where is the best place to place an NSG, on a subnet or a vm nic

Question

What is the best practice way to setup an nsg on a vm and database vm? You could place both inside the same subnet, and place an NSG on the nic of the database vm to only allow traffic in from the web frontend.

Or, you could have two subnets, one for web front end, and one for database vm. And place an NSG on the subnets.

Is this a clear answer or depends?

Answer 1

Hi Mathew,

based on the scenerio you provided ill suggest 2 ways

Sol 1:

Single Subnet with NIC Level NSG - Place both the web frontend VM and the database VM within the same subnet. Apply an NSG directly on the NIC of the database VM to restrict traffic only from the web frontend. This provides isolation between the web frontend and the database VM.

Sol 2:

Separate Subnets with Subnet Level NSG - Create two separate subnets, one for the web frontend and one for the database VM. Apply an NSG at the subnet level for each subnet, defining the necessary network security rules. This provides segregation between the web frontend and the database VM at the subnet level.

The solutions are based on various factors like security and architecture select whichever suits your needs.

If you find this answer useful kindly accept answer

Answer 2

Hi Matthew,

In general for the use case you describe I would recommend you place VM(s) for each logically-related purpose into their own subnet with NSG at subnet level and use Application Security Groups (ASGs) and Service Tags in the Inbound/Outbound rules. Following this pattern allows better for future changes/growth.

Please take a look at the article below on ASGs as it is similar to what you are trying to accomplish.

https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups

Thanks.

-TP

Answer 3

Hei @Matthew Johnson

Thank you for contacting Microsoft Community. As i gather you have a frontend and a backend server, and are in need to control traffic flow to them via NSG.

• If you want to keep the servers on the same subnet, then you would want to apply the NSG on each server NIC.
• If you want to keep those servers in separate network or subnet, then you would apply NSG on each of those subnets.

The first option is not future friendly or easy to manage because when the number of servers increase this activity will need to be repeated, not thinking about the complexity of load balancing etc.

Since these servers have different purposes, i would recommend the second option for NSG placement. In support for clean architecture, it may be worth while to use tags and (application security groups)[https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups].

Please mark this as "Answer" if it helped

Answer 4

Hi,

Best practice would be to have both. You can have more generic rule on the subnet and then more precise VM specific rules on the NIC of the VM. For example, you can block RDP/SSH to the VM on the subnet which is the recommended and you can use Bastion for SSH/RDP and then allow port 1433 to the NIC of the VM where SQL is running.

You will need to be careful with the priority, when it comes to inbound traffic, you will need to make sure you allow it on the subnet and then have more specific ports allowed on the NIC and outbound perspective, you will need to allow wider in the NIC NSG and restrict to narrow ports/destination in subnet NSG

Regards,

Karthik Srinivas