In the context of the Azure Administrator Associate certification, Network Security Groups (NSGs) and Application Security Groups (ASGs) are fundamental components for securing virtual networks.
**Network Security Groups (NSGs)** act as the primary stateful packet filtering firewall for Azure Virtual Networks to control traffic flow. An NSG contains a list of access control rules that allow or deny inbound or outbound traffic based on the 5-tuple information: source IP, source port, destination IP, destination port, and protocol. These rules are processed in priority order, with lower numbers taking precedence. While NSGs can be associated with individual Network Interfaces (NICs), it is generally best practice to associate them with Subnets to enforce a standardized security policy across all resources within that segment.
**Application Security Groups (ASGs)** are used to simplify the management of these NSG rules by abstracting specific IP addresses. ASGs allow you to group virtual machines (via their NICs) based on their application workload or function, such as 'WebServers' or 'DatabaseClusters,' regardless of their network topology.
**Combined Implementation**: Without ASGs, scaling an application requires manually updating NSG rules with the IP addresses of every new server. With ASGs, you define an NSG rule once—for example, 'Allow HTTPS to Destination: WebServer-ASG'. When you deploy new VMs, you simply associate their NICs with the 'WebServer-ASG', and the security rules are automatically applied. This approach decouples security definitions from static IP addresses, streamlining network segmentation and significantly reducing administrative overhead and the risk of misconfiguration.
Network Security Groups (NSGs) and Application Security Groups (ASGs)
**Why is this Important?** Network security is a core pillar of the Azure Administrator Associate (AZ-104) certification. Understanding Network Security Groups (NSGs) and Application Security Groups (ASGs) is critical because they act as the primary firewall for internal and external traffic within an Azure Virtual Network (VNet). You cannot secure a VNet or pass the exam without mastering how traffic is filtered, prioritized, and grouped using these tools.
**What are Network Security Groups (NSGs)?** An NSG is an Azure resource that acts as a virtual firewall for your network. It contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNets).
**Key Characteristics:**
- Stateful: NSGs are stateful, meaning that if you allow an inbound request, the return outbound traffic is automatically allowed, regardless of outbound rules.
- 5-Tuple Matching: Rules are matched on Source IP, Source Port, Destination IP, Destination Port, and Protocol.
- Scope: NSGs can be associated with Subnets (recommended) or with the standard Network Interfaces (NICs) attached to VMs.
**How NSGs Work** The NSG processes rules in a specific order based on Priority. A lower number indicates a higher priority.
**1. Priority & Processing:** Custom rule priorities range from 100 to 4096. Azure evaluates rules in ascending order, starting at priority 100. Once a rule matches the traffic (e.g., Port 80 is allowed), processing stops. A conflicting rule further down the list (e.g., priority 200 Deny Port 80) is never evaluated.
**2. Default Rules:** Every NSG comes with default rules (Priorities 65000, 65001, 65500) that cannot be deleted, but they can be overridden by creating a rule with a higher priority (lower number):
- AllowVnetInBound: Allows traffic within the virtual network, including between subnets.
- AllowInternetOutBound: Allows VMs to initiate connections to the Internet.
- DenyAllInBound: Blocks all inbound traffic not explicitly allowed by a preceding rule.
**What are Application Security Groups (ASGs)?** ASGs are an abstraction layer that simplifies rule management. Instead of defining rules based on specific IP addresses (which change), you define rules based on the function of the VM (e.g., 'WebServers', 'DBServers').
**How ASGs Work:**
1. Create an ASG (e.g., 'Web-ASG').
2. Associate the Network Interface (NIC) of a VM with that ASG.
3. In your NSG rule, set the Source or Destination to 'Application Security Group' and select 'Web-ASG'.
Benefit: If you add 10 new web servers, you just add their NICs to the ASG. You do not need to touch the NSG rules.
**Exam Tips: Answering Questions on Network Security Groups (NSGs) and ASGs** When facing scenario-based questions on the AZ-104 exam, apply the following logic:
**1. The 'Subnet vs. NIC' Trap (Double Filtering)** If an NSG is applied to a Subnet AND a different NSG is applied to a specific VM's NIC, traffic must pass BOTH to be successful.
- Inbound Traffic: Must pass the Subnet NSG first, then the NIC NSG.
- Outbound Traffic: Must pass the NIC NSG first, then the Subnet NSG.
- Tip: If the Subnet allows Port 80 but the NIC denies Port 80, the traffic is blocked.
**2. Calculated Priority** Always look at the priority numbers. If rule A says 'Allow' at priority 110 and rule B says 'Deny' at priority 100, rule B wins. The moment a match is found, the evaluation stops.
**3. Implicit Deny** Remember that the DenyAllInBound default rule acts as a catch-all safety net. If a question asks why traffic is blocked and there is no explicit allow rule, it is falling through to the default deny rule.
**4. ASG Usage** If a question asks how to minimize administrative effort when managing rules for multiple VMs with dynamic IPs, the answer is almost always Application Security Groups. Keywords: 'Dynamic IP', 'Scaling', 'Minimize maintenance'.
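The following toy simulator is an added example for these notes; it is not Azure code and not an official Azure tool. It models, in one place, the behaviour described under "How NSGs Work", "How ASGs Work" and the exam tips: rules are walked in ascending priority and the first match decides; the non-deletable default rules sit behind every custom rule so unmatched inbound traffic falls through to DenyAllInBound; an ASG used as a rule's source or destination resolves to the private IPs of its member NICs, so adding a NIC to the ASG extends the rule without editing it; and with both a subnet NSG and a NIC NSG present, inbound traffic must be allowed by the subnet NSG first and then by the NIC NSG. The VNet range, addresses, ASG names and rule names are constructed for the example.

```python
"""Toy model of Azure NSG inbound rule evaluation (added illustration, not Azure code)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample VNet and ASG membership (ASG name -> private IPs of member NICs).
VNET = ip_network("10.0.0.0/16")
ASGS = {"Web-ASG": {"10.0.1.4", "10.0.1.5"}, "DB-ASG": {"10.0.2.4"}}


@dataclass
class Rule:
    name: str
    priority: int            # custom rules: 100-4096; default rules use 65000 and above
    access: str              # "Allow" or "Deny"
    protocol: str = "*"      # "Tcp", "Udp" or "*"
    dest_port: str = "*"     # "*" or a single port such as "443"
    source: str = "*"        # "*", "Internet", "VirtualNetwork", a CIDR, or an ASG name
    destination: str = "*"   # same forms as source


# The non-deletable inbound defaults: lowest priority, so any custom rule is checked first.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    Rule("DenyAllInBound", 65500, "Deny"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    """Match one address against a rule's source/destination field."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip_address(ip) in VNET
    if spec == "Internet":
        return ip_address(ip) not in VNET
    if spec in ASGS:                      # ASG: decided by membership, not by topology
        return ip in ASGS[spec]
    return ip_address(ip) in ip_network(spec, strict=False)


def _matches(rule: Rule, pkt: dict) -> bool:
    return (
        rule.protocol in ("*", pkt["protocol"])
        and rule.dest_port in ("*", str(pkt["dst_port"]))
        and _addr_matches(rule.source, pkt["src_ip"])
        and _addr_matches(rule.destination, pkt["dst_ip"])
    )


def evaluate(custom_rules: list[Rule], pkt: dict) -> tuple[str, str]:
    """Return (access, matching rule name) for one inbound packet.

    Rules are walked in ascending priority; the first match decides, so a
    conflicting rule with a higher number is never consulted.
    """
    for r in custom_rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: custom rule priority must be 100-4096")
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, pkt):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every packet")


def inbound_double_filter(subnet_rules: list[Rule], nic_rules: list[Rule] | None, pkt: dict) -> tuple[str, str]:
    """Inbound traffic must be allowed by the subnet NSG first, then by the NIC NSG (if any)."""
    for label, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        if rules is None:
            continue
        access, name = evaluate(rules, pkt)
        if access == "Deny":
            return "Deny", f"{label}:{name}"
    return "Allow", "both"


# Constructed subnet NSG: the priority-200 deny is shadowed by the priority-100 allow.
SUBNET_NSG = [
    Rule("AllowHttpsToWeb", 100, "Allow", "Tcp", "443", "Internet", "Web-ASG"),
    Rule("DenyHttpsToWeb", 200, "Deny", "Tcp", "443", "*", "Web-ASG"),
]
# Constructed NIC NSG on one web VM that denies HTTPS regardless of the subnet NSG.
STRICT_NIC_NSG = [Rule("DenyHttpsOnNic", 100, "Deny", "Tcp", "443")]


def demo() -> dict:
    https = {"src_ip": "203.0.113.10", "dst_ip": "10.0.1.4", "protocol": "Tcp", "dst_port": 443}
    ssh = dict(https, dst_port=22)
    results = {
        "https_from_internet": evaluate(SUBNET_NSG, https),                  # explicit allow wins
        "ssh_from_internet": evaluate(SUBNET_NSG, ssh),                      # implicit deny
        "ssh_from_db_tier": evaluate(SUBNET_NSG, dict(ssh, src_ip="10.0.2.4")),  # default VNet allow
        "double_filter": inbound_double_filter(SUBNET_NSG, STRICT_NIC_NSG, https),  # NIC NSG blocks
    }
    # Scaling out: add a new NIC to the ASG and the existing rule covers it unchanged.
    ASGS["Web-ASG"].add("10.0.1.6")
    results["new_web_vm"] = evaluate(SUBNET_NSG, dict(https, dst_ip="10.0.1.6"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} -> {outcome}")
```

Running the script prints one line per scenario; the "double_filter" case shows the exam trap in action, since the subnet NSG allows HTTPS but the packet is still reported as denied by the NIC NSG. The real Azure evaluation also applies service tags such as AzureLoadBalancer and the outbound rule set, which this model leaves out.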