
Use Network Security Groups for Azure Cache for Redis Servers

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Cache for Redis servers are configured to use Network Security Groups (NSGs). NSGs provide an additional layer of security for Redis cache servers deployed inside a virtual network (VNet) by controlling network traffic. This helps to protect your cache servers from unauthorized access and potential attacks by limiting inbound and outbound connections.

Security

Using Network Security Groups to control traffic to and from Azure Cache for Redis servers is important for the following reasons:


Overall, Network Security Groups (NSGs) provide robust protection for your Azure Cache for Redis servers by effectively shielding them from unauthorized access and malicious attacks.

Network Security Groups (NSGs) can be implemented for Azure Cache for Redis servers available in the Premium tier.


Audit

To determine if your Azure Cache for Redis servers are configured to use Network Security Groups (NSGs), perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade, available at https://portal.azure.com/#browse/all, to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.

05 From the Add filter box, choose SKU for Filter, select Equals, choose Premium for Value, and select Apply to list only the Azure Cache for Redis servers available in the Premium tier.

06 Click on the name (link) of the Redis cache server that you want to examine.

07 In the resource navigation panel, under Settings, select Virtual Network to access the virtual network (VNet) integration information such as VNet name, subnet name, and IP address, available for the selected cache server.

08 If no VNet integration information is available on the Virtual Network page, the selected Redis cache server is not running within an Azure virtual network (VNet) and the Audit process ends here. If VNet integration information is available, copy the name of the VNet subnet listed under Subnet, then click on the name (link) of the associated virtual network, listed under Virtual Network.

09 In the VNet resource navigation panel, under Settings, select Subnets, and paste the name of the subnet copied in the previous step into the Search subnets box to find the VNet subnet configured for your cache server.

10 Click on the name (link) of the VNet subnet you've identified and check the Network security group setting available in the Security section. If Network security group is set to None, the associated Microsoft Azure Cache for Redis server is not configured to use Network Security Groups (NSGs).

11 Repeat steps no. 6 - 10 for each Azure Cache for Redis server deployed in the selected Azure subscription.

12 Repeat steps no. 3 – 11 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run redis list command (Windows/macOS/Linux) with custom query filters to list the name, the associated resource group, and the tier for each Azure Cache for Redis server available in the selected subscription:

az redis list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup, SKU:sku.name}'

05 The command output should return the requested cache server information (including the tier name, i.e., SKU value):

Name                      ResourceGroup                   SKU
-----------------------   ------------------------------  --------
cc-project5-redis-cache   cloud-shell-storage-westeurope  Premium
cc-webapp-cache-server    cloud-shell-storage-westeurope  Standard

06 Run redis show command (Windows/macOS/Linux) with custom output filters to describe the ID of the subnet configured for virtual network (VNet) integration with the selected Azure Cache for Redis server:

az redis show
	--name cc-project5-redis-cache
	--resource-group cloud-shell-storage-westeurope
	--query '{"subnetId":subnetId}'

07 The command output should return the ID of the associated VNet subnet. If the command output returns null for the "subnetId" attribute, the selected Redis cache server is not running inside an Azure virtual network (VNet) and the Audit process ends here. Otherwise, you can continue the Audit process with the next step:

{
	"subnetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001"
}

08 Run resource show command (Windows/macOS/Linux) to describe the Network Security Group (NSG) configured for the virtual network (VNet) subnet associated with your cache server, returned at the previous step:

az resource show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001"
	--query '{"NetworkSecurityGroup":properties.networkSecurityGroup}'

09 The command output should return the requested NSG configuration information:

{
	"NetworkSecurityGroup": null
}

If the resource show command output returns null for the "NetworkSecurityGroup" configuration attribute, as shown in the output example above, the associated Microsoft Azure Cache for Redis server is not configured to use Network Security Groups (NSGs).

10 Repeat steps no. 6 – 9 for each Azure Cache for Redis server available within the current Azure subscription.

11 Repeat steps no. 3 – 10 for each Azure subscription created in your Microsoft Azure cloud account.
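The CLI audit above is a per-cache, per-subscription loop with a three-way decision (no VNet integration, VNet subnet without an NSG, VNet subnet with an NSG). The following Python script is an added example, not part of this Knowledge Base page or of the Azure CLI, that automates steps 03–10 for one subscription. It assumes a logged-in `az` CLI when run for real; the `fake_run` stand-in and the `SAMPLE_*` values are constructed to mirror the JSON output shown above (the `cc-secured-cache` and `cc-no-vnet-cache` entries and the `cc-vnet-subnet-002` subnet are invented for the example), so the decision logic can be exercised offline.

```python
import json
import subprocess
from typing import Callable, Optional

# Outcomes of the Audit decision described in steps 06-09 above.
NOT_IN_VNET = "not_applicable"    # no VNet integration: NSGs cannot apply to this cache
NON_COMPLIANT = "non_compliant"   # VNet subnet has no Network Security Group attached
COMPLIANT = "compliant"           # VNet subnet has an NSG attached

REDIS_LIST_QUERY = "[*].{name:name, resourceGroup:resourceGroup, SKU:sku.name}"
REDIS_SHOW_QUERY = '{"subnetId":subnetId}'
SUBNET_QUERY = '{"NetworkSecurityGroup":properties.networkSecurityGroup}'


def az(*args: str) -> str:
    """Run one Azure CLI command and return its stdout; needs a logged-in `az`."""
    return subprocess.run(["az", *args], check=True, capture_output=True, text=True).stdout


def premium_caches(redis_list_json: str) -> list:
    """Keep only Premium-tier caches; VNet integration (and so NSGs) is a Premium feature."""
    return [c for c in json.loads(redis_list_json) if c.get("SKU") == "Premium"]


def evaluate_cache(redis_show_json: str, subnet_json: Optional[str]) -> str:
    """Apply the decision rule from `az redis show` and `az resource show` output."""
    subnet_id = json.loads(redis_show_json).get("subnetId")
    if not subnet_id:
        return NOT_IN_VNET
    if subnet_json is None:
        raise ValueError("subnet details are required for a VNet-integrated cache")
    nsg = json.loads(subnet_json).get("NetworkSecurityGroup")
    return COMPLIANT if nsg else NON_COMPLIANT


def audit_subscription(subscription_id: str, run: Callable[..., str] = az) -> dict:
    """Steps 03-10 of the CLI audit for one subscription. `run` is injectable so the
    logic can be exercised offline against constructed output (see fake_run below)."""
    run("account", "set", "--subscription", subscription_id)
    results = {}
    for cache in premium_caches(run("redis", "list", "--query", REDIS_LIST_QUERY)):
        shown = run("redis", "show", "--name", cache["name"],
                    "--resource-group", cache["resourceGroup"], "--query", REDIS_SHOW_QUERY)
        subnet_id = json.loads(shown).get("subnetId")
        subnet = run("resource", "show", "--ids", subnet_id, "--query", SUBNET_QUERY) if subnet_id else None
        results[cache["name"]] = evaluate_cache(shown, subnet)
    return results


# --- Constructed sample data (not real Azure output), modelled on the examples above ---
_RG = "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope"
SAMPLE_CACHES = [
    {"name": "cc-project5-redis-cache", "resourceGroup": "cloud-shell-storage-westeurope", "SKU": "Premium"},
    {"name": "cc-webapp-cache-server", "resourceGroup": "cloud-shell-storage-westeurope", "SKU": "Standard"},
    {"name": "cc-secured-cache", "resourceGroup": "cloud-shell-storage-westeurope", "SKU": "Premium"},
    {"name": "cc-no-vnet-cache", "resourceGroup": "cloud-shell-storage-westeurope", "SKU": "Premium"},
]
SAMPLE_SUBNET_IDS = {
    "cc-project5-redis-cache": _RG + "/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001",
    "cc-secured-cache": _RG + "/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-002",
    "cc-no-vnet-cache": None,
}
SAMPLE_SUBNET_NSGS = {
    SAMPLE_SUBNET_IDS["cc-project5-redis-cache"]: None,   # the non-compliant case from step 09
    SAMPLE_SUBNET_IDS["cc-secured-cache"]: {"id": _RG + "/providers/Microsoft.Network/networkSecurityGroups/cc-redis-cache-nsg"},
}


def fake_run(*args: str) -> str:
    """Stand-in for `az` that replays the constructed sample output above."""
    if args[:2] == ("account", "set"):
        return ""
    if args[:2] == ("redis", "list"):
        return json.dumps(SAMPLE_CACHES)
    if args[:2] == ("redis", "show"):
        return json.dumps({"subnetId": SAMPLE_SUBNET_IDS[args[args.index("--name") + 1]]})
    if args[:2] == ("resource", "show"):
        return json.dumps({"NetworkSecurityGroup": SAMPLE_SUBNET_NSGS[args[args.index("--ids") + 1]]})
    raise ValueError("unexpected command: " + " ".join(args))


if __name__ == "__main__":
    for name, state in audit_subscription("abcdabcd-1234-abcd-1234-abcdabcdabcd", run=fake_run).items():
        print(f"{name}: {state}")
```

To run it against a real tenant, iterate the subscription IDs from `az account list --query '[*].id'` and call `audit_subscription(sub_id)` without the `run` argument; Standard and Basic caches are skipped because the NSG check only applies to the Premium tier.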

Remediation / Resolution

To configure Network Security Groups (NSGs) for your Microsoft Azure Cache for Redis servers, perform the following operations:

To be able to control network traffic with Network Security Groups, virtual network (VNet) integration must be enabled for your Azure Cache for Redis servers. VNet integration allows Redis cache servers to securely access resources within an Azure virtual network, such as virtual machines, by connecting to the VNet. This guide assumes that VNet integration is enabled for your Azure Cache for Redis servers.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Network security groups blade available at https://portal.azure.com/#browse/Microsoft.Network%2FNetworkSecurityGroups.

03 Choose + Create and perform the following actions to create a new Network Security Group (NSG) for your Azure Cache for Redis server:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the new Network Security Group in the Name box.
    4. For Region, select the Azure cloud region where the new Network Security Group will be deployed.
    5. Choose Next : Tags > to continue the setup.
  2. For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the Azure resource. Choose Next : Review + create > to validate the NSG setup.
  3. For Review + create, review the resource configuration details, then choose Create to create your new Azure Network Security Group (NSG).

04 Once your new NSG is available, choose Go to resource to access the NSG inbound and outbound configuration.

05 In the resource navigation panel, under Settings, choose Inbound security rules, select + Add, and perform the following actions to create a new inbound rule:

  1. For Source choose IP Addresses to allow inbound traffic from specified IP addresses only.
  2. For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses or IP address ranges that will be allowed to access the cache server associated with the selected Network Security Group. You can also provide a comma-separated list of IP addresses or address ranges.
  3. For Destination port ranges, provide a single port such as 6380 (client communication to Redis cache) or a comma-separated list of single ports such as 6379 and 6380. This specifies on which port(s) the inbound traffic will be allowed by the selected NSG rule.
  4. For Protocol, select the appropriate network protocol (e.g. TCP).
  5. Make sure that Action is set to Allow.
  6. For Priority choose the rule priority. NSG rules are processed in priority order; the lower the number, the higher the priority. You can leave gaps between rules, such as 100, 200, 300, etc., to add new rules without having to edit existing rules.
  7. Provide a unique name for the inbound rule in the Name box.
  8. Choose Add to create your new NSG inbound rule.

06 In the navigation panel, under Settings, choose Outbound security rules, select Add, and perform the following operations to create a new outbound rule:

  1. For Destination choose IP Addresses to allow outbound traffic to specified IP addresses only.
  2. For Destination IP addresses/CIDR ranges, provide the IP address, IP addresses or IP address ranges for the outgoing traffic, allowed by this rule.
  3. For Destination port ranges, provide a single port such as 6380 (TLS client communication to Redis cache) or a comma-separated list of single ports such as 6379 and 6380. This specifies on which port(s) the outbound traffic will be allowed by the selected NSG rule.
  4. For Protocol, select the appropriate network protocol (e.g. TCP).
  5. Make sure that Action is set to Allow.
  6. For Priority choose the rule priority. NSG rules are processed in priority order; the lower the number, the higher the priority. You can leave gaps between rules, such as 100, 200, 300, etc., to add new rules without having to edit existing rules.
  7. Provide a unique name for the outbound rule in the Name box.
  8. Choose Add to create your new NSG outbound rule.

07 Navigate to the All resources blade, available at https://portal.azure.com/#browse/all, to access all your Microsoft Azure cloud resources.

08 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

09 From the Type equals all filter box, choose Equals, select Virtual network, and choose Apply to list the Azure virtual networks (VNets) available in the selected subscription.

10 Click on the name (link) of the virtual network (VNet) configured for your Premium Azure Cache for Redis server through VNet integration.

11 In the VNet resource navigation panel, under Settings, select Subnets.

12 Click on the name (link) of the VNet subnet associated with your Redis cache server.

13 In the Security section, select the Network Security Group (NSG) created in step no. 3 from the Network security group dropdown list. Choose Save to apply the configuration changes.

14 Repeat steps no. 2 – 13 for each Azure Cache for Redis server that you want to configure, deployed in the selected Azure subscription.

15 Repeat steps no. 2 – 14 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network nsg create command (Windows/macOS/Linux) to create a new Network Security Group (NSG) for your Microsoft Azure Cache for Redis server:

az network nsg create
	--name cc-redis-cache-nsg
	--resource-group cloud-shell-storage-westeurope
	--location westeurope
	--query 'NewNSG.provisioningState'

05 The command output should return the NSG provisioning status:

"Succeeded"

06 Run network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to allow inbound traffic from known, trusted IP addresses, on specific ports only:

az network nsg rule create
	--name AllowRedisInboundAccess
	--nsg-name cc-redis-cache-nsg
	--resource-group cloud-shell-storage-westeurope
	--direction Inbound
	--access Allow
	--protocol Tcp
	--priority 300
	--source-address-prefixes 10.20.30.40/32
	--destination-port-ranges 6380
	--destination-address-prefixes '*'
	--description "Allow inbound traffic on TCP port 6380 (Redis Cache)"

07 The command output should return the information available for the new NSG rule:

{
	"access": "Allow",
	"description": "Allow inbound traffic on TCP port 6380 (Redis Cache)",
	"destinationAddressPrefix": "*",
	"destinationAddressPrefixes": [],
	"destinationPortRange": "6380",
	"destinationPortRanges": [],
	"direction": "Inbound",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-redis-cache-nsg/securityRules/AllowRedisInboundAccess",
	"name": "AllowRedisInboundAccess",
	"priority": 300,
	"protocol": "Tcp",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sourceAddressPrefix": "10.20.30.40/32",
	"sourceAddressPrefixes": [],
	"sourcePortRange": "*",
	"sourcePortRanges": [],
	"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

08 Run network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to allow outbound traffic to known, trusted IP addresses, on specific ports only:

az network nsg rule create
	--name AllowRedisOutboundAccess
	--nsg-name cc-redis-cache-nsg
	--resource-group cloud-shell-storage-westeurope
	--direction Outbound
	--access Allow
	--protocol Tcp
	--priority 500
	--source-address-prefixes '*'
	--destination-port-ranges 6380
	--destination-address-prefixes 10.20.30.40/32
	--description "Allow outbound traffic on TCP port 6380 (Redis Cache)"

09 The command output should return the information available for the new NSG rule:

{
	"access": "Allow",
	"description": "Allow outbound traffic on TCP port 6380 (Redis Cache)",
	"destinationAddressPrefix": "10.20.30.40/32",
	"destinationAddressPrefixes": [],
	"destinationPortRange": "6380",
	"destinationPortRanges": [],
	"direction": "Outbound",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-redis-cache-nsg/securityRules/AllowRedisOutboundAccess",
	"name": "AllowRedisOutboundAccess",
	"priority": 500,
	"protocol": "Tcp",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sourceAddressPrefix": "*",
	"sourceAddressPrefixes": [],
	"sourcePortRange": "*",
	"sourcePortRanges": [],
	"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

10 Run redis show command (Windows/macOS/Linux) with custom output filters to describe the ID of the subnet configured for virtual network (VNet) integration with the specified Azure Cache for Redis server:

az redis show
	--name cc-project5-redis-cache
	--resource-group cloud-shell-storage-westeurope
	--query '{"subnetId":subnetId}'

11 The command output should return the ID of the associated VNet subnet:

{
	"subnetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001"
}

12 Run network vnet subnet update command (Windows/macOS/Linux) to attach the Network Security Group (NSG) created earlier in the Remediation process to the VNet subnet configured for your cache server VNet integration, returned at the previous step:

az network vnet subnet update
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001"
	--network-security-group cc-redis-cache-nsg

13 The command output should return the information available for the configured VNet subnet:

{
	"addressPrefixes": [
		"10.0.0.0/24"
	],
	"delegations": [],
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001",
	"name": "cc-vnet-subnet-001",
	"networkSecurityGroup": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-redis-cache-nsg",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"privateEndpointNetworkPolicies": "Disabled",
	"privateLinkServiceNetworkPolicies": "Enabled",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.Network/virtualNetworks/subnets"
}

14 Repeat steps no. 4 – 13 for each Azure Cache for Redis server that you want to configure, deployed in the selected Azure subscription.

15 Repeat steps no. 3 – 14 for each subscription created within your Microsoft Azure cloud account.
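Steps 04–12 above create an NSG, add one inbound and one outbound rule restricted to known, trusted addresses on specific ports, and attach the NSG to the cache's VNet subnet. The Python script below is an added example, not part of this Knowledge Base page or of Azure's tooling, that builds those `az` commands for any number of caches while refusing the configurations that would defeat the control: a wildcard or `0.0.0.0/0` source on the inbound rule, a `*` port range, or a priority outside Azure's 100–4096 range for custom rules or already used in the same NSG. Rule names, priorities and the description strings mirror the commands above; the `remediate` driver executes `az` only when no `run` callback is supplied.

```python
import ipaddress
import subprocess
from typing import Iterable

# Azure accepts custom NSG rule priorities from 100 to 4096 (lower number wins).
PRIORITY_MIN, PRIORITY_MAX = 100, 4096
# Prefixes that would open a rule to any source; never acceptable for the inbound side.
WILDCARDS = {"*", "0.0.0.0/0", "Internet", "Any"}


def trusted_prefixes(prefixes: Iterable[str]) -> list:
    """Reject anything that would open the rule to the whole Internet and
    normalise each entry to CIDR form (a bare address becomes a /32 or /128)."""
    out = []
    for p in prefixes:
        if p in WILDCARDS:
            raise ValueError(f"refusing wildcard prefix {p!r}; list specific trusted networks")
        out.append(str(ipaddress.ip_network(p, strict=False)))  # raises on malformed input
    if not out:
        raise ValueError("at least one trusted prefix is required")
    return out


def ports(values: Iterable[str]) -> list:
    """Accept only explicit port numbers: no '*' and nothing outside 1-65535."""
    out = []
    for v in values:
        if not str(v).isdigit() or not 1 <= int(v) <= 65535:
            raise ValueError(f"port must be a specific number, got {v!r}")
        out.append(str(v))
    return out


def check_priority(priority: int, used: set) -> int:
    """Enforce Azure's priority range and uniqueness within one NSG."""
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX or priority in used:
        raise ValueError(f"priority {priority} out of range or already used")
    used.add(priority)
    return priority


def build_rule_commands(nsg: str, resource_group: str, clients: Iterable[str],
                        redis_ports=("6380",), inbound_priority=300, outbound_priority=500) -> list:
    """Return the two `az network nsg rule create` argument lists from steps 06 and 08,
    with the trusted client prefixes, ports and priorities validated first."""
    src = trusted_prefixes(clients)
    prt = ports(redis_ports)
    used = set()
    common = ["az", "network", "nsg", "rule", "create", "--nsg-name", nsg,
              "--resource-group", resource_group, "--access", "Allow", "--protocol", "Tcp",
              "--destination-port-ranges", *prt]
    inbound = common + ["--name", "AllowRedisInboundAccess", "--direction", "Inbound",
                        "--priority", str(check_priority(inbound_priority, used)),
                        "--source-address-prefixes", *src, "--destination-address-prefixes", "*",
                        "--description", "Allow inbound traffic on TCP port(s) %s (Redis Cache)" % ",".join(prt)]
    outbound = common + ["--name", "AllowRedisOutboundAccess", "--direction", "Outbound",
                         "--priority", str(check_priority(outbound_priority, used)),
                         "--source-address-prefixes", "*", "--destination-address-prefixes", *src,
                         "--description", "Allow outbound traffic on TCP port(s) %s (Redis Cache)" % ",".join(prt)]
    return [inbound, outbound]


def attach_command(subnet_id: str, nsg: str) -> list:
    """Step 12: attach the NSG to the subnet returned by `az redis show`."""
    return ["az", "network", "vnet", "subnet", "update", "--ids", subnet_id, "--network-security-group", nsg]


def remediate(nsg: str, resource_group: str, location: str, clients: Iterable[str],
              subnet_id: str, run=None) -> list:
    """Steps 04-12 for one cache: create the NSG, add both rules, attach to the subnet.
    `run` receives each argument list; by default it executes `az` (requires a login)."""
    run = run or (lambda cmd: subprocess.run(cmd, check=True))
    cmds = [["az", "network", "nsg", "create", "--name", nsg,
             "--resource-group", resource_group, "--location", location]]
    cmds += build_rule_commands(nsg, resource_group, clients)
    cmds.append(attach_command(subnet_id, nsg))
    for cmd in cmds:
        run(cmd)
    return cmds


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them (values from the steps above).
    subnet = ("/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope"
              "/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001")
    remediate("cc-redis-cache-nsg", "cloud-shell-storage-westeurope", "westeurope",
              ["10.20.30.40/32"], subnet, run=lambda cmd: print(" ".join(cmd)))
```

Passing the argument lists straight to `subprocess.run` avoids shell quoting of `*`, which the page's examples have to quote as `'*'`. Because the subnet is attached to the NSG after the rules exist, the cache is never exposed with an empty rule set in between, and the validation runs before any `az` call is made.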


Publication date May 12, 2025