Mastering Azure Network Security: Troubleshoot with NSG Diagnostics
Nimesh PanchalAzure Networking offers unique tools and processes tailored to the cloud. One such tool is Azure Network Watcher NSG Diagnostics, which simplifies the troubleshooting process for Network Security Groups (NSGs). This article explores how NSG Diagnostics works and provides practical examples of its use.
What Are Network Security Groups (NSGs)?
NSGs are a critical component in Azure networking. They control inbound and outbound traffic at both the subnet and network interface card (NIC) levels. Each NSG contains a set of rules that define whether traffic is allowed or denied. These rules are evaluated in a specific orders
Inbound Traffic Flow
Inbound traffic from the outside is first evaluated at the Subnet Network Security Group (NSG) level. If allowed, it is then checked against the NSG at the Network Interface Card (NIC) level. If permitted, the traffic proceeds to the resource.
Outbound Traffic Flow
Outbound traffic from the resource is first evaluated at the Network Interface Card (NIC) Network Security Group (NSG) level. If allowed, it is then checked against the NSG at the Subnet level. If permitted, the traffic proceeds to the destination
The first rule that matches the traffic determines the outcome, and no further rules are evaluated and precedence of rules based on priority and lowest priority take preference.
Introducing NSG Diagnostics
Troubleshooting complex NSG configurations can be challenging, especially when multiple layers of rules interact. Azure Network Watcher’s NSG Diagnostics tool provides a streamlined way to identify where traffic is being blocked or allowed. Unlike the IP Flow Verify tool, which only checks if a connection is allowed or denied, NSG Diagnostics offers a more detailed analysis, pinpointing specific rules that impact traffic flow.
Below are Some of Practical Examples of Using NSG Diagnostics
1. Resolving RDP Connection Issues
In this scenario, a virtual machine (VM) was deployed with an NSG applied at both the NIC and subnet levels. The goal was to enable SSH connection access via TCP Port 22.
Initial Problem: Attempting to connect to the VM using its public IP address failed.
Using NSG Diagnostics:
The tool revealed that while the Subnet-level NSG allowed SSH traffic, the NIC-level NSG blocked it.
The issue was resolved by modifying the NIC-level NSG to allow inbound TCP traffic on Port 22.
- Key Insight: Subnet-level rules take precedence over NIC-level rules for Inbound Traffic during evaluation.
2. Restricting Web Access
The objective here was to configure a VM so it could access internal websites but not public websites.
Initial Configuration: Outbound HTTP (Port 80) and HTTPS (Port 443) traffic were allowed from Azure Windows VM by default and Internal website hosted on Azure Linux VM failing connect from Azure Windows VM.
Steps Taken:
Rules were updated in the NIC-level NSG to allow outbound traffic only to internal IP ranges (e.g., 10.0.x.x).
Public internet access should be blocked by specifying "Internet" as the destination in deny rules.
Validation: Using NSG Diagnostics, tests confirmed that:
Internal web traffic was allowed.
After applied Outbound Deny rule on ENI NSG Public web traffic was denied.
Outcome: The VM successfully accessed internal website while remaining isolated from external websites.
Best Practices for Using NSGs
Minimize Exposure: Avoid opening RDP ports (3389) and SSH ports (22) directly to the internet. Instead, use secure alternatives like Azure Bastion or restrict access to specific IP addresses using CIDR notation (e.g.,
/32).Leverage Service Tags: Use Azure service tags (e.g., "Internet") in your rules for better clarity and management.
Test Changes: Always validate rule updates using tools like NSG Diagnostics before deploying them in production environments.
Automate Troubleshooting: Integrate NSG Diagnostics with Azure CLI or PowerShell for automated workflows.
Conclusion
Azure Network Watcher’s NSG Diagnostics tool is an invaluable resource for troubleshooting network connectivity issues in Azure environments. By providing detailed insights into how NSGs process traffic, it enables administrators to quickly identify and resolve misconfigurations. Whether you're managing RDP access or fine-tuning web traffic rules, understanding how to effectively use this tool can significantly enhance your Azure networking capabilities.
Subscribe to my newsletter
Read articles from Nimesh Panchal directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Nimesh Panchal
Nimesh Panchal
I am Nimesh Panchal, a highly skilled and experienced professional with expertise in multiple cloud platforms, including AWS, Azure, and GCP. I am also certified in various cloud and virtualisation technologies, such as CKA, AWS, Azure, GPC, VMware, and Nutanix Throughout my career, I have demonstrated a strong passion for cloud computing and have actively contributed to the success of cloud adoption in diverse industries. My hands-on experience in designing, implementing, and managing cloud-based solutions has allowed me to drive operational efficiency, cost optimization, and scalability for businesses. As a cloud enthusiast, I stay updated with the latest advancements and best practices in the cloud domain. My commitment to continuous learning has enabled me to effectively leverage cloud technologies and deliver impactful solutions to complex challenges. Apart from my cloud expertise, I also possess a solid foundation in networking, virtualization, and data center technologies, making me a well-rounded IT professional. I take pride in collaborating with cross-functional teams and providing leadership in cloud migration, infrastructure design, and cloud security initiatives. My problem-solving skills, coupled with my ability to communicate technical concepts to non-technical stakeholders, have been instrumental in fostering seamless collaboration and driving successful cloud projects.