DEV Community

Cover image for Mastering Azure Management Task: A Hands-On Project (Part 2)
Emmanuel
Emmanuel

Posted on • Edited on • Originally published at dev.to

Mastering Azure Management Task: A Hands-On Project (Part 2)

Securing Your Virtual Network with Subnets and Network Security Groups

In Part 1, we built the foundation of our Azure environment: a resource group, a virtual network, a virtual machine, and a storage account. Now it's time to put that network to work.

In this post, we are playing the role of an Azure admin who is asked to prepare the network for a new FTP (File Transfer Protocol) server. The task involves three steps: creating a dedicated subnet for FTP traffic, locking it down with a Network Security Group (NSG), and associating the two together.

Before you begin: This exercise builds directly on the environment created in Part 1. Make sure you have the guided-project-vnet virtual network and guided-project-rg resource group already in place before continuing.

Task 1: Create a New Subnet on the Existing VNet

Log in to the Azure portal.
In the search bar, type Virtual networks and select it under Services.
Select guided-project-vnet from the list.

In the left-hand menu under Settings, select Subnets.
Click + Subnet to add a new one.

Leave the Subnet purpose set to Default.
For Name, enter ftpSubnet.
Leave all other settings at their defaults and click Add.

Click Home to return to the portal home page.

You now have a dedicated subnet for your FTP server.

Task 2: Create a Network Security Group (NSG)

A Network Security Group acts like a firewall at the subnet level. It contains a set of inbound and outbound rules that control which traffic is allowed in or out.

From the portal home page, search for Virtual networks again and select it. This time, select Network security groups from the left-hand panel.
Click + Create.

Verify your subscription is correct.
Select guided-project-rg as the resource group.
Enter ftpNSG as the name.
Click Review + create, then Create once validation passes.
Wait for the deployment to complete, then click Go to resource.

Add an Inbound Security Rule

Now that the NSG exists, we need to tell it what traffic to allow. SFTP runs over SSH on port 22, so we will create a rule that permits inbound TCP traffic on that port.

In the NSG's left-hand menu under Settings, select Inbound security rules.
Click + Add.
Change the Destination port ranges value from 8080 to 22.
Set the Protocol to TCP.
Set the Name to ftpInbound.
Click Add.
Click Home to return to the portal home page.

The NSG now has a rule allowing inbound SFTP traffic on port 22. Next, we need to attach it to the subnet.

Task 3: Associate the NSG with the FTP Subnet

Creating an NSG and creating rules is not enough on its own. The NSG has to be associated with a subnet (or a network interface) before it actually does anything. Let us link ftpNSG to ftpSubnet.

Search for and select Virtual networks from the portal home page.
Select guided-project-vnet.
Under Settings, select Subnets.
Click on ftpSubnet to open it.
On the Edit subnet page, find the Security section and set the Network security group field to ftpNSG.
Click Save.

What You have Built

You have done something meaningful: segmented a virtual network, created a security boundary around it, and restricted access to a single protocol on a single port.

Here is a quick summary of what is now in place:

ftpSubnet — A dedicated subnet within guided-project-vnet, isolated from other VM traffic.
ftpNSG — A Network Security Group with an inbound rule permitting SSH/SFTP traffic on port 22 only.
The NSG is associated with ftpSubnet, meaning the rules are actively enforced on any resource deployed into that subnet.

Follow along to part 3. Let us keep building our Azure administration skills together.

Top comments (0)