Forum Discussion
MS Guidance on NSGs on NICs vs on Subnets
Hi, I would say always use the subnet when possible, because of the recommendation below:
Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
In fact, if you decide to associate an NSG to a NIC, you will need to do it for every NIC in the subnet to have the rules applied in the overall subnet (Say Hello to Management Overhead). Also, if the subnet is already associated, you will have the risk of the conflicts mentioned above, since you will configure both.
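The conflict described in the quoted guidance, as an added example that is not part of the original post: a simplified Python model of inbound NSG evaluation, in which traffic is checked against the subnet NSG first and then the NIC NSG, and must be allowed by every NSG that is associated. Assumptions: rules match on destination port only, the default allow rules are omitted, and the rule sets are constructed sample data.

```python
# Added illustration: simplified model of inbound NSG evaluation in Azure.
# The rule sets are constructed sample data, not taken from a real tenant.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first
    port: Optional[int]    # None matches any destination port
    allow: bool

# Simplified stand-in for the default DenyAllInBound rule (priority 65500).
DENY_ALL = Rule("DenyAllInBound", 65500, None, False)

def evaluate(nsg, port):
    """Return the first rule, in priority order, that matches the port."""
    for rule in sorted(list(nsg) + [DENY_ALL], key=lambda r: r.priority):
        if rule.port is None or rule.port == port:
            return rule

def inbound_verdict(subnet_nsg, nic_nsg, port):
    """Check the subnet NSG first, then the NIC NSG. An association of None
    is skipped; every NSG that is associated must allow the traffic."""
    for scope, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if nsg is None:
            continue
        hit = evaluate(nsg, port)
        if not hit.allow:
            return False, f"denied by {scope} NSG rule {hit.name}"
    return True, "allowed"

# Constructed sample: SSH was opened at the subnet, but the NIC-level NSG
# was written separately and only carries the HTTPS rule.
SUBNET_NSG = [Rule("Allow-HTTPS", 100, 443, True),
              Rule("Allow-SSH", 110, 22, True)]
NIC_NSG = [Rule("Allow-HTTPS", 100, 443, True)]

if __name__ == "__main__":
    for label, nic in (("subnet only", None), ("subnet + NIC", NIC_NSG)):
        for port in (443, 22):
            print(label, port, inbound_verdict(SUBNET_NSG, nic, port))
```

With only the subnet NSG associated, port 22 is allowed; adding the NIC NSG silently blocks it through that NSG's default deny, which is the kind of unexpected communication problem the guidance warns about.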