user4093955

Do AWS Security Group and Azure Network Security Group work the same way?

I designed an architecture to be mainly hosted in AWS, but some of our customers are demanding that for working with them, we must deploy to Azure as well.

I think the logic behind the infrastructure is the same, i.e. the traffic is received by load balancers which then forward the traffic to the instances behind them.

The problem I'm seeing is that I'm not sure if AWS Security Groups and Azure NSG are "interchangeable", meaning that they work exactly the same way, so I can just "dump" the same AWS config to Azure. AFAIK, Security Groups in Amazon are kind of a host-based firewall, defining rules for each instance. However, I'm reading Azure docs, and it looks like NSG covers a wider area, not only instance-level but also ACLs to subnets and more.

So basically the question is: is there any simple way of translating AWS Security Group configuration to Azure NSG? Is it even possible?

I've found this old question, but when it was asked, Azure NSGs weren't available.

Upvotes: 4

Views: 5313

Answers (3)

Murali Krishna Parimi

Reputation: 41

One other difference I want to point out, from my experience of working with RHEL VMs on both of the clouds.

With AWS Security Groups (kind of firewalls to the VMs), you don't need to open the ports on the VM itself.

For Azure, you have to open the ports at the VM level even when you have allowed traffic on a given port in the NSG. So in this way, I consider NSG to be one layer above the Security Group, if you would want to compare them.

Please see the link below for more information.

https://social.msdn.microsoft.com/Forums/en-US/0ea234be-0b1a-41b9-8d44-dd23e3c3f2c2/azure-network-security-group-versus-linux-vm-firewall?forum=windowsazuredata#0ea234be-0b1a-41b9-8d44-dd23e3c3f2c2

Thanks, Murali

Upvotes: 0

user4093955

After a month using both, I think I know the answer.

Both AWS SG and Azure NSG work the same way when applied to an instance (EC2 in AWS, VM in Azure). In Azure's GUI, there is a place where the name of the VM has a shield logo, and clicking on it I can define the inbound and outbound rules like I would do in AWS Security Groups.

There is a slight difference, and it's that in Azure you have less control of the traffic, with only three possible options:

  • Allow Internet
  • Allow Load Balancer to VM
  • Allow between VMs

By contrast, in AWS you can specifically control which instances can connect to other instances because you can use the Security Group ID as the source/destination of the rules. In Azure, in order to have such fine-grained control, you need to use the VMs' IPs, but if you scale up, you need to add more rules to the ruleset with each specific IP, which is not very usable in an autoscaling setup.

Upvotes: 6

Tim Wieman

Reputation: 170

They are very similar but have some nuances to them. For example, AWS does not allow all traffic within the VNET by default, whereas Azure NSGs allow all traffic between VMs in the VNET. Unfortunately, I don't have a guide for translating from one to the other. The best reference for Azure NSGs: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/. This documents those default inbound and outbound rules, too.

Upvotes: 1
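The two differences raised in the answers above (SG-ID sources having no NSG equivalent, and Azure allowing all VNet traffic by default) can be made concrete with a small translation script. This is an added example, not code from AWS, Azure, or anyone in this thread. It assumes a simplified NSG rule representation (a dict with priority, source, dest_port, protocol and access); the three default inbound rule names and priorities are Azure's real defaults, while the sample security group, the group IDs, CIDRs and the member IP map are constructed for the example.

```python
"""Translate AWS Security Group inbound rules into Azure-NSG-style rules.

Constructed example: the input mirrors the shape of
`aws ec2 describe-security-groups` output; the output is a simplified NSG
rule dict. It shows that (1) an SG-ID source must be expanded to the member
IPs known right now, and (2) Azure's default "allow VNet" rule has to be
overridden explicitly if AWS-style default-deny behaviour is wanted.
"""
from ipaddress import ip_address, ip_network

# Azure's built-in inbound default rules (real names and priorities).
# Priority 65000 is why VM-to-VM traffic inside a VNet is allowed unless a
# custom rule with a lower number says otherwise.
AZURE_DEFAULT_INBOUND = [
    {"priority": 65000, "name": "AllowVnetInBound", "source": "VirtualNetwork",
     "dest_port": "*", "protocol": "*", "access": "Allow"},
    {"priority": 65001, "name": "AllowAzureLoadBalancerInBound",
     "source": "AzureLoadBalancer", "dest_port": "*", "protocol": "*", "access": "Allow"},
    {"priority": 65500, "name": "DenyAllInBound", "source": "*",
     "dest_port": "*", "protocol": "*", "access": "Deny"},
]

# Constructed sample input: a "web" SG. IDs and CIDRs are made up.
SAMPLE_SG = {
    "GroupId": "sg-web00000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/24"}], "UserIdGroupPairs": []},
        # "from the load balancer's SG": AWS resolves membership at run time
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lb000000"}]},
    ],
}
# Constructed: current private IPs of the members of each referenced SG.
SAMPLE_MEMBERS = {"sg-lb000000": ["10.0.1.10", "10.0.1.11"]}

PARITY_DENY_PRIORITY = 4000  # custom NSG priorities must lie in 100-4096


def _port_range(perm):
    if perm["IpProtocol"] == "-1":  # AWS "-1" means all protocols and ports
        return "*"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _protocol(perm):
    return "*" if perm["IpProtocol"] == "-1" else perm["IpProtocol"].capitalize()


def translate_inbound(sg, members, first_priority=100, step=10, aws_default_deny=True):
    """Return (nsg_rules, warnings). Each distinct source becomes its own rule;
    SG-ID sources are expanded to the member IPs known now, and the warnings
    record that those rules go stale as soon as membership changes."""
    rules, warnings, prio = [], [], first_priority
    for perm in sg["IpPermissions"]:
        port, proto = _port_range(perm), _protocol(perm)
        sources = [ip_network(r["CidrIp"], strict=False).with_prefixlen
                   for r in perm["IpRanges"]]
        for pair in perm["UserIdGroupPairs"]:
            ips = members.get(pair["GroupId"], [])
            if not ips:
                warnings.append(f"{pair['GroupId']}: no known members, rule omitted")
            else:
                warnings.append(f"{pair['GroupId']}: expanded to {len(ips)} IP(s); "
                                "regenerate whenever membership changes")
            sources += [f"{ip}/32" for ip in ips]
        for src in sources:
            if prio >= PARITY_DENY_PRIORITY:
                raise ValueError("too many rules for the custom priority range")
            rules.append({"priority": prio,
                          "name": f"allow-{proto.lower()}-{port}-from-"
                                  + src.replace("/", "-").replace(".", "-"),
                          "source": src, "dest_port": port, "protocol": proto,
                          "access": "Allow"})
            prio += step
    if aws_default_deny:
        # AWS SGs deny anything not explicitly allowed; Azure's 65000 default
        # would allow all VNet traffic, so override it with a lower number.
        rules.append({"priority": PARITY_DENY_PRIORITY, "name": "deny-vnet-aws-parity",
                      "source": "VirtualNetwork", "dest_port": "*", "protocol": "*",
                      "access": "Deny"})
    return rules, warnings


def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = map(int, rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def _source_matches(rule_src, src, vnet):
    if rule_src == "*":
        return True
    if rule_src == "AzureLoadBalancer" or src == "AzureLoadBalancer":
        return rule_src == src  # probe traffic carries the tag, not an IP
    if rule_src == "VirtualNetwork":
        return ip_address(src) in ip_network(vnet)
    return ip_address(src) in ip_network(rule_src)


def inbound_decision(custom_rules, src, port, proto="Tcp", vnet="10.0.0.0/16"):
    """Evaluate custom plus default rules NSG-style: lowest priority number
    that matches decides. Returns (access, rule_name)."""
    for rule in sorted(custom_rules + AZURE_DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (rule["protocol"] in ("*", proto) and _port_matches(rule["dest_port"], port)
                and _source_matches(rule["source"], src, vnet)):
            return rule["access"], rule["name"]
    return "Deny", "implicit"


if __name__ == "__main__":
    rules, warnings = translate_inbound(SAMPLE_SG, SAMPLE_MEMBERS)
    for r in rules:
        print(r["priority"], r["name"])
    print(*warnings, sep="\n")
    # A freshly scaled-out LB member is blocked until the NSG is regenerated:
    print(inbound_decision(rules, "10.0.1.12", 8085))
```

Run with `aws_default_deny=False` and a host anywhere in the VNet reaches any port via `AllowVnetInBound`, which is the default Tim describes; with the parity deny in place, a new load balancer member at 10.0.1.12 is refused until the rule set is regenerated, which is the autoscaling problem the accepted answer describes.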