MS Guidance on NSGs on NICs vs on Subnets


I'm looking for any MS best practices around NSGs on network cards and I can't seem to find any.  I've found the NSG best practices but I haven't found any on if it's best practice to have NSGs on just the subnet or the subnet and the NIC.  I'm leaning toward just the subnet.  Thoughts?

Here is what I've found so far
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

1 Reply

@kellybush Normally you will get the typical consultancy answer which is: It depends.
Joke aside. What I normally try to find is common rules the systems need. If several systems in a subnet need the same ruleset I would put the NSG on the subnet. If it is just one special system and the rules should not apply to every other system in the same subnet the NSG goes to the NIC.
Just be careful when you want to use it on both levels, NIC and subnet (one on each NIC and a 2nd NSG on the subnet). The rules tend to accumulate on the NSG attached to the subnet because of the various requirements of the systems within the subnet. Can get a little bit messy when you have a lot of different rules for many different systems. After all an NSG is not a firewall.
I hope that helps
Cheers

Rolf

#MCT #LearnWithRolf #TheCloud42
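To make the "both levels" caveat in the reply concrete, here is an added example (not from the thread or from Microsoft) that models how Azure combines a subnet NSG and a NIC NSG for inbound traffic: rules are processed by ascending priority with first match winning, the subnet NSG is evaluated before the NIC NSG, and traffic passes only if both allow it. The rule sets, the 10.0.0.0/8 stand-in for the VirtualNetwork service tag and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first; first match wins
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # source CIDR prefix, or "*" for any
    dest_ports: tuple  # inclusive (low, high) destination port range

def rule_matches(rule: Rule, src_ip: str, proto: str, port: int) -> bool:
    proto_ok = rule.protocol == "*" or rule.protocol.lower() == proto.lower()
    src_ok = rule.source == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)
    lo, hi = rule.dest_ports
    return proto_ok and src_ok and lo <= port <= hi

def evaluate_nsg(rules, src_ip: str, proto: str, port: int) -> str:
    # One NSG: walk rules by ascending priority, stop at the first match.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, proto, port):
            return rule.access
    return "Deny"  # never reached while the default DenyAllInBound rule is present

def inbound_decision(subnet_nsg, nic_nsg, src_ip: str, proto: str, port: int) -> str:
    # Inbound: subnet NSG first, then NIC NSG; a Deny at either level is final.
    # None means no NSG is associated at that level.
    for rules in (subnet_nsg, nic_nsg):
        if rules is not None and evaluate_nsg(rules, src_ip, proto, port) == "Deny":
            return "Deny"
    return "Allow"

# Azure default inbound rules; the VirtualNetwork tag is approximated (assumption) by 10.0.0.0/8.
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "*", "10.0.0.0/8", (0, 65535)),  # AllowVnetInBound
    Rule(65500, "Deny", "*", "*", (0, 65535)),            # DenyAllInBound
]

# Constructed scenario: the subnet NSG admits RDP only from a jump-host range,
# while the NIC NSG of one special VM additionally admits HTTPS from anywhere.
SUBNET_NSG = [Rule(100, "Allow", "Tcp", "10.1.0.0/24", (3389, 3389))] + DEFAULT_INBOUND
NIC_NSG = [Rule(100, "Allow", "Tcp", "*", (443, 443))] + DEFAULT_INBOUND

if __name__ == "__main__":
    for src, port in [("203.0.113.5", 443), ("10.1.0.7", 3389), ("203.0.113.5", 3389)]:
        print(src, port, inbound_decision(SUBNET_NSG, NIC_NSG, src, "Tcp", port))
```

The HTTPS allow on the NIC never takes effect because the subnet NSG denies the flow first, which is the kind of surprise the reply warns about; on a real VM the combined view is what `az network nic list-effective-nsg` reports, and this model ignores service tags and application security groups.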