Configure secure access to virtual networks
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
1. Introduction to Secure Access in Azure Virtual Networks
When you create virtual networks (VNets) in Azure, the resources you deploy into them (virtual machines, databases, web apps and so on) can communicate with each other. To protect these resources from unauthorized access, Azure provides Network Security Groups (NSGs) and Application Security Groups (ASGs).
Think of NSGs and ASGs as security gates that control who can talk to what inside your Azure network.
2. Network Security Groups (NSGs)
What is an NSG?
A Network Security Group (NSG) is a set of security rules that allow or deny network traffic to Azure resources.
- Traffic can be inbound (coming to your resource) or outbound (going from your resource).
- NSGs can be applied to subnets or individual network interfaces (NICs) of virtual machines.
Components of an NSG
Each NSG contains multiple security rules. Each rule has the following elements:
- Name – Unique name for the rule.
- Priority – A number from 100 to 4096. Lower numbers have higher priority. Azure processes rules in order of priority and the first rule that matches the traffic decides; later rules are not evaluated.
- Source – Where the traffic is coming from (IP, subnet, or ASG).
- Source port range – The port(s) the traffic is coming from.
- Destination – Where the traffic is going (IP, subnet, or ASG).
- Destination port range – The port(s) the traffic is going to.
- Protocol – TCP, UDP, or Any.
- Action – Allow or Deny.
Default NSG Rules
Every NSG comes with default rules, which cannot be removed but can be overridden with higher-priority rules:
| Rule | Direction | Action | Purpose |
|---|---|---|---|
| AllowVNetInBound | Inbound | Allow | Allows traffic within the VNet |
| AllowAzureLoadBalancerInBound | Inbound | Allow | Allows Azure load balancer traffic |
| DenyAllInBound | Inbound | Deny | Denies all other inbound traffic |
| AllowVNetOutBound | Outbound | Allow | Allows outbound traffic to any destination within the VNet |
| AllowInternetOutBound | Outbound | Allow | Allows traffic to the Internet |
| DenyAllOutBound | Outbound | Deny | Denies all other outbound traffic |
Exam Tip: Know that default rules exist and that your custom rules take priority if they have a lower number (higher priority).
How to Use NSGs
- Secure a Subnet: Apply an NSG to a subnet. All resources in that subnet follow the same rules.
- Secure a VM: Apply an NSG to the NIC of a VM. Only that VM is affected.
You can use both at the same time. Inbound traffic is checked by the subnet NSG first and then by the NIC NSG (outbound in the reverse order); if either NSG denies the traffic, it is dropped.
Example in an IT environment:
- You have a web server VM in Azure. You allow TCP ports 80 and 443 (HTTP/HTTPS) so that internet clients can reach it.
- You deny all other inbound traffic to protect it from unauthorized access.
3. Application Security Groups (ASGs)
What is an ASG?
An Application Security Group (ASG) lets you group VMs based on the application or role instead of IP addresses.
- This is useful for large networks where IP addresses might change.
- Instead of writing NSG rules for specific IPs, you can write rules for ASGs.
Example:
- WebServers ASG → contains all web server VMs
- DBServers ASG → contains all database server VMs
Then, in your NSG, you can allow traffic from WebServers to DBServers on port 1433 (SQL) without worrying about IP addresses.
Benefits of ASGs
- Simplifies management: No need to update NSG rules if a VM's IP address changes.
- Scalable: Add or remove VMs from ASG without modifying NSG rules.
- Role-based grouping: Logical grouping of VMs for better security.
4. How NSGs and ASGs Work Together
- NSGs define the traffic rules.
- ASGs define who the rules apply to.
Scenario:
- You have an NSG that allows traffic from the WebServers ASG to the DBServers ASG on port 1433.
- If a new web server VM is added to WebServers ASG, it automatically follows the NSG rules.
- If a VM is removed from the ASG, it no longer matches the rule and loses that access.
This makes it easier to manage security in dynamic environments.
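As an added example (not from the page or from Microsoft), this Python model of inbound NSG evaluation shows how the points from sections 2 to 4 interact: rule priority, the default rules, ASG membership instead of IP addresses, and the subnet-plus-NIC stacking where both NSGs must allow a flow. The VNet range, ASG membership and rule names are constructed sample values; the AzureLoadBalancer default rule and the outbound direction are left out for brevity.

```python
import ipaddress
from collections import namedtuple

# Constructed sample VNet and ASG membership (ASG name -> private IPs of its member NICs).
VNET = ipaddress.ip_network("10.0.0.0/16")
ASGS = {"WebServers": {"10.0.1.4", "10.0.1.5"}, "DBServers": {"10.0.2.4"}}

# source/dest: a CIDR, "*", the VirtualNetwork tag or "asg:<name>"; dest_port: "1433", "80-443" or "*";
# protocol: "Tcp", "Udp" or "*"; priority: custom rules use 100-4096 and the lowest number wins.
Rule = namedtuple("Rule", "name priority source dest dest_port protocol action")

# Azure's default inbound rules sit at priority 65000 and above, so every custom rule outranks them.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

def _addr_matches(spec, ip):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ipaddress.ip_address(ip) in VNET
    if spec.startswith("asg:"):
        return ip in ASGS.get(spec[4:], set())
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, dst_ip, dst_port, proto):
    """Return (rule name, action): the first match in ascending priority order decides."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (_addr_matches(r.source, src_ip) and _addr_matches(r.dest, dst_ip)
                and _port_matches(r.dest_port, dst_port) and r.protocol in ("*", proto)):
            return r.name, r.action
    return "DenyAllInBound", "Deny"  # not reached: DenyAllInBound matches every flow

def allowed(subnet_rules, nic_rules, *flow):
    """An inbound flow must be allowed by the subnet NSG and then by the NIC NSG."""
    return all(evaluate(rs, *flow)[1] == "Allow" for rs in (subnet_rules, nic_rules))

# Subnet NSG on the DB subnet: the web tier may reach SQL, any other VNet host may not.
DB_SUBNET_NSG = [
    Rule("AllowWebToSql", 100, "asg:WebServers", "asg:DBServers", "1433", "Tcp", "Allow"),
    Rule("DenyVNetToSql", 200, "VirtualNetwork", "asg:DBServers", "1433", "Tcp", "Deny"),
]
```

Note the DenyVNetToSql rule: without it, the default AllowVNetInBound rule would let every other VM in the VNet reach port 1433, which is the most common surprise when relying on the defaults.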
5. Configuring NSGs and ASGs in Azure
Creating an NSG
- Go to the Azure Portal → Search Network Security Groups → Add.
- Choose subscription, resource group, name, and region.
- Click Review + create.
Adding Rules to NSG
- Open the NSG → Inbound security rules or Outbound security rules → Add.
- Specify priority, source/destination, port, protocol, and action.
- Click Add to save.
Creating an ASG
- Go to the Azure Portal → Search Application Security Groups → Add.
- Choose subscription, resource group, name, and region → Create.
- Add VMs to the ASG by editing their network interface → IP configuration → Application security group.
6. Exam Tips for AZ-104
- Understand NSG vs ASG differences.
- Know default NSG rules and how custom rules take precedence.
- Know how to apply NSGs to subnets vs VMs.
- Know how ASGs simplify NSG management.
- Understand priority numbers: lower numbers = higher priority.
- Understand real IT scenarios like allowing traffic between web servers and database servers.
The exam may test your ability to design secure access, identify correct NSG/ASG usage, and configure rules properly.
✅ Summary:
- NSG: Control inbound/outbound traffic with rules. Apply to subnets or NICs.
- ASG: Group VMs logically to simplify NSG rule management.
- Together: NSGs define rules, ASGs define which VMs the rules apply to.
- Key points: Rule priority, default rules, subnet vs NIC assignment, dynamic IP handling with ASGs.
