5.1 Network Security Groups (NSGs) and ASGs
📘 Microsoft Azure Networking Solutions (AZ-700)
1. What is a Network Security Group (NSG)?
A Network Security Group (NSG) is an Azure resource that controls inbound and outbound network traffic to Azure resources.
It works like a basic firewall at the network and transport layers (Layer 3/4). It allows or denies traffic based on rules that you define.
NSGs are used with:
- Virtual Machines (VMs)
- Subnets inside a Virtual Network (VNet)
- Azure network interfaces (NICs)
In simple words:
NSG = A set of security rules that control which traffic is allowed or blocked.
2. Why NSGs Are Important in Real IT Environments
In an organization:
- You may have web servers, application servers, and database servers.
- You must allow users to access web servers.
- You must block direct access to database servers.
- You must allow application servers to talk to database servers.
NSGs help you:
- Control which systems can communicate
- Reduce attack surface
- Protect internal resources
- Implement network segmentation
3. How NSGs Work
An NSG contains:
- Security rules
- Each rule allows or denies traffic
NSGs filter traffic based on:
- Source IP address
- Source port
- Destination IP address
- Destination port
- Protocol (TCP, UDP, Any)
- Direction (Inbound or Outbound)
Traffic is evaluated against rules in priority order.
4. NSG Rule Components (Very Important for Exam)
Each NSG rule has:
1. Name
Unique rule name.
2. Priority
- Number between 100 and 4096
- Lower number = higher priority
- Rules are processed in ascending order
Example:
- Priority 100 is checked before 200.
3. Direction
- Inbound (traffic coming into resource)
- Outbound (traffic leaving resource)
4. Protocol
- TCP
- UDP
- Any
5. Source
Can be:
- IP address (10.0.0.0/24)
- Any
- Service tag
- Application Security Group (ASG)
6. Source Port
Usually:
- * (any)
7. Destination
- IP address
- Any
- Service tag
- ASG
8. Destination Port
Example:
- 80 (HTTP)
- 443 (HTTPS)
- 22 (SSH)
- 3389 (RDP)
9. Action
- Allow
- Deny
5. Default Security Rules (Exam Important)
Every NSG automatically contains default rules.
You cannot delete these default rules, but you can override them with custom rules that have a higher priority (a lower priority number).
Default Inbound Rules
| Priority | Rule Name | Action |
|---|---|---|
| 65000 | AllowVNetInBound | Allow |
| 65001 | AllowAzureLoadBalancerInBound | Allow |
| 65500 | DenyAllInBound | Deny |
Default Outbound Rules
| Priority | Rule Name | Action |
|---|---|---|
| 65000 | AllowVNetOutBound | Allow |
| 65001 | AllowInternetOutBound | Allow |
| 65500 | DenyAllOutBound | Deny |
Important:
- By default, all inbound internet traffic is blocked.
- By default, outbound internet traffic is allowed.
For the exam, remember:
Custom rules must have priority between 100 and 4096.
6. Where Can You Associate an NSG?
An NSG can be associated with:
1. Subnet Level
When applied to a subnet:
- It applies to all VMs inside that subnet.
2. Network Interface (NIC) Level
When applied to a VM’s NIC:
- It applies only to that specific VM.
7. What Happens if NSG is Applied at Both Subnet and NIC?
Very important for AZ-700.
If an NSG is applied at both:
- Traffic must pass BOTH NSGs.
- If either one denies the traffic → the traffic is denied.
- For inbound traffic the subnet NSG is evaluated first, then the NIC NSG; for outbound traffic the NIC NSG is evaluated first, then the subnet NSG.
This is called combined rule evaluation.
8. Steps to Create a Network Security Group (Azure Portal)
Step 1: Go to Azure Portal
Search for Network security groups
Step 2: Click “Create”
Provide:
- Subscription
- Resource Group
- NSG Name
- Region
Click Review + Create
Click Create
9. How to Associate NSG to a Subnet
- Go to NSG
- Click Subnets
- Click Associate
- Select:
  - Virtual Network
  - Subnet
Click OK
10. How to Associate NSG to a VM (NIC)
- Go to VM
- Click Networking
- Select Network Interface
- Click Network Security Group
- Choose NSG
11. Creating Security Rules (Practical Example)
Example IT scenario:
You have:
- Web server VM
- It should allow HTTPS traffic from internet
- Block everything else inbound
You create:
Rule 1:
- Priority: 100
- Direction: Inbound
- Source: Any
- Destination Port: 443
- Protocol: TCP
- Action: Allow
Everything else will be denied by the default DenyAllInBound rule.
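To make the evaluation order concrete, here is a small model of how an NSG decides on a flow, written for this page as an added example (it is not Azure's code and not part of the original notes). It sorts custom plus default rules by priority, takes the first match, and applies combined subnet + NIC evaluation from section 7. The VirtualNetwork and AzureLoadBalancer address ranges, the rule names Allow-HTTPS-In and Deny-Internet-In, and the sample IP addresses are constructed assumptions.

```python
"""Toy model of NSG rule evaluation: rules (custom + default) are sorted by
priority, the first match decides, and with NSGs at both subnet and NIC level
both must allow. Added illustration; not Azure's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules: 100-4096; defaults use 65000+
    direction: str      # "Inbound" or "Outbound"
    protocol: str       # "TCP", "UDP" or "*"
    source: str         # CIDR, "*" or a service tag name
    dest: str           # CIDR, "*" or a service tag name
    dest_port: str      # "443", "1000-2000" or "*"
    action: str         # "Allow" or "Deny"


# Default rules every NSG carries (names and priorities as in the tables above)
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "*", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
    Rule("AllowVNetOutBound", 65000, "Outbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "*", "Internet", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
]

# Assumed address space behind the service tags so matching works offline.
# Azure maintains the real prefix lists; these are constructed sample values.
TAG_PREFIXES = {
    "VirtualNetwork": [ip_network("10.0.0.0/16")],
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
}


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ip_address(addr)
    if spec == "*":
        return True
    if spec == "Internet":  # in this model: anything outside the VNet
        return not any(ip in n for n in TAG_PREFIXES["VirtualNetwork"])
    if spec in TAG_PREFIXES:
        return any(ip in n for n in TAG_PREFIXES[spec])
    return ip in ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate_nsg(custom_rules, direction, protocol, src, dst, dst_port):
    """Return (action, rule_name) of the first rule, in priority order, that matches.
    Return traffic of an allowed flow is never evaluated: NSGs are stateful."""
    candidates = [r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not (_addr_matches(rule.source, src) and _addr_matches(rule.dest, dst)):
            continue
        if not _port_matches(rule.dest_port, dst_port):
            continue
        return rule.action, rule.name
    raise RuntimeError("unreachable: a DenyAll default rule always matches")


def evaluate_combined(subnet_rules, nic_rules, direction, protocol, src, dst, dst_port):
    """Subnet NSG and NIC NSG must both allow the flow. Inbound traffic hits the
    subnet NSG first, then the NIC NSG; outbound is the reverse. Returns the
    verdict and a trace of which rule matched at each level."""
    levels = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        levels.reverse()
    trace = []
    for level, rules in levels:
        action, name = evaluate_nsg(rules, direction, protocol, src, dst, dst_port)
        trace.append(f"{level}:{name}")
        if action == "Deny":
            return "Deny", trace
    return "Allow", trace


# The scenario above: one custom rule admitting HTTPS from anywhere.
WEB_RULES = [Rule("Allow-HTTPS-In", 100, "Inbound", "TCP", "*", "*", "443", "Allow")]

# Same allow rule, but a broader deny was given the lower (more urgent) number:
# the allow rule exists yet is never reached.
MISORDERED_RULES = [
    Rule("Deny-Internet-In", 100, "Inbound", "*", "Internet", "*", "*", "Deny"),
    Rule("Allow-HTTPS-In", 200, "Inbound", "TCP", "*", "*", "443", "Allow"),
]

if __name__ == "__main__":
    print(evaluate_nsg(WEB_RULES, "Inbound", "TCP", "203.0.113.5", "10.0.1.4", 443))
    print(evaluate_nsg(MISORDERED_RULES, "Inbound", "TCP", "203.0.113.5", "10.0.1.4", 443))
    # An NSG on the NIC with no allow rule blocks the flow even though the subnet NSG allows it
    print(evaluate_combined(WEB_RULES, [], "Inbound", "TCP", "203.0.113.5", "10.0.1.4", 443))
```

The MISORDERED_RULES case is the "rule exists but traffic is still blocked" situation from the exam scenarios: the deny at priority 100 is evaluated before the allow at 200. The combined case shows why an empty NSG attached at NIC level is not a no-op: its DenyAllInBound default still applies.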
12. Service Tags (Exam Very Important)
Instead of using IP addresses, you can use Service Tags.
Service Tags represent groups of IP addresses managed by Azure.
Common service tags:
- VirtualNetwork
- Internet
- AzureLoadBalancer
- Storage
- Sql
- AppService
Benefits:
- Automatically updated by Azure
- No need to manually update IP ranges
13. Application Security Groups (ASGs)
Although this sub-topic focuses on creating NSGs, AZ-700 expects you to understand ASGs.
ASGs allow you to group VMs logically.
Instead of writing IP addresses, you reference ASG names in NSG rules.
Example:
- ASG-WebServers
- ASG-DatabaseServers
Then create rule:
- Source: ASG-WebServers
- Destination: ASG-DatabaseServers
- Port: 1433
- Action: Allow
This simplifies management.
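The following added example (not Azure's code, not part of the original notes) shows what "reference ASG names instead of IP addresses" buys you: a rule written against ASG-WebServers and ASG-DatabaseServers is expanded to concrete addresses only when evaluated, so adding a NIC to the ASG extends coverage without touching the rule. It also resolves a service tag the same way. The ASG membership table, the service tag prefix lists (including the Sql range) and the IP addresses are constructed assumptions.

```python
"""Toy resolver showing how rules written against ASG names and service tags
expand to concrete addresses. Added illustration, not Azure's implementation."""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed inventory: private IPs of the NICs that are members of each ASG
ASG_MEMBERS = {
    "ASG-WebServers": {"10.0.1.4", "10.0.1.5"},
    "ASG-DatabaseServers": {"10.0.2.10"},
}

# Constructed stand-in for the Azure-managed service tag prefix lists
# (Azure publishes and updates the real lists; these are sample values)
SERVICE_TAG_PREFIXES = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "Sql": ["198.51.100.0/24"],
}


def resolve(spec: str):
    """Expand a source/destination spec (ASG name, service tag, CIDR or '*') into networks."""
    if spec == "*":
        return [ip_network("0.0.0.0/0")]
    if spec in ASG_MEMBERS:
        return [ip_network(f"{ip}/32") for ip in sorted(ASG_MEMBERS[spec])]
    if spec in SERVICE_TAG_PREFIXES:
        return [ip_network(p) for p in SERVICE_TAG_PREFIXES[spec]]
    return [ip_network(spec, strict=False)]


def expand_rule(rule: dict):
    """The concrete (source prefix, destination prefix, port) triples one symbolic
    rule stands for: the list you would otherwise maintain by hand as IP-based rules."""
    return [(str(s), str(d), rule["dest_port"])
            for s, d in product(resolve(rule["source"]), resolve(rule["dest"]))]


def flow_is_covered(rule: dict, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Does this rule match the given flow once ASGs and tags are resolved?"""
    if rule["dest_port"] != "*" and int(rule["dest_port"]) != dst_port:
        return False
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return (any(src in s for s in resolve(rule["source"]))
            and any(dst in d for d in resolve(rule["dest"])))


def add_asg_member(asg: str, nic_ip: str) -> None:
    """Joining a NIC to an ASG is the only change needed to bring a new VM under the rule."""
    ASG_MEMBERS.setdefault(asg, set()).add(nic_ip)


# The rule from this section: web tier to database tier on 1433
WEB_TO_DB = {"name": "Allow-Web-To-Db-In", "source": "ASG-WebServers",
             "dest": "ASG-DatabaseServers", "dest_port": "1433", "action": "Allow"}

if __name__ == "__main__":
    print(expand_rule(WEB_TO_DB))
    print(flow_is_covered(WEB_TO_DB, "10.0.1.6", "10.0.2.10", 1433))  # new web VM, not yet in the ASG
    add_asg_member("ASG-WebServers", "10.0.1.6")
    print(flow_is_covered(WEB_TO_DB, "10.0.1.6", "10.0.2.10", 1433))  # covered; rule text unchanged
```

Note that a VM outside the ASG is not covered even if it sits in the same subnet as the web servers, which is exactly the segmentation the rule is meant to express.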
14. Important NSG Behavior for Exam
1. NSGs are stateful
If inbound traffic is allowed:
- The response traffic is automatically allowed.
- You do not need to create an outbound rule for return traffic.
2. NSGs operate at Layer 4
They filter based on:
- IP
- Port
- Protocol
They do not inspect application data.
3. NSGs do not filter:
- DNS traffic to the Azure-provided default DNS
- Traffic within the same VM over the loopback interface
15. Monitoring and Troubleshooting NSGs
Important tools:
- NSG Flow Logs (via Network Watcher)
- IP Flow Verify
- Effective security rules (on NIC)
Effective Security Rules
Shows:
- Combined rules from subnet NSG + NIC NSG
- Helps in troubleshooting
16. Best Practices for NSGs (Exam Oriented)
- Use least privilege principle
- Use ASGs instead of IP addresses
- Avoid overly broad rules like:
  - Source: Any
  - Destination: Any
  - Port: *
- Use clear rule naming convention
- Use subnet-level NSGs for common rules
- Use NIC-level NSGs for specific VM rules
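A simple way to enforce the points in this list is to lint a rule set before it is applied. The checker below is an added example written for this page (not an Azure tool and not from the original notes): it flags priorities outside 100-4096, duplicate priorities within a direction, any/any/* allow rules, management ports (22, 3389) allowed from the internet, and names that break a naming convention. The convention <Allow|Deny>-<Purpose>-<In|Out> and the sample rule set are assumptions.

```python
"""Static checks over an NSG rule set for the best practices listed above.
Added illustration; not an Azure tool. The naming convention is an assumption."""
import re
from dataclasses import dataclass

PRIORITY_MIN, PRIORITY_MAX = 100, 4096       # custom rule range
MANAGEMENT_PORTS = {"22", "3389"}            # SSH and RDP
# Assumed convention for this example: <Allow|Deny>-<Purpose>-<In|Out>
NAME_PATTERN = re.compile(r"^(Allow|Deny)-[A-Za-z0-9]+-(In|Out)$")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" / "Outbound"
    source: str      # CIDR, "*", service tag or ASG name
    dest: str
    dest_port: str   # "443", "*", ...
    action: str      # "Allow" / "Deny"


def lint_rules(rules):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    used_priorities = {}
    for r in rules:
        if not PRIORITY_MIN <= r.priority <= PRIORITY_MAX:
            findings.append(f"{r.name}: priority {r.priority} is outside {PRIORITY_MIN}-{PRIORITY_MAX}")
        key = (r.direction, r.priority)
        if key in used_priorities:  # Azure requires unique priorities per direction within an NSG
            findings.append(f"{r.name}: priority {r.priority} already used by {used_priorities[key]} ({r.direction})")
        used_priorities.setdefault(key, r.name)
        if r.action == "Allow" and r.source == "*" and r.dest == "*" and r.dest_port == "*":
            findings.append(f"{r.name}: allows any source to any destination on any port")
        if (r.action == "Allow" and r.direction == "Inbound"
                and r.source in ("*", "Internet") and r.dest_port in MANAGEMENT_PORTS):
            findings.append(f"{r.name}: management port {r.dest_port} is open to the internet")
        if not NAME_PATTERN.match(r.name):
            findings.append(f"{r.name}: name does not follow <Allow|Deny>-<Purpose>-<In|Out>")
    return findings


# Constructed sample rule set with deliberate problems
SAMPLE_RULES = [
    Rule("Allow-HTTPS-In", 100, "Inbound", "Internet", "ASG-WebServers", "443", "Allow"),
    Rule("rule1", 50, "Inbound", "*", "*", "*", "Allow"),
    Rule("Allow-RDP-In", 200, "Inbound", "*", "*", "3389", "Allow"),
    Rule("Allow-SSH-In", 200, "Inbound", "10.0.0.0/24", "*", "22", "Allow"),
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Running it on SAMPLE_RULES reports five findings: three for rule1 (priority, breadth, name), one for RDP open to the internet, and one duplicate priority for Allow-SSH-In. The first rule, scoped to a service tag and an ASG, passes clean.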
17. Common Exam Scenarios
You may see questions like:
- Traffic is blocked even though rule exists → Check priority.
- NSG applied to subnet and NIC → Which rule applies?
- How to allow only application servers to talk to database?
- Why is traffic denied even though an allow rule exists? → A deny rule with a lower priority number (evaluated first) may be matching the traffic.
Always check:
- Direction
- Priority
- Source
- Destination
- Port
- Association level
18. Difference Between NSG and Azure Firewall (Quick Comparison)
NSG:
- Basic traffic filtering
- Layer 4
- Free (no additional cost)
- Applied to subnets/NICs
Azure Firewall:
- Advanced filtering
- Layer 7 support
- Centralized
- Paid service
For AZ-700, know when NSG is sufficient.
19. Key Points to Remember for AZ-700
- Priority range: 100–4096
- Lower number = higher priority
- Default rules cannot be deleted
- NSGs are stateful
- Can associate with subnet and NIC
- Service tags simplify rule management
- ASGs simplify grouping of VMs
- Both subnet and NIC NSGs must allow traffic
- Default inbound is deny
- Default outbound allows internet
Final Summary
A Network Security Group (NSG) in Microsoft Azure is a fundamental security component used to control traffic in a Virtual Network.
To pass the AZ-700 exam, you must understand:
- What NSGs are
- How rules are structured
- How priority works
- Default rules
- Association levels
- Stateful behavior
- Service tags
- Application Security Groups
- Troubleshooting using effective rules
If you understand these clearly, you will confidently handle any NSG-related question in the AZ-700 exam.
