A Network Security Group (NSG) in Azure holds a set of rules, in effect an access control list (ACL), that allow or deny network traffic to virtual machine instances in a virtual network. NSGs can be associated with subnets or with individual virtual machine instances within a subnet. When an NSG is associated with a subnet, the ACL rules apply to all virtual machine instances in that subnet.
NSGs contain security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. Each rule specifies properties such as name, priority, source and destination, port, and protocol. For inbound traffic, Azure first processes the rules in the network security group associated with the subnet, if there is one, and then the rules in the network security group associated with the network interface, if there is one. For outbound traffic, Azure first processes the rules in the network security group associated with the network interface, if there is one, and then the rules in the network security group associated with the subnet, if there is one.
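The processing order described above, as an added Python model (not code from the original page or from Azure): it shows that a flow must be allowed at both levels and reports which level blocked it. The rule names, addresses and the `effective` helper are hypothetical; the model assumes lower priority numbers are evaluated first with the first match deciding, and of Azure's default rules it models only the final deny-all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower number is evaluated first
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR prefix or "*"
    destination: str  # CIDR prefix or "*"
    port: str         # destination port or "*"

def _in(prefix, addr):
    return prefix == "*" or ip_address(addr) in ip_network(prefix)

def evaluate_nsg(rules, direction, protocol, src, dst, port):
    """Return (access, rule name) from the first matching rule in one NSG."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and r.port in ("*", str(port))
                and _in(r.source, src) and _in(r.destination, dst)):
            return r.access, r.name
    return "Deny", "default-deny"  # simplification: only the final default rule

def effective(direction, subnet_nsg, nic_nsg, protocol, src, dst, port):
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]  # inbound: subnet first
    if direction == "Outbound":
        order.reverse()                                  # outbound: NIC first
    for level, nsg in order:
        if nsg is None:  # no NSG associated at this level, nothing to evaluate
            continue
        access, rule = evaluate_nsg(nsg, direction, protocol, src, dst, port)
        if access == "Deny":
            return "Deny", level, rule
    return "Allow", None, None

# Constructed sample rule sets (documentation address ranges, no real deployment).
SUBNET_NSG = [
    Rule("allow-https", 100, "Inbound", "Allow", "Tcp", "*", "10.0.1.0/24", "443"),
    Rule("allow-out", 100, "Outbound", "Allow", "*", "*", "*", "*"),
]
NIC_NSG = [
    Rule("allow-https", 100, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    Rule("allow-ssh-mgmt", 110, "Inbound", "Allow", "Tcp", "198.51.100.0/24", "*", "22"),
    Rule("deny-smtp", 100, "Outbound", "Deny", "Tcp", "*", "*", "25"),
    Rule("allow-out", 200, "Outbound", "Allow", "*", "*", "*", "*"),
]
```

With these sample sets, the SSH rule on the network interface has no effect while the subnet NSG is attached, because the subnet level is evaluated first and has no matching allow rule.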
NSGs can be managed using the Azure Portal, Azure PowerShell, or Azure CLI. They can be used to filter network traffic to and from Azure resources in an Azure virtual network.