Chapter 10 of 12

Book 01 — Azure Networking Deep Dive

Network Security

Azure provides a layered network security model: NSGs apply stateful L4 filtering at subnet and NIC boundaries; Azure Firewall provides managed L4/L7 inspection with FQDN filtering and Threat Intelligence; and DDoS Protection defends against volumetric and protocol attacks at the edge.

Network Security Groups (NSG)

Rule Evaluation Order

NSG rules are evaluated in priority order — lowest number first (range 100–4096). The first matching rule wins; subsequent rules are not evaluated. Rules are stateful: return traffic for an allowed connection is automatically permitted.

For inbound: the subnet NSG is evaluated first, then the NIC NSG. Both must allow the traffic for the packet to reach the VM. For outbound: NIC NSG first, then subnet NSG.

NSG rule evaluation order. Subnet NSG rules evaluated priority 100 to 65500. If allowed, NIC NSG rules evaluated. First match wins in each. Application Security Groups shown grouping web VMs and DB VMs, with an NSG rule allowing asg-web to asg-db on TCP 1433.
Figure 10.1 — NSG: priority-ordered evaluation, subnet then NIC; ASGs eliminate IP-based rule management

Application Security Groups

ASGs group VMs by function (web, app, db). NSG rules reference ASG names as source or destination — when VMs are added to an ASG, they automatically inherit all associated rules without any IP address changes.

bash
# ASG-based NSG rule — no IP addresses needed
az network asg create --name asg-web --resource-group rg-app
az network asg create --name asg-db --resource-group rg-app

az network nsg rule create \
  --nsg-name nsg-app --resource-group rg-app \
  --name allow-web-to-db \
  --priority 200 --protocol Tcp \
  --source-asgs asg-web \
  --destination-asgs asg-db \
  --destination-port-ranges 1433 --access Allow

Service Tags

Service TagRepresents
VirtualNetworkVNet address space + peered + connected VNets
AzureLoadBalancer168.63.129.16 (Azure health probe source IP)
InternetAll public IP addresses
AzureCloudAll Azure datacenter IPs (region-specific variants available)
Storage, Sql, AppServiceService-specific IP ranges (used with Service Endpoints)

Azure Firewall

Azure Firewall is a stateful, managed L4/L7 network firewall deployed in the hub VNet's AzureFirewallSubnet (minimum /26; no NSG or UDR allowed on this subnet). It provides FQDN-based filtering, Threat Intelligence feed, and central policy management via Firewall Policy.

Warning

Never place a UDR with 0.0.0.0/0 → Firewall on the AzureFirewallSubnet itself. This creates a routing loop that drops all traffic through the firewall. The route table must only be applied to spoke subnets, not the firewall's own subnet.

Firewall SKU Comparison

FeatureStandardPremium
FQDN / App / Network / NAT rulesYesYes
Threat IntelligenceYesYes
TLS InspectionNoYes
IDPSNoYes
URL FilteringNoYes
Web CategoriesNoYes
Azure Firewall Policy rule hierarchy. Policy contains Rule Collection Groups by priority. Each group contains DNAT, Network, or Application collections. Evaluation order: DNAT first, then Network, then Application. First match wins. Hub-and-spoke UDR requirements noted at the bottom.
Figure 10.2 — Firewall Policy hierarchy: Rule Collection Groups by priority, then DNAT → Network → Application
bash
# Firewall Policy with application rule for outbound HTTPS
az network firewall policy create \
  --name fwpol-hub --resource-group rg-hub \
  --sku Standard --threat-intel-mode Alert

az network firewall policy rule-collection-group create \
  --policy-name fwpol-hub --resource-group rg-hub \
  --name rcg-spokes --priority 200

az network firewall policy rule-collection-group collection \
  add-filter-collection \
  --policy-name fwpol-hub --resource-group rg-hub \
  --rule-collection-group-name rcg-spokes \
  --name rc-allow-windows-update \
  --collection-priority 300 --action Allow \
  --rule-type ApplicationRule \
  --rule-name allow-winupdate \
  --protocols Https=443 \
  --source-addresses "10.0.0.0/8" \
  --target-fqdns "*.update.microsoft.com" "*.windowsupdate.com"

DDoS Protection

DDoS Protection tier comparison. Left: IP Protection attaches to a single public IP with basic mitigation. Right: Network Protection attaches to the VNet, covers all PIPs with adaptive tuning, DDoS Rapid Response, and cost protection.
Figure 10.3 — DDoS IP Protection (per PIP, basic) vs Network Protection (per VNet, adaptive + DRR + cost protection)
bash
# DDoS Network Protection plan + VNet attachment
az network ddos-protection create \
  --name ddos-plan-prod \
  --resource-group rg-security \
  --location eastus2

az network vnet update \
  --name vnet-hub --resource-group rg-hub \
  --ddos-protection true \
  --ddos-protection-plan ddos-plan-prod

Lab: NSG with ASG and Firewall Policy

1

NSG with Application Security Groups (CE-22)

bash
RG="rg-lab-ch10"; LOC="eastus2"
az group create --name "$RG" --location "$LOC"

az network asg create --name asg-web \
  --resource-group "$RG" --location "$LOC"
az network asg create --name asg-db \
  --resource-group "$RG" --location "$LOC"
az network nsg create --name nsg-app \
  --resource-group "$RG" --location "$LOC"

az network nsg rule create \
  --nsg-name nsg-app --resource-group "$RG" \
  --name allow-web-to-db \
  --priority 200 --protocol Tcp \
  --source-asgs asg-web \
  --destination-asgs asg-db \
  --destination-port-ranges 1433 --access Allow
2

Firewall Policy with Application Rule (CE-23)

bash
az network firewall policy create \
  --name fwpol-lab --resource-group "$RG" \
  --location "$LOC" --sku Standard \
  --threat-intel-mode Alert

az network firewall policy rule-collection-group create \
  --policy-name fwpol-lab --resource-group "$RG" \
  --name rcg-lab --priority 300

az network firewall policy rule-collection-group collection \
  add-filter-collection \
  --policy-name fwpol-lab --resource-group "$RG" \
  --rule-collection-group-name rcg-lab \
  --name rc-allow-azure \
  --collection-priority 400 --action Allow \
  --rule-type ApplicationRule \
  --rule-name allow-azure \
  --protocols Https=443 \
  --source-addresses "10.0.0.0/8" \
  --target-fqdns "*.azure.com" "*.microsoft.com"

az group delete --name "$RG" --yes --no-wait

Summary

ConceptKey Fact
NSG priority100–4096; lowest number evaluated first; first match wins
LayeringInbound: subnet NSG first, then NIC NSG; both must allow
ASGGroup VMs by function; auto-apply rules without IP management
AzureLoadBalancer tagMust allow in NSG for health probes to reach VMs
Firewall StandardFQDN/App/Net/NAT rules + Threat Intel
Firewall Premium+ TLS Inspection, IDPS, URL filtering, Web categories
Rule eval orderDNAT → Network → Application; implicit deny at end
DDoS IP ProtectionPer PIP; basic mitigation; lower cost
DDoS Network ProtectionPer VNet; adaptive tuning + DRR + cost protection

Chapter 11 covers DNS Architecture — Azure DNS public zones, Private DNS Zones, auto-registration, and DNS Private Resolver for hybrid DNS forwarding.


Chapter: 10 of 12  |  Status: v0.1 Draft  |