Barracuda Cloud Security Guardian

Network Security Group Management

You can manage Network Security Group (NSG) policies in Barracuda Cloud Security Guardian. An NSG policy contains a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. This is used to control traffic in the network. 

This functionality currently applies to Azure environments. 

Creating Shared Network Security Group Policies

To create a shared NSG policy:

  1. Log into your Barracuda Cloud Security Guardian account.
  2. From the menu, navigate to Policy Management > Network Security Groups.
  3. On the Network Security Group Policies page, click Add Shared Policy.
  4. In the wizard, provide the following information:
    1. Policy Name – Create a unique name for this shared NSG policy.
    2. Account – Select the cloud provider account that contains the NSGs for the policy. 
      Note that currently, this functionality supports Microsoft Azure accounts. 
    3. Network Security Group – Select one or more groups to comprise the Network Security Group policy. Alternatively, click Select All to include all of your existing groups. 
  5. Click Add.
    The new Shared Policy appears in the Network Security Group Policies page. 

Managing Shared Network Security Group Policies

Adding an NSG to a Policy

You can add an NSG to an existing policy at any time.

To add an NSG to an existing policy:

  1. In the Network Security Group Policies table, locate the appropriate policy. 
  2. Click the three dots at the end of the row and select Add NSG.
  3. Select the Account and NSG, then click Add.

NSG in Only One Policy

Each Network Security Group can be associated with only one shared NSG policy. An NSG that is already assigned to a shared policy is not visible in the selection menu when you want to add NSGs to a new or existing policy. 

To reassign an NSG to a different policy:

Option 1: Moving the NSG

  1. In the Network Security Group Policies table, locate the NSG under its current policy.
  2. Click the three dots at the end of the row and select Move.
  3. In the Move Network Security Group window, select the policy to which you want to relocate the NSG.
  4. Click Save Changes.

The Network Security Group now appears under the policy you just specified. 

Option 2: Removing then Adding the NSG

  1. In the Network Security Group Policies table, locate the NSG under its current policy.
  2. Click the three dots at the end of the row and select Remove.
    Note that removing an NSG from a policy does not delete the NSG itself. This action removes the assignment of the NSG to the policy.
  3. In the dialog that appears, confirm that you want to remove the NSG. 
  4. Add the NSG to any other policy, as described above.

Editing a Shared NSG Policy Name

After you create a shared NSG policy, you can only edit the shared group policy name.

  1. In the Network Security Group Policies table, locate the shared policy.
  2. Click the three dots at the end of the row and select Edit.
  3. Change the policy name and click Save Changes.

Shared Rules and Local Rules

Shared rules apply to all of the NSGs in a policy. You create shared rules within the shared NSG policy and they are listed with the shared NSG policy.

Local rules apply only to individual NSGs and are defined per NSG. You can define the rules for an NSG within the shared NSG policy. 

If you move an NSG from one shared policy to another, it brings its own local rules with it, along with the shared rules from the shared NSG policy it is leaving.

Specifying Shared Rules

To specify shared rules for a policy:

  1. In the Network Security Group Policies table, locate the appropriate policy. Click Shared Rules at the far right of the corresponding row.
  2. In the Network Security Group Policy window, specify all of the following information:
    • Name – A unique name for this policy.
    • Priority – The order in which to apply this policy. Lower numbers are applied before other policies. As soon as a policy is matched, it is processed, and other policies are not used. Consider creating Priority values in increments of 10 or 100, so renumbering them is easier. Barracuda recommends assigning shared policies with higher priority values than local rules, so shared rules are applied after local rules.
    • Direction – Whether the policy applies to Inbound or Outbound traffic.
    • Protocol – Select the protocol for this policy. Options include: * (any protocol), TCP, UDP, and ICMP.
    • Source IP/Ports – Select the source IP and ports to use for this policy. You can specify ports as one specific number, * for any port, or ranges like 200-300 or 88-99, 200.
    • Destination IP/Ports – Select the destination IP and ports to use for this policy. 
    • Access – Specify whether this policy is for Allow or Deny access.
  3. Click Add.
  4. To add another rule, repeat this process. 
  5. When you have finished, click Save.
    The shared rules are listed by your shared policy.

Specifying Local Rules

To specify local rules for a policy:

  1. In the Network Security Group Policies table, locate the single NSG to which you want to apply local rules. Click Local Rules at the far right of the corresponding row.
  2. In the Network Security Group Policy window, specify all of the following information:
    • Name – A unique name for this policy.
    • Priority – The order in which to apply this policy. Lower numbers are applied before other policies. As soon as a policy is matched, it is processed, and other policies are not used. Consider creating Priority values in increments of 10 or 100, so renumbering them is easier. Barracuda recommends assigning local policies priorities with lower numbers, so they are applied before shared policies.
    • Direction – Whether the policy applies to Inbound or Outbound traffic.
    • Protocol – Select the protocol for this policy. Options include: * (any protocol), TCP, UDP, and ICMP.
    • Source IP/Ports – Select the source IP and ports to use for this policy. You can specify ports as one specific number, * for any port, or ranges like 200-300 or 88-99, 200.
    • Destination IP/Ports – Select the destination IP and ports to use for this policy. 
    • Access – Specify whether this policy is for Allow or Deny access.
  3. Click Add.
  4. To add another rule, repeat this process. 
  5. When you have finished, click Save.
    The local rules are listed in the same row as your network security group.
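
The priority behavior described in the two procedures above, as an added example that is not part of the Barracuda documentation or product code: it evaluates a merged set of local and shared rules in ascending priority order with first match winning, and flags shared rules numbered low enough to be applied before a local rule. The rule model, function names, and sample rules are assumptions constructed for illustration, and only direction, protocol, and destination port are matched.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    protocol: str    # "*", "TCP", "UDP" or "ICMP"
    dest_ports: str  # "*", "443", "200-300" or "88-99, 200"
    access: str      # "Allow" or "Deny"
    scope: str       # "local" or "shared" (hypothetical field for this example)

def port_matches(spec: str, port: int) -> bool:
    """Match a port against the port syntax listed on this page."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def evaluate(rules, direction, protocol, port):
    """Return the first matching rule in ascending priority order, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == direction
                and rule.protocol in ("*", protocol)
                and port_matches(rule.dest_ports, port)):
            return rule
    return None

def misordered_shared_rules(rules):
    """Names of shared rules that would be applied before some local rule."""
    local = [r.priority for r in rules if r.scope == "local"]
    return [r.name for r in rules
            if r.scope == "shared" and local and r.priority <= max(local)]

# Constructed sample: one NSG's local rules plus its policy's shared rules.
RULES = [
    Rule("AllowAdminSsh", 100, "Inbound", "TCP", "22", "Allow", "local"),
    Rule("AllowWeb", 110, "Inbound", "TCP", "80, 443", "Allow", "local"),
    Rule("DenyMgmtPorts", 1000, "Inbound", "TCP", "22, 3389", "Deny", "shared"),
    Rule("DenyAllInbound", 4000, "Inbound", "*", "*", "Deny", "shared"),
]

if __name__ == "__main__":
    for port in (22, 3389, 8080):
        print(port, evaluate(RULES, "Inbound", "TCP", port).name)
```

With the recommended numbering, a local rule always takes effect ahead of a shared rule that matches the same traffic, so each local Allow should be reviewed as an exception to the shared baseline.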

Editing Local Rules

You can edit a local rule at any time.

To edit a local rule:

  1. In the Network Security Group Policies table, locate the single NSG with the local rule you want to edit. Click Local Rules at the far right of the corresponding row.
  2. Locate the rule you want to edit. In its row, click the pencil Edit button.
  3. Change one or more attributes of the rule.
  4. Click Save.

Unique Rule Names

Rule names must be unique within a Network Security Group policy. Barracuda Cloud Security Guardian will not allow you to create a second rule with a name that already exists within the same network security group. It is possible to have a rule with the same name in two different Network Security Groups. If you move an NSG from one shared policy group to another group, the NSG brings its rules with it, so there is a chance there could be two rules with identical names. In this case, Barracuda Cloud Security Guardian allows the two identically named rules to exist in the same policy. If you choose, you can read more about how this works. It is transparent to you unless you log directly into the Azure portal.

If you have more than one rule with the same name within an NSG, you will not notice anything out of the ordinary within Barracuda Cloud Security Guardian. The two rules will coexist, so be sure you can differentiate between the rules. You will only notice something if you log into the Azure portal directly. To help Azure keep track of your policies, Barracuda Cloud Security Guardian appends a suffix to the end of the rule name in Azure for each subsequent, identically named rule moved into that group. This is similar to downloading multiple text files with the same name, where the first download is called filename.txt and subsequent downloads are named filename(1).txt and filename(2).txt. So you might see InboundRule, InboundRule1, and InboundRule2 if you log directly into your Azure portal.