IntermediateLesson 4 of 10

Network Security

Secure traffic paths with layered controls: NSGs for subnet/NIC filtering, Azure Firewall for centralized policy, and application security principles for least-privilege connectivity.

What Is It? (Simple Explanation)

Network security means allowing only required traffic and blocking everything else by default.

Why Do We Need It?

To prevent unauthorized access and lateral movement.
To enforce compliance and segmentation requirements.
To reduce blast radius when one component is compromised.

Real-world Analogy

Building security has gate checks, floor access cards, and restricted server rooms. NSGs are gate checks. Firewall is centralized screening.

How It Works (Technical)

Control	Scope	Use Case
NSG	Subnet or NIC	Allow only required ports per tier
Azure Firewall	Central appliance	Egress control, FQDN filtering, threat intel
App Security Basics	Application layer	TLS termination, WAF, private endpoints

Visual Representation

Layered Network Defense

Ingress

App Gateway + WAF

Subnet Layer

NSG rules per subnet

Egress Layer

Azure Firewall

Allow-list outbound

Private Services

Private endpoints

No public exposure

Hands-on Commands

Azure CLI

# Create NSG and inbound rule for HTTPS only
az network nsg create -g rg-net-sec -n nsg-web
az network nsg rule create -g rg-net-sec --nsg-name nsg-web -n allow-https \
  --priority 100 --direction Inbound --access Allow --protocol Tcp \
  --source-address-prefixes Internet --destination-port-ranges 443

# Deny all inbound (explicit high priority)
az network nsg rule create -g rg-net-sec --nsg-name nsg-web -n deny-all-inbound \
  --priority 4096 --direction Inbound --access Deny --protocol '*' --source-address-prefixes '*' --destination-port-ranges '*'

# Associate NSG to subnet
az network vnet subnet update -g rg-net-sec --vnet-name vnet-prod -n snet-web --network-security-group nsg-web

Real-world Use Case

A healthcare app uses NSGs to isolate subnets, Azure Firewall for controlled internet egress, and private endpoints for PaaS databases so no direct public DB access exists.

Debugging Scenario

Issue: API works internally but fails from frontend subnet.

Check effective NSG rules on both source and destination NIC/subnets.
Validate route table path to ensure traffic is not bypassing firewall or dropped.
Review firewall policy logs for denied flows.
Verify app listens on expected port and health probe path.

Interview Questions

Beginner

What is an NSG?

A rule-based L3/L4 packet filter used at subnet or NIC scope in Azure.

Intermediate

When use Azure Firewall over NSG-only design?

When centralized policy, outbound filtering, DNAT/SNAT controls, and logging at network edge are needed.

Scenario-based

How do you secure a database so only app subnet can reach it?

Use private endpoint or private IP, deny public access, apply NSG allow rule only from app subnet and specific DB port.

Summary

Strong Azure network security uses layers: subnet filtering, centralized firewall control, and private service exposure. Design with deny-by-default and explicit allow rules.

PreviousSubnets & IP Addressing NextLoad Balancing & Traffic Management