Azure Network Security Groups
This topic describes how to create and change Network Security Groups (NSGs) for an Azure account in CloudGuard. The account must be in Manage mode.
You can create NSGs for each region or resource group in your Azure account.
- In the CloudGuard portal, navigate to Network Security > Policy > Security Groups.
- Select the Azure account and click .
- Enter a name and description for the Security Group (a set of access control rules that acts as a virtual firewall for your virtual machine instances to control incoming and outgoing traffic).
The new NSG is created with default rules:
This procedure describes how to set an Azure environment in CloudGuard to Managed mode. You have to start with Onboarding Azure Subscriptions to CloudGuard.
In Managed mode, you can manage the Security Groups for the account from CloudGuard.
- In the Assets menu, navigate to the Environments page.
- Select the Azure environment.
- In the toolbar, move the switch from Read only to Managed.
- A confirmation message opens. Click Switch.
- Click OK to affirm the change.
Note - You can switch the environment back to Read-Only. In this mode, you cannot set Security Groups from CloudGuard.
You can change details for an Azure NSG in CloudGuard. The NSG must be in Manage mode. You can add, remove, or change rules for the NSG.
- Navigate to the Security Groups page in Network Security. It shows your Security Groups, for all your environments.
- Click the Azure NSG of interest from the list.
- Click Edit Mode.
- Select Click to add new rule.
- Enter details for the rule.
  For example, add an SSH rule:
  Set the parameters for the Security Group:
  Service Type - Contains a list of predefined services. Selecting a type automatically fills most of the required fields.
  Action - Deny or Allow - Type of access to apply if the rule matches.
  Priority - Rules are checked in order of priority. When a rule applies, no more rules are tested for matching.
  Protocol - TCP, UDP, or *.
  Destination Port Range - Destination port range to match the rule.
  Destination Type - Source address prefix or tag to match the rule.
  Name - Name for the rule.
  For more information, see https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg.
- When the NSG contains several rules, you can drag the new rule and place it between other rules.
  Note - You can Drag or Click to add new rule between rules to create a rule directly at that location.
- Click Save Changes.
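The priority behavior described in the rule parameters above, as an added example (not CloudGuard or Azure code): a small Python model that evaluates inbound rules in priority order, stops at the first match, and lists rules that can never match because an earlier rule already covers them. The Rule fields, rule names, and addresses are constructed for illustration; lower priority numbers are checked first, as in Azure NSGs.

```python
import ipaddress
from collections import namedtuple

# Hypothetical rule record; field names are this example's, not CloudGuard's.
Rule = namedtuple("Rule", "name priority action protocol source ports")

# Constructed inbound rule set. Lower priority number = checked first.
RULES = [
    Rule("AllowSshFromAdmin", 100, "Allow", "TCP", "203.0.113.0/24", "22"),
    Rule("DenySshAll", 200, "Deny", "TCP", "*", "22"),
    Rule("AllowSshFromJump", 300, "Allow", "TCP", "198.51.100.10/32", "22"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),  # Azure default rule
]

def _ports(spec):
    """Turn "22", "8000-8100" or "*" into an inclusive (low, high) pair."""
    if spec == "*":
        return 0, 65535
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def _net(prefix):
    """IPv4 prefixes only; service tags are not modelled."""
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "*" else prefix)

def evaluate(rules, protocol, src_ip, dst_port):
    """Return (action, rule name) of the first rule that matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        low, high = _ports(r.ports)
        if (r.protocol in ("*", protocol)
                and ipaddress.ip_address(src_ip) in _net(r.source)
                and low <= dst_port <= high):
            return r.action, r.name
    return "Deny", None  # only reached if no catch-all rule is present

def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    (alo, ahi), (blo, bhi) = _ports(a.ports), _ports(b.ports)
    return (a.protocol in ("*", b.protocol)
            and _net(b.source).subnet_of(_net(a.source))
            and alo <= blo and bhi <= ahi)

def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [b.name for i, b in enumerate(ordered)
            if any(covers(a, b) for a in ordered[:i])]

if __name__ == "__main__":
    print(evaluate(RULES, "TCP", "198.51.100.10", 22))
    print(shadowed(RULES))
```

In the constructed set, the jump-host Allow rule sits below a broader Deny for the same port, so it has no effect until it is dragged above that Deny.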
You can apply Tamper Protection to an Azure Security Group. Tamper Protection detects unapproved changes made to the Security Group (that is, changes not made in CloudGuard) and resets them to the settings you configure in CloudGuard.
You can only apply Tamper Protection to Azure NSGs in an account that is Managed.
- Navigate to the Security Groups page in Network Security. It lists your Security Groups, for all your environments.
- Click the Azure NSG of interest from the list.
- Move Tamper Protection to On.
- In the confirmation message, click Confirm.