NSG Rules in Azure Local: Best Practices for Microsegmentation and Traffic Isolation

Paul Bryant

9 months ago

TL;DR (Quick Summary)

Azure Local NSGs (Network Security Groups) provide a critical foundation for securing hybrid environments. By implementing microsegmentation and traffic isolation, administrators can enforce fine-grained controls over east-west and north-south traffic. This article offers best practices, PowerShell and Bicep examples, and real-world scenarios to strengthen your Azure Local SDN security posture.

Introduction

In hybrid environments powered by Azure Local (formerly Azure Stack HCI), network security is a top priority. With workloads distributed across virtualized infrastructure and edge deployments, managing traffic flow becomes complex. Azure Local NSG rules offer a powerful solution for segmenting traffic and enforcing security policies without the overhead of traditional firewalls.

This article dives into NSG implementation strategies that support zero-trust architectures through microsegmentation and workload isolation.

What Are NSG Rules in Azure Local?

NSG rules in Azure Local act as distributed firewall controls, allowing or denying traffic to network interfaces (NICs) and subnets based on:

Direction: Inbound or outbound
Protocol: TCP, UDP, or Any
Port range: Specific or range-based
Priority: Rules are processed in order from lowest number to highest
Action: Allow or Deny

Unlike Azure public cloud, Azure Local NSGs operate within your on-premises SDN fabric, offering a low-latency, highly controllable layer of protection.

Microsegmentation with Azure Local NSGs

Microsegmentation isolates workloads by enforcing security policies at the smallest unit — often the VM or NIC level.

Benefits:

Prevents lateral movement from compromised VMs
Reduces attack surface by locking down internal traffic
Supports layered defenses in multi-tier apps

Diagram Placeholder:

NSG Rule Design: Best Practices

#	Best Practice	Description
1	Deny-by-default	Always end with a deny-all rule to ensure explicit access control
2	Tier-based segmentation	Isolate app tiers (web, app, DB) using subnet-level NSGs
3	Avoid wildcards	Be specific with ports and protocols to minimize risk
4	Use naming conventions	e.g., `NSG-Web-Tier-01`, `Rule-Allow-HTTP-App01`
5	Enable flow logs	Audit and troubleshoot traffic with NSG Flow Logs via Azure Monitor
6	Separate control/user traffic	Assign distinct subnets/NSGs for mgmt vs. app workloads
7	Document rule intent	Use tags and descriptions for operational clarity

Common Use Cases for Azure Local NSGs

3-Tier Applications: Enforce access only from frontend to backend
Multi-Tenant Environments: Segment customer workloads
Domain Controller Protection: Isolate AD services from general traffic
Secure Jump Boxes: Limit RDP/SSH access to specific IPs

PowerShell Example: Create and Apply NSG

# Create NSG
New-AzNetworkSecurityGroup -Name "NSG-Web" -ResourceGroupName "RG-HCI" -Location "localregion"

# Add Inbound Rule for HTTPS
$nsg = Get-AzNetworkSecurityGroup -Name "NSG-Web" -ResourceGroupName "RG-HCI"
$rule = Add-AzNetworkSecurityRuleConfig -Name "Allow-HTTPS" `
    -NetworkSecurityGroup $nsg `
    -Direction Inbound -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443 `
    -Access Allow

# Apply to subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet `
    -Name "FrontendSubnet" -AddressPrefix "10.0.1.0/24" -NetworkSecurityGroup $nsg

Bicep Template: Define Microsegmented NSG

resource nsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {
  name: 'nsg-app-tier'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        name: 'Allow-SQL-From-WebTier'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.0.1.0/24'
          destinationPortRange: '1433'
          destinationAddressPrefix: '*'
          sourcePortRange: '*'
        }
      }
    ]
  }
}

Real-World Example: Secure 3-Tier App with NSGs

Scenario: You are hosting a 3-tier application with subnets:

FrontendSubnet → Web Tier
AppSubnet → Application Logic
DBSubnet → SQL Backend

NSG Rule Summary:

Web Tier: Allow TCP:443 from Internet
App Tier: Allow TCP:8080 from Web Tier subnet
DB Tier: Allow TCP:1433 from App Tier only

Visual Placeholder:

Gotchas to Avoid

❌ Wildcard Rules: Opening 0.0.0.0/0 to all ports creates serious risk
❌ Conflicting Priorities: Misordered rules override intended logic
❌ Missing Logs: Lack of diagnostics makes troubleshooting difficult

Summary and Key Takeaways

NSGs in Azure Local are vital for enforcing zero-trust security
Microsegmentation reduces attack surfaces
Use tiered rule designs with logging and documentation
PowerShell and Bicep can automate deployment and compliance

Final Thoughts: As hybrid deployments grow, leveraging NSGs for microsegmentation is no longer optional — it’s essential. Consistently applying security policy through infrastructure-as-code tools like PowerShell and Bicep ensures both scalability and compliance. Start small with foundational rules, audit often, and evolve your rule sets as your infrastructure matures.

*The thoughts and opinions in this article are mine and hold no reflect on my employer*