NSGs, ASGs & no public management
Identity-aware rules, Bastion/JIT, flow logs.
Azure network security starts with Network Security Groups and Application Security Groups — the stateful, identity-aware filters that make the network default-closed. As everywhere, the goal is that nothing is reachable until you deliberately open the smallest path.
NSGs by priority, workloads by ASG
An NSG is a stateful set of priority-ordered rules applied to a subnet or a NIC; the lowest priority number that matches wins, and return traffic is automatic. Rather than pinning rules to IP ranges that change as you scale, group workloads into Application Security Groups and write rules between ASGs — the web tier allows the app ASG, the app tier allows the database ASG. Rules then follow workload identity and never break when instances are added or replaced.
# App tier reaches the DB tier on 5432 — expressed between ASGs, no IPs.az network nsg rule create -g rg --nsg-name db-nsg -n allow-app-to-db \--priority 100 --direction Inbound --access Allow --protocol Tcp \--destination-port-ranges 5432 \--source-asgs app-asg --destination-asgs db-asg# Explicit deny of management ports from the internet, high precedence.az network nsg rule create -g rg --nsg-name app-nsg -n deny-rdp-inet \--priority 4096 --direction Inbound --access Deny --protocol Tcp \--destination-port-ranges 3389 22 --source-address-prefixes Internet
No public management ports, and log the flows
Never expose RDP or SSH to the internet. Use Azure Bastion for browser-based access with no public IP on the VM, or Just-in-Time VM access (Defender for Cloud) to open a port only for an approved, time-boxed window. Enable NSG flow logs to a Log Analytics workspace so you can reconstruct who talked to what during an incident and feed anomaly detection. Keep workloads on private IPs and let a load balancer or Application Gateway be the only public front door.