
Azure NSG: Securing Traffic with Network Security Groups

Deep Dive Cert Sensei Team 2027-10-30 8 min read

Azure Network Security Groups (NSGs) are optional layers of security used to filter network traffic to and from Azure resources. By defining inbound and outbound security rules based on source, destination, port, and protocol, NSGs allow you to control access at the subnet or network interface level, ensuring only authorized traffic enters your environment.

#Azure NSG #AZ-900 #Network Security #Azure Fundamentals #Cloud Security

What exactly are Azure Network Security Groups?

Think of an NSG as a basic, distributed firewall for your Azure virtual network. In the world of the AZ-900 exam, you need to understand that NSGs aren't full-blown firewalls like Azure Firewall, but rather a set of Access Control Lists (ACLs) that filter traffic based on a 5-tuple: source, source port, destination, destination port, and protocol.

When you're designing a cloud environment, you don't want every port open to the public internet—that's a recipe for a security breach. By implementing NSGs, you create a perimeter that ensures only legitimate traffic reaches your Virtual Machines (VMs). Whether you're allowing HTTP traffic on port 80 for a web server or restricting RDP access to a specific admin IP, the NSG is your first line of defense.

How do inbound and outbound security rules work?

Every NSG consists of two sets of rules: inbound and outbound. Inbound rules control traffic coming into the resource from an external source, while outbound rules control traffic leaving the resource. Each rule is a simple 'Allow' or 'Deny' decision. If you're setting up a web server, you'll likely create an inbound rule to allow TCP port 443 (HTTPS) from any source, but you'll want to deny most other ports to shrink your attack surface.

Practical tip: always follow the principle of least privilege. Don't just open everything and try to close it later. Start with a 'deny all' mindset and explicitly allow only the traffic required for the application to function. This approach not only secures your environment but is also a core concept frequently tested on Microsoft certification exams.

Why does rule priority matter in an NSG?

This is where many students trip up on the AZ-900. Rules in an NSG are processed in a specific order based on a priority number ranging from 100 to 65,000. The golden rule here is: the lower the number, the higher the priority. Azure processes rules sequentially; as soon as a packet matches a rule, that rule is applied, and Azure stops looking at any further rules.

For example, if you have a rule at priority 100 that denies all traffic from the internet, and a rule at priority 200 that allows port 80, the traffic will be denied. The priority 100 rule wins. We always recommend leaving gaps between your priority numbers (e.g., 100, 110, 120) rather than numbering them 100, 101, 102. This gives you the flexibility to insert a new, higher-priority rule later without having to re-number your entire set.

Should you apply NSGs to subnets or network interfaces?

You have two choices when applying an NSG: you can associate it with a subnet or directly with a Network Interface (NIC). Applying an NSG to a subnet is the most common practice because it provides a consistent security policy for every resource within that subnet. It's much easier to manage one subnet-level NSG than twenty individual NIC-level NSGs.

However, NIC-level NSGs allow for granular, VM-specific control. Here is the critical part for your exam: if both are applied, Azure evaluates them in a specific sequence. For inbound traffic, the subnet NSG is processed first, followed by the NIC NSG. For outbound traffic, the NIC NSG is processed first, then the subnet NSG. If either one denies the traffic, the packet is dropped, regardless of what the other rule says.

What are default security rules and service tags?

You don't start with a blank slate when you create an NSG. Azure includes several default rules that cannot be deleted, though they can be overridden by your own custom rules: the defaults carry very high priority numbers, so any custom rule that matches the traffic is evaluated first. For instance, the 'AllowVnetInBound' rule allows traffic between resources in the same virtual network by default. This ensures your VMs can talk to each other without you having to manually configure every single internal connection.

To make rule management easier, Azure uses 'Service Tags.' Instead of typing in a massive list of IP addresses for Azure services, you can use a tag like 'Internet' or 'AzureLoadBalancer.' This simplifies your configuration and ensures that as Microsoft updates its IP ranges, your security rules stay current automatically. Understanding how these tags interact with default rules is a key objective for anyone pursuing the Fundamentals certification.
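The three ideas above (first-match evaluation in ascending priority order, the subnet-then-NIC sequence for inbound traffic, and default rules with service-tag sources) are easier to internalize when you can trace a packet through them. The following is an added example written for this article, not Azure's own code or anything from the Cert Sensei platform: a small Python simulator of inbound NSG processing. The prefixes behind the 'VirtualNetwork' and 'AzureLoadBalancer' tags, the sample rule sets, and the source addresses are constructed for the simulation (the real tags expand to prefix lists that Microsoft maintains), and the 'Internet' tag is simplified to "any source outside the VNet prefix".

```python
# Added example for this article (not Azure's code): a small simulator of how an
# NSG decides on an inbound packet, covering first-match by ascending priority,
# the built-in default rules, service-tag sources, and subnet-then-NIC layering.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Service tags expanded to prefixes. Constructed sample ranges for the simulation;
# the real tags expand to Microsoft-maintained prefix lists.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int               # lower number = evaluated earlier
    access: str                 # "Allow" or "Deny"
    protocol: str               # "Tcp", "Udp" or "*"
    source: str                 # CIDR, service tag name, or "*"
    dest_port: Union[int, str]  # port number or "*"


@dataclass(frozen=True)
class Packet:
    protocol: str
    source: str                 # source IP address
    dest_port: int


# Azure's inbound default rules. Their priorities sit above any custom rule, so a
# custom rule that matches first effectively overrides them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def source_matches(spec: str, addr: str) -> bool:
    """'*' matches anything, 'Internet' is everything outside the VNet (simplified),
    other tags expand to their prefixes, and anything else is treated as a CIDR."""
    if spec == "*":
        return True
    if spec == "Internet":
        return not source_matches("VirtualNetwork", addr)
    prefixes = SERVICE_TAGS.get(spec, [spec])
    return any(ip_address(addr) in ip_network(p, strict=False) for p in prefixes)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.protocol in ("*", pkt.protocol)
            and rule.dest_port in ("*", pkt.dest_port)
            and source_matches(rule.source, pkt.source))


def evaluate(custom_rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk custom + default rules in ascending priority; the first match decides."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


def permitted(subnet_rules: List[Rule], nic_rules: Optional[List[Rule]], pkt: Packet) -> dict:
    """Inbound traffic is checked by the subnet NSG first, then the NIC NSG (if one is
    associated). A Deny at either level drops the packet."""
    subnet = evaluate(subnet_rules, pkt)
    if subnet[0] == "Deny":
        return {"allowed": False, "subnet": subnet, "nic": None}  # NIC NSG never consulted
    if nic_rules is None:
        return {"allowed": True, "subnet": subnet, "nic": None}
    nic = evaluate(nic_rules, pkt)
    return {"allowed": nic[0] == "Allow", "subnet": subnet, "nic": nic}


# --- constructed sample traffic and rule sets ------------------------------------
WEB_FROM_INTERNET = Packet("Tcp", "203.0.113.7", 80)    # TEST-NET-3 documentation range
RDP_FROM_INTERNET = Packet("Tcp", "203.0.113.7", 3389)
RDP_FROM_ADMIN = Packet("Tcp", "198.51.100.20", 3389)   # TEST-NET-2 documentation range
SSH_FROM_VNET = Packet("Tcp", "10.0.1.5", 22)

# The article's shadowing case: the Deny at 100 is hit before the Allow at 200.
SHADOWED = [
    Rule("DenyInternet", 100, "Deny", "*", "Internet", "*"),
    Rule("AllowHTTP", 200, "Allow", "Tcp", "*", 80),
]

# Numbered with a gap (100, 110) so a new rule can slot in at 105 without renumbering.
WITH_GAPS = [
    Rule("AllowAdminRDP", 100, "Allow", "Tcp", "198.51.100.0/24", 3389),
    Rule("DenyInternet", 110, "Deny", "*", "Internet", "*"),
]
WITH_GAPS_PLUS_HTTP = WITH_GAPS + [Rule("AllowHTTP", 105, "Allow", "Tcp", "*", 80)]

NIC_DENIES_INTERNET = [Rule("DenyInternetOnNic", 100, "Deny", "*", "Internet", "*")]


if __name__ == "__main__":
    print("shadowed:", evaluate(SHADOWED, WEB_FROM_INTERNET))
    print("gap fix:", evaluate(WITH_GAPS_PLUS_HTTP, WEB_FROM_INTERNET))
    print("admin RDP:", evaluate(WITH_GAPS_PLUS_HTTP, RDP_FROM_ADMIN))
    print("stray RDP:", evaluate(WITH_GAPS_PLUS_HTTP, RDP_FROM_INTERNET))
    print("vnet SSH:", evaluate(WITH_GAPS_PLUS_HTTP, SSH_FROM_VNET))
    print("empty NSG, SSH from internet:", evaluate([], Packet("Tcp", "203.0.113.7", 22)))
    print("subnet allows, NIC denies:", permitted(WITH_GAPS_PLUS_HTTP, NIC_DENIES_INTERNET, WEB_FROM_INTERNET))
```

Running it reproduces the article's scenarios: the web request is denied under SHADOWED because 'DenyInternet' at 100 matches before 'AllowHTTP' at 200 ever gets a look; under WITH_GAPS_PLUS_HTTP the same request is allowed by the rule inserted at 105, while RDP from a non-admin address still falls through to the Deny at 110. SSH from inside the VNet matches no custom rule and is admitted by 'AllowVnetInBound', an empty NSG denies internet SSH via 'DenyAllInBound', and a NIC-level Deny drops a packet the subnet NSG had already allowed.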

How can practice exams help you master NSGs for the AZ-900?

Reading the documentation is one thing, but applying NSG logic to a complex scenario is where the real learning happens. This is why we built Cert Sensei. We provide 1,000 expert-curated Microsoft Azure Fundamentals (AZ-900) practice questions that mimic the actual exam environment. Instead of just telling you that an answer is 'B,' we provide detailed expert reasoning that explains *why* the traffic was allowed or denied based on priority and association.

Our platform also includes domain-level analytics. If you find yourself consistently missing questions on Network Security Groups, our performance tracking will highlight that gap immediately. By focusing your study hours on your weakest domains and using our custom quiz builder to filter for networking questions, you can move from 'guessing' to 'knowing' with total confidence.

❓ Frequently Asked Questions

If I have an 'Allow' rule at priority 500 and a 'Deny' rule at priority 400, which one wins?

The 'Deny' rule wins. Because 400 is a lower number than 500, it has a higher priority. Azure processes rules in ascending order and stops as soon as it finds a match.


Do I need to create an outbound rule to allow a response to an inbound request?

No. NSGs are stateful. This means if you allow an inbound request on port 443, the outbound response is automatically allowed, regardless of your outbound rules.


Can I apply multiple NSGs to a single subnet?

No. You can only associate one NSG per subnet. However, you can have one NSG on the subnet and another on the individual NICs of the VMs within that subnet for layered security.
