AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!

Plan and implement Network Security Groups and Application Security Groups

Design and Optimize NSG and ASG Configurations

Azure Virtual Network deployments rely on Network Security Groups (NSGs) and Application Security Groups (ASGs) to enforce traffic segmentation and least-privilege access. NSGs act as stateful firewalls at the subnet or NIC level, while ASGs let you group VMs by logical roles or attributes. By combining these controls, you can isolate workloads and prevent lateral movement within your network. Proper planning of NSG and ASG use reduces the attack surface and ensures policies remain consistent as your infrastructure evolves.

NSGs define inbound and outbound rules with explicit priority ordering and service tags to simplify management. Each rule specifies:

  • Source and destination: an IP address or CIDR range, a service tag (for example VirtualNetwork, Internet or AzureLoadBalancer), or an ASG
  • Protocol (TCP, UDP, ICMP or Any) and source and destination port ranges
  • A priority number (100–4096 for custom rules), where lower numbers are processed first and the first matching rule ends evaluation
  • An action of Allow or Deny

Every NSG also carries six default rules at priority 65000 and above: inbound, they allow VirtualNetwork-to-VirtualNetwork and Azure Load Balancer traffic and deny everything else; outbound, they allow VirtualNetwork and Internet traffic and deny the rest. The defaults cannot be deleted, only overridden by a custom rule with a lower priority number. A deny-by-default, permit-by-exception model therefore means adding explicit Deny rules (for example a VirtualNetwork-to-VirtualNetwork deny at priority 4096) after your Allow rules; otherwise the default AllowVnetInBound rule still permits every intra-VNet flow you did not enumerate.

ASGs let you group the network interfaces of virtual machines by the role they play (web, app, database) rather than by address. Membership is explicit: you add a NIC to one or more ASGs, and NSG rules reference the ASG instead of a list of IP addresses. This lets you:

  • Group VMs by function (web, app, database) independently of their IP addresses
  • Reference ASGs in NSG rules as source, destination or both
  • Keep rules valid as VMs are added or removed, because a new NIC is covered by the policy as soon as it joins the ASG

Two constraints apply: all NICs in an ASG must belong to the same virtual network, and if a rule names an ASG as both source and destination, both ASGs must be in the same virtual network. Logical grouping ensures that security rules adapt as your workload grows and changes.
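The rule-ordering and ASG behaviour described above (priority order, first match wins, platform default rules evaluated last, ASGs standing in for NIC addresses) can be checked offline before anything is deployed. The following is an added example written for this guide, not Microsoft code and not the Azure data plane: it models the documented evaluation order over a constructed VNet, three constructed ASGs and two candidate rule sets, and shows why a rule set that only adds Allow rules still lets a web VM reach the database tier through the default AllowVnetInBound rule. The Internet service tag is simplified to "any address outside the VNet".

```python
"""Offline model of Azure NSG rule evaluation with ASG-based rules.

Added example for this study guide, not Microsoft's code. It reproduces the
documented behaviour: rules are tried in ascending priority order, the first
match decides, and the platform default rules (priority 65000 and above) are
evaluated last. The VNet range, ASG membership, IPs and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # constructed VNet address space

# An ASG is a set of NICs; each NIC is represented here by its private IP.
ASG_MEMBERS = {
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-app": {"10.0.2.4"},
    "asg-db": {"10.0.3.4"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules: 100-4096, lower number is tried first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR/IP, "*", service tag, or "asg:<name>"
    destination: str
    dest_ports: str    # "443", "1024-65535", "80,443" or "*"


# Default rules Azure adds to every NSG. They cannot be deleted, only
# overridden by a custom rule with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def address_matches(spec: str, addr: str) -> bool:
    """Match a rule's source/destination field against one concrete IP."""
    ip = ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":              # simplified: anything outside the VNet
        return ip not in VNET
    if spec == "AzureLoadBalancer":     # the platform health-probe source
        return addr == "168.63.129.16"
    if spec.startswith("asg:"):
        return addr in ASG_MEMBERS.get(spec[4:], set())
    return ip in ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Match "*", a single port, a range "a-b" or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule name) of the first rule that matches the flow."""
    candidates = sorted(
        (r for r in list(rules) + DEFAULT_RULES if r.direction == direction),
        key=lambda r: r.priority,
    )
    for r in candidates:
        if (r.protocol in ("*", protocol)
                and address_matches(r.source, src)
                and address_matches(r.destination, dst)
                and port_matches(r.dest_ports, dst_port)):
            return r.access, r.name
    raise AssertionError("the default rules guarantee a match")


# "Allow what is needed" but nothing else: looks tight, yet the default
# AllowVnetInBound rule still permits every other intra-VNet flow.
WEAK_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "asg:asg-web", "443"),
    Rule("AllowWebToApp", 200, "Inbound", "Allow", "Tcp", "asg:asg-web", "asg:asg-app", "8080"),
    Rule("AllowAppToDb", 300, "Inbound", "Allow", "Tcp", "asg:asg-app", "asg:asg-db", "1433"),
]

# Hardened: explicit denies sit after the allows (higher numbers) but before
# the defaults, so only the enumerated flows reach the data tier.
HARDENED_RULES = WEAK_RULES + [
    Rule("DenyAllToDb", 4000, "Inbound", "Deny", "*", "*", "asg:asg-db", "*"),
    Rule("DenyVnetInBound", 4096, "Inbound", "Deny", "*", "VirtualNetwork", "VirtualNetwork", "*"),
]


def lateral_move_check(rules):
    """Can a compromised web VM open SQL (1433) to the database tier directly?"""
    return evaluate(rules, "Inbound", "Tcp", "10.0.1.4", "10.0.3.4", 1433)


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label:9s} web->db:1433 -> {lateral_move_check(rules)}")
```

Run it and the weak set reports the web-to-database flow as allowed by AllowVnetInBound, while the hardened set denies it at DenyAllToDb and still allows app-to-database on 1433. The same `evaluate` call is a cheap regression check to run against an exported rule set whenever someone edits an NSG.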

Monitoring and validation are crucial to confirm that your NSG and ASG configurations work as intended. Leverage:

  • NSG flow logs, written by Network Watcher to a storage account as JSON records of every allowed and denied flow together with the rule that decided it (Traffic Analytics can aggregate them into a Log Analytics workspace)
  • Traffic Analytics to visualize top talkers, blocked flows and traffic to or from known malicious IPs
  • Azure Resource Graph queries to inventory NSG/ASG associations and rule settings across subscriptions

These tools help troubleshoot connection issues, validate segmentation, and catch misconfigurations before they become vulnerabilities. Note that Microsoft has announced the retirement of NSG flow logs in favour of virtual network flow logs, which record the same flow tuples at VNet scope; plan new deployments on the newer log type.
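Flow logs are only useful if something reads them. The following is an added example for this guide, not Microsoft tooling: it parses the NSG flow log JSON as written to the storage account (format version 2, where each tuple is `timestamp,srcIp,dstIp,srcPort,dstPort,protocol T/U,direction I/O,decision A/D,state B/C/E,packets and bytes in each direction`) and asks the segmentation question directly, namely which allowed inbound flows reached the database port from a source that is not on the expected list. The record, IPs, MAC and resource ID are constructed sample data.

```python
"""Parse NSG flow logs (format version 2) to validate segmentation offline.

Added example for this study guide; not Microsoft tooling. SAMPLE_LOG is a
constructed record in the shape Network Watcher writes to the storage
account: a "records" array, each record holding "properties.flows" grouped
by the rule that decided the flow, then per-NIC "flowTuples" strings.
"""
import json
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = json.dumps({
    "records": [{
        "time": "2024-05-01T10:00:00.000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/"
                      "RESOURCEGROUPS/RG-DEMO/PROVIDERS/MICROSOFT.NETWORK/"
                      "NETWORKSECURITYGROUPS/NSG-DATA",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "UserRule_AllowAppToDb", "flows": [{"mac": "000D3A000001", "flowTuples": [
                    "1714557600,10.0.2.4,10.0.3.4,51000,1433,T,I,A,B,,,,",
                    "1714557610,10.0.2.4,10.0.3.4,51000,1433,T,I,A,E,12,2400,10,8000",
                ]}]},
                # The web tier reaching SQL directly: allowed by a *default* rule.
                {"rule": "DefaultRule_AllowVnetInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
                    "1714557620,10.0.1.4,10.0.3.4,40022,1433,T,I,A,B,,,,",
                ]}]},
                {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
                    "1714557630,198.51.100.23,10.0.3.4,55555,1433,T,I,D,B,,,,",
                    "1714557631,198.51.100.23,10.0.3.4,55556,3389,T,I,D,B,,,,",
                ]}]},
            ],
        },
    }]
})


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str       # "T" or "U"
    direction: str   # "I" inbound, "O" outbound
    decision: str    # "A" allowed, "D" denied
    state: str       # "B" begin, "C" continuing, "E" end (v2 only)
    rule: str        # e.g. UserRule_<name> or DefaultRule_<name>


def parse_flow_logs(raw: str):
    """Flatten every version-2 flow tuple in the log into Flow records."""
    flows = []
    for rec in json.loads(raw)["records"]:
        props = rec["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version {props.get('Version')}")
        for group in props["flows"]:
            for nic in group["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                                      f[5], f[6], f[7], f[8], group["rule"]))
    return flows


def decisions_by_rule(flows):
    """How many tuples each rule allowed or denied: spots rules that never fire."""
    return Counter((f.rule, f.decision) for f in flows)


def unexpected_allows(flows, dst, dst_port, allowed_sources):
    """Allowed inbound connections to a protected port from sources outside
    the expected set. Only 'B' (begin) tuples are counted so one connection
    is not reported once per hour-block it stays open."""
    return sorted({(f.src, f.rule) for f in flows
                   if f.direction == "I" and f.decision == "A" and f.state == "B"
                   and f.dst == dst and f.dst_port == dst_port
                   and f.src not in allowed_sources})


def top_denied_sources(flows, n=5):
    """Noisiest blocked sources, the usual starting point for threat triage."""
    return Counter(f.src for f in flows if f.decision == "D").most_common(n)


if __name__ == "__main__":
    flows = parse_flow_logs(SAMPLE_LOG)
    print("unexpected SQL allows:", unexpected_allows(flows, "10.0.3.4", 1433, {"10.0.2.4"}))
    print("denied sources:", top_denied_sources(flows))
    for (rule, decision), count in sorted(decisions_by_rule(flows).items()):
        print(f"{rule:32s} {decision} {count}")
```

The interesting output is the allowed flow attributed to `DefaultRule_AllowVnetInBound`: a segmentation gap that no custom rule explains, which is exactly what reviewing the rule name in each tuple is for. Point `parse_flow_logs` at the hourly `PT1H.json` blobs from the storage account to run the same checks on real data.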

When implementing NSG and ASG configurations, adopt a layered approach and integrate them into your network design from the start. Attach NSGs at the subnet level for broad segmentation and at the NIC level only where a single VM needs tighter rules; when both are present, inbound traffic must be allowed by the subnet NSG and then by the NIC NSG (outbound is evaluated in the reverse order), so a flow is dropped if either denies it. Reference ASGs in your rules rather than IP addresses. Apply the principle of least privilege by only allowing necessary traffic, and use Network Watcher's IP flow verify to test a specific flow against the effective rules of a VM. Regularly review and update rules using automated scripts or Azure Policy to maintain an effective, scalable security posture.

Conclusion

In summary, NSGs provide stateful firewall control with prioritized rules and service tags, while ASGs offer logical grouping of workloads without managing IP addresses. Together, they enforce least-privilege traffic controls and prevent lateral movement in Azure Virtual Networks. Monitoring with NSG flow logs, Traffic Analytics, and Azure Resource Graph ensures your policies remain effective. Following a layered approach and regularly reviewing rules helps maintain a secure and scalable network environment.