DEV Community

PETER Samuel

How to Create a Secure Subnet and Network Security Group in Azure

When managing cloud infrastructure, security and organization go hand in hand.
Recently, I was tasked with creating a new subnet in an existing Azure Virtual Network (vNet) for an SFTP server and securing it with a Network Security Group (NSG).

This step-by-step guide explains exactly how I did it, using clear language for anyone getting started with Azure.

Scenario
The Azure Administrator needed:

A separate subnet for a new Linux SFTP server.

A Network Security Group to allow only specific inbound traffic (port 22 for SFTP).

The existing subnet to remain untouched for future workloads.

Step 1: Create a New Subnet in an Existing vNet

Log in to the Azure Portal.

In the search bar, type Virtual Networks and select it.

Open your vNet. In my case, it was guided-project-vnet.

Under Settings, select Subnets.

Click + Subnet.

Set the Name to ftpSubnet.

Leave other settings as default and click Add.

At this point, you have a dedicated subnet ready for the SFTP server.

Step 2: Create a Network Security Group (NSG)

From the Azure Home page, search for Network security groups.

Click + Create.

Confirm your subscription and choose the correct resource group (e.g., guided-project-rg).

Set the Name to ftpNSG.

Click Review + create, then Create.

The NSG will control inbound and outbound traffic to the subnet.

Step 3: Add an Inbound Security Rule for SFTP

Open the newly created ftpNSG.

Under Settings, select Inbound security rules.

Click + Add.

Change Destination port ranges to 22.

Set Protocol to TCP.

Name the rule ftpInbound.

Click Add.

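This rule allows inbound TCP traffic on port 22, the port SFTP uses. All other inbound traffic from the internet is blocked by the NSG's default DenyAllInBound rule. With Source left at its default of Any, the rule accepts connections from any address; setting Source to the IP ranges of known SFTP clients narrows it further.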

Step 4: Associate the NSG with the Subnet

Go back to Virtual Networks and open guided-project-vnet.

Under Settings, select Subnets.

Select ftpSubnet.

Under Network security group, choose ftpNSG.

Click Save.

Now, your subnet is protected by the NSG and ready for SFTP traffic.
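To check that the finished NSG exposes only what Steps 2 to 4 intend, the following added example (not part of the original post) evaluates inbound rules in priority order and lists which ports are open to any source. The field names follow the JSON shape printed by `az network nsg show`; the sample NSG, the `rule` helper and the candidate port list are constructed for illustration.

```python
# Constructed sample shaped like `az network nsg show -o json` output, trimmed to
# the fields used here. It mirrors ftpNSG as built above, with Source left at Any.
def rule(name, prio, access, src, ports, proto="*"):
    return {"name": name, "priority": prio, "direction": "Inbound", "access": access,
            "protocol": proto, "sourceAddressPrefix": src, "destinationPortRange": ports}

FTP_NSG = {
    "name": "ftpNSG",
    "securityRules": [rule("ftpInbound", 100, "Allow", "*", "22", "Tcp")],
    "defaultSecurityRules": [
        rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
        rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
        rule("DenyAllInBound", 65500, "Deny", "*", "*"),
    ],
}

ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}  # source values that mean "anyone"

def port_matches(spec, port):
    """True if an NSG port spec ('22', '20-25' or '*') covers the port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def inbound_rules(nsg):
    """Custom and default inbound rules, lowest priority number first."""
    rules = nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", [])
    return sorted((r for r in rules if r["direction"].lower() == "inbound"),
                  key=lambda r: r["priority"])

def open_to_any_source(nsg, port):
    """The first rule matching TCP/port from an unrestricted source decides."""
    for r in inbound_rules(nsg):
        specs = r.get("destinationPortRanges") or [r.get("destinationPortRange") or "*"]
        if (r["protocol"].lower() in ("tcp", "*")
                and (r.get("sourceAddressPrefix") or "").lower() in ANY_SOURCE
                and any(port_matches(s, port) for s in specs)):
            return r["access"].lower() == "allow"
    return False

def exposed_ports(nsg, candidates=(21, 22, 80, 443, 3389)):
    # candidates is an assumed shortlist of commonly probed TCP ports
    return [p for p in candidates if open_to_any_source(nsg, p)]

if __name__ == "__main__":
    print("open to any source:", exposed_ports(FTP_NSG))
```

Rules whose source is a specific address range are treated as restricted, so replacing Any with a client CIDR on ftpInbound removes port 22 from the result.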

Outcome
A dedicated subnet for the new SFTP server.

An NSG whose only custom inbound rule allows TCP traffic on port 22 (SFTP).

A clean and secure network structure that separates workloads.

Why This Matters

By isolating the SFTP server in its own subnet and applying strict inbound rules, you:

Reduce the risk of unauthorized access.

Simplify monitoring and troubleshooting.

Improve overall network organization and scalability.

Top comments (1)

SKILL.SCH

Well done!