Oladosu Ibrahim

Creating and Configuring Network Security Groups in Azure: A Step-by-Step Guide

Introduction

When building applications in Azure, securing traffic between workloads is just as important as deploying them. Virtual networks provide isolation, but Network Security Groups (NSGs) and Application Security Groups (ASGs) allow you to finely control how traffic flows between subnets, servers, and the internet.

In this guide, we’ll walk through how to:

  • Create an NSG and apply security rules.
  • Deploy an ASG for grouping frontend web servers.
  • Associate NSGs to subnets and ASGs to VM interfaces.
  • Test the setup with virtual machines in frontend and backend subnets.

By the end, you’ll know how to control inbound and outbound access in your Azure virtual network using NSGs and ASGs.

Skilling Objectives

You will learn how to:

  • Deploy and configure NSGs.
  • Create inbound rules for secure communication.
  • Group workloads using ASGs for simplified management.
  • Attach NSGs to subnets and ASGs to VM NICs.

Architecture Overview

The architecture in this exercise includes:

  • Frontend subnet hosting web servers that must be internet-accessible. These servers are grouped with an Application Security Group (ASG) for easier rule management.
  • Backend subnet hosting database servers that should only be accessible by the frontend servers. A Network Security Group (NSG) controls access to this subnet.
  • Two Ubuntu virtual machines:

    • VM1 in the frontend subnet.
    • VM2 in the backend subnet.

This setup ensures that only approved traffic passes through, with NSGs and ASGs enforcing the rules at both subnet and VM interface levels.

Step 1: Deploy the Virtual Machines

Why start here?
The VMs are needed to test connectivity between the frontend and backend subnets once NSGs and ASGs are configured.

  1. Open the Azure Cloud Shell or go to shell.azure.com.
  2. Select PowerShell as the environment.
  3. Run the following command to deploy VM1 and VM2:

$RGName = "RG1"
New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/main/Instructions/Labs/azuredeploy.json

  4. In the portal, search for Virtual Machines and verify that both VM1 and VM2 are in the Running state.

✅ You now have test VMs ready to validate your NSG and ASG configuration.

Step 2: Create an Application Security Group (ASG)

Why use ASGs?
Instead of writing rules for each VM, ASGs let you group similar workloads (e.g., all frontend servers) and apply security rules to the group.

  1. In the Azure portal, search for Application security groups.
  2. Click + Create.
  3. Configure the group with:

    • Resource group: RG1
    • Name: app-frontend-asg
    • Region: East US

  4. Select Review + create, then Create.

You’ve created an ASG for your frontend web servers.

Step 3: Associate ASG to the Frontend VM

  1. Go to VM1 in the portal.
  2. Under Networking, select Application security groups.
  3. Click + Add application security group.
  4. Choose app-frontend-asg, then click Add.

VM1 is now part of the frontend ASG.

Step 4: Create a Network Security Group (NSG)

Why use NSGs?
NSGs act as virtual firewalls, controlling inbound and outbound traffic at the subnet or NIC level.

  1. Search for Network security groups in the portal.
  2. Click + Create.
  3. Configure with:

    • Resource group: RG1
    • Name: app-vnet-nsg
    • Region: East US

  4. Select Review + create, then Create.

You now have an NSG ready to secure your backend subnet.

Step 5: Associate the NSG to the Backend Subnet

  1. Open the app-vnet-nsg resource.
  2. Under Settings, select Subnets.
  3. Click + Associate.
  4. Choose the app-vnet virtual network and select the Backend subnet.
  5. Click OK.

Traffic to the backend subnet is now governed by your NSG rules.

Step 6: Create NSG Rules

Why rules?
Rules define what traffic is allowed or denied. By default, NSGs block inbound traffic unless explicitly permitted.

  1. Open app-vnet-nsg.
  2. Under Settings, select Inbound security rules.
  3. Click + Add.
  4. Configure the rule as follows:

    • Source: Any
    • Source port ranges: *
    • Destination: Application security group
    • Destination ASG: app-frontend-asg
    • Service: SSH
    • Action: Allow
    • Priority: 100
    • Name: AllowSSH

  5. Click Add to save the rule.

This rule allows frontend servers in the ASG to connect securely to backend servers using SSH.
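
Steps 2 to 6 scripted with the Az PowerShell module, as an added example that is not part of the original guide. It assumes the names used above (RG1, app-vnet, Backend, VM1, East US as eastus) and that VM1 has a single NIC with one IP configuration.

```powershell
# Added example, not from the original guide. Names are the ones used in the steps above.
$rg  = 'RG1'
$loc = 'eastus'   # East US

# Step 2: ASG that groups the frontend web servers
$asg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'app-frontend-asg' -Location $loc

# Step 3: add VM1's NIC to the ASG
# Assumption: VM1 has one NIC with a single IP configuration.
$vm  = Get-AzVM -ResourceGroupName $rg -Name 'VM1'
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic.IpConfigurations[0].ApplicationSecurityGroups = $asg
$nic | Set-AzNetworkInterface | Out-Null

# Step 4: NSG with no custom rules yet (Azure's built-in default rules still apply)
New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'app-vnet-nsg' -Location $loc | Out-Null

# Step 5: associate the NSG with the Backend subnet of app-vnet.
# Only the subnet's NSG reference is changed before the VNet is written back.
$nsg    = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'app-vnet-nsg'
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'app-vnet'
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'Backend' }
if (-not $subnet) { throw "Subnet 'Backend' not found in app-vnet" }
$subnet.NetworkSecurityGroup = $nsg
$vnet | Set-AzVirtualNetwork | Out-Null

# Step 6: inbound rule with the same fields as the portal form:
# source Any, destination = members of app-frontend-asg, service SSH (TCP 22).
$rule = @{
    Name                                  = 'AllowSSH'
    Direction                             = 'Inbound'
    Access                                = 'Allow'
    Priority                              = 100
    Protocol                              = 'Tcp'
    SourceAddressPrefix                   = '*'
    SourcePortRange                       = '*'
    DestinationApplicationSecurityGroupId = $asg.Id
    DestinationPortRange                  = '22'
}
# Re-read the NSG so the rule is added to its current state.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'app-vnet-nsg'
$nsg | Add-AzNetworkSecurityRuleConfig @rule | Set-AzNetworkSecurityGroup | Out-Null

# Review the custom rules and the subnet association that were written.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'app-vnet-nsg'
$nsg.SecurityRules | Select-Object Name, Priority, Direction, Access, Protocol, DestinationPortRange
$nsg.Subnets | Select-Object Id
```

Run it in the same Cloud Shell PowerShell session once the Step 1 deployment has finished.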

Conclusion

In this hands-on guide, you built a secure network structure with NSGs and ASGs:

  • Two test VMs deployed in frontend and backend subnets.
  • An Application Security Group (ASG) created for frontend servers.
  • A Network Security Group (NSG) created and applied to the backend subnet.
  • Security rules that allow controlled SSH traffic between frontend and backend workloads.

By combining NSGs and ASGs, you achieve more granular control of traffic flow while keeping your Azure environment secure and manageable.

This design is a practical blueprint for real-world scenarios where web apps must communicate with databases while minimizing exposure to the internet.
