This chapter covers Azure Network Security Perimeter, a critical topic for the AZ-500 exam under Domain: Network Security, Objective 3.1. You will learn how to design and implement network security controls to protect Azure resources, including Azure Firewall, Network Security Groups (NSGs), Application Security Groups (ASGs), and Azure DDoS Protection. Approximately 15-20% of exam questions touch network security, making this one of the most heavily weighted areas. Mastery of these concepts is essential for passing the exam and for real-world Azure security engineering.
Jump to a section
Think of an Azure virtual network (VNet) as a walled medieval city. The city has multiple districts (subnets), each with its own internal roads (routes). The city's main gatehouse — Azure Firewall — is the only controlled entry and exit point for all traffic entering or leaving the city. The gatehouse has a single, heavily fortified door (the public IP address) and a guard captain (the firewall policy) who inspects every packet. The guard captain has a rulebook: for each visitor, he checks the source (where they came from), destination (where they want to go), port (which type of business they have), and protocol (whether they come on horseback or foot). He also maintains a logbook (diagnostic logs) of every visitor. Inside the city, there are also smaller gates between districts (Network Security Groups) that allow or deny traffic between neighborhoods. The city has a map (route table) that tells travelers which roads to take to reach a specific district. If the guard captain sees a visitor trying to reach a restricted area, he denies entry. He also can sniff out malicious intent (threat intelligence) and block known bad actors. The gatehouse is stateless for NAT but stateful for filtering — it remembers ongoing conversations so return traffic is automatically allowed. This centralized control ensures no one enters or leaves the city without inspection, meeting compliance and security requirements.
What is Azure Network Security Perimeter?
Azure Network Security Perimeter refers to the collection of network security controls that protect Azure resources from unauthorized access and attacks. This includes both perimeter-level defenses (at the boundary of a virtual network) and internal segmentation controls. The primary components are Azure Firewall, Network Security Groups (NSGs), Application Security Groups (ASGs), Azure DDoS Protection, and User-Defined Routes (UDRs). The exam focuses on how these components work together to enforce a defense-in-depth strategy.
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
How it works: - Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network. - It is fully integrated with Azure Monitor for logging and analytics. - It supports both application (FQDN-based) and network (IP-based) filtering rules. - It can be deployed in a hub-and-spoke topology or directly in a VNet. - It supports DNAT (Destination Network Address Translation) to translate inbound traffic to private IP addresses. - It integrates with Azure Security Center and Azure Sentinel for threat intelligence.
Key features tested on the exam: - Application rules: Allow or deny outbound traffic based on fully qualified domain names (FQDNs). For example, allow access to *.windowsupdate.com. - Network rules: Allow or deny traffic based on source IP, destination IP, port, and protocol. - DNAT rules: Translate inbound traffic to internal resources. - Threat intelligence-based filtering: Enable alert and deny mode for malicious IPs and domains. - DNS proxy: Forward DNS queries from VMs to a custom DNS server. - TLS inspection (preview): Decrypt and inspect TLS traffic. - Web categories: Filter traffic based on web categories (e.g., social media, gambling).
Default values and limits: - Maximum throughput: 30 Gbps (Azure Firewall Premium can scale up to 100 Gbps). - Maximum number of rules: 10,000 per firewall policy. - Maximum number of public IP addresses: 250. - Maximum number of rule collection groups: 50. - Maximum number of DNAT rules: 500. - Maximum concurrent connections: 2 million.
Network Security Groups (NSGs)
NSGs are a fundamental network security control in Azure. They act as a distributed, stateless firewall at the subnet or NIC level. NSGs contain a list of security rules that allow or deny inbound and outbound traffic. Each rule specifies source, destination, port, and protocol.
How NSGs work: - NSGs are stateful for inbound traffic (return traffic is automatically allowed) but stateless for outbound (return traffic must be explicitly allowed). However, this is a common misconception: NSGs are actually stateful for both directions. For inbound rules, if you allow port 80 from the internet, the return traffic is allowed regardless of outbound rules. For outbound rules, if you allow outbound traffic to the internet, the return traffic is allowed regardless of inbound rules. This behavior is often tested. - NSGs can be associated with a subnet or a virtual network interface (NIC). When associated with a subnet, the rules apply to all VMs in that subnet. When associated with a NIC, the rules apply only to that specific VM. - Each NSG has a set of default rules that cannot be deleted but can be overridden with higher-priority rules. - The priority range is 100-4096. Lower numbers have higher priority.
Default rules: - AllowVNetInBound: Allow inbound traffic from within the virtual network (priority 65000). - AllowAzureLoadBalancerInBound: Allow inbound traffic from Azure Load Balancer (priority 65001). - DenyAllInbound: Deny all other inbound traffic (priority 65500). - AllowVNetOutBound: Allow outbound traffic to within the virtual network (priority 65000). - AllowInternetOutBound: Allow outbound traffic to the internet (priority 65001). - DenyAllOutBound: Deny all other outbound traffic (priority 65500).
Exam-critical details: - NSGs are evaluated based on the effective rules, which are the combination of subnet-level and NIC-level NSGs. When both are applied, the NIC-level rules override subnet-level rules? No — they are additive. The actual effective rule is the union of both, with the most restrictive rule winning? Actually, NSG rules are evaluated in priority order. If a rule at the subnet level denies traffic and a rule at the NIC level allows it, the deny rule (higher priority? No, priority is per NSG, not cross-NSG). The effective rules are the combination of both NSGs. If a subnet NSG denies traffic and a NIC NSG allows it, the traffic is denied because the subnet NSG is evaluated first? No, this is a common trap. The correct behavior: When both subnet and NIC NSGs are applied, the traffic must pass both NSGs. So if the subnet NSG denies, traffic is denied regardless of the NIC NSG. If the subnet NSG allows, then the NIC NSG is evaluated. So effectively, the most restrictive rule applies.
Application Security Groups (ASGs)
ASGs allow you to group virtual machines logically by application workload, rather than by IP address. You can then use ASGs as source or destination in NSG rules. This simplifies rule management, especially when VMs are dynamically scaled.
How ASGs work: - You create an ASG and assign it to a VM's NIC. - In an NSG rule, you can specify the ASG as the source or destination, instead of IP ranges. - When a VM is added to an ASG, the NSG rules automatically apply to that VM. - ASGs are scoped to a single resource group. - A VM can be in up to 20 ASGs. - ASGs cannot be used with Azure Firewall rules.
Azure DDoS Protection
Azure DDoS Protection protects against distributed denial-of-service attacks. There are two tiers: Basic (free, automatically enabled) and Standard (paid, for production workloads).
DDoS Protection Basic: - Automatic, always-on monitoring and mitigation of common network-layer attacks. - No configuration required. - Mitigation triggers when attack traffic exceeds thresholds.
DDoS Protection Standard: - Tailored protection for Azure virtual networks. - Includes mitigation reports, flow logs, and alerting. - Covers volumetric attacks (e.g., UDP floods), protocol attacks (e.g., SYN floods), and resource-layer attacks (e.g., DNS amplification). - Provides cost protection: if your resource is scaled up due to an attack, you get a credit for the additional costs. - Integrates with Azure Monitor and Azure Security Center. - Application to a specific virtual network (not per VM). - Mitigation policies are adaptive based on traffic patterns.
User-Defined Routes (UDRs)
UDRs override Azure's default routing behavior. They are used to force traffic through a firewall or virtual appliance. For example, you can create a route that sends all internet-bound traffic to Azure Firewall for inspection.
How UDRs work: - Routes are stored in route tables, which are associated with subnets. - Each route contains an address prefix (destination) and a next hop type. - Next hop types: VirtualNetworkGateway, VNetLocal, Internet, VirtualAppliance, or None. - Forcing traffic through a firewall: Set next hop type to VirtualAppliance and specify the firewall's private IP. - The route table must be associated with the subnet containing the VMs. - Azure Firewall must have an additional route (0.0.0.0/0 to Internet) to forward traffic after inspection.
Interaction Between Components
In a typical hub-and-spoke topology:
Hub VNet contains Azure Firewall and a route table that sends all traffic through the firewall.
Spoke VNets are peered to the hub. They have route tables that send traffic to the hub firewall.
NSGs are applied at the subnet level in spoke VNets for east-west traffic segmentation.
ASGs are used to simplify NSG rules for application tiers.
DDoS Protection Standard is enabled on the hub VNet's public IP.
Configuration Examples
Azure Firewall deployment (PowerShell):
# Create a public IP
$pip = New-AzPublicIpAddress -Name "fw-pip" -ResourceGroupName "rg" -Location "eastus" -AllocationMethod Static -Sku Standard
# Create firewall subnet (must be named AzureFirewallSubnet)
$subnet = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.1.0/24"
# Create VNet
$vnet = New-AzVirtualNetwork -Name "vnet" -ResourceGroupName "rg" -Location "eastus" -AddressPrefix "10.0.0.0/16" -Subnet $subnet
# Create firewall
$fw = New-AzFirewall -Name "fw" -ResourceGroupName "rg" -Location "eastus" -VirtualNetworkName "vnet" -PublicIpName "fw-pip"NSG rule (CLI):
az network nsg rule create \
--resource-group rg \
--nsg-name myNSG \
--name AllowSSH \
--priority 100 \
--source-address-prefixes 192.168.1.0/24 \
--destination-port-ranges 22 \
--access Allow \
--protocol TcpUDR to force traffic through firewall (PowerShell):
$route = New-AzRouteConfig -Name "DefaultRoute" -AddressPrefix 0.0.0.0/0 -NextHopType VirtualAppliance -NextHopIpAddress 10.0.1.4
$rt = New-AzRouteTable -Name "myRouteTable" -ResourceGroupName "rg" -Location "eastus" -Route $route
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "subnet" -VirtualNetwork $vnet
$subnet.RouteTable = $rt
Set-AzVirtualNetwork -VirtualNetwork $vnetDesign Hub-and-Spoke Topology
First, design a hub-and-spoke network topology. The hub VNet contains shared resources like Azure Firewall and a bastion host. Spoke VNets host application workloads. VNet peering connects spokes to the hub. Ensure no overlapping IP address spaces. The hub VNet must have a subnet named 'AzureFirewallSubnet' with a /26 or larger prefix. This subnet is dedicated to the firewall and cannot have any other resources. The firewall's public IP must be Standard SKU. This design centralizes egress and ingress traffic control.
Deploy and Configure Azure Firewall
Deploy Azure Firewall in the hub VNet. Create a firewall policy that includes application rules (e.g., allow *.azure.com), network rules (e.g., allow DNS to 8.8.8.8:53), and DNAT rules (e.g., map public IP:3389 to internal VM:3389). Enable threat intelligence in alert or deny mode. Configure DNS proxy if needed. For high availability, Azure Firewall is automatically deployed across availability zones if supported. The firewall uses a static public IP; you can have up to 250 public IPs for DNAT. Verify the firewall is 'Succeeded' and has a private IP.
Configure User-Defined Routes
Create a route table in the hub VNet with a default route (0.0.0.0/0) pointing to the firewall's private IP as VirtualAppliance. Associate this route table with the GatewaySubnet (if using VPN/ER) and with each spoke subnet. For spoke VNets, create a route table with a default route to the firewall's private IP. Do NOT associate the route table with the AzureFirewallSubnet itself. Also, add a route for traffic between spokes to go through the firewall (e.g., 10.2.0.0/16 -> VirtualAppliance -> firewall IP). Without this, spoke-to-spoke traffic will bypass the firewall.
Apply Network Security Groups
Apply NSGs to subnets for east-west traffic segmentation. For example, in a spoke VNet, create an NSG for the web tier subnet allowing inbound HTTP/HTTPS from the internet (via firewall) and allowing outbound to app tier. For the app tier subnet, allow inbound only from web tier and outbound to database tier. For the database tier, allow inbound only from app tier on port 1433. Use ASGs to group VMs by role (e.g., web servers, app servers) and reference ASGs in NSG rules. This makes rules dynamic and easier to manage when VMs scale.
Enable Monitoring and DDoS Protection
Enable Azure DDoS Protection Standard on the hub VNet (not on individual public IPs). Configure diagnostic settings for Azure Firewall to send logs to Log Analytics workspace. Enable NSG flow logs for traffic analysis. Set up alerts for firewall rule hits, DDoS attacks, and NSG denied traffic. Use Azure Security Center to get recommendations on network security. For compliance, ensure all internet-bound traffic passes through the firewall (no direct internet access from spoke VMs). Use Azure Policy to enforce NSG and route table configurations.
In a typical enterprise deployment, a multinational company uses Azure to host its customer-facing web application and internal ERP system. The network security perimeter is designed as follows:
Scenario 1: E-commerce platform The company has a three-tier application: web servers, application servers, and database servers, all in a spoke VNet. Azure Firewall in the hub VNet inspects all inbound and outbound traffic. Inbound HTTPS traffic goes through the firewall's DNAT rule to the web tier's internal load balancer. Outbound traffic from the web tier to the internet (e.g., credit card processing) is forced through the firewall with application rules allowing only specific FQDNs. The database tier has an NSG that allows only the app tier on port 1433. ASGs group the web and app servers, so when new instances are added during peak shopping seasons, NSG rules automatically apply. DDoS Protection Standard is enabled on the hub VNet's public IP. This setup handled 50,000 concurrent users with 99.99% uptime. Misconfiguration: Initially, the route table was not applied to the spoke subnet, so outbound traffic bypassed the firewall, leading to a security breach. After adding the route, traffic was properly inspected.
Scenario 2: Healthcare data processing A healthcare provider processes patient data in Azure, requiring HIPAA compliance. They use Azure Firewall Premium for TLS inspection to decrypt and inspect HTTPS traffic to detect malware. The firewall logs are sent to Azure Sentinel for threat hunting. NSGs are used to isolate development, staging, and production environments in separate spoke VNets. UDRs force all traffic between spokes through the firewall. A common mistake is forgetting to add routes for spoke-to-spoke traffic, resulting in traffic bypassing the firewall. The solution requires careful planning of IP address spaces to avoid overlap. Performance: With 10 Gbps throughput, the firewall handles 1 million concurrent connections. When misconfigured with too many rules (over 10,000), rule evaluation slows down, causing latency. Regularly reviewing rule effectiveness is critical.
Scenario 3: Hybrid network with VPN A company connects its on-premises network to Azure via VPN gateway. The hub VNet contains Azure Firewall and the VPN gateway. UDRs in the hub force all on-premises traffic to the firewall for inspection before reaching spoke VNets. NSGs on spoke subnets allow only traffic from the firewall's private IP. A common issue: if the route table on the GatewaySubnet doesn't point to the firewall, traffic from on-premises bypasses it. Also, ensure the firewall's network rules allow the VPN gateway's public IP range for management traffic. This setup provides a secure hybrid perimeter.
The AZ-500 exam tests Azure Network Security Perimeter under Objective 3.1: 'Implement and manage network security.' Specific sub-objectives include: - 3.1.1: Configure network security groups (NSGs) and application security groups (ASGs). - 3.1.2: Configure Azure Firewall. - 3.1.3: Implement Azure DDoS Protection. - 3.1.4: Configure user-defined routes (UDRs). - 3.1.5: Implement virtual network peering and service endpoints.
Common wrong answers: 1. 'NSGs are stateless' — Many candidates think NSGs are stateless like traditional firewalls. Reality: NSGs are stateful for both inbound and outbound traffic. Return traffic is automatically allowed if the original traffic was allowed. This is a frequent trick question. 2. 'ASGs can be used in Azure Firewall rules' — ASGs are only for NSG rules, not Azure Firewall. Candidates confuse the two. 3. 'Azure Firewall must be deployed in a dedicated subnet named GatewaySubnet' — The correct subnet name is 'AzureFirewallSubnet', not GatewaySubnet. GatewaySubnet is for VPN/ER gateways. 4. 'UDRs with next hop VirtualAppliance require the appliance to have a public IP' — The next hop is the private IP of the firewall. No public IP needed. 5. 'DDoS Protection Standard is applied per VM' — It is applied per virtual network, not per VM.
Specific numbers and terms: - NSG priority range: 100-4096. - Default NSG rules: AllowVNetInBound (65000), DenyAllInbound (65500). - Azure Firewall subnet name: AzureFirewallSubnet, minimum size /26. - Azure Firewall maximum rules: 10,000 per policy. - DDoS Protection Standard cost: ~$2,944/month per VNet (as of 2023).
Edge cases: - When both subnet and NIC NSGs are applied, the traffic must pass both. The most restrictive rule wins (deny overrides allow). - Azure Firewall can be deployed in a VNet that already has resources, but the firewall subnet must be empty. - Service endpoints (e.g., for Storage) bypass the firewall if not explicitly routed through UDRs. To force traffic through firewall, use service endpoint policies or disable service endpoints and use private endpoints.
Eliminating wrong answers: - If the question mentions 'stateful' and 'NSG', remember NSGs are stateful. - If the question mentions 'application rule' and 'FQDN', think Azure Firewall, not NSG. - If the question mentions 'DDoS' and 'cost protection', it's DDoS Protection Standard. - If the question mentions 'route table' and 'next hop', check if the next hop type is VirtualAppliance for firewall.
NSGs are stateful for both inbound and outbound traffic; return traffic is automatically allowed.
Azure Firewall requires a dedicated subnet named 'AzureFirewallSubnet' with a minimum /26 prefix.
UDRs with next hop type VirtualAppliance force traffic through the firewall; use private IP of firewall.
ASGs can only be used in NSG rules, not in Azure Firewall rules.
DDoS Protection Standard is applied per virtual network, not per VM or public IP.
When both subnet and NIC NSGs are applied, traffic must pass both; the most restrictive rule wins.
Azure Firewall supports application rules (FQDN) and network rules (IP), and DNAT for inbound traffic.
Service endpoints bypass Azure Firewall unless UDRs force traffic through it.
Azure Firewall Premium includes TLS inspection and IDPS capabilities.
Default NSG rules cannot be deleted but can be overridden with higher-priority custom rules (priority 100-4096).
These come up on the exam all the time. Here's how to tell them apart.
Network Security Group (NSG)
Distributed, stateless (actually stateful) firewall at subnet/NIC level
No cost (free, but subject to Azure resource limits)
Supports IP-based rules only (source/destination IP, port, protocol)
Can be associated with subnets or individual NICs
Limited to 5,000 rules per NSG (default 1,000)
Azure Firewall
Centralized, stateful firewall as a service
Paid service (based on deployment hours and data processing)
Supports IP-based, FQDN-based (application rules), and DNAT rules
Deployed in a dedicated subnet (AzureFirewallSubnet) in a VNet
Up to 10,000 rules per firewall policy
Mistake
Network Security Groups (NSGs) are stateless firewalls.
Correct
NSGs are actually stateful. When you allow inbound traffic, the return outbound traffic is automatically allowed, regardless of outbound rules. Similarly, allowing outbound traffic automatically allows the return inbound traffic. This is a common exam trap.
Mistake
Application Security Groups (ASGs) can be used in Azure Firewall rules.
Correct
ASGs are only supported in NSG rules, not in Azure Firewall rules. Azure Firewall uses IP addresses, FQDNs, or service tags. ASGs are a logical grouping for VMs within a VNet.
Mistake
Azure Firewall must be deployed in a subnet named GatewaySubnet.
Correct
Azure Firewall requires a dedicated subnet named 'AzureFirewallSubnet' (case-sensitive). GatewaySubnet is for VPN and ExpressRoute gateways. Using the wrong subnet name will cause deployment failure.
Mistake
User-Defined Routes (UDRs) with next hop type VirtualAppliance require the appliance to have a public IP.
Correct
The next hop IP address must be the private IP of the virtual appliance (e.g., Azure Firewall). The appliance does not need a public IP for routing; public IPs are used for internet-facing traffic.
Mistake
Azure DDoS Protection Standard is automatically enabled for all Azure resources.
Correct
Only DDoS Protection Basic is automatically enabled for all Azure resources. DDoS Protection Standard must be explicitly enabled on a per-virtual-network basis and has an additional cost.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Firewall is a centralized, stateful firewall as a service that provides application and network filtering across VNets. It supports FQDN-based rules, DNAT, and integrates with threat intelligence. NSGs are distributed, stateful firewalls at the subnet or NIC level, limited to IP-based rules. Azure Firewall is paid; NSGs are free. Use NSGs for east-west segmentation and Azure Firewall for perimeter control.
No. Application Security Groups are only supported in NSG rules. Azure Firewall uses IP addresses, FQDNs, or service tags in its rules. If you need to group VMs logically, use ASGs with NSGs for internal traffic and IP-based rules in Azure Firewall for perimeter traffic.
Create a route table with a default route (0.0.0.0/0) and next hop type VirtualAppliance, specifying the private IP of Azure Firewall. Associate the route table with all subnets that should route through the firewall (except AzureFirewallSubnet). Also, ensure Azure Firewall has a default route to the internet (0.0.0.0/0 -> Internet) to forward traffic after inspection.
Default NSG rules have priorities 65000, 65001, and 65500. They cannot be deleted or modified, but you can override them by creating custom rules with lower priority numbers (100-4096). For example, a custom rule with priority 100 will be evaluated before the default rules.
DDoS Protection Standard is enabled on a virtual network, not on individual resources. It protects all public IP addresses associated with resources in that VNet, including VMs, load balancers, and application gateways. It does not protect private IPs or on-premises resources.
Use the 'Effective security rules' feature in the Azure portal for a VM's NIC to see which NSG rules apply. Check NSG flow logs (if enabled) to see denied traffic. Also, use Azure Network Watcher's IP flow verify to test if traffic is allowed or denied. Common issues: rule priority misconfiguration, missing allow rules, or incorrect source/destination.
Yes, Azure Firewall Premium supports TLS inspection (preview). It can decrypt outbound TLS traffic, inspect it for threats, and re-encrypt it. This requires a certificate authority and is configured in the firewall policy. Standard Azure Firewall does not support TLS inspection.
You've just covered Azure Network Security Perimeter — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?