NSG rules (inbound, outbound) in Azure - Time & Space Complexity

We want to understand how the time to process network security rules changes as we add more rules.

How does the system handle more inbound and outbound rules as their number grows?

Analyze the time complexity of checking NSG rules for network traffic.

// Pseudocode for NSG rule evaluation
foreach (rule in inboundRules) {
  if (rule matches incoming traffic) {
    allow or deny;
    break;
  }
}
foreach (rule in outboundRules) {
  if (rule matches outgoing traffic) {
    allow or deny;
    break;
  }
}

This sequence checks inbound and outbound rules one by one until a match is found.

We look at how many times the system checks each rule against the traffic.

• Primary operation: Matching a network packet against a single NSG rule.
• How many times: Up to all inbound rules for incoming traffic, and all outbound rules for outgoing traffic.

As the number of rules increases, the system may check more rules before finding a match.

Input Size (n rules)	Approx. Rule Checks
10	Up to 10 checks per direction
100	Up to 100 checks per direction
1000	Up to 1000 checks per direction

Pattern observation: The number of checks grows linearly with the number of rules.

Time Complexity: O(n)

This means the time to evaluate rules grows directly in proportion to the number of rules.

[X] Wrong: "Adding more rules won't affect evaluation time because the system checks all rules at once."

[OK] Correct: The system checks rules one by one until it finds a match, so more rules mean more checks in the worst case.

Understanding how rule evaluation scales helps you design efficient network security setups and shows you can think about system behavior as it grows.

What if the rules were organized in a way that the system could jump directly to the matching rule? How would the time complexity change?