Azure – the difference between an Azure network security group and a VNET


I have made some virtual machines in Azure.

I can see that a vnet has been created for my VMs. This is great as they need a network and I would (of course) like them to be able to connect to each other.

I can also see that a network security group has been created, which is great as I can then control firewall rules and external access.

However, I'm not clear on the difference and why they both exist? Why are they separate, as opposed to the network security group being implemented as a firewall tab under the vnet (in the way that SQL database does). I also cannot see how the vnet and network security group are related. They both have the same NICs, but dont appear to have any awareness of each other – does this mean it's possible for the security group to not apply to some NICs on the network? (and vice versa, can a network security group have NICs from different vnets?).

Best Answer

NSG's could, I suppose have been implemented as part of the vNet, but actually the current approach provides more flexibility, especially if you are using templates to deploy.

vNets are your containers that provide communication between between VM's and a boundary between your environment and the outside world. Inside vNets you will create subnets to organise your network as you like and configure routing rule to define how traffic flows (if you don't like the defaults). vNets also provide the functionality to hook into things like VPN's and Express route.

NSG's are your firewalls that determine what traffic is allowed through. The important thing to note is that NSG's can be applied to individual machines, or to subnets. This distinction means you can apply an NSG to subnet and it can control what traffic is allowed in both from teh outside world, but also from other subnets on your network. Alternatively you can define it at the VM/NIC level and lock things down just for that VM.

Related Topic