Applying NSGs, ASGs, and VMs to enforce secure communication between application tiers in Azure.
Project Overview
In this project, I built on top of my hub-and-spoke architecture by configuring network security controls within my Azure environment. The goal was to simulate a secure workload deployment where frontend web servers and backend databases can communicate safely, while still restricting unnecessary traffic.
This was my 19th Azure project, and it focused on Application Security Groups (ASGs) and Network Security Groups (NSGs).
Objectives
Deploy VMs in the frontend and backend subnets of app-vnet.
Create and associate an Application Security Group (ASG) for frontend servers.
Create and associate a Network Security Group (NSG) for the backend subnet.
Configure inbound rules to allow secure SSH traffic from the frontend ASG to backend servers.
Architecture Diagram
Create an Application Security Group (ASG)
Name: app-frontend-asg
Region: East US
Resource Group: RG1
Associated it with VM1 (frontend web server).
Create and Associate a Network Security Group (NSG)
Name: app-vnet-nsg
Associated with the backend subnet of app-vnet.
Add Inbound Security Rule
Rule to allow SSH traffic from frontend ASG to backend servers.

| Property | Value |
| --- | --- |
| Source | Any |
| Destination | ASG (app-frontend-asg) |
| Service | SSH |
| Action | Allow |
| Priority | 100 |
| Name | AllowSSH |

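
To check which rule decides a given flow under the configuration above, this added example (not part of the original project) models NSG inbound evaluation in simplified form: rules are tried in ascending priority and the first match wins, with Azure's built-in AllowVnetInBound and DenyAllInBound rules behind the custom one. The IP addresses, the `10.1.` VNet prefix, the backend VM and the ASG-as-source variant are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: VM1 is the page's frontend VM; its IP is an assumption.
ASG_MEMBERS = {"app-frontend-asg": {"10.1.0.4"}}
VNET_PREFIX = "10.1."  # assumed address space, stand-in for the VirtualNetwork tag

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str        # "Any", "VirtualNetwork", or an ASG name
    destination: str   # same selector kinds as source
    port: object       # int or "*"
    action: str

# Azure's built-in inbound rules (AllowAzureLoadBalancerInBound omitted for brevity).
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Any", "Any", "*", "Deny"),
]

def _matches(selector, ip):
    if selector == "Any":
        return True
    if selector == "VirtualNetwork":
        return ip.startswith(VNET_PREFIX)
    return ip in ASG_MEMBERS.get(selector, set())

def evaluate(custom_rules, src_ip, dst_ip, port):
    """Return (rule name, action) of the first matching rule, lowest priority number first."""
    for r in sorted(custom_rules + DEFAULTS, key=lambda r: r.priority):
        if _matches(r.source, src_ip) and _matches(r.destination, dst_ip) and r.port in ("*", port):
            return r.name, r.action
    raise AssertionError("unreachable: DenyAllInBound matches everything")

# The rule exactly as entered in the table, and a variant with the ASG as the source.
AS_IN_TABLE = [Rule("AllowSSH", 100, "Any", "app-frontend-asg", 22, "Allow")]
ASG_AS_SOURCE = [Rule("AllowSSH", 100, "app-frontend-asg", "Any", 22, "Allow")]

# Constructed addresses: VM1, a hypothetical backend VM, and an external host.
FRONTEND, BACKEND, OUTSIDE = "10.1.0.4", "10.1.1.4", "203.0.113.10"

if __name__ == "__main__":
    for label, rules in (("table", AS_IN_TABLE), ("variant", ASG_AS_SOURCE)):
        print(label, "frontend->backend:22  ", evaluate(rules, FRONTEND, BACKEND, 22))
        print(label, "outside->backend:22   ", evaluate(rules, OUTSIDE, BACKEND, 22))
        print(label, "frontend->backend:1433", evaluate(rules, FRONTEND, BACKEND, 1433))
```

In this model the rule as entered in the table does not match frontend-to-backend SSH, because the backend VM is not a member of app-frontend-asg; the flow is allowed by the default AllowVnetInBound rule instead. On a live deployment, Network Watcher's IP flow verify reports which rule allowed or denied a flow.
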
Key Takeaways
ASGs simplify security by grouping VMs logically instead of by IP.
NSGs filter inbound and outbound traffic at subnet and NIC levels.
Subnet separation (frontend/backend) provides a strong security layer.
Using ASG + NSG together creates scalable and easy-to-manage security policies.
Next Steps
Add Azure Firewall for centralized control.
Configure UDRs to route traffic through the firewall.
Deploy a sample web app and database for end-to-end testing.
Closing Thoughts
This project deepened my understanding of network isolation and security in Azure. Configuring NSGs and ASGs is one of the most practical skills for both certification prep and real-world deployments.
I would like to hear from others:
How do you usually design network security in Azure?