Azure Infrastructure Security: VNets, NSGs, Bastion & Key Vault
How Azure isolates networks, filters traffic, provides secure remote access, and protects secrets — the building blocks of a secure cloud environment.
Why infrastructure security matters
Imagine your Azure environment is an office building.
Virtual networks (VNets) are the floors of the building — each floor is isolated from the others. The accounting floor cannot see the engineering floor’s rooms unless you build a connecting staircase.
NSGs are the door locks on each room. You set rules: “Only people from HR can enter Room 301. Everyone else, turn around.”
Azure Bastion is a secure visitor entrance. Instead of giving maintenance workers a master key (a public IP), they walk through a monitored, locked corridor that connects directly to the room they need — and nothing else.
Key Vault is the office safe. Passwords, encryption keys, and certificates are stored inside. Only authorised people (and apps) can open it, and every access is logged.
Azure Virtual Networks (VNets)
An Azure Virtual Network (VNet) is a logically isolated network in Azure. Resources inside a VNet can communicate with each other, but resources in different VNets cannot — unless you explicitly connect them.
Key VNet concepts
| Concept | What it means |
|---|---|
| Address space | The range of private IP addresses available in the VNet (for example, 10.0.0.0/16) |
| Subnets | Divisions within a VNet that group related resources (for example, a “web” subnet and a “database” subnet) |
| Network segmentation | Separating workloads into different subnets or VNets so a compromise in one area does not spread to others |
| VNet peering | Connecting two VNets so resources can communicate across them (traffic stays on Microsoft’s backbone network) |
Why segmentation matters
Without segmentation, all resources in a flat network can communicate with everything else. If an attacker compromises one server, they can move laterally to every other server.
With segmentation: Alex places SecureBank’s web servers in one subnet, application servers in a second, and databases in a third. NSG rules ensure the web servers can only talk to the application tier, and only the application tier can reach the databases. If the web server is compromised, the attacker cannot jump directly to the database.
Network Security Groups (NSGs)
An NSG contains a list of security rules that allow or deny network traffic to resources connected to Azure VNets. You can attach an NSG to a subnet or to an individual network interface (NIC).
How NSG rules work
Each rule has these properties:
| Property | Description |
|---|---|
| Priority | A number from 100 to 4096. Lower numbers are processed first. |
| Source/Destination | IP address, range, service tag, or application security group |
| Port | Specific port or range (for example, 443 for HTTPS) |
| Protocol | TCP, UDP, ICMP, or Any |
| Action | Allow or Deny |
| Direction | Inbound or Outbound |
Default NSG rules
Every NSG includes three default inbound and three default outbound rules that you cannot delete:
Default inbound rules:
- Allow traffic from within the same VNet (VNet-to-VNet)
- Allow traffic from Azure Load Balancer
- Deny all other inbound traffic (catch-all deny)
Default outbound rules:
- Allow traffic to the same VNet
- Allow outbound internet traffic
- Deny all other outbound traffic
Exam tip: NSG rule processing
Rules are evaluated in priority order (lowest number first). Once a matching rule is found, processing stops.
This means a “Deny” rule at priority 100 will override an “Allow” rule at priority 200 for the same traffic. The exam often tests this concept with a scenario where someone creates an Allow rule but traffic is still blocked by a higher-priority Deny rule.
Comparing network security layers
| Feature | NSGs | Azure Firewall | WAF |
|---|---|---|---|
| Operates at | Subnet or NIC level | Virtual network level (centralised hub) | Application level (HTTP/HTTPS) |
| Filtering basis | IP, port, protocol | IP, port, protocol, FQDN, threat intelligence | HTTP request patterns (OWASP rules) |
| Cost | Free | Paid | Paid (via Application Gateway or Front Door) |
| Best for | Basic per-resource traffic control | Centralised enterprise network policy | Protecting web applications from exploits |
| Analogy | Room door locks | Building security desk | Bulletproof teller window |
Azure Bastion
Azure Bastion provides secure, browser-based RDP and SSH connectivity to your virtual machines — directly from the Azure portal, over TLS, without exposing any public IP addresses.
Why Bastion exists
Traditional remote access to VMs requires a public IP address on the VM. That public IP becomes an attack surface — scanners constantly probe public RDP (port 3389) and SSH (port 22) endpoints.
Azure Bastion eliminates this risk entirely:
| Without Bastion | With Bastion |
|---|---|
| VM needs a public IP address | No public IP needed on the VM |
| RDP/SSH ports exposed to the internet | Ports are only open to the Bastion service |
| Need VPN or jump box for secure access | Browser-based access from Azure portal over TLS |
| Vulnerable to port-scanning attacks | Attack surface removed completely |
How Bastion works
- Alex opens the Azure portal and selects a VM
- Clicks “Connect via Bastion”
- The Azure portal opens a browser-based RDP/SSH session
- Traffic flows: Alex’s browser —TLS—> Azure Bastion —private network—> the VM
- The VM never has a public IP. The connection is fully managed by Azure.
Exam tip: Bastion keywords
When the exam describes a scenario with “secure remote access without public IPs” or “browser-based RDP/SSH from the Azure portal” — the answer is Azure Bastion.
Remember: Bastion is a fully managed PaaS — Alex does not need to patch, update, or manage it. Azure handles the infrastructure. Bastion is available in four SKUs: Developer (free, for testing), Basic, Standard, and Premium — each adding features like scaling, native client support, and session recording.
Azure Key Vault
Azure Key Vault is a cloud service for securely storing and managing three types of sensitive objects:
| Object type | What it stores | Example |
|---|---|---|
| Secrets | Passwords, connection strings, API keys | Database password, third-party API token |
| Keys | Encryption keys (for encrypting/decrypting data) | Keys used by Azure Storage or Azure SQL encryption |
| Certificates | TLS/SSL certificates | HTTPS certificate for SecureBank’s web application |
Why not just store secrets in code or config files?
- Hardcoded secrets get committed to source control — anyone with repository access can see them
- Secrets in config files can be leaked through error messages, logs, or backups
- Rotation becomes a nightmare — you must find and update every copy manually
Key Vault solves all of this: secrets are stored centrally, accessed via API, protected by access policies, and every access is logged in an audit trail.
For higher security requirements, Azure Key Vault also supports Managed HSM — hardware security modules that meet FIPS 140-2 Level 3 validation for organisations with strict regulatory requirements.
Key Vault and managed identities
Managed identities let Azure resources (like a web app or VM) authenticate to Key Vault without storing any credentials in code. Azure manages the identity automatically.
Flow: Web app needs a database password —> Web app uses its managed identity to request the secret from Key Vault —> Key Vault verifies the identity and returns the secret —> No password is ever stored in code.
Scenario: Alex secures SecureBank's application secrets
SecureBank’s development team has been storing database connection strings in application config files. After a security review, Alex moves all secrets to Azure Key Vault.
- All connection strings, API keys, and certificates are moved to Key Vault
- Each application gets a managed identity
- Key Vault access policies grant each app access only to the secrets it needs (least privilege)
- The old config files are cleaned of all secrets
- Key Vault audit logs show exactly which app accessed which secret, and when
Director Reyes reviews the audit log: “I can see that only the banking app accessed the database credentials, and it happened at expected times. This is exactly the visibility we needed.”
🎬 Video walkthrough
🎬 Video coming soon
Azure Infrastructure Security — VNets, NSGs, Bastion & Key Vault (SC-900)
Azure Infrastructure Security — VNets, NSGs, Bastion & Key Vault (SC-900)
~10 minFlashcards
Knowledge check
SecureBank's web application currently stores its database password in a configuration file. Alex wants to move to a more secure approach where the password is stored centrally, access is audited, and the application does not hold any credentials in its code. What combination should Alex implement?
Alex needs to allow SecureBank's IT team to manage virtual machines remotely. The VMs are in a private subnet with no public IP addresses. The solution must not require a VPN or expose any ports to the internet. What should Alex use?
SecureBank has a VNet with three subnets: Web, Application, and Database. Alex wants to ensure that only the Application subnet can communicate with the Database subnet. Web servers should reach the Application subnet but never the Database directly. What should Alex configure?