6 min read
|
Saved February 14, 2026
|
Do you care about this?
This article explains Azure network security groups (NSGs), which filter network traffic in Azure virtual networks. It details the properties of security rules, default rules created by Azure, and options for modifying and combining these rules. The article also covers augmented security rules, service tags, and application security groups for streamlined management.
If you do, here's more
Azure Network Security Groups (NSGs) are essential for controlling network traffic within Azure virtual networks. They consist of security rules that determine whether to allow or deny both inbound and outbound traffic for various Azure resources. Each rule has specific properties, including a unique name, priority (ranging from 100 to 4096), source and destination addresses, protocol types, direction, port ranges, and the action to take. Rules are processed based on priority, where lower numbers have precedence. Once traffic matches a rule, further processing stops, which means higher-priority rules can override lower ones.
Azure provides default security rules with predefined priorities. For inbound traffic, these include allowing traffic from the Virtual Network and Azure Load Balancer, while denying all other inbound traffic by default. Outbound rules similarly allow traffic within the Virtual Network and to the Internet, while also denying all other outbound traffic. These default rules cannot be removed but can be overridden by user-defined rules with higher priority (that is, lower priority numbers).
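The first-match processing and default inbound rules described above can be modeled in a few lines. This is an added example, not code from the article or from Azure. The address range standing in for the VirtualNetwork tag, the admin range, and the two user rules are constructed assumptions; the default rule names and priorities are the ones Azure creates.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified service-tag expansion. 10.0.0.0/16 is a constructed VNet range (assumption);
# 168.63.129.16 is the address Azure load balancer health probes originate from.
TAGS = {"VirtualNetwork": "10.0.0.0/16", "AzureLoadBalancer": "168.63.129.16/32"}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100-4096 for user rules; Azure's defaults sit at 65000 and above
    source: str     # "*", a CIDR prefix, or a service tag listed in TAGS
    protocol: str   # "Tcp", "Udp" or "*"
    ports: tuple    # inclusive (low, high) destination port range
    action: str     # "Allow" or "Deny"

DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", (0, 65535), "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", (0, 65535), "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", (0, 65535), "Deny"),
]

# Constructed user rules: SSH from one admin range only, blocked from the rest of the VNet.
USER_RULES = [
    Rule("AllowSshFromAdmin", 100, "203.0.113.0/24", "Tcp", (22, 22), "Allow"),
    Rule("DenySshFromVnet", 200, "VirtualNetwork", "Tcp", (22, 22), "Deny"),
]

def source_matches(rule_source, src_ip):
    if rule_source == "*":
        return True
    return ip_address(src_ip) in ip_network(TAGS.get(rule_source, rule_source))

def evaluate(user_rules, src_ip, protocol, dst_port):
    """Return (action, rule name) for the first match, lowest priority number first."""
    for rule in sorted(user_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (source_matches(rule.source, src_ip)
                and rule.protocol in ("*", protocol)
                and rule.ports[0] <= dst_port <= rule.ports[1]):
            return rule.action, rule.name  # processing stops at the first matching rule
    raise RuntimeError("unreachable: DenyAllInBound matches all inbound traffic")

if __name__ == "__main__":
    flows = [("203.0.113.7", 22), ("10.0.1.4", 22), ("10.0.1.4", 443), ("198.51.100.9", 22)]
    for src, port in flows:
        print(f"{src}:{port}/Tcp ->", evaluate(USER_RULES, src, "Tcp", port))
```

The second flow shows the override: without `DenySshFromVnet`, SSH from inside the VNet would fall through to the default `AllowVnetInBound` rule.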
An important feature of NSGs is their stateful nature. If a connection is already established, removing a rule won't disrupt existing connections, but it will block new ones. For example, if SSH traffic is allowed and a rule permitting it is deleted, ongoing sessions remain intact, but new connection attempts will fail. Limits are in place for the number of rules, and augmented security rules allow more complex configurations by combining multiple ports and IP addresses into single rules, streamlining management and reducing the number of individual rules needed.