πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-104 Domain 4
Domain 4 β€” Module 3 of 5 60%
21 of 27 overall

AZ-104 Study Guide

Domain 1: Manage Azure Identities and Governance

  • Microsoft Entra ID: Your Identity Foundation Free
  • Users, Groups & Licenses Free
  • RBAC: Who Can Do What in Azure Free
  • Subscriptions, Resource Groups & Management Groups Free
  • Azure Policy & Resource Locks Free
  • Tags, Cost Management & Azure Advisor Free

Domain 2: Implement and Manage Storage

  • Storage Accounts & Redundancy
  • Securing Storage: Keys, SAS & Firewalls
  • Blob Containers & Storage Tiers
  • Blob Lifecycle, Versioning & Soft Delete
  • Azure Files: Shares, Snapshots & Recovery

Domain 3: Deploy and Manage Azure Compute Resources

  • ARM Templates & Bicep: Infrastructure as Code
  • Virtual Machines: Create & Configure Free
  • VM Disks, Encryption & Migration
  • Availability Sets, Zones & Scale Sets
  • Containers: ACR, ACI & Container Apps
  • App Service Plans & Scaling
  • App Service: Slots, Certificates & Networking

Domain 4: Implement and Manage Virtual Networking

  • Virtual Networks & Subnets
  • VNet Peering & User-Defined Routes
  • NSGs & Application Security Groups
  • Azure Bastion, Service & Private Endpoints
  • Azure DNS & Load Balancers

Domain 5: Monitor and Maintain Azure Resources

  • Azure Monitor: Metrics & Logs
  • Alerts, Insights & Network Watcher
  • Azure Backup & Vaults
  • Azure Site Recovery & Disaster Recovery

AZ-104 Study Guide

Domain 1: Manage Azure Identities and Governance

  • Microsoft Entra ID: Your Identity Foundation Free
  • Users, Groups & Licenses Free
  • RBAC: Who Can Do What in Azure Free
  • Subscriptions, Resource Groups & Management Groups Free
  • Azure Policy & Resource Locks Free
  • Tags, Cost Management & Azure Advisor Free

Domain 2: Implement and Manage Storage

  • Storage Accounts & Redundancy
  • Securing Storage: Keys, SAS & Firewalls
  • Blob Containers & Storage Tiers
  • Blob Lifecycle, Versioning & Soft Delete
  • Azure Files: Shares, Snapshots & Recovery

Domain 3: Deploy and Manage Azure Compute Resources

  • ARM Templates & Bicep: Infrastructure as Code
  • Virtual Machines: Create & Configure Free
  • VM Disks, Encryption & Migration
  • Availability Sets, Zones & Scale Sets
  • Containers: ACR, ACI & Container Apps
  • App Service Plans & Scaling
  • App Service: Slots, Certificates & Networking

Domain 4: Implement and Manage Virtual Networking

  • Virtual Networks & Subnets
  • VNet Peering & User-Defined Routes
  • NSGs & Application Security Groups
  • Azure Bastion, Service & Private Endpoints
  • Azure DNS & Load Balancers

Domain 5: Monitor and Maintain Azure Resources

  • Azure Monitor: Metrics & Logs
  • Alerts, Insights & Network Watcher
  • Azure Backup & Vaults
  • Azure Site Recovery & Disaster Recovery
Domain 4: Implement and Manage Virtual Networking Premium ⏱ ~12 min read

NSGs & Application Security Groups

Network Security Groups are Azure's built-in stateful firewall. Learn how NSG rules work, how priority determines which rule wins, how Application Security Groups simplify rule management, and how to evaluate effective security rules.

What are Network Security Groups?

β˜• Simple explanation

An NSG is a bouncer with a guest list β€” it checks every packet arriving at your network and decides: let it in, or turn it away.

Think of NSG rules like airport security checkpoints. Each rule says β€œif the traffic matches this source, destination, port, and protocol, then allow or deny it.” Rules have a priority number β€” the bouncer checks from lowest number (highest priority) first and follows the first matching rule.

NSGs are stateful: if you allow an inbound request, the response is automatically allowed out. No need for a separate outbound rule for return traffic.

A Network Security Group (NSG) contains a list of security rules that filter network traffic to and from Azure resources connected to a VNet. NSGs operate at Layer 4 (transport layer) and are stateful β€” return traffic for an allowed flow is automatically permitted.

NSGs can be associated with subnets and/or network interfaces (NICs). When associated with both, inbound traffic is evaluated at the subnet NSG first, then the NIC NSG. Outbound traffic is evaluated at the NIC NSG first, then the subnet NSG. Traffic must be allowed by BOTH NSGs to pass through.

NSG rule anatomy

Each NSG rule has these components:

PropertyDescription
Priority100 to 4096 β€” lower number means higher priority
SourceIP address, CIDR range, service tag, or ASG
Source portPort or range (usually * for any)
DestinationIP address, CIDR range, service tag, or ASG
Destination portPort or range (e.g., 80, 443, 3389)
ProtocolTCP, UDP, ICMP, or Any
ActionAllow or Deny

Rules are evaluated in priority order (lowest number first). The first matching rule wins β€” all subsequent rules are ignored for that packet.

Default rules

Every NSG comes with three inbound and three outbound default rules that you cannot delete (but can override with higher-priority rules):

Default inbound rules:

PriorityNameEffect
65000AllowVNetInBoundAllows all traffic within the VNet
65001AllowAzureLoadBalancerInBoundAllows health probes from Azure Load Balancer
65500DenyAllInBoundDenies all other inbound traffic

Default outbound rules:

PriorityNameEffect
65000AllowVNetOutBoundAllows all outbound traffic within the VNet
65001AllowInternetOutBoundAllows all outbound traffic to the internet
65500DenyAllOutBoundDenies all other outbound traffic
πŸ’‘ Exam tip: Default deny inbound, allow outbound

By default, an NSG denies all inbound traffic from the internet but allows all outbound traffic to the internet. This is the baseline behaviour. You add rules with lower priority numbers to allow specific inbound traffic (e.g., priority 100 to allow HTTPS on port 443).

You can also add Deny rules with lower priorities to override the default Allow rules. For example, a priority 100 Deny rule for outbound internet would override the default AllowInternetOutBound (65001).

Service tags

Instead of listing IP addresses, you can use service tags β€” predefined labels that represent groups of Azure IP addresses:

Service TagRepresents
InternetAll public internet IP addresses
VirtualNetworkThe VNet address space, peered VNets, and on-prem (via VPN)
AzureLoadBalancerAzure’s infrastructure load balancer
StorageAzure Storage IP addresses
SqlAzure SQL Database IP addresses
AzureActiveDirectoryMicrosoft Entra ID IP addresses

Service tags are maintained by Microsoft and update automatically β€” no need to track Azure IP range changes yourself.

Application Security Groups (ASGs)

ASGs let you group VMs logically and use those groups in NSG rules instead of listing individual IP addresses.

ASGs simplify NSG rule management dramatically
ApproachWithout ASGsWith ASGs
Rule source/destinationIndividual IP addresses (10.0.1.4, 10.0.1.5, ...)ASG name (e.g., 'WebServers')
Adding a new VMUpdate every NSG rule with the new IPAdd the VM's NIC to the ASG β€” rules auto-apply
ReadabilityHard to understand which IPs are whichClear intent β€” 'Allow WebServers to reach DbServers'
MaintenanceError-prone as IPs changeZero rule changes needed

How to use ASGs:

  1. Create ASGs: β€œWebServers”, β€œAppServers”, β€œDbServers”
  2. Assign VM NICs to the appropriate ASG
  3. Write NSG rules using ASGs as source or destination
Real-world: Meridian Financial's micro-segmentation

Meridian Financial uses ASGs to enforce strict micro-segmentation across their 200+ VMs:

  • ASG: WebTier β€” 40 front-end VMs
  • ASG: AppTier β€” 60 application VMs
  • ASG: DbTier β€” 20 database VMs

NSG rules:

  • Allow Internet to WebTier on port 443 (HTTPS only)
  • Allow WebTier to AppTier on port 8080 (API calls)
  • Allow AppTier to DbTier on port 1433 (SQL)
  • Deny all other inter-tier traffic

When they add a new app server, Alex just adds the NIC to the AppTier ASG. No NSG rule changes needed.

NSG association: Subnet vs NIC

NSGs can be associated with subnets, NICs, or both:

AssociationWhen Traffic is EvaluatedCommon Use
Subnet NSGAll traffic entering/leaving the subnetBroad rules for an entire tier
NIC NSGTraffic to/from a specific VMVM-specific rules
BothTraffic must pass BOTH NSGsDefence in depth

When both are applied:

  • Inbound: Subnet NSG evaluates first, then NIC NSG. Must be allowed by BOTH.
  • Outbound: NIC NSG evaluates first, then Subnet NSG. Must be allowed by BOTH.

Evaluating effective security rules

With NSGs at both subnet and NIC levels, it can be hard to know what’s actually allowed. Azure provides the Effective security rules view on a NIC, showing the combined result of all NSG rules applied to that interface.

Access it via: VM > Networking > Effective security rules (or via Network Watcher > Effective security rules)

πŸ’‘ Exam tip: Traffic must pass BOTH NSGs

If you have an NSG on the subnet allowing port 443 but the NIC-level NSG denies it, traffic is blocked. Both must allow for traffic to flow. This is the most common configuration mistake β€” check effective security rules to see the combined picture.

Question

Are NSGs stateful or stateless?

Click or press Enter to reveal answer

Answer

Stateful. If you create an inbound Allow rule for port 443, the return traffic (outbound response) is automatically allowed without needing a separate outbound rule. This is different from stateless firewalls (like classic ACLs) where you need rules in both directions.

Click to flip back
Question

What are the three default inbound NSG rules?

Click or press Enter to reveal answer

Answer

AllowVNetInBound (priority 65000) β€” allows traffic within the VNet. AllowAzureLoadBalancerInBound (priority 65001) β€” allows load balancer health probes. DenyAllInBound (priority 65500) β€” blocks everything else. You cannot delete these rules but can override them with higher-priority rules.

Click to flip back
Question

What is an Application Security Group (ASG)?

Click or press Enter to reveal answer

Answer

An ASG is a logical grouping of VM network interfaces. Instead of using IP addresses in NSG rules, you reference ASG names (e.g., 'WebServers', 'DbServers'). When you add a VM to an ASG, all NSG rules referencing that ASG automatically apply. No rule changes needed when VMs are added or removed.

Click to flip back

Knowledge check

Knowledge Check

Alex has two NSG rules on the same NSG. Rule A (priority 100) allows inbound TCP port 443 from the Internet. Rule B (priority 200) denies all inbound traffic from the Internet. What happens when someone tries to access port 443 from the internet?
Knowledge Check

CloudFirst Labs has an NSG on the subnet that allows port 22 (SSH). They also have a separate NSG on the VM's NIC that does NOT have a rule for port 22. Can Alex SSH into the VM?
Knowledge Check

Meridian Financial has 50 web servers that all need the same NSG rules. The web servers frequently scale in and out (IPs change). What is the best approach?

🎬 Video coming soon

← Previous

VNet Peering & User-Defined Routes

Next β†’

Azure Bastion, Service & Private Endpoints

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.