CoursesAzure securityNetwork security & segmentation

NSGs, ASGs & no public management

Identity-aware rules, Bastion/JIT, flow logs.

Advanced30 min · lesson 4 of 15

Azure network security starts with Network Security Groups and Application Security Groups — the stateful, identity-aware filters that make the network default-closed. As everywhere, the goal is that nothing is reachable until you deliberately open the smallest path.

NSGs by priority, workloads by ASG

An NSG is a stateful set of priority-ordered rules applied to a subnet or a NIC; the lowest priority number that matches wins, and return traffic is automatic. Rather than pinning rules to IP ranges that change as you scale, group workloads into Application Security Groups and write rules between ASGs — the web tier allows the app ASG, the app tier allows the database ASG. Rules then follow workload identity and never break when instances are added or replaced.

tier-to-tier rules by ASG, not IP
# App tier reaches the DB tier on 5432 — expressed between ASGs, no IPs.
az network nsg rule create -g rg --nsg-name db-nsg -n allow-app-to-db \
--priority 100 --direction Inbound --access Allow --protocol Tcp \
--destination-port-ranges 5432 \
--source-asgs app-asg --destination-asgs db-asg
# Explicit deny of management ports from the internet, high precedence.
az network nsg rule create -g rg --nsg-name app-nsg -n deny-rdp-inet \
--priority 4096 --direction Inbound --access Deny --protocol Tcp \
--destination-port-ranges 3389 22 --source-address-prefixes Internet

No public management ports, and log the flows

Never expose RDP or SSH to the internet. Use Azure Bastion for browser-based access with no public IP on the VM, or Just-in-Time VM access (Defender for Cloud) to open a port only for an approved, time-boxed window. Enable NSG flow logs to a Log Analytics workspace so you can reconstruct who talked to what during an incident and feed anomaly detection. Keep workloads on private IPs and let a load balancer or Application Gateway be the only public front door.

Default-closed Azure network
filter by identity
NSG priority rules
stateful, subnet/NIC
ASGs
rules between workload groups, not IPs
no standing exposure
Bastion / JIT access
no public RDP/SSH
NSG flow logs
reconstruct + detect
Target rules by ASG, deny management ports from the internet, and log every flow. Public exposure is opt-in, not default.
Internet-facing RDP/SSH is a standing invitation
An NSG rule allowing 3389 or 22 from the internet is scanned and brute-forced within minutes. Remove standing management-port exposure entirely — Bastion or JIT access plus an explicit internet-deny rule — so a single permissive rule cannot open the door.