Process Flow - Network Security Groups (NSG)

Create NSG

↓

Define Security Rules

↓

Associate NSG to Subnet or NIC

↓

Traffic Arrives

↓

Check Rules in Priority Order

↓

Allow or Deny Traffic

↓

Traffic Allowed or Blocked

This flow shows how an NSG is created, rules are defined, associated to network resources, and how incoming traffic is checked against these rules to allow or block it.

Execution Sample

Azure

Create NSG "web-nsg"
Add rule: Allow TCP 80 inbound priority 100
Add rule: Deny all inbound priority 200
Associate NSG to subnet "web-subnet"

This example creates an NSG with two rules and associates it to a subnet to control inbound traffic.

Process Table

Step	Action	Rule Checked	Traffic Port	Rule Result	Traffic Outcome
1	Create NSG 'web-nsg'	N/A	N/A	N/A	NSG created
2	Add rule: Allow TCP 80 inbound priority 100	Allow TCP 80 inbound	N/A	Rule added	N/A
3	Add rule: Deny all inbound priority 200	Deny all inbound	N/A	Rule added	N/A
4	Associate NSG to subnet 'web-subnet'	N/A	N/A	N/A	NSG associated
5	Inbound traffic arrives on port 80	Allow TCP 80 inbound	80	Match	Allowed
6	Inbound traffic arrives on port 22	Allow TCP 80 inbound	22	No match	Check next rule
7	Inbound traffic arrives on port 22	Deny all inbound	22	Match	Denied
8	Inbound traffic arrives on port 443	Allow TCP 80 inbound	443	No match	Check next rule
9	Inbound traffic arrives on port 443	Deny all inbound	443	Match	Denied
10	Inbound traffic arrives on port 80	Allow TCP 80 inbound	80	Match	Allowed

💡 Traffic is allowed or denied based on the first matching rule in priority order.

Status Tracker

Variable	Start	After Step 2	After Step 3	After Step 4	After Step 5-10
NSG Rules	None	[Allow TCP 80 inbound, priority 100]	[Allow TCP 80 inbound, priority 100; Deny all inbound, priority 200]	[Rules associated to subnet]	[Rules applied to incoming traffic]
Traffic Port	N/A	N/A	N/A	N/A	80, 22, 443, 80 (varies per step)
Traffic Outcome	N/A	N/A	N/A	N/A	Allowed or Denied based on rules

Key Moments - 3 Insights

Why does traffic on port 22 get denied even though there is no explicit deny rule for port 22?

What happens if multiple rules match the same traffic?

Why do we associate the NSG to a subnet or NIC?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution table, what is the traffic outcome for inbound traffic on port 443 at step 9?

AAllowed

BNo decision yet

CDenied

DRule not found

Concept Snapshot

Network Security Groups (NSG) control network traffic by applying rules.
Rules have priorities; lower numbers run first.
Traffic is allowed or denied based on the first matching rule.
NSGs are associated with subnets or network interfaces.
Default deny applies if no rule matches.
Use NSGs to protect Azure resources from unwanted traffic.

Full Transcript

Network Security Groups (NSG) are used in Azure to control network traffic to and from resources. First, you create an NSG and add security rules with priorities. Then, you associate the NSG to a subnet or network interface. When traffic arrives, Azure checks the rules in priority order. The first rule that matches the traffic decides if it is allowed or denied. For example, if there is a rule allowing TCP traffic on port 80 with priority 100, and a deny all inbound rule with priority 200, traffic on port 80 is allowed, but traffic on other ports like 22 or 443 is denied. This process helps secure your network by controlling access. If no rule matches, traffic is denied by default. Associating NSGs to subnets or NICs applies these rules to all traffic entering or leaving those resources.