Azure Network Security Groups (NSG)

An Azure Network Security Group (NSG) is a fundamental security resource that acts as a virtual firewall for controlling inbound and outbound network traffic to and from Azure resources. It allows you to define security rules that filter traffic based on factors like source and destination IP addresses, ports, and protocols.

NSGs can be associated with subnets within an Azure Virtual Network or directly with a Network Interface attached to a Virtual Machine. This provides a flexible way to enforce network security policies and restrict traffic flow as needed.

Key Features of NSGs

  • Inbound and Outbound Rules: Define allow or deny rules for inbound traffic from the internet or other Azure resources, as well as outbound traffic from your resources.
  • Priority Rules: Rules are processed based on their priority number, with lower values taking precedence.
  • Default Rules: Every NSG carries built-in default rules (priority 65000 and above) that allow traffic within the virtual network and from the Azure load balancer and deny all other inbound traffic; they cannot be deleted, but a custom rule with a lower priority number overrides them.
  • Service Tags: Simplify rule management by using service tags like AzureLoadBalancer instead of specific IP prefixes.
  • Application Security Groups: Group VMs and apply NSG rules to the group instead of individual resources.

Provisioning NSGs with Terraform

Terraform provides robust support for managing Azure resources, including NSGs, through the AzureRM provider (azurerm). Here's how you can create and provision an NSG using Terraform:

  1. Define the NSG Resource

resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  security_rule {
    name                       = "AllowSSH"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

In this example, we define an azurerm_network_security_group resource with a name, location, and resource group. We also add a security rule that allows inbound SSH (TCP port 22) from any source: because source_address_prefix is "*", port 22 is reachable from the whole internet once the NSG is associated.

  2. Associate the NSG with a Subnet or Network Interface

To apply the NSG rules, you need to associate it with a subnet or network interface:

resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = azurerm_subnet.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}

This associates the NSG with the specified subnet within an Azure Virtual Network.

Alternatively, you can associate the NSG directly with a Network Interface:

resource "azurerm_network_interface_security_group_association" "example" {
  network_interface_id      = azurerm_network_interface.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}

  3. Apply the Configuration

After defining the necessary resources, run terraform apply to create the NSG and associate it with the desired resources.

Best Practices

  • Start with Deny Rules: It's generally recommended to start with a deny-all rule and then selectively allow necessary traffic.
  • Use Service Tags: Leverage service tags like AzureLoadBalancer instead of specific IP prefixes for easier management.
  • Prioritize Rules: Assign appropriate priorities to your rules, with lower values taking precedence.
  • Separate NSGs: Consider using separate NSGs for different tiers or environments (e.g., web, app, database) for better isolation and management.
  • Monitor and Audit: Regularly review and audit your NSG rules to ensure they align with your security requirements.

By following these best practices and leveraging Terraform's declarative approach, you can efficiently provision and manage Azure Network Security Groups, ensuring consistent and secure network traffic control across your Azure resources.
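The following configuration is an added example; it is not code from the original page or from the azurerm provider's documentation. It ties the key features listed earlier (priorities, service tags, default rules, application security groups) and the provisioning steps to the best practices above. It reuses the page's azurerm_resource_group.example; the subnet azurerm_subnet.web, the NIC azurerm_network_interface.web and the management prefix 10.250.0.0/24 are assumptions. Compared with the AllowSSH rule in the walkthrough, SSH is restricted to the management range, HTTPS is admitted only to NICs in a web application security group, load-balancer probes use the AzureLoadBalancer tag, and an explicit deny-all at priority 4096 sits ahead of the default AllowVnetInBound rule at 65000, so intra-VNet traffic also has to be allowed explicitly.

```hcl
# Added example (not from the original page). Assumes azurerm_resource_group.example
# from the walkthrough plus an azurerm_subnet.web and azurerm_network_interface.web.

# Application security group: rules target the group, not individual NIC addresses.
resource "azurerm_application_security_group" "web" {
  name                = "asg-web"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_network_security_group" "web" {
  name                = "nsg-web"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # 100: HTTPS from the public internet, but only to NICs that are members of the web ASG.
  # destination_address_prefix is omitted because a destination ASG is given instead.
  security_rule {
    name                                       = "AllowHttpsFromInternet"
    priority                                   = 100
    direction                                  = "Inbound"
    access                                     = "Allow"
    protocol                                   = "Tcp"
    source_port_range                          = "*"
    destination_port_range                     = "443"
    source_address_prefix                      = "Internet"
    destination_application_security_group_ids = [azurerm_application_security_group.web.id]
  }

  # 110: health probes via the AzureLoadBalancer service tag rather than a hard-coded IP.
  security_rule {
    name                       = "AllowLoadBalancerProbes"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "AzureLoadBalancer"
    destination_address_prefix = "*"
  }

  # 200: SSH only from the management range (assumed value), never from "*".
  security_rule {
    name                       = "AllowSshFromManagement"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "10.250.0.0/24"
    destination_address_prefix = "*"
  }

  # 4096: explicit deny-all. Lower priority numbers win, so this still sits ahead of the
  # built-in AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001) defaults.
  security_rule {
    name                       = "DenyAllInbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

# Put the web NIC into the ASG so the HTTPS rule applies to it.
resource "azurerm_network_interface_application_security_group_association" "web" {
  network_interface_id          = azurerm_network_interface.web.id
  application_security_group_id = azurerm_application_security_group.web.id
}

# Attach the NSG at the subnet so every NIC in that subnet is covered.
resource "azurerm_subnet_network_security_group_association" "web" {
  subnet_id                 = azurerm_subnet.web.id
  network_security_group_id = azurerm_network_security_group.web.id
}
```

Run terraform plan before terraform apply and check that the only Allow rules in the plan are the three intended ones. After apply, the "Effective security rules" view on the NIC in the Azure portal shows these rules merged with the defaults, which is where a reviewer can confirm that AllowVnetInBound (65000) is now shadowed by DenyAllInbound (4096) and that port 22 is no longer reachable from arbitrary sources.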
