How Different is the NSG rule when applied on subnet and on Network interface card

Sushmitha Suresh 20 Reputation points
2023-08-02T11:35:07.44+00:00

I have two VMs, a web and a DB server, in the same subnet. I added an NSG rule at the subnet level which by default allows all outbound traffic to the internet. I need to deny the internet to only the DB server. Can I add the rule in the same NSG with less priority to deny the traffic to the DB server's IP address, or do I need to create one more NSG at the NIC level for the DB server?

Azure Virtual Network

Accepted answer
  1. GitaraniSharma-MSFT 49,586 Reputation points Microsoft Employee
    2023-08-02T13:41:37.1266667+00:00

    Hello @Sushmitha Suresh ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you've 2 VMs (web and DB server) in a subnet and you added an NSG rule at subnet level which by default allows all outbound traffic to Internet, but you want to deny Internet access on the DB server only and would like to know where to add this rule.

    For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there's one, and then the rules in a network security group associated to the network interface, if there's one.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

    If you want to deny the Internet to the DB server only, then you can do one of the following:

    1. Add a Deny rule on the existing subnet-level NSG with the source as Internet and destination as the IP address of the DB server with a lower number priority than the default rule.
    2. Or create a new NSG with deny action, source as Internet and destination "All" and add it to the NIC of the DB server.

    However, Azure recommends the below:

    Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.

    So, my advice is to go with the first option and add a Deny outbound rule on the existing subnet-level NSG with the source as Internet and destination as the private IP address of the DB server with a lower number priority than the default rule as below:

    [Screenshot of the NSG rule configuration; image not reproduced]

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
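To make the priority and two-level evaluation concrete, here is a small Python model of NSG rule processing, added as an example (not Azure code or the answerer's). It assumes a VNet of 10.0.0.0/16, constructed VM IPs, and a simplified "Internet" tag (any globally routable address); note that for an Outbound rule the DB server's private IP is the source and the Internet tag is the destination, and that traffic traversing both a NIC and a subnet NSG must be allowed by both.

```python
"""Toy model of Azure NSG rule evaluation (added example, not Azure's implementation)."""
from dataclasses import dataclass
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")  # assumed address space of the subnet's VNet

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first; the first match wins
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    source: str         # "*", "Internet", "VirtualNetwork", or an IP/CIDR
    destination: str

def _matches(prefix: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":             # simplification: public address space
        return ip.is_global
    return ip in ipaddress.ip_network(prefix, strict=False)

def evaluate(rules, direction, src, dst) -> str:
    """Walk rules by ascending priority; the default DenyAll rule ends the list."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction == direction and _matches(r.source, src) and _matches(r.destination, dst):
            return r.access
    return "Deny"

# Azure's default outbound rules, present in every NSG (priorities 65000-65500).
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*"),
]

def allowed(nsg_chain, direction, src, dst) -> bool:
    """Outbound: NIC NSG then subnet NSG; a Deny at either level blocks the flow."""
    return all(evaluate(nsg, direction, src, dst) == "Allow" for nsg in nsg_chain)

# Option 1 from the answer: a single subnet NSG with a custom Deny at priority 100.
DB_IP, WEB_IP = "10.0.0.5", "10.0.0.4"  # constructed private IPs of the two VMs
subnet_nsg = DEFAULT_OUTBOUND + [Rule("DenyDbToInternet", 100, "Outbound", "Deny", DB_IP, "Internet")]

if __name__ == "__main__":
    print("DB -> Internet:", allowed([subnet_nsg], "Outbound", DB_IP, "8.8.8.8"))    # False
    print("Web -> Internet:", allowed([subnet_nsg], "Outbound", WEB_IP, "8.8.8.8"))  # True
    print("DB -> VNet peer:", allowed([subnet_nsg], "Outbound", DB_IP, "10.0.1.7"))  # True
```

Adding a NIC-level NSG with a broad Allow does not override the subnet Deny, which is the conflict the Azure recommendation in the answer warns about.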

1 additional answer

  1. Michael Durkan 12,211 Reputation points MVP
    2023-08-02T12:45:21.2533333+00:00

    Hi,

    The article here will help with understanding the required setup:

    https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

    In short, if you have an NSG associated with a Subnet and that has rules associated with it, these will be processed. However, you can also have an NSG associated with a NIC that has specific rules for that NIC, and these will be processed for that NIC only.

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
    1 person found this answer helpful.