
NSG rules (inbound, outbound) in Azure - Step-by-Step Execution

Process Flow - NSG rules (inbound, outbound)
1. Start: Packet arrives
2. Check Inbound NSG Rules
3. Match Rule?
   - No: Drop Packet
   - Yes: Allow or Deny?
4. If Allow -> Packet forwarded to VM
5. Packet leaves VM
6. Check Outbound NSG Rules
7. Match Rule?
   - No: Drop Packet
   - Yes: Allow or Deny?
8. If Allow -> Packet sent out
When a network packet arrives, inbound NSG rules are checked first to allow or deny it. If allowed, the packet reaches the VM. When leaving, outbound NSG rules are checked similarly.
Execution Sample
inbound_rule = {"priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "TCP", "port": 80}
outbound_rule = {"priority": 100, "direction": "Outbound", "access": "Deny", "protocol": "TCP", "port": 22}
packet = {"direction": "Inbound", "protocol": "TCP", "port": 80}
# check_nsg_rules is an illustrative helper for this walkthrough, not an Azure SDK call
result = check_nsg_rules(packet, [inbound_rule], [outbound_rule])
This code checks if an inbound TCP packet on port 80 is allowed by NSG rules.
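One possible body for check_nsg_rules, added here as an example and not part of the original page. It follows this page's simplified model (ascending priority number, first match decides, no match means deny). The function body, the (status, trace) return shape and the two extra rules are assumptions, and Azure's built-in default rules and connection tracking are not modelled.

```python
# Added example: evaluator for the simplified NSG model described on this page.
# The body and return shape of check_nsg_rules are assumptions, not an Azure API.

def first_match(packet, rules, direction):
    """Return the matching rule with the lowest priority number, or None."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"] == direction
                and rule["protocol"] == packet["protocol"]
                and rule["port"] == packet["port"]):
            return rule  # first match decides; later rules are never consulted
    return None

def check_nsg_rules(packet, inbound_rules, outbound_rules):
    """Run the inbound check, then the outbound check, as in the process table.

    Returns (final_status, trace). trace holds one tuple per step:
    (direction, matched priority or None, access).
    """
    trace = []
    for direction, rules in (("Inbound", inbound_rules), ("Outbound", outbound_rules)):
        rule = first_match(packet, rules, direction)
        access = rule["access"] if rule else "Deny"  # no match: default deny
        trace.append((direction, rule["priority"] if rule else None, access))
        if access == "Deny":
            return f"Dropped {direction.lower()}", trace
    return "Allowed", trace

# The two rules and the packet from the execution sample on this page.
inbound_rule = {"priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "TCP", "port": 80}
outbound_rule = {"priority": 100, "direction": "Outbound", "access": "Deny", "protocol": "TCP", "port": 22}
packet = {"direction": "Inbound", "protocol": "TCP", "port": 80}

# Constructed extra rules: a lower-precedence inbound deny, and an outbound allow for port 80.
deny_http_in = {"priority": 200, "direction": "Inbound", "access": "Deny", "protocol": "TCP", "port": 80}
allow_http_out = {"priority": 110, "direction": "Outbound", "access": "Allow", "protocol": "TCP", "port": 80}

if __name__ == "__main__":
    # Page's scenario: allowed inbound, then dropped outbound by default deny.
    print(check_nsg_rules(packet, [inbound_rule], [outbound_rule]))
    # Priority 100 Allow wins over priority 200 Deny; outbound now has a matching Allow.
    print(check_nsg_rules(packet, [deny_http_in, inbound_rule], [outbound_rule, allow_http_out]))
```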
Process Table
| Step | Packet Direction | Rule Direction Checked | Rule Matched | Access Action | Packet Status |
|---|---|---|---|---|---|
| 1 | Inbound | Inbound | Yes (priority 100, TCP port 80) | Allow | Packet allowed to VM |
| 2 | Outbound | Outbound | No (no matching rule for outbound TCP port 80) | Default Deny | Packet dropped |
| 3 | End | - | - | - | Packet blocked outbound due to no allow rule |
💡 Outbound packet dropped because no outbound rule allowed TCP port 80; default deny applies.
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | Final |
|---|---|---|---|---|
| packet_status | Pending | Allowed inbound | Dropped outbound | Dropped outbound |
| rule_checked | None | Inbound rule matched | No outbound rule matched | No outbound rule matched |
Key Moments - 2 Insights
Why does the packet get dropped on outbound even though inbound was allowed?
Because NSG rules are checked separately for inbound and outbound directions. The inbound rule allowed the packet in, but no outbound rule allowed it out, so the default deny applies, as shown in row 2 of the Process Table.
What happens if no NSG rule matches the packet direction and port?
The packet is denied by default. This is shown in row 2 of the Process Table, where no outbound rule matched, so the packet was dropped.
Visual Quiz - 3 Questions
Test your understanding
1. Looking at the Process Table, what is the packet status after step 1?
A. Packet allowed to VM
B. Packet dropped
C. Packet forwarded outbound
D. Packet ignored
💡 Hint
Check the 'Packet Status' column in row 1 of the Process Table.

2. At which step does the packet get dropped due to no matching outbound rule?
A. Step 1
B. Step 2
C. Step 3
D. No drop occurs
💡 Hint
Look at row 2 of the Process Table, where the outbound check fails.

3. If the outbound rule allowed TCP port 80, how would the packet status change after step 2?
A. Packet would still be dropped
B. Packet would be allowed outbound
C. Packet would be dropped inbound
D. Packet status would be unknown
💡 Hint
Refer to the Status Tracker and the Process Table, which show how the access action affects packet status.
Concept Snapshot
NSG rules control network traffic by direction: inbound rules check packets entering a VM, outbound rules check packets leaving.
Each rule has priority, direction, protocol, port, and access (Allow or Deny).
Packets are checked against rules in priority order; first match decides allow or deny.
If no rule matches, default deny applies.
Inbound and outbound checks are separate steps.
This protects VMs by filtering traffic both ways.
Full Transcript
Network Security Group (NSG) rules in Azure control traffic flow to and from virtual machines. When a packet arrives, inbound NSG rules are checked first. If a rule matches the packet's direction, protocol, and port, its access setting (Allow or Deny) determines if the packet proceeds. If allowed, the packet reaches the VM. When the VM sends a packet out, outbound NSG rules are checked similarly. If no rule matches, the packet is denied by default. This two-step check ensures security both entering and leaving the VM. The example shows an inbound TCP port 80 packet allowed in, but the outbound check fails due to no matching allow rule, so the packet is dropped when leaving. Understanding this flow helps secure Azure resources effectively.