MS Guidance on NSGs on NICs vs on Subnets

New Contributor

I'm looking for any MS best practices around NSGs on network cards and I can't seem to find any.  I've found the NSG best practices but I haven't found any on if it's best practice to have NSGs on just the subnet or the subnet and the NIC.  I'm leaning toward just the subnet.  Thoughts?

Here is what I've found so far
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

3 Replies

@kellybush Normally you will get the typical consultancy answer which is: It depends.
Joke aside. What I normally try to find is common rules the systems need. If several systems in a subnet need the same ruleset I would put the NSG on the subnet. If it is just one special system and the the rules should not apply to every other system in the same subnet the NSG goes to the NIC.
Just be careful when you want to use it on both levels, NIC and subnet (one on each NIC and a 2nd NSG on the subnet). The rules tend to accumulate on the NSG attached to the subnet because of the various requirements of the systems within the subnet. Can get a little bit messy when you have a lot of different rules for many different systems. After all a NSG is not a firewall.
I hope that helps
Cheers

Rolf

#MCT #LearnWithRolf #TheCloud42

Use NSG per subnet if there is a specific VM that odd man out then only consider using NSG per NIC/VM

@kellybush 

 

Hi i would say always use subnet when possible  because of the recommendation below :  

Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

 

In fact if you decide to associate NSG to NIC you  will need to do it for every NIC in the subnet to have rules applied in the overall subnet  ( Say Hello to Management Overhead)  . Also if subnet is already associated you will have risk of conflicts mentionned above since you will configure both .