Network Security Groups (NSGs)
A Network Security Group (NSG) is a stateful packet-filtering firewall that contains inbound and outbound security rules. It can be associated with a subnet, a network interface (NIC), or both. Rules are evaluated in priority order and processing stops at the first matching rule; because the filter is stateful, return traffic for an allowed flow needs no rule of its own.
Each NSG rule has:
- Name and Direction: Inbound or Outbound (a rule applies to one direction only).
- Priority: 100–4096, unique within each direction. Lower numbers = higher priority (evaluated first).
- Source / Destination: Any, IP address/CIDR, service tag, or ASG.
- Source / Destination port ranges: a single port, a range (e.g., 1000-2000), or * for any.
- Protocol: TCP, UDP, ICMP, or Any.
- Action: Allow or Deny.
When an NSG is on both a subnet and a NIC, inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG; outbound traffic by the NIC NSG first and then by the subnet NSG. The packet must be allowed at both levels: the first Deny drops it, and a level with no NSG attached is simply skipped.
Default rules (cannot be deleted or edited; override them with a custom rule at a lower priority number):
| Priority | Name | Direction | Effect |
|---|---|---|---|
| 65000 | AllowVNetInBound | Inbound | Allows traffic from the VirtualNetwork service tag (the VNet's address space plus peered VNets and on-premises prefixes reachable through a gateway) |
| 65001 | AllowAzureLoadBalancerInBound | Inbound | Allows health probes from Azure Load Balancer |
| 65500 | DenyAllInBound | Inbound | Denies all other inbound traffic |
| 65000 | AllowVNetOutBound | Outbound | Allows traffic to the VirtualNetwork service tag (same scope as the inbound rule) |
| 65001 | AllowInternetOutBound | Outbound | Allows outbound traffic to Internet |
| 65500 | DenyAllOutBound | Outbound | Denies all other outbound traffic |
Service tags are named groups of IP prefixes managed by Microsoft (e.g., Internet, VirtualNetwork, AzureLoadBalancer, Storage, Sql). Using service tags avoids hardcoding IP ranges that change over time; Microsoft updates the prefixes behind the tag for you.
Application Security Groups (ASGs)
Application Security Groups (ASGs) are logical groupings of VM network interfaces by application role (e.g., AsgWeb, AsgDb). They are used as the source or destination in NSG rules without specifying IP addresses, which keeps rules portable and maintainable as VMs scale.
Key ASG constraints:
- ASGs must be in the same region and VNet as the VMs assigned to them
- You cannot combine an ASG reference with an IP address range in the same source or destination field
- A NIC can belong to multiple ASGs
- NSG rules referencing an ASG only apply to NICs that are members of that ASG
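To make the evaluation order concrete, here is an added Python example (not code from this page or from Azure) that models the NSG rule semantics above and the ASG constraints just listed: priority ordering with stop-at-first-match, the six default rules, subnet-then-NIC chaining for inbound and the reverse for outbound, ASG membership, and the rule that an ASG cannot be mixed with an IP range in one field. The VNet prefix, NIC names, ASG names and rules are all constructed for illustration; service tags are simplified stand-ins for Microsoft's managed prefix lists, and return traffic (statefulness) is not modelled.

```python
# Added example (not Azure code): toy evaluator for NSG/ASG semantics with constructed data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VNET_PREFIXES = ["10.0.0.0/16"]  # constructed VNet address space
# Simplified tags; the real VirtualNetwork tag also covers peered VNets and gateway-learned prefixes.
SERVICE_TAGS = {"VirtualNetwork": VNET_PREFIXES, "AzureLoadBalancer": ["168.63.129.16/32"]}
ASG_MEMBERS = {"AsgWeb": {"web-nic"}, "AsgDb": {"db-nic"}}  # constructed ASG membership

@dataclass
class Rule:
    name: str
    priority: int
    direction: str    # "Inbound" | "Outbound"
    access: str       # "Allow" | "Deny"
    protocol: str     # "Tcp" | "Udp" | "Icmp" | "*"
    source: str       # "*", CIDR, service tag or "asg:<name>"; comma-separated list allowed
    destination: str
    dport: str = "*"  # "*", "443" or "1000-2000"

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dport: int
    src_nic: Optional[str] = None  # NIC name when that end is a VM in this VNet
    dst_nic: Optional[str] = None

DEFAULT_RULES = [  # the six rules Azure adds to every NSG; they cannot be deleted
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowVNetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]

def _is_cidr(s: str) -> bool:
    try:
        ip_network(s, strict=False)
        return True
    except ValueError:
        return False

def validate_rule(rule: Rule) -> None:
    """Reject what Azure rejects: priority outside 100-4096, or an ASG mixed with an IP range."""
    if not 100 <= rule.priority <= 4096:
        raise ValueError(f"{rule.name}: priority must be 100-4096")
    for sel in (rule.source, rule.destination):
        parts = [p.strip() for p in sel.split(",")]
        if any(p.startswith("asg:") for p in parts) and any(_is_cidr(p) for p in parts):
            raise ValueError(f"{rule.name}: cannot mix an ASG and an IP range in one field")

def match_selector(sel: str, ip, nic: Optional[str]) -> bool:
    """A selector field may list several items; any one of them matching is enough."""
    for part in (p.strip() for p in sel.split(",")):
        if part in ("*", "Any"):
            return True
        if part.startswith("asg:"):       # an ASG rule only matches NICs that are members
            hit = nic in ASG_MEMBERS.get(part[4:], set())
        elif part == "Internet":          # simplified: any address outside the VNet
            hit = not any(ip in ip_network(p) for p in VNET_PREFIXES)
        elif part in SERVICE_TAGS:
            hit = any(ip in ip_network(p) for p in SERVICE_TAGS[part])
        else:
            hit = _is_cidr(part) and ip in ip_network(part, strict=False)
        if hit:
            return True
    return False

def match_port(spec: str, port: int) -> bool:
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate_nsg(rules, direction: str, pkt: Packet):
    """Lowest priority number first; stop at the first match. A default rule always matches."""
    candidates = [r for r in list(rules) + DEFAULT_RULES if r.direction == direction]
    for r in sorted(candidates, key=lambda r: r.priority):
        if (r.protocol in ("*", pkt.protocol)
                and match_selector(r.source, ip_address(pkt.src_ip), pkt.src_nic)
                and match_selector(r.destination, ip_address(pkt.dst_ip), pkt.dst_nic)
                and match_port(r.dport, pkt.dport)):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAll* always matches")

def evaluate_path(subnet_rules, nic_rules, direction: str, pkt: Packet):
    """Inbound: subnet NSG then NIC NSG. Outbound: NIC NSG then subnet NSG. Both must allow."""
    levels = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        levels.reverse()
    trace = []
    for where, rules in levels:
        if rules is None:  # no NSG attached at this level: skipped
            continue
        access, name = evaluate_nsg(rules, direction, pkt)
        trace.append(f"{where}:{name}")
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace

# Constructed rule sets: one subnet NSG for a web/db subnet, one NIC NSG on the web VM.
SUBNET_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "asg:AsgWeb", "443"),
    Rule("AllowWebToSql", 200, "Inbound", "Allow", "Tcp", "asg:AsgWeb", "asg:AsgDb", "1433"),
    # Without this explicit Deny, AllowVNetInBound (65000) admits any VNet host to SQL.
    Rule("DenySqlFromElsewhere", 4000, "Inbound", "Deny", "Tcp", "*", "asg:AsgDb", "1433"),
]
NIC_RULES_WEB = [Rule("AllowHttps", 100, "Inbound", "Allow", "Tcp", "*", "*", "443")]

def run_scenarios() -> dict:
    for r in SUBNET_RULES + NIC_RULES_WEB:
        validate_rule(r)
    https_in = Packet("203.0.113.5", "10.0.1.4", "Tcp", 443, dst_nic="web-nic")
    ssh_in = Packet("203.0.113.5", "10.0.1.4", "Tcp", 22, dst_nic="web-nic")
    web_to_db = Packet("10.0.1.4", "10.0.3.4", "Tcp", 1433, src_nic="web-nic", dst_nic="db-nic")
    other_to_db = Packet("10.0.2.7", "10.0.3.4", "Tcp", 1433, src_nic="app-nic", dst_nic="db-nic")
    web_out = Packet("10.0.1.4", "203.0.113.5", "Tcp", 443, src_nic="web-nic")
    return {
        "https_in": evaluate_path(SUBNET_RULES, NIC_RULES_WEB, "Inbound", https_in),
        "ssh_in": evaluate_path(SUBNET_RULES, NIC_RULES_WEB, "Inbound", ssh_in),
        "web_to_db": evaluate_path(SUBNET_RULES, None, "Inbound", web_to_db),
        "other_to_db": evaluate_path(SUBNET_RULES, None, "Inbound", other_to_db),
        "other_to_db_no_deny": evaluate_nsg(SUBNET_RULES[:2], "Inbound", other_to_db),
        "web_out": evaluate_path(SUBNET_RULES, NIC_RULES_WEB, "Outbound", web_out),
    }
```

Call `run_scenarios()` to get each scenario's verdict together with the rule that produced it at each level. The `other_to_db_no_deny` case is the one worth remembering: with only the two Allow rules, the same packet from a non-member NIC is admitted by the default AllowVNetInBound rule at 65000, because an ASG narrows which NICs a rule that references it matches, not which hosts can reach those NICs. An explicit Deny at a priority below 65000 is what actually closes the database tier.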
Azure Bastion
Azure Bastion is a PaaS service that provides secure, browser-based RDP/SSH connectivity to VMs over TLS on port 443, eliminating the need for a public IP on the target VM. The dedicated SKUs (Basic, Standard, Premium) are deployed into a subnet named AzureBastionSubnet (minimum /26).
| SKU | Key Capabilities | Public IP Required |
|---|---|---|
| Developer | Free; shared infrastructure; 1 VM at a time; no peering support | No |
| Basic | Dedicated; fixed capacity (2 instances); VNet peering support | Yes |
| Standard | Native client, host scaling (2–50 instances), custom ports, file transfer | Yes |
| Premium | All Standard + session recording + private-only deployment | Optional |
The target VM does not need a public IP, agent, or special client software. Downgrading SKUs after deployment is not supported.
Service Endpoints vs. Private Endpoints
A VNet service endpoint extends your VNet's private address space to an Azure PaaS service over an optimized route on the Microsoft backbone. Traffic leaves the VNet but stays on the Azure backbone, and the PaaS service sees the VM's private VNet IP as the source. A private endpoint injects a dedicated private IP address from your VNet into an Azure PaaS resource. Traffic flows over Private Link and never uses a public IP, so the PaaS service's public access can be disabled entirely.
| Feature | Service Endpoint | Private Endpoint |
|---|---|---|
| Assigns private IP in your VNet | No | Yes |
| On-premises access support | No (by default) | Yes |
| Public access can be fully disabled | No | Yes |
| Data exfiltration protection | No | Yes |
| DNS changes required | No | Yes (Private DNS zone) |
| Cost | Free | Billed per hour + data |
| Scope | Entire service type | Specific resource instance |
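The following added Python example (not from this page or from Azure) models how a Storage account's network rules treat the same request arriving via the public endpoint, via a service endpoint, and via a private endpoint. The account settings, the subnet resource ID and all addresses are constructed. It encodes three documented behaviours: the firewall's IP rules match only public source addresses (Azure rejects RFC 1918 ranges in them); a service endpoint makes the firewall see the VM's private VNet IP, so only a virtual network rule for that subnet can admit it; and private-endpoint traffic arrives over Private Link and is not evaluated against the public-network rules at all, so it keeps working when public access is disabled. One nuance it leaves out: Azure also ignores IP rules for requests originating in the same region as the account, which is one more reason to prefer VNet rules or private endpoints.

```python
# Added example (not Azure code): toy model of a Storage account firewall with constructed data.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class StorageNetworkAcls:
    public_network_access: str = "Enabled"          # "Enabled" | "Disabled"
    default_action: str = "Deny"                    # "Deny" | "Allow"
    ip_rules: list = field(default_factory=list)    # public CIDRs only
    vnet_rules: list = field(default_factory=list)  # subnet resource IDs that have a service endpoint
    private_endpoint: bool = False                  # an approved private endpoint exists for the account

    def __post_init__(self):
        for cidr in self.ip_rules:  # Azure refuses RFC 1918 ranges in IP rules
            if ip_network(cidr, strict=False).is_private:
                raise ValueError(f"ipRules cannot contain private ranges: {cidr}")

@dataclass
class Client:
    name: str
    private_ip: str                       # VNet or on-premises address
    public_ip: str                        # SNAT address seen on the public path
    subnet_id: Optional[str] = None       # Azure subnet of the NIC (None for on-premises)
    service_endpoint: bool = False        # Microsoft.Storage endpoint enabled on that subnet
    private_link_route: bool = False      # DNS resolves to the private endpoint and a route exists

def evaluate(acls: StorageNetworkAcls, client: Client):
    """Return (decision, source IP the service sees, reason)."""
    if client.private_link_route and acls.private_endpoint:
        return "Allow", client.private_ip, "private endpoint: public-network rules not consulted"
    if acls.public_network_access == "Disabled":
        return "Deny", None, "public network access disabled (service-endpoint traffic counts as public)"
    if client.service_endpoint and client.subnet_id:
        seen = client.private_ip  # the firewall logs the VM's private VNet IP, not a public one
        if client.subnet_id in acls.vnet_rules:
            return "Allow", seen, "virtualNetworkRules match"
        if acls.default_action == "Allow":
            return "Allow", seen, "defaultAction Allow"
        return "Deny", seen, "private source IP cannot match ipRules and subnet is not listed"
    seen = client.public_ip
    if any(ip_address(seen) in ip_network(c, strict=False) for c in acls.ip_rules):
        return "Allow", seen, "ipRules match"
    if acls.default_action == "Allow":
        return "Allow", seen, "defaultAction Allow"
    return "Deny", seen, "no ipRules match"

# Constructed subnet resource ID (placeholder subscription and names).
SUBNET = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/app"

def run_scenarios() -> dict:
    vm = Client("vm", "10.0.1.4", "20.0.0.10", SUBNET)
    vm_se = Client("vm", "10.0.1.4", "20.0.0.10", SUBNET, service_endpoint=True)
    vm_pe = Client("vm", "10.0.1.4", "20.0.0.10", SUBNET, private_link_route=True)
    onprem = Client("onprem", "192.168.5.20", "198.51.100.7")
    onprem_pl = Client("onprem", "192.168.5.20", "198.51.100.7", private_link_route=True)
    ip_only = StorageNetworkAcls(ip_rules=["20.0.0.10/32"])
    with_vnet = StorageNetworkAcls(ip_rules=["20.0.0.10/32"], vnet_rules=[SUBNET])
    locked = StorageNetworkAcls(public_network_access="Disabled", vnet_rules=[SUBNET], private_endpoint=True)
    return {
        "before_service_endpoint": evaluate(ip_only, vm),
        "after_service_endpoint": evaluate(ip_only, vm_se),       # the old public-IP rule stops matching
        "after_adding_vnet_rule": evaluate(with_vnet, vm_se),
        "onprem_via_service_endpoint": evaluate(with_vnet, onprem),  # on-prem gets no service endpoint
        "service_endpoint_public_disabled": evaluate(locked, vm_se),
        "private_endpoint_public_disabled": evaluate(locked, vm_pe),
        "onprem_via_private_endpoint": evaluate(locked, onprem_pl),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:34} {verdict}")
```

The `after_service_endpoint` scenario is the migration trap: enabling the endpoint on the subnet silently changes the source address the firewall evaluates, so an account whose IP rules list the VM's old SNAT address starts denying it until the subnet is added as a virtual network rule. The `locked` account shows the other half of the comparison: once public network access is off, the service-endpoint path is dead while both the VM and the on-premises client still reach the account through the private endpoint.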
NSG Priority — Lower Number = Higher Priority
Exam Trap
"A lower priority number means a lower priority rule." → The opposite is true. In NSGs, lower numbers = higher priority. A rule with priority 100 is evaluated BEFORE a rule with priority 200. Processing stops at the first match.
ASG Cross-VNet Limitation
Exam Trap
"You can assign an ASG from one VNet as the destination in an NSG that filters another VNet's traffic." → ASGs and the NSG rules that reference them must exist in the same VNet. Cross-VNet ASG references are not supported.
Azure Bastion Subnet Requirements
Must Memorize
- The subnet must be named exactly AzureBastionSubnet (case-sensitive)
- For Basic, Standard, and Premium SKUs, the subnet must be /26 or larger
- The target VM only needs a private IP — no public IP, no agent, no client software required
- Downgrading SKUs after deployment is NOT supported
NSG Rule — ASG + IP Mixed Source
Exam Trap
"A single NSG rule can reference both an ASG and an IP range as source." → Not allowed. You cannot mix ASG references and IP address ranges as the source or destination within a single NSG rule. Use separate rules instead.
Service Endpoint Source IP
Exam Trap
"With a service endpoint, the PaaS service sees a private IP that belongs to the service, not your VM." → The source IP that the PaaS service's firewall logs is your VM's private VNet IP, not a public address or service-owned IP. This is why switching to service endpoints can break existing IP-based firewall rules that expected a public IP.
Private Endpoint vs. Service Endpoint for On-Premises
Must Memorize
Service endpoints cannot be used to access PaaS from on-premises networks by default. Private endpoints can be accessed from on-premises over ExpressRoute or VPN — this is a key differentiator often tested.
Create and Associate an NSG
- Portal → Search → Network security groups → + Create
- Choose subscription, resource group, name, region → Review + create
- Open the NSG → Settings → Inbound security rules → + Add
- Set Source, Source port ranges (*), Destination, Destination port ranges, Protocol, Action, Priority, Name
- To associate with a subnet: Settings → Subnets → + Associate → pick VNet and subnet
Create an Application Security Group and Assign a VM
- Portal → Search → Application security groups → + Create → choose region
- Open the target VM → Networking → Network settings → select the NIC
- Under Application security groups → + Add application security groups → select the ASG
Deploy Azure Bastion
- Portal → Target VNet → Settings → Bastion → Deploy Bastion
- Or: Search → Bastions → + Create
- Ensure VNet has an AzureBastionSubnet subnet with at least /26 prefix
- Assign a Standard SKU static public IP (not needed for the Developer SKU); choose the desired SKU (Basic, Standard, or Premium)
- After deployment: navigate to target VM → Connect → Bastion → enter credentials
Configure a Service Endpoint
- Portal → Virtual networks → select VNet → Subnets → click the target subnet
- Under Service endpoints → click the dropdown → select the service (e.g., Microsoft.Storage)
- Save; then go to the Storage account → Networking → Firewalls and virtual networks → add the VNet/subnet
Create a Private Endpoint
- Portal → target resource (e.g., Storage account) → Networking → Private endpoint connections → + Private endpoint
- Or: Search → Private endpoints → + Create
- Select resource, sub-resource (e.g., blob), VNet and subnet
- Integrate with a private DNS zone (recommended: auto-creates the privatelink.* zone, e.g., privatelink.blob.core.windows.net for blob)
AZ-104 Exam Focus
Exam Trap
"A lower priority number means a lower priority rule." → Lower numbers = higher priority in NSGs. A rule at priority 100 is evaluated before a rule at priority 200.
Exam Trap
"You can assign an ASG from one VNet as the destination in an NSG filtering another VNet's traffic." → ASGs and NSG rules that reference them must exist in the same VNet. Cross-VNet ASG references are not supported.
Exam Trap
"Azure Bastion requires a public IP on the target VM." → Bastion specifically removes that requirement. The VM only needs a private IP. Bastion itself holds the public IP.
Exam Trap
"The AzureBastionSubnet can be any size as long as there's room." → For dedicated SKUs (Basic, Standard, Premium), the subnet must be /26 or larger.
Exam Trap
"A single NSG rule can reference both an ASG and an IP range as source." → Not allowed. Use separate rules for ASG references and IP ranges.
Exam Tip
Private endpoints are Microsoft's recommended approach for new deployments — stronger isolation, on-premises support, data exfiltration protection, and full public access disable capability that service endpoints lack.
Review questions
- Q: In an NSG, which rule has higher priority: priority 100 or priority 500? A: Priority 100; lower numbers are evaluated first.
- Q: What is the minimum size required for the AzureBastionSubnet? A: /26 (for the Basic, Standard, and Premium SKUs).
- Q: Does the target VM need a public IP when connecting via Azure Bastion? A: No; it only needs a private IP. Bastion itself holds the public IP.
- Q: What source IP does a PaaS service firewall log when a VM with a service endpoint sends traffic to it? A: The VM's private VNet IP.
- Q: Can service endpoints be used to access PaaS resources from on-premises networks? A: Not by default; use a private endpoint for on-premises access over ExpressRoute or VPN.
- Q: What constraint applies to combining an ASG reference and an IP address range in a single NSG rule? A: They cannot be combined in the same source or destination field; use separate rules.