Configure network security groups | AZ-104 | Episode 9
autoenpublicupdated
Network Security Group Basics
Azure network security groups are free resources used to control network traffic for subnets and virtual networks, especially inside an Azure environment.
NSGs are similar to lightweight firewalls, but they operate at layer 4 and do not provide deep packet inspection.
NSG rules shape traffic based on characteristics such as source, destination, port, and protocol.
Using NSGs With VNets and Subnets
A virtual network is divided into subnets, and by default subnets within the same VNet can communicate with each other.
NSGs can allow or deny inbound and outbound traffic for the subnet or resource they protect.
Traffic can be blocked either outbound from a source subnet or inbound to a destination subnet, and using both can provide additional assurance.
Assignment Scope
NSGs can be assigned at the subnet level or at the network interface card level.
Traffic must be allowed by all applicable NSGs; a deny rule at any applicable point blocks the traffic.
Azure provides analysis capabilities to help determine which NSG rule or assignment is causing a block.
Rule Processing and Defaults
NSG rules use priorities from 100 to 65000, with lower numbers processed first as higher priority rules.
Leave gaps in rule priority numbering so future rules can be inserted without renumbering everything.
Rules are processed sequentially until the first matching allow or deny rule is found, then processing stops.
Default inbound rules allow VNet communication and Azure load balancer traffic, then deny everything else.
Application Security Groups and Service Tags
Application security groups let you apply NSG logic to groups of resources instead of managing many individual NIC rules.
ASGs can help manage application-related resources that span multiple subnets or VNets.
Service tags identify Azure services or resource groupings inside NSG rule definitions and can be used to allow or deny traffic from those sources.
Azure Portal Demo
The demo creates a new NSG in a resource group and shows that it starts with default rules.
The demo adds an inbound rule for RDP port 3389 and shows the warning associated with exposing that port.
The demo shows how to assign an existing NSG to a subnet in a virtual network.
The demo also shows that NSGs can be created or selected during VNet and subnet creation.
Closing Guidance
NSGs are a simple, free Azure security feature for controlling inbound and outbound traffic by ports and IP addresses.
They are especially useful for internal Azure network security, while more advanced firewall services may be better suited for public-private ingress and egress scenarios.
The speaker strongly recommends deploying NSGs broadly across Azure network infrastructure.
Actiepunten
Use NSGs extensively throughout internal Azure infrastructure because they are free and help shape traffic.
Remember the default NSG rules and values when preparing for the AZ-104 exam.
Use a rule priority numbering system with gaps to allow future growth.
Ensure NSG rule order produces the intended effective traffic behavior.
Watch other videos in the course or explore Microsoft Learn to continue learning.