AZ-104 Microsoft Azure Administrator Exam

Create and configure network security groups and application security groups

Network Security Groups (NSGs) are logical filters that control inbound and outbound traffic to Azure resources at the subnet or network interface level. Each NSG contains a set of security rules that allow or deny traffic based on properties like source, destination, port, and protocol. NSGs help maintain a secure environment by enforcing microsegmentation of your virtual network.

To create an NSG, you can use the Azure portal, Azure CLI, or PowerShell. When defining rules, consider these key properties:

• Priority: Determines rule evaluation order
• Source and destination: IP ranges, service tags, or Application Security Groups
• Protocols and ports: TCP, UDP, or wildcard
• Action: Allow or Deny

Application Security Groups (ASGs) let you group virtual machines by workload or role, rather than IP address. By referencing ASGs in NSG rules, you achieve greater flexibility and easier maintenance. This approach ensures that scaling or IP changes don’t require rewriting security rules, which simplifies large deployments.

Evaluate effective security rules in NSGs

Effective security rules show the combined impact of NSG rules applied at both subnet and network interface levels. When multiple NSGs affect a resource, Azure calculates a final set of effective rules by picking the highest priority rule for each type of traffic. Reviewing these rules is crucial to ensure that no unintended traffic is permitted or blocked.

You can view effective rules in the Azure portal under the VM’s networking settings or use Azure CLI (az network nic list-effective-nsg-rules). The output lists each rule with its:

• Name
• Priority
• Access (Allow/Deny)
• Source and Destination

Using Network Watcher’s IP Flow Verify feature, you can test whether a specific packet flow is allowed or denied. This tool helps you troubleshoot connectivity issues and confirm that your security posture aligns with your design.

Implement Azure Bastion

Azure Bastion is a Platform as a Service (PaaS) solution that provides secure and seamless RDP/SSH access to VMs directly through the Azure portal. It uses TLS to encrypt all remote session traffic, eliminating the need for public IP addresses on your virtual machines. This setup greatly reduces the attack surface by avoiding exposed jump boxes.

To deploy Azure Bastion, follow these prerequisites:

• A virtual network with a dedicated subnet named AzureBastionSubnet
• A subnet size of at least /27
• A public IP address in Standard SKU

Once provisioned, you simply select Connect on a VM and choose Bastion. Your remote session appears in a browser window, with no client-side configuration required. This method streamlines secure access and reduces management overhead for jump servers.

Configure service endpoints for Azure platform as a service

Service endpoints allow you to secure Azure PaaS resources to only your virtual network by extending your VNet identity. With a service endpoint, traffic remains on the Azure backbone network, bypassing the public internet. This results in improved performance and reduced exposure to threats.

To configure a service endpoint:

• Navigate to your subnet in the Azure portal
• Select Service endpoints and choose the target service (e.g., Storage, SQL, Key Vault)
• Update the PaaS resource’s firewall or network settings to allow the subnet

Once enabled, your PaaS resource sees incoming requests as coming from your VNet. This tightens security by allowing you to implement granular access controls and eliminate broad public access.

Configure private endpoints for Azure PaaS

A private endpoint is a network interface that assigns a private IP address from your VNet to an Azure PaaS resource, using Azure Private Link. This provides fully private connectivity, ensuring traffic never exposes itself to the internet. Private endpoints are ideal when you need the highest level of network isolation.

Key benefits of private endpoints include:

• End-to-end encryption over the Azure backbone
• Integration with your DNS zone for name resolution
• Fine-grained access control at the resource level

To set up a private endpoint, create the endpoint resource in the Azure portal, select your target PaaS service, and specify the subnet. Then, update your DNS settings so that the resource name resolves to the private IP. This configuration eliminates data exfiltration risks and maintains secure, private communication.

Conclusion

In this section, you learned how to secure Azure virtual networks using multiple tools and techniques. NSGs and ASGs provide flexible rule-based filtering for traffic control. Evaluating effective security rules ensures that your policies work as intended and helps you troubleshoot connectivity issues.

Azure Bastion offers a managed approach to RDP/SSH access, removing the need for public IPs and jump boxes. For Azure PaaS services, service endpoints and private endpoints give you options for securing resource access on the Azure backbone. By combining these solutions, you can design a robust network security strategy that meets compliance requirements and protects your workloads.