id
          }
        }
      }
    ]
  }
}
```
Configure with Azure CLI
```bash
az network vnet subnet update -n '<subnet>' -g '<resource_group>' --vnet-name '<vnet_name>' --network-security-group '<nsg_name>'
```
Configure with Azure PowerShell
```powershell
$vnet = Get-AzVirtualNetwork -Name '<vnet_name>' -ResourceGroupName '<resource_group>'
$nsg = Get-AzNetworkSecurityGroup -Name '<nsg_name>' -ResourceGroupName '<resource_group>'
# Set-AzVirtualNetworkSubnetConfig only updates the in-memory $vnet object.
Set-AzVirtualNetworkSubnetConfig -Name '<subnet>' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg
# Write the modified virtual network back to Azure so the NSG assignment is persisted.
$vnet | Set-AzVirtualNetwork
```
Links
- Implement network segmentation patterns on Azure
- Network Security Best Practices
- Azure Firewall FAQ
- Forced tunneling configuration
- Azure Route Server FAQ
- Azure Dedicated HSM networking
- Azure deployment reference