Network Security Overview
Security at the network perimeter: NSGs, Azure Firewall, and secure network design patterns. (Deep networking details → see Azure Networking module.)
🧠 ELI5 Explanation
Network security is like a fortress's walls and gates. NSG = rules for each gate (allow HTTPS, block SSH). Azure Firewall = a smart security guard checking every person and package. Secure design = put walls between different areas (front-end vs database) so that if one gate is breached, an attacker can't automatically get to everything.
Technical Explanation
Network Security Groups (NSGs)
Stateful firewall at VM/subnet level:
- Rules: Define allowed/denied traffic
- Direction: Inbound (incoming) or Outbound (outgoing)
- Stateful: If inbound rule allows request, response is automatically allowed
- Port/Protocol: Specify TCP/UDP, port ranges
Default: NSG denies all inbound, allows all outbound. Add rules to permit specific flows.
Azure Firewall
Managed, stateful firewall service (more powerful than NSG):
- Application-layer filtering: Understands HTTP/HTTPS and FTP, not just ports
- Threat intelligence: Block known malicious IPs/domains
- IDPS: Intrusion Detection/Prevention System
- Deployment: Central hub; traffic from the spoke subnets is routed through it
When to use: Complex organizations, need app-layer rules, central security perimeter.
NSG vs Azure Firewall
| Feature | NSG | Azure Firewall |
|---|---|---|
| Scope | VM/subnet level | VNet/hub level |
| Protocol filtering | Layer 4 (TCP/UDP) | Layer 7 (HTTP, FTP, DNS) |
| Cost | Free | Paid per hour + data processed |
| Best for | Simple rules, per-resource control | Complex rules, central policy |
Secure Network Design Patterns
Defense in depth:
- Perimeter: Public IPs behind load balancer, DDoS protection
- Layer 1 (Edge): Azure Firewall accepts only HTTPS
- Layer 2 (Subnet): NSG allows only necessary protocols
- Layer 3 (App): App validates & sanitizes input
- Layer 4 (Data): DB encrypted, access via private endpoint
Example: Client → DDoS mitigation → Firewall → NSG → Load Balancer → App Subnet → Database (private endpoint)
Visual Representation
Internet
↓
[DDoS Protection]
↓
[Public LB - 443 only]
↓
[Azure Firewall - app-level rules]
↓
Frontend Subnet [NSG: allow 443, deny all else]
↓
Backend Subnet [NSG: allow 5000 from Frontend, deny Internet]
↓
Database (Private Endpoint) [NSG: allow 5432 from Backend only]
Hands-on: NSG Rules
```bash
# Create NSG
az network nsg create --resource-group myRG --name myNSG

# View NSG rules
az network nsg rule list --resource-group myRG --nsg-name myNSG

# Add inbound rule: allow HTTPS from internet
az network nsg rule create \
  --resource-group myRG \
  --nsg-name myNSG \
  --name AllowHTTPS \
  --protocol tcp \
  --direction Inbound \
  --priority 100 \
  --destination-port-ranges 443 \
  --access Allow

# Add inbound rule: deny SSH
az network nsg rule create \
  --resource-group myRG \
  --nsg-name myNSG \
  --name DenySSH \
  --protocol tcp \
  --direction Inbound \
  --priority 200 \
  --destination-port-ranges 22 \
  --access Deny
```
Real-world Use Case
Scenario: A web app with public frontend and private database.
Network Security Setup:
1. Public LB accepts HTTPS (443) only
2. Frontend VMs have NSG: inbound 443, outbound to backend subnet (port 5000)
3. Backend VMs have NSG: inbound from frontend (5000), outbound to DB subnet (5432)
4. Database subnet NSG: inbound 5432 from backend only
5. Database not on internet (private endpoint)
If an attacker compromises a frontend VM: they can't reach the database directly, because the database subnet NSG accepts port 5432 only from the backend subnet. They are confined to the frontend subnet, with the frontend NSG's outbound rule (port 5000 to the backend) as the only permitted path onward.
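As an added example (not code from the page or from Azure), the following Python model of NSG inbound evaluation merges custom rules with the built-in default rules and lets the lowest-numbered match win. The subnet CIDRs, VM addresses and rule names are constructed. It highlights a caveat for step 4: the default AllowVnetInBound rule (priority 65000) still admits the frontend subnet on 5432 unless an explicit deny for other VNet sources is placed ahead of it, which the hardened variant does.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample address plan for the three tiers (not from the page).
SUBNETS = {"Frontend": "10.0.1.0/24", "Backend": "10.0.2.0/24", "Database": "10.0.3.0/24"}
AZURE_LB_PROBE_IP = "168.63.129.16"  # address behind the AzureLoadBalancer service tag

@dataclass(frozen=True)
class Rule:
    priority: int             # custom rules use 100-4096; the lowest number is evaluated first
    name: str
    source: str               # CIDR or service tag: "*", "Internet", "VirtualNetwork", "AzureLoadBalancer"
    dest_port: Optional[int]  # None matches any destination port
    access: str               # "Allow" or "Deny"

# Built-in default inbound rules that every NSG carries at priorities 65000 and above.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", None, "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", None, "Allow"),
    Rule(65500, "DenyAllInBound", "*", None, "Deny"),
]

def in_vnet(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in ipaddress.ip_network(cidr) for cidr in SUBNETS.values())

def source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*": return True
    if rule_source == "VirtualNetwork": return in_vnet(ip)
    if rule_source == "Internet": return not in_vnet(ip)  # simplified Internet service tag
    if rule_source == "AzureLoadBalancer": return src_ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(rule_source)

def evaluate_inbound(custom_rules: List[Rule], src_ip: str, dest_port: int) -> Tuple[str, str]:
    """First-match evaluation in ascending priority order, custom rules merged with the defaults."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.dest_port in (None, dest_port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

# Database subnet NSG written as the use case states it: allow 5432 from the backend subnet only.
DB_NSG_AS_DESCRIBED = [Rule(100, "AllowPostgresFromBackend", SUBNETS["Backend"], 5432, "Allow")]
# Hardened variant: explicit deny for other VNet sources, placed ahead of the default AllowVnetInBound.
DB_NSG_HARDENED = DB_NSG_AS_DESCRIBED + [Rule(200, "DenyOtherVnetInBound", "VirtualNetwork", None, "Deny")]

if __name__ == "__main__":
    frontend_vm = "10.0.1.10"  # constructed address of a compromised frontend VM
    print(evaluate_inbound(DB_NSG_AS_DESCRIBED, frontend_vm, 5432))  # ('Allow', 'AllowVnetInBound')
    print(evaluate_inbound(DB_NSG_HARDENED, frontend_vm, 5432))      # ('Deny', 'DenyOtherVnetInBound')
```

The same gap applies to the backend subnet NSG in step 3, so each tier needs its own explicit VirtualNetwork deny after its allow rules.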
Summary
- NSG: Stateful rules at VM/subnet level, Layer 4 filtering.
- Azure Firewall: Stateful, app-layer filtering, centralized policy.
- Defense in Depth: Combine NSGs, firewall, load balancer, private endpoints.
- Key rule: Deny all by default, explicitly allow what's needed.
Interview Questions
A: Network Security Group. It's a stateful firewall that filters traffic based on rules at Layer 4 (TCP/UDP/port).
A: No. Default deny all inbound, allow only specific ports/protocols needed.
A: Priority is numeric (100-4096). Lower number = higher priority. First matching rule applies. Use gaps (100, 200, 300) for easy insertion.
A: NSG for per-VM rules, Azure Firewall for centralized policy, app-layer filtering, or threat intelligence integration.
A: NSG at database subnet: inbound rule allowing traffic from app subnet on port 5432. If using Kubernetes, Network Policy. If using private endpoints, restrict to app VMs only.