Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1. Virtual Network Security Fundamentals

💡 First Principle: Network security creates barriers that attackers must breach before reaching your applications. Unlike identity (which asks "who are you?"), network security asks "where are you coming from?"—and blocks traffic that shouldn't be there at all.

Think of network segmentation like a submarine's watertight compartments. When one compartment floods, the sealed bulkheads prevent water from spreading throughout the vessel. Similarly, when an attacker compromises a web server in your DMZ, proper network segmentation prevents them from pivoting directly to your database servers—they must breach each compartment separately.

What breaks without network security? Everything becomes directly accessible. An attacker who gains a foothold anywhere can freely probe every resource, exploit vulnerable services, and exfiltrate data without crossing any security boundaries. Even if your applications are perfectly secured, network-level controls provide the critical "defense in depth" that buys you detection time.

Consider the scope: Network Security Groups (NSGs) are the foundational firewall for Azure resources, yet misconfigured NSGs are consistently in the top 5 findings of Azure security assessments. The exam tests not just whether you know what NSGs do, but whether you can configure them correctly in complex multi-tier scenarios.
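The following is an added example, not part of the original page: a small Python model of inbound NSG evaluation for the NSG on a database subnet, showing why a single allow rule does not segment tiers. The address plan, custom rule names and probes are constructed; the default rule names and priorities are Azure's own, with the VirtualNetwork tag simplified to the VNet CIDR.

```python
import ipaddress

# Constructed three-tier address plan (assumed for this example).
VNET, WEB, APP, DB = "10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"
ANY = "0.0.0.0/0"

# Azure's built-in inbound defaults (real names and priorities). Simplified:
# the VirtualNetwork tag is modelled as the VNet CIDR, and the
# AllowAzureLoadBalancerInBound default (65001) is left out.
DEFAULTS = [
    (65000, "AllowVnetInBound", VNET, "*", "Allow"),
    (65500, "DenyAllInBound", ANY, "*", "Deny"),
]

# Rules are (priority, name, source CIDR, destination port, action).
# WEAK: the NSG on the DB subnet only adds the allow it needs.
WEAK = [(100, "AllowSqlFromApp", APP, "1433", "Allow")]
# HARDENED: same allow, plus an explicit deny that shadows AllowVnetInBound.
HARDENED = WEAK + [(4096, "DenyOtherVnetInBound", VNET, "*", "Deny")]

# Constructed probes toward a DB-tier host: (source IP, destination port).
# Sources: web host (SQL), web host (SSH), app host (SQL), internet host (SQL).
PROBES = [("10.0.1.4", 1433), ("10.0.1.4", 22), ("10.0.2.4", 1433), ("203.0.113.9", 1433)]

def evaluate(custom_rules, src_ip, dst_port):
    """Lowest priority number wins; the first matching rule decides."""
    src = ipaddress.ip_address(src_ip)
    for _prio, name, source, port, action in sorted(custom_rules + DEFAULTS):
        if src in ipaddress.ip_network(source) and port in ("*", str(dst_port)):
            return action, name
    return "Deny", "no-match"

def reachable(custom_rules):
    """Probes that the DB subnet's NSG would let through."""
    return [p for p in PROBES if evaluate(custom_rules, *p)[0] == "Allow"]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for ip, port in PROBES:
            print(f"  {ip}:{port} -> {evaluate(rules, ip, port)}")
```

With the weak rule set, traffic from the web subnet reaches the database tier on any port because it falls through to AllowVnetInBound; the hardened set leaves only the app tier's SQL path open.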

Written by Alvin Varughese
Founder • 15 professional certifications