NSG design

The first step in designing is to ascertain the security requirements of the resource. The following questions should be answered:

  • Is the resource accessible from the internet only?
  • Is the resource accessible from both the internal resources and the internet?
  • Is the resource accessible from internal resources only?
  • Which resources are involved: load balancers, gateways, and virtual machines?
  • How are the virtual network and its subnets laid out?

Using the answers to these questions, an adequate NSG design should be created. Ideally, each workload and each type of resource should have its own subnet; it is not recommended to deploy load balancers and virtual machines on the same subnet.

Taking your requirements into account, determine the rules that are common to the virtual machine workloads on each subnet. For example, in a SharePoint deployment the frontend application servers and the SQL servers are deployed on separate subnets, and each subnet gets its own set of rules.

After the common subnet-level rules are identified, the rules for individual resources should be identified and applied at the network interface level. It is important to understand that NSG rules are stateful: if a rule allows an incoming request on a port, the responses on that port are allowed out without any additional configuration.

If resources are accessible from the internet, rules should be restricted to specific source IP ranges and ports wherever possible. Careful functional and security testing should be executed to confirm that the NSG rules open only the ports that are required and close everything else.
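As an added example (not part of the original text), the following Python models how inbound NSG evaluation works for the SharePoint layout described above: rules are matched in ascending priority order, Azure's default rules sit behind the custom ones, and traffic must be allowed by both the subnet-level NSG and the NIC-level NSG. The address ranges, rule names and the treatment of the Internet tag as "anything outside the VNet" are constructed assumptions; it also shows why the SQL subnet needs an explicit deny in front of the default AllowVnetInBound rule.

```python
import ipaddress
from dataclasses import dataclass
# Constructed addresses for the worked design (not from the original text).
VNET = ipaddress.ip_network("10.0.0.0/16")   # assumed VNet address space
FRONTEND_SUBNET = "10.0.1.0/24"
SQL_SUBNET = "10.0.2.0/24"

@dataclass
class Rule:
    name: str
    priority: int   # lower number is evaluated first; custom rules use 100-4096
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, or the service tags "Internet", "VirtualNetwork", "*"
    dest_port: str  # single port as a string, or "*"

# Azure's built-in inbound defaults (priority 65000+) always sit behind custom rules.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]
def source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":
        return ip not in VNET   # simplification: anything outside the VNet
    return ip in ipaddress.ip_network(rule_source)

def evaluate(rules, src_ip: str, dest_port: int) -> str:
    """First match in ascending priority order decides (one NSG, inbound)."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.dest_port in ("*", str(dest_port)) and source_matches(rule.source, src_ip):
            return rule.access
    return "Deny"

def inbound_allowed(subnet_rules, nic_rules, src_ip: str, dest_port: int) -> bool:
    """Subnet NSG and NIC NSG must both allow; None means no NSG at that level."""
    levels = [r for r in (subnet_rules, nic_rules) if r is not None]
    return all(evaluate(r, src_ip, dest_port) == "Allow" for r in levels)

# Subnet-level rules common to the whole tier.
FRONTEND_SUBNET_RULES = [Rule("AllowHttpsFromInternet", 100, "Allow", "Internet", "443")]
SQL_SUBNET_RULES = [
    Rule("AllowSqlFromFrontend", 100, "Allow", FRONTEND_SUBNET, "1433"),
    # Without this, the default AllowVnetInBound rule would let every other subnet reach SQL.
    Rule("DenyVnetInBound", 4000, "Deny", "VirtualNetwork", "*"),
]
# NIC-level rule specific to one SQL VM: only the frontend may reach the SQL port.
SQL_VM_NIC_RULES = [Rule("AllowSqlFromFrontend", 100, "Allow", FRONTEND_SUBNET, "1433")]
```

Run the checks against a flow from the internet to the frontend on 443 and 3389, and from the frontend subnet, another VNet subnet and the internet to SQL on 1433, to confirm that only the intended paths are open.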