For Azure NSG stateful firewall, what is/are the value(s) used to match a packet to a session?

Gene Poon, Heung Chun - HKSS 20 Reputation points
2025-08-25T04:33:17.75+00:00

For Azure NSG stateful firewall, what is/are the value(s) used to match a packet to a session? All the following values --> Protocol + Source IP + Source Port + Destination IP + Destination Port + TCP Session ID ?

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

Accepted answer
  1. Andreas Baumgarten 126K Reputation points MVP Volunteer Moderator
    2025-08-25T06:53:25.6966667+00:00

    Hi @Gene Poon, Heung Chun - HKSS,

    The Azure NSG is stateful:

    Network security groups (NSGs) are simple, stateful packet inspection devices. NSGs use the 5-tuple approach (source IP, source port, destination IP, destination port and protocol) to create allow/deny rules for network traffic.

    Source: https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#logically-segment-subnets

    The state is recorded in flow records for each session internally in the NSG. But there are no exact details available (or at least I haven't found any) on what properties/attributes a flow record contains.

    A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful.

    Source: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#security-rules


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten


2 additional answers

  2. Priya ranjan Jena 265 Reputation points Microsoft External Staff Moderator
    2025-08-25T06:44:48.26+00:00

    Hi Gene Poon, Heung Chun - HKSS,

    Thank you for reaching out on Microsoft Q&A forum.

    Clarification to your query:

    In Azure, a stateful firewall matches packets using the five-tuple approach, which includes:

    1. Source IP Address
    2. Destination IP Address
    3. Protocol (like TCP, UDP, etc.)
    4. Source Port
    5. Destination Port

    TCP Session ID isn't typically part of the five-tuple matching used by NSGs; the stateful nature of the NSG means it can track connections based on the parameters above to manage established sessions effectively, which eliminates the need for explicit TCP session IDs in the security rules.

    If you find this answer helpful, please “up-vote” for the information provided & accept the answer, this can be beneficial to community members.

    Kindly let us know if you have any additional questions.

    Thanks
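As an added illustration of what both answers above describe (the 5-tuple as the key of a flow record, and a flow record letting return traffic through even though the inbound rules would deny it), here is a small Python model of a stateful NSG. This is example code written for this page, not Microsoft's implementation: the rule set, the addresses (RFC 5737 documentation ranges) and the `FiveTuple`/`StatefulNsg` names are constructed assumptions, and a real NSG evaluates rules by priority with a richer rule schema (source/destination prefixes, service tags, ASGs). The point it demonstrates is that the flow key is exactly the five values listed in the answers; nothing like a TCP sequence number or "session ID" takes part in the match.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FiveTuple:
    """The five values a stateful NSG keys a flow on; nothing else is part of the key."""
    proto: str        # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "FiveTuple":
        # The return direction of the same connection (reply packets from the peer).
        return FiveTuple(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    """Simplified security rule (assumption: only protocol and destination port are matched)."""
    name: str
    direction: str                 # "Inbound" or "Outbound"
    access: str                    # "Allow" or "Deny"
    proto: str = "*"               # "*" matches any protocol
    dst_port: Optional[int] = None # None matches any destination port

    def matches(self, pkt: FiveTuple) -> bool:
        proto_ok = self.proto in ("*", pkt.proto)
        port_ok = self.dst_port is None or self.dst_port == pkt.dst_port
        return proto_ok and port_ok


class StatefulNsg:
    """Toy stateful packet filter: rules are consulted only when no flow record exists."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules                       # list order stands in for Azure priority order
        self.flows: Dict[FiveTuple, str] = {}    # flow record: initiating 5-tuple -> direction opened in

    def evaluate(self, pkt: FiveTuple, direction: str) -> Tuple[str, str]:
        # 1) An existing flow record wins, in either direction of the connection.
        if pkt in self.flows:
            return "Allow", "existing flow (same direction)"
        if pkt.reverse() in self.flows:
            return "Allow", "existing flow (return traffic)"
        # 2) No flow record: first matching rule for this direction decides,
        #    and an Allow creates the flow record for later packets.
        for rule in self.rules:
            if rule.direction == direction and rule.matches(pkt):
                if rule.access == "Allow":
                    self.flows[pkt] = direction
                return rule.access, f"rule {rule.name}"
        return "Deny", "no matching rule"


def build_nsg() -> StatefulNsg:
    # Constructed rule set: HTTPS in, everything else in denied, everything out allowed.
    return StatefulNsg([
        Rule("AllowHttpsInbound", "Inbound", "Allow", "TCP", 443),
        Rule("DenyAllInbound", "Inbound", "Deny"),
        Rule("AllowAllOutbound", "Outbound", "Allow"),
    ])


def run_scenario() -> Dict[str, object]:
    """Walk a VM's outbound web request, its reply, and an unsolicited inbound packet."""
    nsg = build_nsg()
    vm, web, external = "10.0.0.4", "203.0.113.10", "198.51.100.7"  # constructed addresses
    outbound = FiveTuple("TCP", vm, 51234, web, 80)
    results: Dict[str, object] = {}
    # VM opens a connection: allowed by the outbound rule, flow record created.
    results["vm_to_web"] = nsg.evaluate(outbound, "Outbound")
    # Later packet of the same connection matches the flow record, not the rules.
    results["vm_to_web_again"] = nsg.evaluate(outbound, "Outbound")
    # The web server's reply arrives inbound; DenyAllInbound would block it,
    # but the reversed 5-tuple hits the flow record so it is allowed.
    results["web_reply"] = nsg.evaluate(outbound.reverse(), "Inbound")
    # Unsolicited inbound traffic to port 22 has no flow record and is denied by rule.
    results["unsolicited_ssh"] = nsg.evaluate(FiveTuple("TCP", external, 4444, vm, 22), "Inbound")
    results["flow_count"] = len(nsg.flows)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Two things to take from the walk-through: the reply from the web server is admitted because its reversed 5-tuple matches the flow record, not because any inbound rule allows port 80, which is exactly why an NSG needs no "session ID" to pair replies with requests; and a denied packet never creates a flow record, so later packets from that peer are re-evaluated against the rules every time.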

