You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!
Create and configure network security groups and application security groups
Network Security Groups (NSGs) are stateful packet filters that control inbound and outbound traffic to Azure resources at the subnet or network interface level. Each NSG contains security rules that allow or deny traffic based on source, destination, port, and protocol; because the filter is stateful, the return traffic of an allowed flow is permitted without a separate rule. Every NSG also carries a fixed set of default rules at priorities 65000 to 65500 (allow VirtualNetwork and AzureLoadBalancer inbound, allow VirtualNetwork and Internet outbound, then deny everything else) that you cannot delete but can override with a custom rule of higher priority. Used this way, NSGs give you microsegmentation inside your virtual network.
To create an NSG, you can use the Azure portal, Azure CLI, or PowerShell. When defining rules, consider these key properties:
Priority: A number from 100 to 4096 for custom rules. Rules are evaluated from the lowest number upward and the first match wins, so a Deny at 200 never applies to traffic already allowed at 100
Direction: Inbound or Outbound; each rule applies to one direction only
Source and destination: IP ranges, service tags (Internet, VirtualNetwork, Storage, and so on), or Application Security Groups
Protocols and ports: TCP, UDP, ICMP, or Any, with single ports or ranges
Action: Allow or Deny
Application Security Groups (ASGs) let you group virtual machines by workload or role rather than by IP address. A VM joins an ASG through its network interface's IP configuration, and the ASG must be in the same VNet as the NICs it groups. By referencing ASGs as the source or destination of NSG rules, you get greater flexibility and easier maintenance: scaling out or a change of IP address after a redeploy does not require rewriting security rules, which simplifies large deployments.
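The procedure above, as an added Azure CLI example that is not part of the course: it creates an ASG and an NSG, writes two inbound rules whose destination is the ASG rather than an address, binds the NSG to a subnet and puts a NIC into the ASG. The resource names (rg-demo, vnet-hub, snet-app, nic-web01, asg-web, nsg-app) are placeholders, and the az_cmd wrapper with DRY_RUN=1 is an assumption added so the block can be inspected without an Azure session.

```shell
# Added example (not course material): NSG rules that target an Application
# Security Group instead of IP addresses. All names below are placeholders.
set -eu

RG=${RG:-rg-demo}; LOCATION=${LOCATION:-eastus}
VNET=${VNET:-vnet-hub}; SUBNET=${SUBNET:-snet-app}; NIC=${NIC:-nic-web01}

# Hypothetical wrapper: with DRY_RUN=1 the az invocations are printed, not run.
az_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# Custom rule priorities must be between 100 and 4096; 65000-65500 are reserved
# for Azure's default rules. Returns 0 when the value is usable.
valid_priority() {
  case $1 in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 100 ] && [ "$1" -le 4096 ]
}

# Adds one inbound TCP rule to nsg-app; refuses bad priorities before calling Azure.
add_inbound_rule() {  # name priority access source-prefix dest-asg dest-port
  valid_priority "$2" || { echo "priority $2 out of range 100-4096" >&2; return 1; }
  az_cmd network nsg rule create -g "$RG" --nsg-name nsg-app -n "$1" \
    --priority "$2" --direction Inbound --access "$3" --protocol Tcp \
    --source-address-prefixes "$4" --source-port-ranges '*' \
    --destination-asgs "$5" --destination-port-ranges "$6"
}

deploy_nsg_with_asg() {
  az_cmd network asg create -g "$RG" -n asg-web -l "$LOCATION"
  az_cmd network nsg create -g "$RG" -n nsg-app -l "$LOCATION"
  # Allow HTTPS from anywhere to whatever is in asg-web (priority 100 is checked first)...
  add_inbound_rule allow-https-in 100 Allow Internet asg-web 443
  # ...and explicitly deny RDP to the same group; evaluated after the allow.
  add_inbound_rule deny-rdp-in 200 Deny '*' asg-web 3389
  # Bind the NSG to the subnet and put the VM's NIC into the ASG. Membership
  # follows the NIC, so a new IP after a redeploy needs no rule change.
  az_cmd network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --network-security-group nsg-app
  az_cmd network nic ip-config update -g "$RG" --nic-name "$NIC" -n ipconfig1 \
    --application-security-groups asg-web
}
```

Run `DRY_RUN=1; deploy_nsg_with_asg` to review the six commands, or `deploy_nsg_with_asg` after `az login` to apply them. Note that the rule targets the ASG on the destination side; ASGs can equally be used as the source (`--source-asgs`) to express "web tier may talk to app tier" without listing either tier's addresses.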
Evaluate effective security rules in NSGs
Effective security rules show the combined result of the NSG attached to a subnet and the NSG attached to a network interface. Azure does not merge the two into one list and pick a winner by priority: for inbound traffic the subnet NSG is evaluated first and then the NIC NSG, and for outbound traffic the NIC NSG is evaluated first and then the subnet NSG. Within each NSG the rules are tried in ascending priority order and the first match decides. Traffic passes only if both NSGs allow it, so an Allow on the NIC cannot override a Deny on the subnet, and vice versa. Reviewing the effective rules is how you confirm that no unintended traffic is permitted or blocked.
You can view effective rules in the Azure portal under the VM's networking settings, or with Azure CLI (az network nic list-effective-nsg-rules), which requires the NIC to be attached to a running VM. The output lists each rule with its:
Name
Priority
Direction
Access (Allow/Deny)
Protocol
Source and destination prefixes and ports
Using Network Watcher's IP Flow Verify feature (az network watcher test-ip-flow), you can test whether a specific flow (direction, protocol, local and remote address and port) is allowed or denied, and which rule made the decision. It evaluates NSG rules only, not Azure Firewall or a network virtual appliance in the path, so a flow that IP Flow Verify allows can still be blocked further along. The tool helps you troubleshoot connectivity issues and confirm that your security posture matches your design.
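To make the evaluation order concrete, here is an added example that is not from the course: a small shell model of how a subnet NSG and a NIC NSG combine for inbound traffic, followed by the two az commands that give the authoritative answer for a real VM. The two rule sets are constructed for the example (the three highest-numbered entries are Azure's default inbound rules), and rg-demo, nic-web01 and vm-web01 are placeholder names.

```shell
# Added example (not from the course): model of Azure's inbound NSG evaluation.
set -eu

# One rule per line: priority|access|source|destination-port ("*" = any).
# Constructed data; the 65000-65500 entries mirror Azure's default inbound rules.
SUBNET_NSG='100|Allow|*|22
65000|Allow|VirtualNetwork|*
65001|Allow|AzureLoadBalancer|*
65500|Deny|*|*'

NIC_NSG='300|Deny|Internet|22
65000|Allow|VirtualNetwork|*
65001|Allow|AzureLoadBalancer|*
65500|Deny|*|*'

# First match in ascending priority order decides, as Azure evaluates one NSG.
evaluate_nsg() {  # rules source port -> prints "<priority>:<Allow|Deny>"
  local rules="$1" src="$2" port="$3" verdict
  verdict=$(printf '%s\n' "$rules" | sort -t'|' -k1,1n |
    while IFS='|' read -r prio access rsrc rport; do
      [ -n "$prio" ] || continue
      if { [ "$rsrc" = '*' ] || [ "$rsrc" = "$src" ]; } &&
         { [ "$rport" = '*' ] || [ "$rport" = "$port" ]; }; then
        echo "$prio:$access"; break
      fi
    done)
  echo "${verdict:-none:Deny}"   # unreachable with default rules present
}

# Inbound: subnet NSG first, then NIC NSG; traffic passes only if both allow.
effective_inbound() {  # source port -> prints Allow or Deny
  local s n
  s=$(evaluate_nsg "$SUBNET_NSG" "$1" "$2")
  n=$(evaluate_nsg "$NIC_NSG" "$1" "$2")
  echo "subnet rule ${s%%:*} says ${s#*:}; nic rule ${n%%:*} says ${n#*:}" >&2
  if [ "${s#*:}" = Allow ] && [ "${n#*:}" = Allow ]; then echo Allow; else echo Deny; fi
}

# The real answers for a running VM (needs an authenticated az session).
show_real_rules() {
  az network nic list-effective-nsg-rules -g rg-demo -n nic-web01 -o table
  az network watcher test-ip-flow -g rg-demo --vm vm-web01 --direction Inbound \
    --protocol TCP --local 10.0.1.4:22 --remote 203.0.113.7:51000
}

effective_inbound Internet 22         # subnet allows at 100, NIC denies at 300: Deny
effective_inbound VirtualNetwork 22   # both allow: Allow
effective_inbound Internet 443        # subnet falls through to 65500: Deny
```

The first call is the case that trips people up: the subnet's explicit Allow at priority 100 does not "win" over the NIC's Deny at 300, because the two NSGs are separate gates rather than one merged list. The model ignores protocol, source port and address ranges for brevity; `show_real_rules` is what you actually run when a VM is unreachable.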
Implement Azure Bastion
Azure Bastion is a platform as a service (PaaS) offering that provides RDP and SSH access to VMs over their private IP addresses, directly from the Azure portal. The session runs in your browser over TLS on port 443 to the Bastion host, so the VMs need no public IP address and you no longer maintain an internet-exposed jump box. This greatly reduces the attack surface of the environment.
To deploy Azure Bastion, meet these prerequisites:
A virtual network with a dedicated subnet named exactly AzureBastionSubnet
A subnet of /26 or larger (earlier guidance allowed /27; current deployments require /26 so the host can scale out)
A Standard SKU public IP address with static allocation, in the same region as the virtual network
Once provisioned, you select Connect on a VM and choose Bastion. The session opens in a browser window with no client-side configuration. Because Bastion reaches the VM over its private IP, an NSG on the VM's subnet must still allow inbound 3389 or 22 from the AzureBastionSubnet range (or the VirtualNetwork service tag); a Deny there is the usual reason a Bastion connection fails. This method streamlines secure access and removes the management overhead of jump servers.
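The deployment steps above as an added Azure CLI example, not course material: a pre-flight check on the subnet name and size, then the subnet, the public IP, the Bastion host and the NSG rule that lets Bastion reach the VMs. The names (rg-demo, vnet-hub, pip-bastion, bas-hub, nsg-app), the 10.0.255.0/26 range and the DRY_RUN wrapper are assumptions made for the example.

```shell
# Added example (not from the course): deploy Azure Bastion with a subnet check.
set -eu

RG=${RG:-rg-demo}; LOCATION=${LOCATION:-eastus}; VNET=${VNET:-vnet-hub}
BASTION_PREFIX=${BASTION_PREFIX:-10.0.255.0/26}   # placeholder range

# Hypothetical wrapper: with DRY_RUN=1 the az invocations are printed, not run.
az_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# Bastion's subnet must be named exactly AzureBastionSubnet and be /26 or larger
# (a smaller prefix length means a bigger subnet). Returns 0 if usable.
bastion_subnet_ok() {  # name cidr
  local len
  [ "$1" = AzureBastionSubnet ] || { echo "subnet must be named AzureBastionSubnet" >&2; return 1; }
  case $2 in */*) ;; *) echo "expected CIDR, got $2" >&2; return 1;; esac
  len=${2##*/}
  case $len in ''|*[!0-9]*) echo "bad prefix length in $2" >&2; return 1;; esac
  [ "$len" -le 26 ] || { echo "$2 is smaller than /26" >&2; return 1; }
}

deploy_bastion() {
  bastion_subnet_ok AzureBastionSubnet "$BASTION_PREFIX" || return 1
  az_cmd network vnet subnet create -g "$RG" --vnet-name "$VNET" \
    -n AzureBastionSubnet --address-prefixes "$BASTION_PREFIX"
  # Bastion requires a Standard SKU, statically allocated public IP.
  az_cmd network public-ip create -g "$RG" -n pip-bastion -l "$LOCATION" \
    --sku Standard --allocation-method Static
  az_cmd network bastion create -g "$RG" -n bas-hub -l "$LOCATION" \
    --vnet-name "$VNET" --public-ip-address pip-bastion --sku Basic
  # The VMs' subnet NSG must admit RDP/SSH from the Bastion subnet; without
  # this rule the portal shows a connection failure even though Bastion is healthy.
  az_cmd network nsg rule create -g "$RG" --nsg-name nsg-app -n allow-bastion-in \
    --priority 110 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$BASTION_PREFIX" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges 22 3389
}
```

The subnet check fails fast on /27 because Azure rejects the Bastion creation only after the subnet and public IP have already been created. Scoping the allow rule to the Bastion prefix rather than the whole VirtualNetwork tag keeps other subnets from reaching RDP and SSH on the VMs.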
Configure service endpoints for Azure platform as a service
Service endpoints extend your VNet's identity to a supported Azure PaaS service so the resource's firewall can admit traffic from a specific subnet. Traffic from that subnet to the service stays on the Azure backbone rather than traversing the public internet, which improves latency and lets you restrict the resource to your subnets. The resource itself keeps its public endpoint and public IP address: the endpoint changes where your traffic appears to come from, not where the service listens. Endpoints are enabled per subnet and per service, and they apply only to traffic originating in Azure, so on-premises clients arriving over VPN or ExpressRoute still need a firewall rule for their public NAT address.
To configure a service endpoint:
Navigate to your subnet in the Azure portal
Select Service endpoints and choose the target service (e.g., Storage, SQL, Key Vault)
Update the PaaS resource's firewall: set the default action to Deny and add the subnet as an allowed virtual network rule
Once enabled, the PaaS resource sees requests from that subnet as coming from your VNet rather than from a public IP, and with the firewall's default action set to Deny, everything else is refused. One caveat: a Microsoft.Storage endpoint gives the subnet a backbone path to every storage account in the service, not only yours, so a compromised VM can still copy data to an attacker-controlled account. When that exfiltration path matters, pair the endpoint with a service endpoint policy (available for Azure Storage) that names the permitted accounts, or use a private endpoint.
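The three configuration steps above, plus the service endpoint policy that closes the exfiltration gap, as an added Azure CLI example that is not from the course. Placeholders: rg-demo, vnet-hub, snet-app, the storage account stdemo0001, a zeroed subscription ID, and the DRY_RUN wrapper that prints the commands instead of running them.

```shell
# Added example (not from the course): Storage service endpoint on a subnet,
# account firewall locked to that subnet, and a policy pinning the account.
set -eu

SUB=${SUB:-00000000-0000-0000-0000-000000000000}   # placeholder subscription
RG=${RG:-rg-demo}; LOCATION=${LOCATION:-eastus}; VNET=${VNET:-vnet-hub}
SUBNET=${SUBNET:-snet-app}; SA=${SA:-stdemo0001}

# Hypothetical wrapper: with DRY_RUN=1 the az invocations are printed, not run.
az_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# Azure Resource Manager ID of a storage account, built from its parts.
storage_account_id() {  # subscription resource-group account-name
  echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Storage/storageAccounts/$3"
}

configure_storage_endpoint() {
  # 1. Turn the endpoint on for this subnet and this service only.
  az_cmd network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoints Microsoft.Storage
  # 2. Flip the account firewall to deny by default. Without this step the
  #    endpoint changes nothing about who can reach the account.
  az_cmd storage account update -g "$RG" -n "$SA" --default-action Deny
  # 3. Admit the subnet; the account now sees its VNet identity, not a public IP.
  az_cmd storage account network-rule add -g "$RG" --account-name "$SA" \
    --vnet-name "$VNET" --subnet "$SUBNET"
  # 4. The endpoint alone lets the subnet reach any storage account. A service
  #    endpoint policy restricts it to the accounts listed here.
  az_cmd network service-endpoint policy create -g "$RG" -n sep-storage -l "$LOCATION"
  az_cmd network service-endpoint policy-definition create -g "$RG" \
    --policy-name sep-storage -n only-our-account --service Microsoft.Storage \
    --service-resources "$(storage_account_id "$SUB" "$RG" "$SA")"
  az_cmd network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoint-policy sep-storage
}

# Confirms the subnet really carries the endpoint before you rely on the firewall.
check_endpoint_present() {
  az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --query "serviceEndpoints[?service=='Microsoft.Storage'].provisioningState" -o tsv
}
```

Step order matters in a live environment: enabling the endpoint on the subnet before adding the network rule avoids the window in which the account denies the subnet's traffic because it still arrives from a public IP. Azure Storage is currently the service with service endpoint policies; for other PaaS services the exfiltration caveat is addressed with a private endpoint instead.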
Configure private endpoints for Azure PaaS
A private endpoint is a network interface in your VNet that receives a private IP address and maps, through Azure Private Link, to one specific PaaS resource and sub-resource (for example the blob service of a storage account). Clients reach the resource on that private address, so the traffic never traverses the public internet, and once you disable public network access on the resource it is reachable only from networks that can route to the endpoint, including on-premises networks over VPN or ExpressRoute. Private endpoints are the option when you need the highest level of network isolation.
Key benefits of private endpoints include:
Traffic stays on the Microsoft backbone and the resource needs no public exposure (the endpoint itself does not encrypt anything; keep using TLS or the service's own encryption in transit)
Integration with Azure Private DNS zones (for example privatelink.blob.core.windows.net) so the resource's normal name resolves to the private IP
Access scoped to a single resource, so a subnet allowed to reach your storage account gains no path to other accounts
To set up a private endpoint, create the endpoint resource in the Azure portal, select the target PaaS resource and sub-resource, and specify the subnet. Then configure DNS so the resource's name resolves to the private IP: link a private DNS zone to the VNet and let the endpoint's DNS zone group register its A record. If DNS is left pointing at the public IP, clients silently use the public path, which is the most common private endpoint misconfiguration. Combined with public network access disabled on the resource, this configuration greatly reduces data exfiltration risk and keeps communication private.
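The setup above as an added Azure CLI example, not from the course, for a storage account's blob service: the private endpoint, the privatelink DNS zone and its VNet link, the DNS zone group that writes the A record, and finally closing the public endpoint. Placeholders: rg-demo, vnet-hub, snet-app, stdemo0001, a zeroed subscription ID, and the DRY_RUN wrapper. The dns_zone_for_group helper encodes the public privatelink zone names for storage sub-resources; it is an assumption of this example, not an az command.

```shell
# Added example (not from the course): private endpoint for a storage account
# plus the DNS wiring that makes clients actually use it.
set -eu

SUB=${SUB:-00000000-0000-0000-0000-000000000000}   # placeholder subscription
RG=${RG:-rg-demo}; LOCATION=${LOCATION:-eastus}; VNET=${VNET:-vnet-hub}
SUBNET=${SUBNET:-snet-app}; SA=${SA:-stdemo0001}

# Hypothetical wrapper: with DRY_RUN=1 the az invocations are printed, not run.
az_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# Each storage sub-resource has its own privatelink zone; a wrong zone name is
# the usual reason an endpoint exists but every client still goes public.
dns_zone_for_group() {  # blob|file|queue|table|dfs|web
  case $1 in
    blob|file|queue|table|dfs|web) echo "privatelink.$1.core.windows.net" ;;
    *) echo "unknown storage sub-resource: $1" >&2; return 1 ;;
  esac
}

create_private_endpoint() {  # sub-resource (default blob)
  local group zone sa_id
  group=${1:-blob}
  zone=$(dns_zone_for_group "$group")
  sa_id="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$SA"
  # The endpoint is a NIC in snet-app tied to exactly one resource and sub-resource.
  az_cmd network private-endpoint create -g "$RG" -n "pe-$SA-$group" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" --private-connection-resource-id "$sa_id" \
    --group-id "$group" --connection-name "$SA-$group"
  # Private zone plus VNet link: VMs in vnet-hub now resolve names in this zone.
  az_cmd network private-dns zone create -g "$RG" -n "$zone"
  az_cmd network private-dns link vnet create -g "$RG" --zone-name "$zone" \
    -n "link-$VNET" --virtual-network "$VNET" --registration-enabled false
  # Zone group: Azure writes the A record for the endpoint's private IP and keeps it current.
  az_cmd network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "pe-$SA-$group" -n default --private-dns-zone "$zone" --zone-name "$group"
  # Close the public endpoint. Until this runs, the private endpoint is an
  # alternative path, not a control.
  az_cmd storage account update -g "$RG" -n "$SA" --public-network-access Disabled
}
```

After applying, verify from a VM in the VNet that `nslookup stdemo0001.blob.core.windows.net` returns an address from snet-app rather than a public one; the public name is a CNAME to the privatelink name, which the linked zone answers. Clients outside the VNet that need access must route to the endpoint (peering, VPN, ExpressRoute) and use a DNS forwarder that can resolve the private zone.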
Conclusion
In this section, you learned how to secure Azure virtual networks using multiple tools and techniques. NSGs and ASGs provide flexible rule-based filtering for traffic control. Evaluating effective security rules ensures that your policies work as intended and helps you troubleshoot connectivity issues.
Azure Bastion offers a managed approach to RDP/SSH access, removing the need for public IPs and jump boxes. For Azure PaaS services, service endpoints and private endpoints give you options for securing resource access on the Azure backbone. By combining these solutions, you can design a robust network security strategy that meets compliance requirements and protects your workloads.
Configure Azure Bastion Deployment
Define and Implement Network Security Group Rules
Analyze Inbound and Outbound Security Rules
Implement Service Endpoints for Secure Access
Implement Private Endpoints for Azure PaaS Services