Network Security Group: Best Practice for applying rules

Martin Skorvald 26 Reputation points
2021-05-16T11:35:35.38+00:00

Hi,
I'm looking for the best practice for organizing Network Security Groups. From what I can see, there are two ways to apply NSG rules to a single NIC or subnet:

1. You can create one NSG per subnet or single NIC and add multiple Security Rules to this NSG.

2. You can create one NSG with only one Security Rule (e.g. inbound port 80) and then assign multiple NSGs to a subnet or single NIC.

What is best practice for NSG rules, option 1 or 2?

Thanks
//marsk
(If possible, do you have a link to a document that describes this?)

Tags: Subnet, vNET, Network Security Group, NSG, Network Security Group rules, Best Practice.


Accepted answer
  1. Andreas Baumgarten 109.9K Reputation points MVP
    2021-05-16T12:41:53.323+00:00

    Hi @Martin Skorvald ,

    As far as I know, you can only associate one NSG with a single NIC. It's not possible to associate more than one NSG with the same NIC.
    You can verify this in the Azure Portal.
    The same applies to associating an NSG with a subnet. You can only associate one NSG per subnet. If you try to associate a second NSG with a subnet, the first NSG will be disassociated.

    [image: 96951-image.png]

    The second option you described in your question doesn't work.

    So option 1 (create one NSG with multiple Security Rules) works and is best practice.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

    2 people found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Martin Skorvald 26 Reputation points
    2021-05-16T12:59:50.8+00:00

    But you can create one NSG with one Security Rule (e.g. inbound port 80) and apply it to multiple NICs and subnets.

    //marsk

    [image: 96880-sub.jpg]

    [image: 96952-nice.jpg]

  2. Andreas Baumgarten 109.9K Reputation points MVP
    2021-05-16T13:12:19.11+00:00

    Hi @Martin Skorvald ,

    You wrote in your question:

    "and then assign multiple NSGs to a subnet or single NIC."

    I answered that this does not work.

    You can associate one NSG with multiple subnets or NICs. That's right. But you didn't ask for that ;-)

    Anyway:
    I wouldn't recommend associating one NSG with multiple subnets or NICs.
    The reason for this statement is:

    If you need the same NSG Security Rules for all subnets, it might be an easy approach. But if you need different Security Rules in some subnets / on some VMs, it gets complicated.
    I try to follow the "keep it simple" approach: one NSG per subnet / one NSG per NIC (I try to avoid NSGs on NICs). This is easy to maintain and easy to troubleshoot if there is a clear naming convention for subnets/NICs and NSGs. Also, this approach offers the best flexibility to create individual Security Rules.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

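The "one NSG per subnet, several rules per NSG" layout recommended in the accepted answer and in the reply above, written out as a Bicep template. This is an added example, not code from the thread or from Microsoft; the resource names, address prefixes, ports and naming convention (nsg-snet-<subnet>) are assumptions chosen for illustration. It also shows the structural reason behind the "only one NSG per subnet" observation: the subnet's networkSecurityGroup property holds a single resource id, so a second association can only replace the first.

```bicep
// Added example (not from the thread). Deploy with:
//   az deployment group create --resource-group <rg> --template-file nsg-per-subnet.bicep
// Names, prefixes and ports below are assumptions for illustration.

@description('Region for all resources')
param location string = resourceGroup().location

// Assumed address plan: one /24 per subnet inside a /16 VNet.
var vnetPrefix = '10.10.0.0/16'
var webPrefix = '10.10.1.0/24'
var appPrefix = '10.10.2.0/24'

// NSG for the web subnet: several rules in ONE NSG (option 1 from the question).
// Rules are evaluated by priority, lowest number first; an explicit deny at the end
// makes the intended exposure (443 only) visible in the template itself.
resource nsgWeb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-web' // naming convention: nsg-<subnet name>
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowHttpsFromInternet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: webPrefix
          destinationPortRange: '443'
        }
      }
      {
        name: 'DenyAllOtherInbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// NSG for the app subnet: different rules, so it gets its own NSG rather than
// sharing nsgWeb (the "it gets complicated" case from the reply above).
resource nsgApp 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowAppPortFromWebSubnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: webPrefix // only the web tier may reach the app tier
          sourcePortRange: '*'
          destinationAddressPrefix: appPrefix
          destinationPortRange: '8080' // assumed application port
        }
      }
      {
        name: 'DenyAllOtherInbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-example'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ vnetPrefix ] }
    subnets: [
      {
        name: 'snet-web'
        properties: {
          addressPrefix: webPrefix
          // networkSecurityGroup is a single id: exactly one NSG per subnet.
          networkSecurityGroup: { id: nsgWeb.id }
        }
      }
      {
        name: 'snet-app'
        properties: {
          addressPrefix: appPrefix
          networkSecurityGroup: { id: nsgApp.id }
        }
      }
    ]
  }
}
```

Because each subnet points at exactly one NSG, changing the exposure of the app tier means editing nsg-snet-app only; the web tier's rules are untouched, which is the maintainability and troubleshooting benefit the reply describes. No NSG is attached at the NIC level here, in line with the reply's preference for subnet-level NSGs.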