
martinskorvald asked AndreasBaumgarten edited

Network Security Group: best practice to apply rules

Hi
I'm looking for the best practice to organize Network Security Groups. As far as I can see, there are two ways to apply NSG rules to a single NIC or subnet.

1. You can create one NSG per subnet or single NIC and add multiple security rules to this NSG.

2. You can create one NSG with only one security rule (e.g. inbound port 80) and then assign multiple NSGs to a subnet or single NIC.

What is best practice for NSG rules, 1 or 2?

Thanks
//marsk
(If possible do you have a link to a document that describes this?)

Tags: Subnet, vNET, Network Security Group, NSG, Network Security Group rules, Best Practice.

azure-virtual-network, azure-virtual-machines-networking

AndreasBaumgarten answered

Hi @martinskorvald ,

As far as I know, you can only associate one NSG with a single NIC. It's not possible to associate more than one NSG with the same NIC.
You can verify this in Azure Portal.
The same applies to the association of an NSG with a subnet. You can only associate one NSG per subnet. If you try to associate a second NSG with a subnet, the first NSG will be disassociated.

[attachment: image.png, screenshot of the NSG association in the Azure Portal]

The second option you described in your question doesn't work.

So option 1 (create one NSG with multiple security rules) works and is best practice.



(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten




martinskorvald answered

But you can create one NSG with one security rule (e.g. inbound port 80) and assign it to multiple NICs and subnets.

//marsk


[attachment: sub.jpg]


[attachment: nice.jpg]




AndreasBaumgarten answered AndreasBaumgarten edited

Hi @martinskorvald ,

you wrote in your question:

"and then assigned multiple NSG to a Subnet or single Nic."

I answered that this does not work.

You can associate one NSG with multiple subnets or NICs. That's right. But you didn't ask about that ;-)

Anyway:
I wouldn't recommend associating one NSG with multiple subnets or NICs.
The reason for this statement is:

If you need the same NSG security rules for all subnets, it might be an easy approach. But if you need different security rules in some subnets/on some VMs, it gets complicated.
I try to follow the "keep it simple" approach: one NSG per subnet / one NSG per NIC (I try to avoid NSGs on NICs). This is easy to maintain and easy to troubleshoot if there is a clear naming convention for subnets/NICs and NSGs. This approach also offers the best flexibility to create individual security rules.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
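The "one NSG per subnet, all of that subnet's rules inside it" layout recommended above, written out as a Bicep template. This is an added example and not code from the thread or from Microsoft; the resource names, address ranges, the `nsg-<subnet>` naming convention and the API version are assumptions chosen for illustration. It also makes the first answer's point visible in the schema: a subnet's `networkSecurityGroup` property is a single `id` reference, not a list, so "several NSGs on one subnet" (option 2 in the question) cannot even be expressed.

```bicep
// Added example (not from the thread): one NSG per subnet, each NSG carrying
// every rule that subnet needs. Names, ranges and API version are assumptions.
param location string = resourceGroup().location

// Web tier NSG: several rules live in the same NSG (option 1 from the question).
resource nsgWeb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-web'            // assumed convention: nsg-<subnet name>
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowHttpsInbound'
        properties: {
          priority: 100             // lower number is evaluated first
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        name: 'AllowSshFromMgmt'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.0.10.0/24'   // assumed management subnet
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '22'
        }
      }
      {
        // Explicit catch-all so the intent is visible in this NSG's own rule
        // list instead of relying only on the built-in DenyAllInBound (65500).
        name: 'DenyAllInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// App tier needs different rules, so it gets its own NSG rather than sharing.
resource nsgApp 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowAppFromWeb'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.0.1.0/24'    // only the web subnet
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '8080'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-prod'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-web'
        properties: {
          addressPrefix: '10.0.1.0/24'
          // A single object, not an array: a subnet holds at most one NSG.
          networkSecurityGroup: { id: nsgWeb.id }
        }
      }
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.0.2.0/24'
          networkSecurityGroup: { id: nsgApp.id }
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file nsg.bicep`. Because each subnet references exactly one NSG by `id`, re-deploying with a different `id` replaces the association rather than adding a second one, which is the behaviour the first answer describes for the portal.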






