The following are some important aspects in which Azure scores over AWS.
Many of the same principles that apply to AWS can also apply to Azure, but Azure Network Security Groups (NSG) have a few important differences:
- NSGs can be applied to individual VMs, subnets, or both
- NSGs have both ‘Deny’ and ‘Allow’ rules – This means that rule order (or priority) matters!
- Like EC2 Classic Security Groups, Azure NSGs can only be applied to resources in the same region they were created in
- Azure has a security feature called Endpoint ACLs; you can’t have both an NSG and an endpoint ACL applied to the same VM
- All NSGs include a set of default rules that cannot be changed or deleted, but can be overridden
Like AWS Security Groups, Azure NSGs have two sets of rules, inbound and outbound.
Each rule has the following properties:
- Priority – A best practice is to use large increments (100, 200, ...) so you won’t have to renumber existing rules when adding new ones between them
- Source – Any/CIDR block/Tag (Tags are explained below)
- Protocol – TCP/UDP/Any
- Source Port – Range/Single Port/Any
- Destination – Any/CIDR block/Tag (Tags are explained below)
- Destination Port – Range/Single Port/Any
- Action – Allow/Deny
Microsoft Azure has two deployment models, Classic and Resource Manager. Simply put, old and new. The two deployment models are different approaches for using the Azure cloud platform, and they handle resource provisioning differently. I highly recommend reading more about the differences between Resource Manager and Classic.
In Classic Deployments – NSGs are applied to VMs. This means that the NSG rules will apply to all traffic coming to and going from the VM.
In Resource Manager Deployments – NSGs are applied to NICs. This means that the NSG rules will only apply to the relevant NIC. In a multi-NIC machine, the NSG will not process traffic from other NICs unless configured on them.
In both deployments – NSGs can be applied to subnets. This means that the NSG rules will be applied to all NICs that belong to that subnet.
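As an added illustration (not the author's code and not anything from Azure itself), the following constructed Python model evaluates inbound NSG rules in priority order with the fixed default rules appended, showing why priority decides between an Allow and a Deny that both match, and then combines a subnet NSG with a NIC NSG as happens for a NIC in a Resource Manager deployment. The Rule class, the address ranges behind the tags and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of Azure NSG inbound evaluation (not Azure code): rules are
# checked in ascending priority order and the first match wins, so a Deny with
# a lower priority number beats an Allow with a higher one.
@dataclass(frozen=True)
class Rule:
    priority: int   # lower number = evaluated first
    source: str     # CIDR block, "Any", or a tag such as "VirtualNetwork"
    protocol: str   # "TCP", "UDP" or "Any"
    dest_port: str  # "22", "1000-2000" or "Any"
    action: str     # "Allow" or "Deny"

# Tags are resolved by Azure to address ranges; these ranges are constructed.
TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["10.0.255.1/32"]}

# Default inbound rules (priority 65000+): cannot be edited or deleted, but any
# custom rule (priority < 65000) is evaluated first and therefore overrides them.
DEFAULT_INBOUND = [
    Rule(65000, "VirtualNetwork", "Any", "Any", "Allow"),
    Rule(65001, "AzureLoadBalancer", "Any", "Any", "Allow"),
    Rule(65500, "Any", "Any", "Any", "Deny"),
]

def _src_matches(rule_src, src_ip):
    if rule_src == "Any":
        return True
    cidrs = TAGS.get(rule_src, [rule_src])  # a tag expands to its ranges, a CIDR stands alone
    return any(ip_address(src_ip) in ip_network(c) for c in cidrs)

def _port_matches(rule_port, port):
    if rule_port == "Any":
        return True
    lo, _, hi = rule_port.partition("-")  # "22" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, protocol, port):
    """Return the action of the first matching rule, custom rules before defaults."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("Any", protocol) and _src_matches(r.source, src_ip)
                and _port_matches(r.dest_port, port)):
            return r.action
    return "Deny"  # not reached: the default DenyAllInbound rule matches everything

def evaluate_nic(subnet_rules, nic_rules, src_ip, protocol, port):
    """Inbound traffic reaches a NIC only if both the subnet NSG and the NIC NSG allow it."""
    return "Allow" if all(evaluate(r, src_ip, protocol, port) == "Allow"
                          for r in (subnet_rules, nic_rules)) else "Deny"
```

Swapping the priorities of an Allow and a Deny rule that match the same traffic flips the result, which is the point behind leaving gaps such as 100, 200 between priorities.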