Do I Need NSGs on My Spoke Subnets?

Asked By DigitalSquirrel92 On

Hey everyone! I have a quick question regarding network security groups (NSGs) in a hub and spoke virtual network setup. If I've got a firewall in the hub, do I really need to set up NSGs on the spoke subnets? It seems a bit redundant since the firewall should be filtering all incoming traffic, right? Also, I believe the default NSGs won't affect internal traffic. I'm under the impression that all subnets should have NSGs, but I'm not sure why. Can anyone clarify this for me? Thanks!

5 Answers

Answered By CloudNinja44 On

We apply NSGs to all subnets to block unnecessary traffic between VMs. For example, we keep SSH and RDP disabled by default within the same VNET, only allowing access through a bastion host.

Answered By SecureNetGuru On

If you're leaning towards a Zero Trust approach, then yes, you should use NSGs. It's about reducing vulnerabilities, and having those controls in place allows only necessary traffic while blocking the rest.

Answered By AppSecure10 On

Microsoft advises adopting least privilege security, which means using NSGs on subnets is a good practice. The firewall protects the hub, but having NSGs ensures that only required traffic is allowed. It's great for visibility and getting good security scores from various tools.

Answered By TechieFlair76 On

In our setup, we definitely use inbound NSGs with a global deny rule for added security. We skip outbound NSGs because they just complicate things without much benefit.

Answered By DataDefender21 On

While your firewall can manage public traffic, NSGs are useful for logging and controlling traffic within the network. They help ensure you have monitoring in place, even if most traffic is routed through the firewall. You can always allow all traffic for simplicity.
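Added example, not part of any answer above: a small Python model of inbound NSG rule evaluation, showing how Azure's default rules treat traffic between VMs in the same VNet and what bastion-only SSH/RDP rules change. The address ranges, the custom rule names and the simplified `VirtualNetwork` tag are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): one spoke VNet containing a bastion subnet.
VNET = "10.1.0.0/16"
BASTION_SUBNET = "10.1.255.0/26"

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str    # CIDR, "VirtualNetwork" or "*"
    ports: tuple   # destination ports; empty tuple means any port
    allow: bool

# Azure's built-in inbound rules (AllowAzureLoadBalancerInBound at 65001 omitted for brevity).
DEFAULTS = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", (), True),
    Rule(65500, "DenyAllInBound", "*", (), False),
]

# Custom rules modelled on the bastion-only approach; the rule names are hypothetical.
HARDENED = [
    Rule(100, "AllowMgmtFromBastion", BASTION_SUBNET, (22, 3389), True),
    Rule(110, "DenyMgmtFromVnet", "VirtualNetwork", (22, 3389), False),
]

def source_matches(rule, src_ip):
    if rule.source == "*":
        return True
    # Simplification: VirtualNetwork is modelled as the VNet CIDR only; the real
    # tag also covers peered VNets and connected on-premises ranges.
    cidr = VNET if rule.source == "VirtualNetwork" else rule.source
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)

def evaluate_inbound(custom_rules, src_ip, dst_port):
    """Return (allowed, rule_name) for the first match, lowest priority number first."""
    for rule in sorted(custom_rules + DEFAULTS, key=lambda r: r.priority):
        if source_matches(rule, src_ip) and (not rule.ports or dst_port in rule.ports):
            return rule.allow, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")

if __name__ == "__main__":
    flows = (("10.1.1.5", 22), ("10.1.255.4", 3389), ("10.1.1.5", 443), ("203.0.113.9", 22))
    for label, rules in (("defaults only", []), ("hardened", HARDENED)):
        for src, port in flows:
            print(label, src, port, evaluate_inbound(rules, src, port))
```

With only the default rules, SSH from a neighbouring VM in the VNet is allowed by `AllowVnetInBound`; traffic that never leaves the VNet is decided by these rules rather than by a firewall in the hub.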
