5.5 Virtual Networks, Subnets, and Network Security Groups
Key Takeaways
- Azure Virtual Network is the fundamental private network building block for Azure resources.
- Subnets segment a virtual network address space and provide boundaries where resources can be placed.
- Network security groups filter inbound and outbound traffic for Azure resources in virtual networks.
- NSG rules use priorities, direction, protocol, source, destination, ports, and allow or deny actions.
Segment Azure Networks with VNets, Subnets, and NSGs
Azure Virtual Network provides the private network foundation for Azure resources. It enables resources such as virtual machines to communicate with each other, the internet, and on-premises networks while using familiar network concepts. For SC-900, the main idea is not advanced routing. The main idea is that virtual networks and subnets provide logical containment, and NSGs provide traffic filtering within that containment.
Subnets divide a virtual network address space into smaller segments. A simple workload might place web servers in one subnet and application or data services in another. That separation alone is not a complete security boundary, but it gives you places to apply controls. NSGs are the core Azure feature in this chapter for allowing or denying traffic at subnet or network-interface scope.
| NSG rule property | What it contributes |
|---|---|
| Priority | Lower numbers are processed before higher numbers |
| Direction | Identifies inbound or outbound traffic |
| Source and destination | Identifies where traffic comes from and where it goes |
| Protocol and port range | Matches TCP, UDP, ICMP, or other supported protocol details |
| Action | Allows or denies the matched traffic |
An NSG contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, Azure resources. Rules are evaluated in priority order, and when traffic matches a rule, processing stops for that traffic. This is why priority planning matters: a broad allow rule with a lower priority number is matched first, so a deny rule with a higher priority number never sees that traffic and is ineffective.
NSGs are stateful. If you allow outbound traffic to a destination on a port, you do not need a separate inbound rule for the response traffic. The same idea works in reverse for permitted inbound flows. This is an exam-relevant distinction because NSGs are not stateless packet filters with no connection awareness.
NSGs are not the same as Azure Firewall. If a question asks for central inspection and logging across multiple networks, Azure Firewall is likely better. If a question asks to allow web subnet traffic to an app subnet, deny direct database access, or filter inbound management traffic to a VM subnet, an NSG is often the direct match.
NSGs are also not the same as segmentation strategy itself. Segmentation starts with virtual networks, subnets, and architecture boundaries. NSGs then enforce traffic rules inside those boundaries. Firewalls, private endpoints, user-defined routes, and identity controls can further strengthen the design, but SC-900 usually asks for the basic purpose of the named service.
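The following added example is not part of the chapter or of any Azure SDK; it is a small Python simulation of the NSG evaluation behaviour described above (ascending priority, first match wins, allow or deny) applied to the web, app and database tier scenario. The subnet ranges, addresses and custom rule names are constructed for illustration; the two default rule names and priorities (AllowVnetInBound 65000, DenyAllInBound 65500) are Azure's documented defaults, with the VirtualNetwork service tag approximated by the VNet range. The three rule sets show a correct design, the same design without an explicit deny (where the default VNet allow quietly admits the web tier), and a broad allow at a lower priority number shadowing a deny rule.

```python
"""
Added example, not part of the SC-900 chapter: a small simulation of how an
Azure network security group (NSG) evaluates rules. Rule names, subnet ranges
and addresses are constructed for illustration; only the evaluation semantics
(priority order, first match wins, allow/deny) and the documented default rule
names and priorities reflect Azure behaviour.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple, Union

ANY = "*"
VNET = "10.0.0.0/16"      # constructed VNet range; stands in for the VirtualNetwork service tag
WEB = "10.0.1.0/24"       # constructed subnet ranges
APP = "10.0.2.0/24"
DB = "10.0.3.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                            # lower number is evaluated first
    direction: str                           # "Inbound" or "Outbound"
    protocol: str                            # "Tcp", "Udp", "Icmp" or "*"
    source: str                              # CIDR or "*"
    destination: str                         # CIDR or "*"
    dest_ports: Union[str, Tuple[int, ...]]  # tuple of ports, or "*"
    action: str                              # "Allow" or "Deny"


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def _rule_matches(rule: Rule, direction: str, protocol: str,
                  src: str, dst: str, port: int) -> bool:
    return (rule.direction == direction
            and rule.protocol in (ANY, protocol)
            and _addr_match(rule.source, src)
            and _addr_match(rule.destination, dst)
            and (rule.dest_ports == ANY or port in rule.dest_ports))


def evaluate(rules, direction, protocol, src, dst, port):
    """Walk rules in ascending priority; the first match decides and processing stops.
    Only the initiating direction is evaluated: because NSGs are stateful, the
    response packets of an allowed flow are not matched against the rules again."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _rule_matches(rule, direction, protocol, src, dst, port):
            return rule.action, rule.name
    raise ValueError("no rule matched; a real NSG always ends in a default deny")


# Azure's default inbound rules (documented names and priorities). The
# AllowAzureLoadBalancerInBound rule (65001) is omitted for brevity, and the
# VirtualNetwork service tag is approximated by the VNET range above.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Inbound", ANY, VNET, VNET, ANY, "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", ANY, ANY, ANY, ANY, "Deny"),
)

# Constructed NSG for the database subnet: only the app tier may reach SQL.
DB_SUBNET_NSG = (
    Rule("AllowAppToSql", 100, "Inbound", "Tcp", APP, DB, (1433,), "Allow"),
    Rule("DenyWebToDb", 200, "Inbound", ANY, WEB, DB, ANY, "Deny"),
) + DEFAULT_INBOUND

# Same intent without the explicit deny: the default AllowVnetInBound rule
# (65000) then admits the web tier, which is easy to overlook.
DB_SUBNET_NSG_NO_DENY = (DB_SUBNET_NSG[0],) + DEFAULT_INBOUND

# The priority mistake from the text: a broad allow at 100 shadows the deny at 200.
DB_SUBNET_NSG_SHADOWED = (
    Rule("AllowWholeVnet", 100, "Inbound", ANY, VNET, ANY, ANY, "Allow"),
    Rule("DenyWebToDb", 200, "Inbound", ANY, WEB, DB, ANY, "Deny"),
) + DEFAULT_INBOUND


def app_to_sql(rules=DB_SUBNET_NSG):
    return evaluate(rules, "Inbound", "Tcp", "10.0.2.4", "10.0.3.4", 1433)


def web_to_sql(rules=DB_SUBNET_NSG):
    return evaluate(rules, "Inbound", "Tcp", "10.0.1.4", "10.0.3.4", 1433)


def internet_to_sql(rules=DB_SUBNET_NSG):
    return evaluate(rules, "Inbound", "Tcp", "203.0.113.7", "10.0.3.4", 1433)


if __name__ == "__main__":
    for label, rules in [("with deny", DB_SUBNET_NSG),
                         ("without deny", DB_SUBNET_NSG_NO_DENY),
                         ("shadowed deny", DB_SUBNET_NSG_SHADOWED)]:
        print(label, "| app->sql", app_to_sql(rules), "| web->sql", web_to_sql(rules),
              "| internet->sql", internet_to_sql(rules))
```

Running the script prints the decision and the deciding rule for each rule set. The "without deny" case is the practical lesson behind the chapter's segmentation point: subnets alone do not block traffic, because the default rules allow anything inside the virtual network, so an explicit deny (or an NSG that removes reliance on the VNet default) is what actually enforces the tier boundary. The "shadowed deny" case shows why a deny rule must carry a lower priority number than any broad allow that could match the same traffic.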
- Use virtual networks as Azure private network containers.
- Use subnets to divide address space and place related resources together.
- Use NSGs to allow or deny inbound and outbound traffic.
- Use Azure Firewall when the prompt asks for centralized managed firewall policy.
Which Azure control contains rules that allow or deny inbound and outbound traffic for resources in virtual networks?
In an NSG, why does rule priority matter?
A workload team wants to divide an Azure virtual network into web and application tiers, then filter traffic between those tiers. Which combination best fits?