Azure NSG Rule Linter

About This Tool

Azure Network Security Groups (NSGs) filter traffic to and from Azure resources within a virtual network using priority-based rules that are evaluated in order from lowest to highest number. Unlike AWS security groups, NSGs support both allow and deny rules, and rule priority conflicts can produce unexpected behavior where a lower-priority allow is overridden by a higher-priority deny or vice versa. This linter analyzes your NSG rules for common security issues including unrestricted inbound access from the Internet service tag, overly broad port ranges, conflicting rules at different priorities, and missing deny-all rules at the end of your rule set.

When to Use This Tool

• •Auditing NSG configurations against Azure CIS Benchmark requirements before compliance assessments
• •Detecting rules that allow inbound SSH (22) or RDP (3389) from the Internet service tag, which violates most security baselines
• •Identifying priority conflicts where a permissive low-priority rule is unintentionally overridden by a restrictive high-priority rule
• •Validating that NSG rule sets include explicit deny-all rules at the highest priority numbers to establish a default-deny posture

Frequently Asked Questions

How does Azure NSG rule priority evaluation work?

Azure evaluates NSG rules in ascending priority order (100 is evaluated before 200). The first matching rule determines whether traffic is allowed or denied — subsequent rules are not evaluated. Azure reserves priorities 65000-65500 for default rules (AllowVnetInbound, AllowAzureLoadBalancerInbound, DenyAllInbound). User-defined rules must use priorities between 100 and 4096. This priority-based evaluation means rule ordering matters significantly for security.

What is the difference between Azure NSGs and AWS Security Groups?

Azure NSGs support both allow and deny rules with explicit priority ordering, while AWS Security Groups only support allow rules with implicit deny. NSGs can be applied to both subnets and individual NICs (with cumulative evaluation), while AWS Security Groups attach only to instances. NSGs are stateful like Security Groups, but Azure also has stateless options through Azure Firewall or UDR-based appliances.

Can NSGs reference Azure service tags in rules?

Yes. Service tags like Internet, VirtualNetwork, AzureLoadBalancer, and service-specific tags like Storage, Sql, and AzureActiveDirectory represent groups of IP address prefixes managed by Microsoft. Using service tags instead of hard-coded IP ranges ensures your rules automatically stay current as Azure updates its IP ranges. The linter checks whether your rules use service tags appropriately.