5.1 Network Security Groups (NSGs) and ASGs
📘Microsoft Azure Networking Solutions (AZ-700)
What is Remote Administration?
Remote administration means accessing and managing your virtual machines (VMs) or servers over a network instead of physically being at the machine. In Azure, this is usually done via:
- RDP (Remote Desktop Protocol) – for Windows VMs
- SSH (Secure Shell) – for Linux VMs
These protocols allow IT admins to control VMs from their computers.
However, leaving RDP or SSH open to the entire internet is risky because attackers can try to break in. This is where Network Security Groups (NSGs) and Azure Bastion come in.
What is an NSG?
A Network Security Group (NSG) is like a virtual firewall for your Azure resources. It controls who can connect to your VMs and from where.
- NSGs consist of inbound rules and outbound rules.
- Inbound rules control incoming traffic (like who can RDP or SSH into a VM).
- Outbound rules control outgoing traffic (like whether a VM can reach the internet).
Configuring NSGs for Remote Administration
When configuring NSGs for remote administration, the goal is to allow only trusted access to your VMs.
1. Create an NSG
- You can create an NSG via the Azure Portal, CLI, or PowerShell.
- Assign it to either:
  - Subnets (applies to all VMs in the subnet)
  - Network Interfaces (NICs) (applies only to specific VMs)
2. Add Inbound Rules for RDP or SSH
- For Windows VMs (RDP):
  - Protocol: TCP
  - Port: 3389
  - Source: Trusted IP addresses or ranges (not 0.0.0.0/0)
- For Linux VMs (SSH):
  - Protocol: TCP
  - Port: 22
  - Source: Trusted IP addresses
⚠️ Important: Avoid allowing RDP or SSH from all IPs (0.0.0.0/0), because it exposes your VM to attacks.
3. Optional Outbound Rules
- By default, an NSG allows outbound traffic, so no outbound rule is required just to get connectivity.
- For extra security, you can restrict which destinations your VMs can access.
Azure Bastion – Secure Remote Administration Without Exposing RDP/SSH
Azure Bastion is a managed PaaS service in Azure that lets you securely connect to VMs from the Azure portal.
Benefits:
- No public IP required for VMs
- No need to open RDP (3389) or SSH (22) in your NSG
- Works through HTTPS (443) in your browser, making it much safer
How it Works
- Deploy Azure Bastion in the same virtual network as your VMs.
- NSG rules:
  - You do NOT need to allow inbound RDP/SSH from the internet.
  - You may need a rule allowing Azure Bastion to reach the VM on port 3389/22 internally.
- Connect through the Azure portal using Bastion – it tunnels the connection over HTTPS.
In exams, you may see questions like:
“How can you secure remote administration for a VM without exposing RDP/SSH to the internet?”
Correct answer: Use Azure Bastion and do not open public RDP/SSH ports.
NSG Configuration Example for Remote Admin
| Rule Type | Priority | Source | Destination | Protocol | Port | Action | Purpose |
|---|---|---|---|---|---|---|---|
| Inbound | 100 | AzureBastion | VM Subnet | TCP | 3389 | Allow | Windows VM via Bastion |
| Inbound | 110 | AzureBastion | VM Subnet | TCP | 22 | Allow | Linux VM via Bastion |
| Inbound | 200 | Any | VM Subnet | TCP | 3389 | Deny | Block public RDP access |
| Inbound | 210 | Any | VM Subnet | TCP | 22 | Deny | Block public SSH access |
Tip: Lower numbers = higher priority. Rules are processed top to bottom.
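To see how the priorities in the table actually play out, here is an added example (not from the page or from Azure's own tooling) that models inbound NSG evaluation: first match in ascending priority order wins. The address ranges are constructed assumptions, the AzureBastion source is modelled as the AzureBastionSubnet range, and the two platform default rules (AllowVnetInBound 65000, DenyAllInBound 65500) are added below the table's rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address ranges (assumptions, not from the page): the Bastion
# host lives in AzureBastionSubnet and the VMs in their own subnet of one VNet.
VNET = "10.0.0.0/16"
BASTION_SUBNET = "10.0.1.0/26"
VM_SUBNET = "10.0.2.0/24"
ANY = "*"

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number = evaluated first
    source: str          # CIDR, or "*" for Any
    destination: str
    protocol: str        # "Tcp", "Udp" or "*"
    port: Optional[int]  # None = any port
    access: str          # "Allow" or "Deny"

def _in_prefix(prefix: str, ip: str) -> bool:
    return prefix == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """First match in ascending priority order wins, as an NSG evaluates an inbound flow."""
    for r in sorted(rules, key=lambda x: x.priority):
        if r.protocol not in (ANY, proto) or (r.port is not None and r.port != port):
            continue
        if _in_prefix(r.source, src) and _in_prefix(r.destination, dst):
            return r.access, r.name
    raise ValueError("unreachable: every NSG ends with DenyAllInBound")

def exposed_admin_rules(rules: List[Rule]) -> List[str]:
    """Names of Allow rules that open RDP/SSH to any source (the 0.0.0.0/0 mistake above)."""
    return [r.name for r in rules
            if r.access == "Allow" and r.port in (22, 3389) and r.source in (ANY, "0.0.0.0/0")]

# The four rules from the table, followed by two of the platform default rules every NSG
# carries (the VirtualNetwork tag is modelled here as the VNet range; an assumption).
INBOUND = [
    Rule("AllowBastionRDP", 100, BASTION_SUBNET, VM_SUBNET, "Tcp", 3389, "Allow"),
    Rule("AllowBastionSSH", 110, BASTION_SUBNET, VM_SUBNET, "Tcp", 22, "Allow"),
    Rule("DenyPublicRDP", 200, ANY, VM_SUBNET, "Tcp", 3389, "Deny"),
    Rule("DenyPublicSSH", 210, ANY, VM_SUBNET, "Tcp", 22, "Deny"),
    Rule("AllowVnetInBound", 65000, VNET, VNET, ANY, None, "Allow"),
    Rule("DenyAllInBound", 65500, ANY, ANY, ANY, None, "Deny"),
]
```

Note that a VM elsewhere in the same VNet is still denied RDP to the VM subnet, because the Deny at priority 200 is matched before the default AllowVnetInBound at 65000.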
Exam Tips
- Know the difference between NSGs applied to a subnet vs NIC.
- Remember Azure Bastion removes the need for public RDP/SSH ports.
- Understand NSG priorities – a deny rule with higher priority will override lower-priority allow rules.
- Be able to identify ports: RDP = 3389, SSH = 22, HTTPS (Bastion) = 443.
- Practice creating NSGs in the Azure portal or CLI for remote admin.
✅ Summary
- Use NSGs to control inbound/outbound traffic to your VMs.
- Open RDP/SSH only to trusted IPs if you’re not using Bastion.
- Use Azure Bastion for a safer way to connect to VMs without exposing ports publicly.
- Configure NSG rules correctly with proper priority, protocol, and source/destination.
