How to Create and Configure Network Security Groups in Azure

Introduction
In today’s cloud-first environments, securing and managing network traffic is essential for protecting workloads and maintaining optimal application performance. Azure Network Security Groups (NSGs) serve as virtual firewalls, enabling administrators to control inbound and outbound traffic to Azure resources. When paired with Application Security Groups (ASGs), access policies become easier to manage by grouping similar resources and applying consistent rules across them.

Objectives

• Create a network security group.
• Create network security group rules.
• Associate a network security group to a subnet.
• Create and use application security groups in network security group rules.
• Create a Network Security Group (NSG)
• Provision an NSG that can be associated with the backend subnet of the app-vnet.
• Create Network Security Group Rules
• Define inbound and outbound rules to control traffic flow between the frontend and backend resources.
• Associate a Network Security Group to a Subnet
• Link the NSG to the backend subnet in the app-vnet to secure database server access.
• Create and Use Application Security Groups (ASGs)
• Create an ASG (app-frontend-asg) for web servers in the frontend subnet.
• Associate the ASG with VM1’s network interface.
• Use the ASG in NSG rules to simplify traffic management.
• Deploy and Test Virtual Machines
• Deploy VM1 in the frontend subnet and VM2 in the backend subnet using the provided ARM template.
• Verify traffic control using the configured NSG and ASG rules.

Step 1 Create the network infrastructure for the exercise

• Use the icon (top right) to launch a Cloud Shell session.
  

• Use these commands to deploy the virtual machines required for this exercise. copy and paste the command on the cloudshell.

New-AzResourceGroupDeployment -ResourceGroupName RG1 -TemplateUri
https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/main/Instructions/Labs/azuredeploy.json

• In the portal search for and select virtual machines.

• Verify both vm1 and vm2 are Running.

Step 2 Create Application Security Group

Application security groups (ASGs) let you group together servers with similar functions. For example, all the web servers hosting your application.

• In the portal, search for and select Application security groups.

• Select + Create
  

• Configure the application security group.

• Property Value

• Subscription Select your subscription

• Resource group RG1

• Name app-frontend-asg

• Region East US 2

• Select Review + create
  

• Then select Create.
  

• The application security group as been created successfully
  

Step 3 Associate the application security group to the network interface of the VM

• In the Azure portal, search and select Virtual Machine.
  

• Select LinuxVM1.

• In the Networking blade, select Application security groups and then select Add application security groups.
  

• Select the app-frontend-asg and then select Add.
  

• Application security group as been added to VM1
  

Step 4 Create and Associate the Network Security Group

Network security groups (NSGs) secure network traffic in a virtual network.

• In the portal search for and select Network security group.
  

• Select + Create.
  

• Configure the network security group.

• Property Value

• Subscription Select your subscription

• Resource group RG1

• Name app-vnet-nsg

• Region East US 2

• Select Review + create
  

• Then select Create.
  

• The network security group as been created successfully
  

Step 5 Associate the NSG with the app-vnet backend subnet.

NSGs can be associated with subnets and/or individual network interfaces attached to Azure virtual machines.

• Select Go to resource or navigate to the app-vnet-nsg resource.
  

• In the Settings blade select Subnets.

• Select + Associate

• Select app-vnet (RG1) and then the Backend subnet. Select OK.
  

• Backend submit as been associated to the network security group
  

Step 6 Create Network Security Group rules

An NSG use security rules to filter inbound and outbound network traffic.

• In the search box at the top of the portal, enter Network security groups. Select Network security groups in the search results.
  

• Select app-vnet-nsg from the list of network security groups
  

• In the Settings blade, select Inbound security rules.

• Select + Add and configure an inbound security rule.
  Source: Any
  Source port ranges: *
  Destination: Application Security group
  Destination application security group app-frontend-asg
  Service SSH
  Action: Allow
  Priority: 100
  Name: AllowSSH

• Network security group rule as been created

Conclusion
Through this exercise, you've gained practical experience in implementing network security within Azure. You’ve successfully:

Configured a Network Security Group (NSG) to manage and filter traffic.

Created and linked an Application Security Group (ASG) to frontend virtual machines for streamlined policy control.

Deployed virtual machines across segmented subnets to validate secure communication.

Applied custom NSG rules to enable secure SSH access from frontend to backend resources.

This project highlights the power of NSGs and ASGs working in tandem to deliver fine-grained control over network traffic. With these skills, you're now equipped to design secure, scalable, and well-managed cloud environments that protect workloads and simplify access across Azure infrastructure.