3.1.1. Network Security Groups (NSGs) and Application Security Groups (ASGs)
💡 First Principle: NSGs filter network traffic using rules that match on source, destination, source/destination port, and protocol (a 5-tuple). They operate at Layer 3-4 (network/transport), are stateful (the reply to an allowed flow is permitted without a rule in the opposite direction), and can be associated with subnets or individual NICs. When both a subnet NSG and a NIC NSG apply, inbound traffic must be allowed by both (subnet evaluated first), and outbound traffic must be allowed by both (NIC evaluated first).
Scenario: You have a three-tier application with web, application, and database tiers. Web servers should accept traffic from the internet on port 443; application servers should only accept traffic from web servers; database servers should only accept traffic from application servers.
NSG Rule Components
| Property | Description | Example |
|---|---|---|
| Priority | Lower number = higher priority (100-4096); must be unique per direction within the NSG; evaluation stops at the first match | 100 |
| Direction | Inbound or Outbound | Inbound |
| Source | Where traffic originates | IP, CIDR, Service Tag, ASG |
| Source port | Originating port or range | * (any) |
| Destination | Where traffic goes | IP, CIDR, Service Tag, ASG |
| Destination port | Target port or range | 443 |
| Protocol | TCP, UDP, ICMP, ESP, AH, or Any | TCP |
| Action | Allow or Deny | Allow |
Application Security Groups (ASGs)
- Purpose: Logical grouping of VMs for simplified NSG rules
- Benefit: Use application-centric names instead of IP addresses
- Example: "WebServers" ASG instead of listing individual IPs
Visual: NSG with ASGs
💡 Key Insight: NSG rules reference ASG names ("WebServers", "DBServers") instead of IP addresses. When a VM's NIC is added to an ASG, traffic to and from that NIC is matched by every rule that names the ASG, so no IP management is required as VMs are added or replaced. Caveat: all NICs in an ASG must belong to the same VNet, and a rule that uses an ASG as both source and destination requires both ASGs to be in the same VNet.
Default NSG Rules
| Priority | Name | Direction | Source | Destination | Action |
|---|---|---|---|---|---|
| 65000 | AllowVnetInBound | Inbound | VirtualNetwork | VirtualNetwork | Allow |
| 65001 | AllowAzureLoadBalancerInBound | Inbound | AzureLoadBalancer | * | Allow |
| 65500 | DenyAllInBound | Inbound | * | * | Deny |
| 65000 | AllowVnetOutBound | Outbound | VirtualNetwork | VirtualNetwork | Allow |
| 65001 | AllowInternetOutBound | Outbound | * | Internet | Allow |
| 65500 | DenyAllOutBound | Outbound | * | * | Deny |

Default rules cannot be edited or deleted, but any custom rule (priority 100-4096) outranks them, so they can be overridden.
⚠️ Exam Trap: Forgetting that NSGs have default rules. The default "AllowVnetInBound" rule (priority 65000) allows all traffic within the VNet, and the VirtualNetwork service tag also covers peered VNets and on-premises address space reachable through a VNet gateway, so tiers in the same VNet are not isolated by default. If you need to isolate subnets from each other, you must add an explicit deny rule with a lower priority number than 65000 (for example, a Deny VirtualNetwork → VirtualNetwork rule at priority 4000), placed after the specific Allow rules for the permitted tier-to-tier flows.
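The three-tier scenario, the ASG naming and the default-rule trap above can be checked against a small model of how an NSG evaluates a packet. The following Python is an added example, not Azure code or Azure output: it models first-match-by-priority evaluation, the six default rules, the Internet/VirtualNetwork/AzureLoadBalancer service tags and ASG membership, then evaluates the scenario's flows with and without an isolation deny rule. The ASG names, the 10.0.0.0/16 address space, the NIC addresses, the application ports (8080, 1433) and the public address 198.51.100.23 are assumptions; the model evaluates a single inbound NSG, treats every address outside the VNet as Internet, and ignores source ports and subnet/NIC layering.

```python
"""Toy model of NSG rule evaluation (added example, not Azure code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the three-tier scenario (assumption)
VNET = ip_network("10.0.0.0/16")

# Constructed ASG membership: NIC private IP -> ASG (assumption)
ASG_MEMBERS = {
    "WebServers": {"10.0.1.4", "10.0.1.5"},
    "AppServers": {"10.0.2.4"},
    "DBServers": {"10.0.3.4"},
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    direction: str        # "Inbound" or "Outbound"
    source: str           # IP/CIDR, service tag, or ASG name
    source_port: str      # ignored by this model
    destination: str
    destination_port: str  # "*", "443", "80,443", or "1024-65535"
    protocol: str         # "Tcp", "Udp", "Icmp", or "*"
    action: str           # "Allow" or "Deny"


# Azure's six default rules: cannot be deleted, but lower numbers override them
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Inbound", "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "AzureLoadBalancer", "*", "*", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "Inbound", "*", "*", "*", "*", "*", "Deny"),
    Rule(65000, "AllowVnetOutBound", "Outbound", "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowInternetOutBound", "Outbound", "*", "*", "Internet", "*", "*", "Allow"),
    Rule(65500, "DenyAllOutBound", "Outbound", "*", "*", "*", "*", "*", "Deny"),
]


def _match_address(spec, ip):
    """Does an address match a rule's source/destination field?"""
    addr = ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":            # simplification: anything outside the VNet
        return addr not in VNET
    if spec == "AzureLoadBalancer":   # Azure's well-known health-probe source
        return ip == "168.63.129.16"
    if spec in ASG_MEMBERS:           # ASG name resolves to its member NICs
        return ip in ASG_MEMBERS[spec]
    return addr in ip_network(spec, strict=False)


def _match_port(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (action, rule name) of the first match in priority order."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda x: x.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if (_match_address(r.source, src_ip) and _match_address(r.destination, dst_ip)
                and _match_port(r.destination_port, dst_port)):
            return r.action, r.name
    raise RuntimeError("unreachable: a DenyAll default rule always matches")


# Custom rules for the scenario, written against ASG names rather than IPs
TIER_RULES = [
    Rule(100, "AllowHttpsFromInternet", "Inbound", "Internet", "*", "WebServers", "443", "Tcp", "Allow"),
    Rule(110, "AllowWebToApp", "Inbound", "WebServers", "*", "AppServers", "8080", "Tcp", "Allow"),
    Rule(120, "AllowAppToDb", "Inbound", "AppServers", "*", "DBServers", "1433", "Tcp", "Allow"),
]
# Explicit deny that outranks AllowVnetInBound (65000) for every other intra-VNet flow
ISOLATION_RULE = Rule(4000, "DenyVnetInBound", "Inbound", "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Deny")


def check_three_tier(with_isolation):
    """Evaluate the scenario's flows; returns {flow: (action, matching rule)}."""
    rules = TIER_RULES + ([ISOLATION_RULE] if with_isolation else [])
    flows = {  # constructed sample flows (assumption)
        "internet->web:443": ("198.51.100.23", "10.0.1.4", 443),
        "web->app:8080": ("10.0.1.4", "10.0.2.4", 8080),
        "app->db:1433": ("10.0.2.4", "10.0.3.4", 1433),
        "web->db:1433": ("10.0.1.4", "10.0.3.4", 1433),      # must be denied
        "internet->db:1433": ("198.51.100.23", "10.0.3.4", 1433),
    }
    return {name: evaluate(rules, "Inbound", s, d, p) for name, (s, d, p) in flows.items()}


if __name__ == "__main__":
    for isolated in (False, True):
        print(f"--- isolation rule {'present' if isolated else 'absent'} ---")
        for flow, (action, rule) in check_three_tier(isolated).items():
            print(f"{flow:20} {action:5} by {rule}")
```

Without the isolation rule, web → DB on 1433 is allowed by AllowVnetInBound even though no custom rule permits it; adding the priority-4000 deny closes that path while the tier-specific allows at 100-120 and the load balancer probe (168.63.129.16, matched by the 65001 default) still work.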