Author : HASSAN MD TAREQ | Updated : 2020/10/15

Networking in Azure

Network Security Groups

  • In short NSG
  • Attached to subnets or network cards
  • Each NSG can be linked to multiple resources
  • NSGs are stateful
  • NSGs properties include
    • Name
    • Priority
    • Source or destination
    • Protocol
    • Direction
    • Port range
    • Action

What NSG does?

  • Filter traffic: NSGs allow or deny inbound and outbound traffic
  • Contain rules: Rules are ordered based on a number from 100 (processed first) to 4096 (processed last)

NSG problem and solution

Problem with NSGs:

  • Can become complex: Can contain lots of rules, the more rules we need the more complex the design
  • Can be difficult to maintain: If we add more resources, we may need to update several network security groups


  • Use service tags: Represent services like Azure load balancer or API management and locations like internet
  • Use the default security rules: Default security allow and deny common traffic
  • Application security groups: Application security groups allow us define a service made up of resources like virtual machines

Application Security Groups

  • Allows us to reference a group of resources
  • Used as a source or destination in network security groups
  • Network security groups are still required
  • Working with application security groups
    • Create the application security group
    • Link the group to resources
    • Use the group when working with network security groups

Azure Firewall

  • Azure managed stateful firewall service
  • Protects access to virtual networks
  • Highly available
  • Features include
    • Threat intelligence
    • Outbound and inbound NAT support
    • Integration with Azure Monitor
    • Network traffic filtering rules
    • Unrestricted scalability

Azure firewall overview

Azure DDoS protection

  • DDoS mitigation for networks and applications
  • Always-on monitoring
  • Application layer protection
  • Integration with Azure monitor
  • Features offered
    • Multi-layered protection
    • Attack analytics
    • Scale and elasticity
    • Protection against unplanned costs

DDoS protection service tier

  • Basic tier:
    • Active traffic monitoring and always on detection
    • Availability Guarantee
    • Backed by an SLA
    • Free
  • ** Standard tier**:
    • Everything offered by the basic tier
    • Real time Metrics
    • Post attack reports
    • Access to DDoS experts during and active attack
    • Security information and event management (SIEM) integration
    • Monthly fee and usage based

User defined routes

  • Default system routes are enabled by default
  • System routes allow routing between subnet and to the internet
  • User defined routes allow us to override Azure’s default system routes
  • Often used when we want traffic to be filtered through a virtual appliance