VNet – Network Security Groups (NSGs)

Access to and from a VNet is controlled via Network Security Groups (NSGs), which act similarly to a firewall, permitting or denying traffic based on rules that use the standard five-tuple approach.

The five tuples are:

  1. Source IP address
  2. Source port
  3. Destination IP address
  4. Destination port
  5. Protocol

NSG rules can be applied to inbound or outbound traffic on the VNet and are processed in order of their priority number: the lower the number, the earlier the rule is evaluated. They work on a ‘first match’ basis, so the first rule whose five tuples match the traffic decides the outcome and no later rule is consulted. Very specific rules therefore typically sit at the top of the list, with more relaxed rules further down. As with firewalls, the lowest-priority rule (the highest number) is typically a deny-all rule, which drops any network traffic that is not explicitly allowed by an earlier rule.

⚠️ When creating NSG rules, it may be useful to use spaced-out priorities to ensure that future rules can be slotted into the correct position in the ordering. For example, rule 1 = 100, rule 2 = 200, rule 3 = 300. That way, if a very important rule 4 is needed in the future, it can be positioned ahead of all of them as priority = 50.
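To make the priority ordering and first-match behaviour concrete, here is a small simulation of NSG rule evaluation. It is an added example, not code from the original post or from Azure: the `NsgRule` model, the constructed rule set and the sample addresses are assumptions, and real NSGs also support service tags and application security groups that this model leaves out. The last case shows the point of spaced priorities: a new deny rule slotted in at priority 50 takes effect ahead of the existing allows.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    """One NSG rule: a priority, the five-tuple match fields and an action.
    Constructed model for this example; '*' matches anything."""
    name: str
    priority: int      # lower number = evaluated earlier
    direction: str     # "Inbound" or "Outbound"
    src: str           # CIDR or '*'
    src_port: str      # single port, "lo-hi" range, or '*'
    dst: str           # CIDR or '*'
    dst_port: str      # single port, "lo-hi" range, or '*'
    protocol: str      # "Tcp", "Udp" or '*'
    access: str        # "Allow" or "Deny"


def _match_addr(pattern: str, addr: str) -> bool:
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def _match_port(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, src, src_port, dst, dst_port, protocol):
    """Return (access, rule name) from the first rule that matches, walking the
    rules in ascending priority order. Anything no rule matches is denied,
    standing in for the implicit deny-all at the bottom of a real NSG."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == direction
                and _match_addr(rule.src, src) and _match_port(rule.src_port, src_port)
                and _match_addr(rule.dst, dst) and _match_port(rule.dst_port, dst_port)
                and rule.protocol in ("*", protocol)):
            return rule.access, rule.name
    return "Deny", "<no rule matched>"


# Constructed rule set using spaced priorities, with an explicit deny-all last.
RULES = [
    NsgRule("AllowHTTPS", 100, "Inbound", "*", "*", "10.0.1.0/24", "443", "Tcp", "Allow"),
    NsgRule("AllowSSHFromAdmin", 200, "Inbound", "203.0.113.0/24", "*", "10.0.1.0/24", "22", "Tcp", "Allow"),
    NsgRule("DenyAllInbound", 4096, "Inbound", "*", "*", "*", "*", "*", "Deny"),
]

# Slotting an urgent rule in at priority 50 needs no renumbering of the others.
BLOCKED = RULES + [NsgRule("DenyFlaggedRange", 50, "Inbound", "198.51.100.0/24", "*", "*", "*", "*", "Deny")]
```

Running `evaluate(BLOCKED, "Inbound", "198.51.100.7", 50000, "10.0.1.4", 443, "Tcp")` returns the priority-50 deny even though the HTTPS allow at 100 would otherwise match, which is exactly the first-match behaviour the post describes.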
