5.1 Network Security Groups (NSGs) and ASGs
📘 Microsoft Azure Networking Solutions (AZ-700)
1. What Is an NSG? (Quick Revision)
A Network Security Group (NSG) is an Azure resource that controls inbound and outbound network traffic using security rules.
NSGs contain inbound and outbound security rules. Each rule defines:
- A priority number (lower numbers are evaluated first; the first matching rule wins)
- An Allow or Deny action
- Source and destination definitions
- Port numbers and protocol
NSGs filter traffic at Layer 3 and Layer 4 (IP addresses, protocol and ports), not at the application layer.
2. Where Can You Associate an NSG?
For the AZ-700 exam, you must clearly understand:
An NSG can be associated with:
- Subnet
- Network Interface (NIC)
You cannot directly associate an NSG with:
- A Virtual Machine (VM)
- An Application Gateway
- A Load Balancer
- A VNet itself
Instead:
- A VM gets security rules through its NIC
- A group of VMs gets security rules through the subnet
3. Understanding Association to Subnet vs NIC
A. Associate NSG to a Subnet
When you associate an NSG to a subnet:
- The NSG rules apply to all resources inside that subnet
- All VMs and services in that subnet are affected
- It provides centralized control
Example (IT-Based Scenario)
You create:
- A subnet called “WebSubnet”
- Multiple web servers deployed inside it
If you attach an NSG to “WebSubnet”:
- All web servers follow the same rules
- You can allow HTTP (port 80) inbound and deny the other, unwanted ports
This is common in:
- Multi-tier architecture
- Production environments
- Standardized security environments
B. Associate NSG to a Network Interface (NIC)
Each VM has at least one Network Interface (NIC).
When you associate an NSG to a NIC:
- The rules apply only to that specific VM
- You get granular control
- Other VMs in the same subnet are not affected
Example (IT-Based Scenario)
Inside the same subnet:
- 5 web servers exist
- 1 server needs extra management access (RDP on port 3389 or SSH on port 22)
You can:
- Keep subnet NSG general
- Add stricter or different rules on that one VM’s NIC
4. How Traffic Is Evaluated (Very Important for Exam)
If both Subnet NSG and NIC NSG are associated, traffic is processed in this order:
For Inbound Traffic:
- Subnet NSG
- NIC NSG
For Outbound Traffic:
- NIC NSG
- Subnet NSG
Both must allow the traffic.
If either one denies traffic → Traffic is denied.
This is extremely important for AZ-700 exam questions.
5. Steps to Associate an NSG
Method 1: Associate NSG to a Subnet (Azure Portal)
- Go to Virtual Network
- Select Subnets
- Choose the subnet
- Under Network security group, select an existing NSG
- Click Save
Method 2: Associate NSG to a NIC (Azure Portal)
- Go to Virtual Machine
- Click Networking
- Select the Network Interface
- Under Network security group, select an existing NSG
- Click Save
Using Azure CLI
Associate NSG to Subnet:
az network vnet subnet update \
--vnet-name MyVNet \
--name MySubnet \
--resource-group MyResourceGroup \
--network-security-group MyNSG
Associate NSG to NIC:
az network nic update \
--name MyNIC \
--resource-group MyResourceGroup \
--network-security-group MyNSG
Using Azure PowerShell
Subnet Association:
Set-AzVirtualNetworkSubnetConfig (with the -NetworkSecurityGroup parameter), followed by Set-AzVirtualNetwork to save the change to the VNet
NIC Association:
Set-AzNetworkInterface (after setting the NIC object’s NetworkSecurityGroup property)
You do not need to memorize full syntax for the exam, but you must recognize command purpose.
6. Default Behavior After Association
Once an NSG is associated:
- Rules start applying immediately
- Existing connections are not interrupted
- New traffic flows are evaluated against rules
Important:
NSGs are stateful.
Meaning: if inbound traffic is allowed by a rule, the response traffic is automatically allowed, even if there is no outbound rule explicitly allowing it.
This is a key exam concept.
7. Removing or Changing an Association
You can:
- Replace the NSG
- Remove the NSG completely
- Associate a different NSG
This can be done without deleting the VM or subnet.
Removing an NSG means:
- Only Azure default system rules apply
8. Exam-Specific Scenarios You Must Understand
Scenario 1: Restrict Access to All VMs in a Tier
Correct answer: Associate NSG to the Subnet.
Scenario 2: Apply Special Rule to One VM Only
Correct answer: Associate NSG to NIC.
Scenario 3: Traffic Is Being Blocked
Check:
- Subnet NSG
- NIC NSG
- Rule priority
- Direction (inbound/outbound)
- Default deny rule
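The evaluation order of section 4, the stateful behaviour of section 6 and the troubleshooting checklist of Scenario 3 can be walked through with a small model. The following is an added example written for these notes, not Azure's implementation and not code from the notes' author. It assumes a constructed VNet address space (10.0.0.0/16), constructed NSG names, addresses and rules, and it simplifies the VirtualNetwork, Internet and AzureLoadBalancer service tags to "inside the VNet", "outside the VNet" and the platform probe address; the six default rules and their priorities are the real Azure defaults.

```python
"""Toy evaluator for NSG rule order, subnet/NIC evaluation order and statefulness.
Constructed example for study purposes; not Azure's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"
VNET_SPACE = ip_network("10.0.0.0/16")   # constructed VNet address space (assumption)
AZURE_LB_PROBE_IP = "168.63.129.16"      # address behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first; first match wins
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str = ANY    # "Tcp", "Udp", "Icmp" or "*"
    source: str = ANY      # CIDR, service tag or "*"
    dest: str = ANY
    dest_port: str = ANY   # "22", "1000-2000" or "*"

    def matches(self, proto, src, dst, port):
        return (self.protocol in (ANY, proto) and addr_match(self.source, src)
                and addr_match(self.dest, dst) and port_match(self.dest_port, port))


def addr_match(pattern, addr):
    """Simplified tag matching (assumption: tags reduce to VNet membership)."""
    if pattern == ANY:
        return True
    if pattern == "VirtualNetwork":
        return ip_address(addr) in VNET_SPACE
    if pattern == "Internet":
        return ip_address(addr) not in VNET_SPACE
    if pattern == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return ip_address(addr) in ip_network(pattern)


def port_match(pattern, port):
    if pattern == ANY:
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


# The default rules every NSG carries; a custom rule with a lower priority number
# is evaluated before them, which is how "allow port 80" beats DenyAllInBound.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dest="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


class NSG:
    def __init__(self, name, rules=()):
        self.name = name
        self.rules = sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority)

    def evaluate(self, direction, proto, src, dst, port):
        """Return (access, rule name) of the first matching rule in priority order."""
        for rule in self.rules:
            if rule.direction == direction and rule.matches(proto, src, dst, port):
                return rule.access, rule.name
        raise RuntimeError("unreachable: a DenyAll default rule always matches")


def effective_decision(subnet_nsg, nic_nsg, direction, proto, src, dst, port):
    """Inbound: subnet NSG then NIC NSG. Outbound: NIC NSG then subnet NSG.
    Returns ("Allow", None, None) only if every associated NSG allows the packet,
    otherwise ("Deny", <NSG that denied>, <rule that denied>) for troubleshooting."""
    order = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    for nsg in order:
        if nsg is None:          # no NSG associated at this level: nothing to check
            continue
        access, rule = nsg.evaluate(direction, proto, src, dst, port)
        if access == "Deny":
            return "Deny", nsg.name, rule
    return "Allow", None, None


class StatefulFilter:
    """Remembers allowed flows so reply packets pass without an explicit rule."""

    def __init__(self, subnet_nsg, nic_nsg=None):
        self.subnet_nsg, self.nic_nsg = subnet_nsg, nic_nsg
        self.flows = set()       # (proto, initiator, responder, responder_port)

    def packet(self, direction, proto, src, src_port, dst, dst_port):
        if (proto, dst, src, src_port) in self.flows:
            return "Allow", "stateful", "reply-of-allowed-flow"
        verdict = effective_decision(self.subnet_nsg, self.nic_nsg,
                                     direction, proto, src, dst, dst_port)
        if verdict[0] == "Allow":
            self.flows.add((proto, src, dst, dst_port))
        return verdict


# Constructed scenario from the notes: one NSG on the web subnet for all web servers,
# plus a NIC NSG on the single server that needs SSH from a management subnet.
WEB_NSG = NSG("web-subnet-nsg", [
    Rule("allow-http-in", 100, "Inbound", "Allow", "Tcp", source="Internet", dest_port="80"),
    Rule("deny-internet-out", 200, "Outbound", "Deny", dest="Internet"),
])
WEB01_NIC_NSG = NSG("web01-nic-nsg", [
    Rule("allow-ssh-from-mgmt", 100, "Inbound", "Allow", "Tcp", source="10.0.255.0/24", dest_port="22"),
])
```

Running `effective_decision(WEB_NSG, WEB01_NIC_NSG, "Inbound", "Tcp", "203.0.113.7", "10.0.1.4", 80)` shows the classic Scenario 3 case: the subnet NSG allows port 80, but the NIC NSG has no matching custom rule, so its DenyAllInBound default blocks the traffic, and the returned tuple names both the NSG and the rule to check. The outbound case shows the reverse order: the NIC NSG allows Internet egress by default, the subnet NSG's deny-internet-out rule then blocks it. The StatefulFilter shows why the reply to an allowed HTTP request still passes despite that outbound deny.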
Scenario 4: Design Question
If you want:
- Centralized control → Subnet NSG
- Granular control → NIC NSG
Often best practice:
- Use Subnet NSG for standard rules
- Use NIC NSG only when necessary
9. Limitations and Important Notes
- One subnet can have only one NSG.
- One NIC can have only one NSG.
- An NSG can be associated with multiple subnets.
- An NSG can be associated with multiple NICs.
- You cannot associate an NSG directly with a VNet.
- You cannot associate an NSG directly with a VM (only through its NIC).
10. Common Mistakes in Exam
❌ Thinking an NSG is attached directly to a VM
❌ Forgetting evaluation order
❌ Ignoring rule priority
❌ Forgetting NSGs are stateful
❌ Not checking both Subnet and NIC NSGs
11. Design Best Practices for AZ-700
For exam answers, prefer:
✔ Apply NSG at subnet level for layered architecture
✔ Use a NIC NSG only when a specific VM needs an exception
✔ Keep rule priority organized
✔ Use Application Security Groups (ASGs) when you need to manage multiple VMs as a logical group in rules
✔ Avoid overly complex dual NSG configurations unless required
12. Quick Summary for Revision
- NSG controls traffic using rules
- Associate an NSG to:
  - Subnet (recommended for most cases)
  - NIC (for granular control)
- If both exist → both must allow traffic
- Inbound: Subnet → NIC
- Outbound: NIC → Subnet
- NSGs are stateful
- Cannot attach an NSG directly to a VM or VNet
