🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-700 Domain 5
Domain 5 — Module 2 of 5 40%
23 of 26 overall

AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation Free
  • IP Addressing: Public, Private & Prefixes Free
  • Name Resolution: Azure DNS Free
  • Routing: UDRs, Route Server & NAT Gateway Free
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)

AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation Free
  • IP Addressing: Public, Private & Prefixes Free
  • Name Resolution: Azure DNS Free
  • Routing: UDRs, Route Server & NAT Gateway Free
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)
Domain 5: Network Security Services Premium ⏱ ~11 min read

Flow Logs, IP Flow Verify & Network Manager Security

Analyse traffic with VNet flow logs, diagnose NSG issues with IP Flow Verify, and enforce security policies with AVNM security admin rules.

Flow Logs, IP Flow Verify & Network Manager Security

This module combines diagnostic tools (flow logs, IP Flow Verify) with centralised security enforcement (AVNM security admin rules). Both are high-value exam topics.

🎬 Video coming soon

Flow Logs and Network Manager Security

Flow Logs and Network Manager Security

~11:00
☕ Simple explanation

Flow logs are your network’s CCTV footage — they record every allowed and denied connection. IP Flow Verify is your quick security check. And Azure Virtual Network Manager security admin rules are the corporate policy that overrides local decisions — even if a team opens a port, the admin rule can block it.

Three tools for NSG visibility: VNet Flow Logs capture all traffic flows at the VNet level. IP Flow Verify tests a specific 5-tuple against NSG rules. AVNM Security Admin Rules provide centralised security rules that take precedence over NSG rules across network groups.

VNet Flow Logs

VNet flow logs capture traffic flow information for all traffic in a VNet — which VMs communicated, on which ports, and whether traffic was allowed or denied.

Flow log fields:

FieldDescription
TimestampWhen the flow was recorded
Source IPOriginating IP address
Destination IPTarget IP address
Source portOriginating port
Destination portTarget port
ProtocolTCP, UDP, or other
DirectionInbound or outbound
ActionAllowed or denied
Flow stateBegin, continuing, or end
Bytes/PacketsVolume of traffic (if enabled)
NSG Flow Logs vs VNet Flow Logs
FeatureNSG Flow Logs (Legacy)VNet Flow Logs (Recommended)
ScopePer-NSG — only captures traffic evaluated by that NSGPer-VNet — captures all traffic flowing through the VNet
Traffic coverageMisses traffic not evaluated by an NSGCaptures all traffic regardless of NSG association
ManagementMust enable on each NSG individuallyEnable once per VNet — covers all subnets and NICs
RecommendedNo — legacy option maintained for backward compatibilityYes — simpler to manage with better coverage
Encrypted VNet supportNoYes
Output formatJSON to Storage AccountJSON to Storage Account (same format, richer data)

Setup steps:

  1. Create a Storage Account (flow logs are written here as JSON)
  2. Enable VNet flow logs on the target VNet (or NSG for legacy NSG flow logs)
  3. Optionally enable Traffic Analytics (processes logs for visualisation)
  4. Configure retention (1-365 days)

🏢 Ravi’s scenario — Detecting RDP brute force: Ravi notices failed RDP connections in his flow logs:

Multiple entries showing:
Source: Various external IPs
Destination: 10.10.11.5 (management VM)
Port: 3389
Action: Denied

Hundreds of denied RDP attempts from different IPs — classic brute-force pattern. Ravi confirms his NSG is blocking the attempts and adds the source IP ranges to a deny-all rule for extra safety. He also moves RDP access exclusively to Azure Bastion.

IP Flow Verify — Troubleshooting NSG Issues

IP Flow Verify tells you exactly which NSG rule is allowing or denying a specific packet.

🔒 Aisha’s troubleshooting scenario: A developer reports that their VM (10.20.1.10) can’t reach the API server (10.20.2.20) on port 8080. Aisha runs IP Flow Verify:

  • VM: Developer’s VM NIC
  • Direction: Outbound
  • Protocol: TCP
  • Local port: * (any)
  • Remote IP: 10.20.2.20
  • Remote port: 8080

Result: “Access denied — NSG rule DenyAll at priority 4000 on NIC nsg-dev-vm”

Aisha discovers someone added a blanket deny rule on the NIC-level NSG. She adds an allow rule at priority 300 for port 8080 to the ApiServers ASG, and connectivity is restored.

AVNM Security Admin Rules

Azure Virtual Network Manager (AVNM) security admin rules provide centralised, enforced security that overrides local NSG rules.

Comparison with NSG rules:

FeatureNSG RulesAVNM Security Admin Rules
ScopePer subnet or NICNetwork group (many VNets)
Who managesVNet/resource ownersCentral network admin
Can be overriddenYes (by higher-priority rules)Depends on action type
ActionsAllow, DenyAlways Allow, Allow, Deny
Use caseWorkload-level securityOrganisation-wide policy enforcement

AVNM rule actions:

ActionWhat It Does
Always AllowTraffic is allowed and cannot be overridden by NSG deny rules. Useful for management traffic that must always work (monitoring, patching).
AllowTraffic is allowed by AVNM, then NSG rules are evaluated. NSG can still deny the traffic.
DenyTraffic is denied and cannot be overridden by NSG allow rules. Useful for enforcing bans (e.g., no RDP from internet).

🔒 Aisha’s scenario — Deny RDP from internet: Sentinel Banking’s policy says no VM should ever accept RDP from the internet, regardless of what individual teams configure in their NSGs.

Aisha creates an AVNM security admin rule:

  • Network group: All production VNets
  • Direction: Inbound
  • Source: Internet
  • Destination: Any
  • Port: 3389
  • Action: Deny

Now even if a team accidentally creates an NSG rule allowing RDP from the internet, the AVNM deny rule blocks it. The central admin rule wins.

ℹ️ Rule Evaluation Order

When traffic arrives at a VM, rules are evaluated in this order:

1. AVNM Security Admin Rules (evaluated first)

  • Always Allow → traffic passes, skip NSG for this traffic
  • Deny → traffic blocked, NSG never sees it
  • Allow → traffic continues to NSG evaluation

2. NSG Rules (evaluated second)

  • Subnet NSG → NIC NSG (for inbound)
  • NIC NSG → Subnet NSG (for outbound)
  • Standard priority-based evaluation within each NSG

3. Default implicit rules (if no match)

  • NSG default deny applies

The key insight: AVNM “Deny” and “Always Allow” are absolute — NSGs cannot override them. AVNM “Allow” just passes the traffic to NSGs for further evaluation.

This makes AVNM the right tool for organisation-wide guardrails:

  • Deny RDP from internet (no team can override)
  • Always Allow monitoring traffic (no team can accidentally block it)

Key Takeaways

  • VNet flow logs capture all traffic in a VNet; NSG flow logs are the legacy per-NSG option
  • IP Flow Verify pinpoints exactly which NSG rule allows or denies a packet
  • AVNM security admin rules are evaluated BEFORE NSG rules
  • AVNM “Deny” cannot be overridden by NSGs; “Always Allow” cannot be blocked by NSGs
  • Use AVNM for organisation-wide guardrails; NSGs for workload-level control

Test Your Knowledge

Question

In what order are AVNM and NSG rules evaluated?

Click or press Enter to reveal answer

Answer

AVNM security admin rules first, then NSG rules. AVNM Deny blocks traffic before NSG sees it. AVNM Always Allow passes traffic without NSG evaluation. AVNM Allow passes traffic to NSG for further evaluation.

Click to flip back
Question

What is the difference between VNet flow logs and NSG flow logs?

Click or press Enter to reveal answer

Answer

VNet flow logs capture all traffic in a VNet regardless of NSG rules — simpler to manage, better coverage. NSG flow logs capture traffic per-NSG only. VNet flow logs are the modern, recommended approach.

Click to flip back
Question

What does the AVNM 'Always Allow' action do?

Click or press Enter to reveal answer

Answer

Traffic is allowed and passes through without NSG evaluation. Even if an NSG has a deny rule for this traffic, it's bypassed. Used for critical management traffic (monitoring, patching) that must never be blocked.

Click to flip back
Knowledge Check

Aisha creates an AVNM security admin rule denying RDP from internet. A team member creates an NSG rule allowing RDP from internet at priority 100. What happens to RDP traffic?
Knowledge Check

Ravi sees hundreds of denied connections from external IPs to port 3389 in his VNet flow logs. What is this pattern most likely?

Next up: Azure Firewall: SKUs and Deployment — Centralised, stateful firewall with threat intelligence, IDPS, and TLS inspection.

← Previous

NSGs and Application Security Groups

Next →

Azure Firewall: SKUs and Deployment

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.