Introduction:
Creating and configuring secure virtual networks in Azure is more than just connecting resources — it’s about building an environment where applications can communicate safely, efficiently, and without unnecessary exposure to the internet.
Recently, I worked on a scenario focused on implementing Network Security Groups (NSGs) and Application Security Groups (ASGs) within an Azure virtual network architecture. The goal was simple: strengthen traffic control between frontend and backend systems while maintaining secure access for users and applications.
The environment was designed around two critical subnets inside an Azure Virtual Network (VNet):
Frontend Subnet
This subnet hosted web servers that needed to be accessible from the internet. To simplify management and improve security, an Application Security Group (ASG) was created and linked to the virtual machine interfaces belonging to the frontend servers.
To allow secure user access, an inbound NSG rule was configured to permit HTTPS traffic using:
- Protocol: TCP
- Port: 443
This setup ensures encrypted communication between users and the web application while reducing unnecessary exposure.
Backend Subnet
The backend subnet contained database servers responsible for handling application data. Since database servers should never be directly exposed publicly, tighter controls were implemented using a dedicated Network Security Group (NSG).
An inbound security rule was then created to allow traffic only from the frontend ASG to the backend servers using:
- Service: MS SQL
- Port: 1433
This approach follows the principle of least privilege by ensuring only approved frontend resources can communicate with the database layer.
To complete the deployment, two Ubuntu virtual machines were provisioned using an Azure Resource Manager (ARM) template:
- VM1 deployed in the frontend subnet
- VM2 deployed in the backend subnet
One thing I appreciated during this project was how Azure networking services make it possible to create layered security models that are both scalable and easy to manage. Instead of assigning rules individually to every VM, ASGs and NSGs help centralize traffic policies and simplify administration as environments grow.
This scenario reinforced the importance of:
- Segmented network architecture
- Controlled inbound and outbound traffic
- Secure communication between application layers
- Infrastructure automation using ARM templates
- Cloud security best practices in Microsoft Azure
Cloud networking is not just about connectivity anymore — security and intelligent traffic management are now at the center of modern infrastructure design.
Skilling Tasks
- Create an NSG.
- Create NSG rules.
- Associate an NSG to a subnet.
- Create and use Application Security Groups in NSG rules.
In this guide, I’ll walk you through a simple step-by-step process for creating and configuring Network Security Groups (NSGs) in Azure: creating NSGs, setting up security rules, associating NSGs with subnets, and using Application Security Groups (ASGs) to better control and secure network traffic between your resources. By the end of this walkthrough, you’ll have a clearer understanding of how Azure network security works in real-world environments.
Create the network infrastructure for the exercise
Note: This exercise requires the Lab 01 virtual networks and subnets to be installed. A template is provided if you need to deploy those resources.
- Use the icon (top right) to launch a Cloud Shell session. Alternatively, navigate directly to https://shell.azure.com.
- If prompted to select either Bash or PowerShell, select PowerShell.
- Storage is not required for this task. Select your subscription. Apply your changes.
- Use this command to deploy the two virtual machines required for this exercise.
New-AzResourceGroupDeployment -ResourceGroupName RG1 -TemplateFile ./create-vnets-vms-template.json
- In the portal, search for and select virtual machines. Verify both vm1 and vm2 are Running.
Create Application Security Group
Application security groups (ASGs) let you group together servers with similar functions, for example, all the web servers hosting your application.
- In the portal, search for and select Application security groups.
- Select + Create and configure the application security group.
Property Value
Subscription: Select your subscription
Resource group: RG1
Name: app-frontend-asg
Region: East US

- Select Review + create and then select Create.
Note: You are creating the application security group in the same region as the existing virtual network.
Associate the application security group to the network interface of the VM
- In the Azure portal, search for and select VM1.
- In the Networking blade, select Application security groups and then select Add application security groups.
- Select the app-frontend-asg and then select Add.
Create and Associate the Network Security Group
Network security groups (NSGs) secure network traffic in a virtual network.
- In the portal, search for and select Network security group.
- Select + Create and configure the network security group.
Property Value
Subscription: Select your subscription
Resource group: RG1
Name: app-vnet-nsg
Region: westus2
- Select Review + create and then select Create.
Associate the NSG with the app-vnet backend subnet.
NSGs can be associated with subnets and/or individual network interfaces attached to Azure virtual machines.
- Select Go to resource or navigate to the app-vnet-nsg resource.
- In the Settings blade, select Subnets.
- Select + Associate.
- Select app-vnet (RG1) and then the Backend subnet. Select OK.
Create Network Security Group rules
An NSG uses security rules to filter inbound and outbound network traffic.
- In the search box at the top of the portal, enter Network security groups. Select Network security groups in the search results.
- Select app-vnet-nsg from the list of network security groups.
- In the Settings blade, select Inbound security rules.
- Select + Add and configure an inbound security rule.
Property Value
Source: Any
Source port ranges: *
Destination: Application Security group
Destination application security group: app-frontend-asg
Service: SSH
Action: Allow
Priority: 100
Name: AllowSSH
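The portal steps above, scripted with Az PowerShell for the same Cloud Shell session, as an added example that is not part of the original walkthrough. It also creates the MS SQL rule described in the introduction; the rule name AllowSqlFromFrontend, its priority of 110, and taking the region from the virtual network are assumptions.

```powershell
# Added example. RG1, app-vnet, Backend, VM1, app-frontend-asg, app-vnet-nsg
# and AllowSSH come from the walkthrough; items marked "assumption" do not.
$rg   = 'RG1'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'app-vnet'
$loc  = $vnet.Location   # assumption: create the ASG and NSG in the VNet's region

# 1. Application security group for the frontend web servers
$asg = New-AzApplicationSecurityGroup -ResourceGroupName $rg `
         -Name 'app-frontend-asg' -Location $loc

# 2. Attach the ASG to the first network interface of VM1
$vm  = Get-AzVM -ResourceGroupName $rg -Name 'VM1'
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic.IpConfigurations[0].ApplicationSecurityGroups = @($asg)
$nic | Set-AzNetworkInterface | Out-Null

# 3. Inbound rule from the walkthrough: SSH (TCP 22) to members of the ASG
$ssh = New-AzNetworkSecurityRuleConfig -Name 'AllowSSH' -Direction Inbound `
         -Access Allow -Priority 100 -Protocol Tcp `
         -SourceAddressPrefix '*' -SourcePortRange '*' `
         -DestinationApplicationSecurityGroupId $asg.Id -DestinationPortRange '22'

# Inbound rule described in the introduction: MS SQL (TCP 1433) only from the
# frontend ASG. Name and priority are assumptions.
$sql = New-AzNetworkSecurityRuleConfig -Name 'AllowSqlFromFrontend' -Direction Inbound `
         -Access Allow -Priority 110 -Protocol Tcp `
         -SourceApplicationSecurityGroupId $asg.Id -SourcePortRange '*' `
         -DestinationAddressPrefix '*' -DestinationPortRange '1433'

# 4. Network security group carrying both rules
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'app-vnet-nsg' `
         -Location $loc -SecurityRules $ssh, $sql

# 5. Associate the NSG with the Backend subnet, keeping its address prefix
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Backend'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg |
    Set-AzVirtualNetwork | Out-Null

# 6. Review the custom rules in evaluation order (lowest priority number first)
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'app-vnet-nsg' |
    Get-AzNetworkSecurityRuleConfig | Sort-Object Priority |
    Format-Table Name, Priority, Access, Direction, DestinationPortRange
```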
Key Takeaways
Application security groups help you group virtual machines by the apps they run, so you can easily set security rules for those apps.
Network security groups act like filters, controlling which traffic can move in and out of your Azure resources.
You can attach one security group (or none) to each subnet or virtual machine’s network card.
Inside a network security group are rules that decide whether traffic is allowed or blocked.
To make things easier, you connect virtual machines to an application security group, then use that group as the source or destination in your network rules.
Summary
In this scenario, the organization wants to strengthen security and better control the flow of network traffic within the app-vnet environment. The setup includes a frontend subnet that hosts web servers accessible from the internet and a backend subnet that contains database servers used by the frontend applications.
To improve security management, an Application Security Group (ASG) is used for the frontend web servers, making it easier to organize and manage virtual machines that belong to the same application layer. A Network Security Group (NSG) is also implemented to control and filter traffic between the frontend and backend resources, ensuring that only approved communication is allowed between the web servers and the database servers.
For testing and deployment purposes, two Ubuntu virtual machines are created: VM1 in the frontend subnet and VM2 in the backend subnet. These virtual machines are deployed using an Azure Resource Manager (ARM) template provided by the IT team, helping automate and standardize the deployment process.
In conclusion, using NSGs and ASGs in Azure helps create a more secure and well-organized network environment. By controlling how traffic flows between the frontend and backend resources, the organization can better protect its applications while still allowing the right communication between services. This setup also highlights how ARM templates make deployments faster, more consistent, and easier to manage in real-world cloud environments.