I'm working with several virtual machines in Azure that are all within the same subnet, and I want them to communicate directly. However, I also need to control the traffic between these machines based on specific ports and protocols. Some of these VMs will connect to external services as well. What's the easiest approach to achieve this? Should I be using inbound and outbound rules, application security groups (ASGs), or network security groups (NSGs)? Any help would be greatly appreciated!
3 Answers
To manage traffic within the same subnet, it's best to use Network Security Groups (NSGs). By default, traffic between VMs in the same virtual network is allowed, so you'll want to create explicit allow rules for the specific ports and protocols you need, and then deny all other traffic. If you want to simplify rule management, consider using ASGs to group your VMs by role, which you can reference instead of individual IPs. For filtering beyond Layer 3/Layer 4, you can use Azure Firewall or a Network Virtual Appliance (NVA), but for most scenarios, NSGs combined with ASGs should suffice!
You can set up an NSG linked to your subnet and create an inbound deny rule that covers the entire IP range of that subnet—give it a high priority like 4096. This way, all traffic between the VMs will be denied by default, and you can then add specific allow rules with a lower priority to permit the traffic you want. If you prefer, you can make use of ASGs linked to the VM NICs for both the source and destination of these rules.
Nice, thanks!
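The two answers above rest on how an NSG evaluates its rule list: lowest priority number first, first match wins, and anything unmatched falls through to the platform's built-in rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500). The script below is an added illustration written for this thread, not Azure's implementation and not code from any poster: a small model of inbound evaluation that shows why the subnet-wide deny at 4096 is needed (without it, the default 65000 rule allows all intra-VNet traffic) and how ASGs stand in for IP lists. The VNet/subnet ranges, ASG names, member IPs, ports and rule names are all constructed assumptions.

```python
"""Toy model of Azure NSG inbound rule evaluation (constructed example, not Azure's code).
Rules are evaluated lowest priority number first; the first match decides; traffic that
matches no custom rule hits the platform default rules (65000 / 65001 / 65500)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- constructed topology (assumption: one VNet, one subnet, two ASG roles) ---
VNET = ip_network("10.0.0.0/16")
SUBNET = ip_network("10.0.1.0/24")
ASG_MEMBERS = {                       # NICs attached to each application security group
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.1.10"},
}
AZURE_LB_PROBE_IP = "168.63.129.16"   # what the AzureLoadBalancer service tag resolves to


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules: 100-4096, unique per direction; lower number wins
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR, ASG name or service tag ("VirtualNetwork", "AzureLoadBalancer", "*")
    destination: str
    dest_ports: tuple    # port numbers, or ("*",)


def _addr_matches(spec: str, addr: str) -> bool:
    """Resolve a source/destination spec the way the NSG would: tag, ASG or CIDR."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":        # simplified: the real tag also covers peered/on-prem space
        return ip_address(addr) in VNET
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    if spec in ASG_MEMBERS:
        return addr in ASG_MEMBERS[spec]
    return ip_address(addr) in ip_network(spec)


def _rule_matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (rule.protocol in ("*", proto)
            and ("*" in rule.dest_ports or port in rule.dest_ports)
            and _addr_matches(rule.source, src)
            and _addr_matches(rule.destination, dst))


DEFAULT_INBOUND = (   # Azure's built-in inbound rules: cannot be deleted, only overridden
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", ("*",)),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", ("*",)),
)


def validate(custom: list) -> None:
    """Reject rule sets the platform would reject: priority out of range or duplicated."""
    prios = [r.priority for r in custom]
    if any(not 100 <= p <= 4096 for p in prios):
        raise ValueError("custom rule priority must be between 100 and 4096")
    if len(prios) != len(set(prios)):
        raise ValueError("priorities must be unique within a direction")


def evaluate(custom: list, src: str, dst: str, proto: str, port: int) -> tuple:
    """Return (access, name of the deciding rule) for one inbound flow."""
    validate(custom)
    for rule in sorted(custom + list(DEFAULT_INBOUND), key=lambda r: r.priority):
        if _rule_matches(rule, src, dst, proto, port):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound always matches")  # unreachable


# The pattern from the answer above: explicit allows at low numbers, subnet-wide deny at 4096
ALLOW_RULES = [
    Rule("allow-web-to-db-postgres", 100, "Allow", "Tcp", "asg-web", "asg-db", (5432,)),
    Rule("allow-https-to-web", 110, "Allow", "Tcp", "*", "asg-web", (443,)),
]
SUBNET_DENY = Rule("deny-intra-subnet", 4096, "Deny", "*", str(SUBNET), str(SUBNET), ("*",))
HARDENED = ALLOW_RULES + [SUBNET_DENY]


if __name__ == "__main__":
    flows = [("10.0.1.4", "10.0.1.10", "Tcp", 5432), ("10.0.1.4", "10.0.1.10", "Tcp", 22),
             ("203.0.113.7", "10.0.1.4", "Tcp", 443), ("203.0.113.7", "10.0.1.10", "Tcp", 5432)]
    for f in flows:
        print(f, "allows only:", evaluate(ALLOW_RULES, *f), "| hardened:", evaluate(HARDENED, *f))
```

Running it shows the SSH flow between two VMs in the subnet being allowed by AllowVnetInBound when only the allow rules exist, and denied by the 4096 rule once it is added. One thing the model also exposes: an allow rule whose source is `*` (the HTTPS rule here) sits at a lower number than the deny, so it permits that port from inside the subnet too; if that is not intended, scope the source with an ASG or the Internet service tag instead of `*`. In a real deployment the same rules are created with `az network nsg rule create` using `--source-asgs`/`--destination-asgs` for the ASG endpoints.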
You can also use NSGs at the NIC level, but that's less common. Most of the time, you're going to want to apply the NSGs at the subnet level instead to keep things simpler.
Thanks!

Thanks a lot!