Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.1. Network Security Groups

Why can't your VM reach the database? Why is SSH failing? In most Azure troubleshooting, the answer is NSGs. Network Security Groups provide stateful packet filtering at Layer 3/4, controlling what traffic can enter and leave your resources.

💡 First Principle: NSGs are stateful—if you allow inbound traffic, the response is automatically allowed outbound (and vice versa). They filter based on a 5-tuple: source IP, source port, destination IP, destination port, and protocol.

What breaks without proper configuration: VMs can't communicate. SSH/RDP access fails. Application traffic gets blocked unexpectedly. And worst of all—rules accumulate over time until nobody understands why anything works.

Think of NSGs like a building's security desk. They check IDs (IP addresses) and verify visitors are going to the right floor (port). They don't inspect what's in the briefcases (application layer)—for that, you need Azure Firewall or WAF.
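The stateful 5-tuple filtering described above, as a simplified Python model (an added example, not part of the original course material and not Azure code). The `Rule` tuple, the `Nsg` class, the addresses and the rule set are constructed for illustration; rules are evaluated lowest priority number first with the first match deciding, which is how Azure processes NSG rules.

```python
import ipaddress
from collections import namedtuple

# Hypothetical rule model (not an Azure SDK type). protocol is "Tcp", "Udp" or "*";
# src/dst are CIDR prefixes or "*"; ports are "22", "1024-65535" or "*".
Rule = namedtuple("Rule", "priority direction access protocol src src_port dst dst_port")

def ip_ok(prefix, ip):
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def port_ok(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

class Nsg:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.flows = set()   # 5-tuples of connections an Allow rule admitted

    def check(self, direction, proto, src, sport, dst, dport):
        # Stateful: the reply to an admitted flow is the same 5-tuple reversed,
        # and it passes without consulting the rules for its own direction.
        if (proto, dst, dport, src, sport) in self.flows:
            return "Allow (return traffic)"
        for r in self.rules:  # first matching rule decides
            if (r.direction == direction and r.protocol in ("*", proto)
                    and ip_ok(r.src, src) and port_ok(r.src_port, sport)
                    and ip_ok(r.dst, dst) and port_ok(r.dst_port, dport)):
                if r.access == "Allow":
                    self.flows.add((proto, src, sport, dst, dport))
                return f"{r.access} (rule {r.priority})"
        return "Deny (no rule matched)"

# Constructed rule set: SSH in from one admin range, everything else denied.
RULES = [
    Rule(100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "10.0.1.4", "22"),
    Rule(4096, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule(4096, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    nsg = Nsg(RULES)
    print(nsg.check("Inbound", "Tcp", "203.0.113.10", 50000, "10.0.1.4", 22))
    print(nsg.check("Outbound", "Tcp", "10.0.1.4", 22, "203.0.113.10", 50000))
    print(nsg.check("Outbound", "Tcp", "10.0.1.4", 40000, "203.0.113.10", 443))
```

The second call succeeds even though every outbound rule is a deny, because it is the reply to a flow the inbound rule admitted; the third is a new outbound connection and is blocked.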

Written by Alvin Varughese
Founder • 15 professional certifications