This chapter covers Azure Virtual Network security, a core domain in the AZ-500 exam, representing approximately 15-20% of questions. You will learn how to design and implement network security controls including Network Security Groups (NSGs), Azure Firewall, DDoS Protection, Service Endpoints, and Private Link. Understanding these components is critical for protecting Azure resources from unauthorized access and network-based attacks, and for passing the exam.
Jump to a section
Think of an Azure Virtual Network as a high-security corporate building. Network Security Groups (NSGs) are the security guards at each door, checking IDs (source/destination IP, port, protocol) and denying entry unless the visitor is on an explicit allow list. Azure Firewall is the central security checkpoint at the main entrance, performing deep packet inspection, URL filtering, and logging all traffic. Azure DDoS Protection is the external perimeter defense—like reinforced walls and anti-ramming barriers—that absorbs and deflects large-scale attacks before they reach the building. Service Endpoints are private tunnels from specific rooms (subnets) to external services (like Azure Storage), bypassing the public internet. Private Link is a dedicated, private elevator from a specific room directly to a service inside another building, ensuring no traffic ever touches the public internet. Just as a building's security has multiple layers—guards, checkpoint, walls, tunnels—Azure VNet security layers NSGs, Firewall, DDoS Protection, Service Endpoints, and Private Link to protect resources.
What is Virtual Network Security?
Azure Virtual Network (VNet) security encompasses the controls and services that protect network traffic within and between VNets, and between VNets and the internet or on-premises networks. The primary goal is to enforce the principle of least privilege: only necessary traffic is allowed, and all other traffic is denied by default. The AZ-500 exam focuses on five key technologies: Network Security Groups (NSGs), Azure Firewall, Azure DDoS Protection, Service Endpoints, and Private Link.
Network Security Groups (NSGs)
An NSG is a stateful, distributed firewall that filters traffic to and from Azure resources within a VNet. It operates at OSI layers 3 (network) and 4 (transport). NSGs contain a list of security rules that are evaluated in priority order (lowest number first). Each rule specifies: - Source and destination: IP addresses, service tags, or application security groups - Port and protocol: TCP, UDP, or Any (including ICMP) - Direction: Inbound or outbound - Action: Allow or Deny - Priority: 100-4096 (lower number = higher priority)
NSGs are stateful: if you allow inbound traffic on port 443, the outbound response traffic is automatically allowed regardless of outbound rules. Similarly, if you allow outbound traffic, the inbound response is allowed. This statefulness applies only to flows initiated by an allowed rule; it does not allow unsolicited inbound traffic.
Default rules: Every NSG has three default inbound rules and three default outbound rules. Inbound: 1. AllowVNetInBound (priority 65000): Allows all traffic within the VNet. 2. AllowAzureLoadBalancerInBound (priority 65001): Allows traffic from Azure Load Balancer health probes. 3. DenyAllInBound (priority 65500): Denies all other inbound traffic. Outbound: 1. AllowVNetOutBound (priority 65000): Allows all outbound traffic within the VNet. 2. AllowInternetOutBound (priority 65001): Allows all outbound traffic to the internet. 3. DenyAllOutBound (priority 65500): Denies all other outbound traffic.
Service tags: Azure provides predefined service tags (e.g., Internet, VirtualNetwork, AzureLoadBalancer, Sql, Storage) that represent groups of IP addresses for Azure services. Using service tags simplifies rule creation and automatically updates as IP ranges change.
Application Security Groups (ASGs): ASGs allow you to group VMs logically (e.g., by application tier) and reference the group in NSG rules. For example, you can create a rule that allows traffic from the "Web" ASG to the "App" ASG on port 8080. This decouples network security from IP addresses.
NSG flow logs: To monitor traffic, you can enable NSG flow logs (via Network Watcher) which capture information about allowed and denied traffic. Flow logs are sent to a storage account or Log Analytics workspace for analysis.
Azure Firewall
Azure Firewall is a managed, cloud-native network security service that provides stateful filtering, threat intelligence, and high availability. It is deployed in a dedicated subnet called AzureFirewallSubnet (minimum /26). Unlike NSGs, Azure Firewall operates at layers 3-7, enabling application-level filtering.
Key features:
- Application rules: Allow or deny outbound HTTP/HTTPS traffic based on FQDNs (fully qualified domain names). For example, you can allow access to *.microsoft.com but block *.example.com.
- Network rules: Filter traffic based on source/destination IP, port, and protocol (similar to NSGs but with additional capabilities).
- DNAT rules: Inbound destination network address translation to expose internal resources (e.g., map public IP:port to private IP:port).
- Threat intelligence: Based on Microsoft threat intelligence feeds, it can alert and deny traffic from/to known malicious IPs and domains.
- TLS inspection: Optionally decrypt and inspect outbound TLS traffic (requires a certificate).
- Logging and analytics: Integrated with Azure Monitor and Log Analytics.
Firewall policy: A global resource that contains rule collections (application, network, DNAT, and threat intelligence) and can be associated with multiple firewalls. This enables centralized management.
Availability: Azure Firewall is zone-redundant and supports availability zones. It scales automatically based on traffic load.
Forced tunneling: You can configure the firewall to send all outbound traffic to an on-premises network via a VPN or ExpressRoute for inspection.
Azure DDoS Protection
Azure DDoS Protection (Standard tier) defends Azure resources against distributed denial-of-service attacks. It is always-on and uses adaptive tuning to learn normal traffic patterns.
Tiers: - Basic: Automatically enabled on all Azure resources, provides protection against common network-layer attacks. - Standard: Provides enhanced protection for VNet resources. Includes attack analytics, alerts, and mitigation reports. Costs approximately $2,944/month per 100 resources (as of 2025).
How it works: DDoS Protection monitors traffic and triggers mitigation when it detects a deviation from baseline. It uses a combination of scrubbing, rate limiting, and protocol validation. Protection is applied at the VNet level, not per resource.
Metrics: You can monitor DDoS attacks via Azure Monitor metrics such as "Inbound packets dropped" and "TCP SYN packets."
Service Endpoints
Service Endpoints extend your VNet identity to Azure services (e.g., Azure Storage, Azure SQL Database) over the Azure backbone network. When enabled, traffic from a VNet to the service goes directly over the Microsoft network, not the public internet. The service sees the traffic as coming from the VNet's private IP addresses, not the public IP of the VM.
How to configure: Enable a service endpoint on a subnet for a specific service (e.g., Microsoft.Storage). Then configure the service's firewall to allow access only from that subnet's IP range. This restricts access to the service from only your VNet.
Limitations: Service Endpoints only work for PaaS services that support them. They do not provide private IP connectivity (the service still has a public endpoint). For private IP connectivity, use Private Link.
Private Link
Private Link provides private connectivity to Azure PaaS services (e.g., Azure Storage, Azure SQL Database) or your own services behind Azure Load Balancer. It uses a private endpoint—a network interface with a private IP from your VNet—that connects to the service over the Microsoft backbone. Traffic never traverses the public internet.
Private Endpoint: A resource that creates a NIC in your VNet with a private IP. It is associated with a private link service (the target service). For example, you can create a private endpoint for an Azure SQL Server; then the SQL Server becomes accessible via private IP only (if public access is disabled).
Private Link Service: You can create your own private link service behind a Standard Load Balancer, allowing consumers to connect privately from their VNets.
DNS configuration: Private endpoints require DNS resolution to the private IP. Azure automatically creates a private DNS zone (e.g., privatelink.database.windows.net) that maps the service's FQDN to the private IP.
Interaction Between Technologies
In a typical secure architecture, you combine these technologies:
Use NSGs for basic subnet-level filtering.
Use Azure Firewall for centralized, advanced filtering and logging.
Use DDoS Protection Standard to protect against volumetric attacks.
Use Service Endpoints or Private Link for secure access to PaaS services.
For example, a web application might have:
VNet with subnets: Frontend, Backend, Data.
NSGs on each subnet: Frontend allows inbound HTTP/HTTPS from internet, Backend allows only from Frontend on port 8080, Data allows only from Backend on port 1433.
Azure Firewall in a hub VNet with forced tunneling for outbound traffic inspection.
DDoS Protection Standard on the hub VNet.
Private endpoints for Azure SQL Database in the Data subnet.
Configuration Examples
Creating an NSG rule with Azure CLI:
az network nsg rule create \
--resource-group myRG \
--nsg-name myNSG \
--name AllowHTTP \
--priority 100 \
--direction Inbound \
--source-address-prefixes Internet \
--source-port-ranges '*' \
--destination-address-prefixes '*' \
--destination-port-ranges 80 \
--protocol Tcp \
--access AllowDeploying Azure Firewall with policy (Azure CLI):
# Create firewall policy
az network firewall policy create \
--name myPolicy \
--resource-group myRG
# Add a network rule collection
az network firewall policy rule-collection-group collection add-filter-collection \
--policy-name myPolicy \
--resource-group myRG \
--name myNetworkRules \
--priority 100 \
--collection-type Network \
--action Allow \
--rule-name AllowSSH \
--rule-type NetworkRule \
--source-addresses 10.0.0.0/24 \
--destination-addresses 10.1.0.4 \
--destination-ports 22 \
--protocols TCPEnabling DDoS Protection Standard on a VNet:
az network ddos-protection create \
--resource-group myRG \
--name myDdosProtection \
--vnets myVNet \
--location eastusCreating a private endpoint for Azure SQL Database:
az network private-endpoint create \
--resource-group myRG \
--name myPrivateEndpoint \
--vnet-name myVNet \
--subnet mySubnet \
--private-connection-resource-id $(az sql server show -g myRG -n mySqlServer --query id -o tsv) \
--group-id sqlServer \
--connection-name myConnectionPlan VNet and Subnet Architecture
Design the VNet address space and subnets based on resource segmentation (e.g., frontend, backend, data). Ensure subnets have enough IP addresses for current and future resources. Identify which subnets require NSGs, which will use Azure Firewall, and where Private Link or Service Endpoints are needed. For example, a typical three-tier app uses three subnets: Frontend (10.0.1.0/24), Backend (10.0.2.0/24), Data (10.0.3.0/24). The AzureFirewallSubnet must be a dedicated /26 subnet.
Configure Network Security Groups (NSGs)
Deploy Azure Firewall
Create a resource group for the firewall. Deploy Azure Firewall in a hub VNet with AzureFirewallSubnet. Create a firewall policy with network, application, and DNAT rules. For example, allow outbound HTTPS to *.microsoft.com, block all other outbound except to specific IPs. Configure forced tunneling via a route table to send internet-bound traffic to the firewall. Test connectivity by launching a VM in the spoke VNet and verifying traffic flows through the firewall.
Enable DDoS Protection Standard
Create a DDoS protection plan and associate it with the VNet(s) that contain public-facing resources. This plan covers all resources in the VNet. Monitor DDoS metrics in Azure Monitor. Configure alerts for attack detection (e.g., when inbound packets dropped exceed threshold). Note that DDoS Protection does not replace NSGs or Firewall; it operates at the network perimeter to absorb volumetric attacks.
Implement Private Link or Service Endpoints
For PaaS services that need private access, choose between Service Endpoints (simpler, but service still has public endpoint) and Private Link (true private IP connectivity). For Azure SQL Database, create a private endpoint in the Data subnet. Disable public access on the SQL server. Configure DNS private zones so that the SQL server FQDN resolves to the private IP. Test connectivity from a backend VM using the FQDN; it should resolve to the private IP.
Enterprise Scenario 1: E-commerce Platform Migration to Azure
A large retailer migrating its e-commerce platform to Azure needed to protect against DDoS attacks and secure access to databases. They deployed a hub-and-spoke VNet topology with Azure Firewall in the hub for centralized inspection. NSGs on each spoke subnet enforced micro-segmentation: web servers only allowed inbound HTTP/HTTPS, app servers only allowed traffic from web servers on port 8080, and database servers only allowed traffic from app servers on port 1433. DDoS Protection Standard was enabled on the hub VNet. Private endpoints were used for Azure SQL Database and Azure Storage (for backups). During a Black Friday sale, they experienced a SYN flood attack; DDoS Protection mitigated it without impacting legitimate traffic. The NSGs prevented lateral movement when a web server was compromised; the attacker could not reach the database directly. Performance was monitored via NSG flow logs and Azure Firewall logs; they found that forced tunneling through the firewall introduced 2ms latency, which was acceptable. Misconfiguration risk: initially, the NSG for the app subnet mistakenly allowed all inbound traffic from the internet (priority 100) due to a copy-paste error, exposing the app servers. This was caught during a security review and fixed.
Enterprise Scenario 2: Healthcare Application with Compliance Requirements
A healthcare provider required HIPAA compliance for a patient portal. They used Service Endpoints for Azure SQL Database and Azure Cosmos DB to ensure traffic stayed on the Microsoft backbone. However, they later switched to Private Link to meet strict compliance requirements that mandated data never touch the public internet. They created private endpoints for each service and disabled public access. They also configured Azure Firewall to log all outbound traffic and used Log Analytics to audit for data exfiltration. The firewall's threat intelligence blocked outbound connections to known malicious IPs. One challenge was DNS resolution: they had to configure custom DNS servers to resolve the private endpoint FQDNs. They also used NSG flow logs to investigate an anomaly where a VM was sending large amounts of data to an unknown IP; the logs showed the traffic was denied by an NSG rule, preventing a potential breach. Scale: they managed 50 VNets across multiple regions, using Azure Firewall policies for consistent rule enforcement.
Common Pitfalls
Overly permissive NSG rules: Allowing all traffic within a VNet (default AllowVNetInBound) is often too permissive. Many enterprises create custom deny rules for intra-subnet traffic.
Forgetting to disable public access on PaaS services: When using Private Link, you must disable public access on the service side; otherwise, the service remains accessible from the internet.
Not planning for AzureFirewallSubnet size: The subnet must be /26 or larger; if too small, the firewall fails to deploy.
Ignoring DNS private zones: Without proper DNS configuration, private endpoints will not resolve correctly, leading to connectivity failures.
What AZ-500 Tests on Virtual Network Security
AZ-500 objective 3.1 focuses on implementing network security controls. The exam expects you to:
Configure NSG rules with appropriate priorities, source/destination, and service tags.
Understand the difference between NSGs and Azure Firewall.
Deploy Azure Firewall and configure network/application/DNAT rules.
Enable DDoS Protection Standard and interpret attack metrics.
Implement Service Endpoints and Private Link.
Troubleshoot connectivity issues.
Common Wrong Answers and Why Candidates Choose Them
"NSGs are stateful, so you must create inbound and outbound rules for each flow." Wrong: NSGs are stateful; outbound response traffic is automatically allowed. Candidates often think they need symmetric rules.
"Azure Firewall replaces NSGs; you don't need both." Wrong: They are complementary. NSGs provide distributed filtering; Firewall provides centralized inspection. The exam tests that you use both in a defense-in-depth strategy.
"Service Endpoints provide private IP connectivity." Wrong: Service Endpoints only ensure traffic stays on the Azure backbone; the service still has a public endpoint. Private Link provides private IP connectivity.
"DDoS Protection Standard is enabled by default." Wrong: Basic is free and enabled by default; Standard requires explicit enablement and costs extra.
Specific Numbers and Terms to Memorize
NSG priority range: 100-4096. Default rules: 65000, 65001, 65500.
AzureFirewallSubnet minimum size: /26.
DDoS Protection Standard cost: ~$2,944/month per 100 resources (as of 2025).
Service Endpoint service names: Microsoft.Storage, Microsoft.Sql, etc.
Private Link uses private endpoints; the service must be behind a Standard Load Balancer.
Edge Cases and Exceptions
NSG effective rules: When troubleshooting, use the "effective rules" view to see which rules apply to a NIC (combining subnet NSG and NIC NSG). The exam may ask about rule evaluation order.
Azure Firewall SNAT: By default, Azure Firewall SNATs outbound traffic to its public IP. This can be disabled for specific destination IPs.
Private Link and DNS: If you don't configure private DNS zones, the service FQDN resolves to the public IP, breaking private connectivity.
DDoS Protection and NSGs: DDoS Protection does not inspect packets; it only drops malicious traffic at the perimeter. NSGs still filter allowed traffic.
How to Eliminate Wrong Answers
If a question asks about "private connectivity to PaaS" and options include Service Endpoints and Private Link, rule out Service Endpoints because they don't provide private IP.
If a question involves "centralized network policy," Azure Firewall is the answer, not NSGs.
If a question mentions "cost-effective DDoS protection," Basic is free but Standard provides advanced features. The exam often asks for the "recommended" solution.
For "stateful filtering," remember that NSGs are stateful, Azure Firewall is also stateful, but the exam may compare to legacy solutions.
NSGs are stateful and have default rules: AllowVNetInBound (65000), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500).
Azure Firewall requires a dedicated subnet named AzureFirewallSubnet with minimum /26 size.
DDoS Protection Standard is not free; Basic is free and always-on. Standard costs ~$2,944/month per 100 resources.
Service Endpoints do not provide private IP; they keep traffic on Azure backbone. Private Link provides a private IP.
Private Link requires a private DNS zone (e.g., privatelink.database.windows.net) for FQDN resolution to the private IP.
NSG flow logs can be enabled via Network Watcher to capture allowed/denied traffic for analysis.
Azure Firewall supports DNAT for inbound port forwarding, application rules for FQDN filtering, and threat intelligence integration.
For forced tunneling, configure a route table on the gateway subnet to send all internet-bound traffic to Azure Firewall.
These come up on the exam all the time. Here's how to tell them apart.
Network Security Group (NSG)
Distributed, stateful firewall at subnet or NIC level.
Operates at layers 3-4 (network and transport).
No cost for rules; only cost for flow logs.
Cannot filter based on FQDNs or perform TLS inspection.
Default rules allow all VNet traffic and internet outbound.
Azure Firewall
Centralized, stateful firewall as a managed service.
Operates at layers 3-7 (including application layer).
Cost based on deployment hours and data processing.
Can filter outbound HTTP/HTTPS by FQDN and perform TLS inspection.
Default deny all; you must explicitly allow traffic.
Service Endpoints
Traffic from VNet to PaaS service stays on Azure backbone.
Service still has a public endpoint; accessible from internet.
No extra cost; just enable on subnet and service firewall.
Works only for supported Azure PaaS services.
Uses public IP of the service; no private IP assigned.
Private Link
Provides a private IP in your VNet for the service.
Service can be made completely private (disable public access).
Cost for private endpoint and data processed.
Works for Azure PaaS and your own services via Private Link Service.
Uses private IP; requires DNS private zone for FQDN resolution.
Mistake
NSGs allow all traffic within the same subnet by default.
Correct
NSGs do not affect traffic within the same subnet unless the NSG is associated at the subnet level and the rule explicitly denies or allows intra-subnet traffic. The default AllowVNetInBound rule allows all traffic within the VNet, including same-subnet traffic. To restrict intra-subnet traffic, you must add a deny rule with a lower priority than the default allow (e.g., priority 100).
Mistake
Azure Firewall can replace NSGs entirely.
Correct
Azure Firewall and NSGs serve different purposes. NSGs provide distributed, subnet/NIC-level filtering with low latency. Azure Firewall provides centralized, application-level inspection and logging. For defense-in-depth, you use both: NSGs for micro-segmentation and Firewall for perimeter control.
Mistake
Service Endpoints make the service accessible only via private IP.
Correct
Service Endpoints do not assign a private IP to the service. The service still has a public endpoint; the traffic from the VNet to the service goes over the Azure backbone, but the service's public endpoint is still reachable from the internet. To make the service accessible only via private IP, you must use Private Link and disable public access.
Mistake
DDoS Protection Standard automatically blocks all DDoS attacks.
Correct
DDoS Protection Standard mitigates volumetric attacks (e.g., SYN floods, UDP floods) but does not block application-layer attacks (e.g., HTTP floods). For application-layer protection, you need Azure Web Application Firewall (WAF) or other application-level controls.
Mistake
Private Link requires a VPN or ExpressRoute to work.
Correct
Private Link works over the Azure backbone network within the same region. It does not require VPN or ExpressRoute. However, for cross-premises connectivity, you can use VPN/ExpressRoute to access the private endpoint from on-premises.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, and it is recommended for defense-in-depth. NSGs provide distributed filtering at the subnet or NIC level, while Azure Firewall provides centralized, application-layer inspection and logging. Typically, you place NSGs on each subnet to enforce micro-segmentation, and route all internet-bound traffic through the firewall. For example, a web subnet might have an NSG allowing inbound HTTP/HTTPS from the internet, and outbound traffic to the firewall. The firewall then inspects and logs outbound connections.
Service Endpoints extend your VNet identity to Azure PaaS services, ensuring traffic stays on the Microsoft backbone. However, the service retains its public endpoint and can still be accessed from the internet. Private Link creates a private endpoint in your VNet with a private IP, making the service accessible only via private IP (if public access is disabled). Private Link is more secure but incurs additional cost. Use Service Endpoints for simple scenarios where you want to keep traffic on Azure backbone but don't need private IP; use Private Link for strict security requirements.
First, verify that the private endpoint is in the same region and VNet as the client. Check that the private endpoint's connection state is 'Approved' (if manual approval is required). Ensure the service's public access is disabled (if you want private-only). Then test DNS resolution: the service FQDN should resolve to the private IP. If not, check that the private DNS zone (e.g., privatelink.database.windows.net) is linked to the VNet. You can use nslookup or Azure DNS diagnostics. Also verify that NSGs and route tables allow traffic to the private endpoint's IP.
Default inbound rules: AllowVNetInBound (priority 65000), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500). Default outbound rules: AllowVNetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500). These rules cannot be deleted but can be overridden by custom rules with lower priority numbers (100-4096). For example, a custom rule with priority 100 to deny all inbound traffic will override the default allow rules because lower priority numbers are evaluated first.
Yes, by default Azure Firewall performs Source Network Address Translation (SNAT) for outbound traffic, replacing the source IP with the firewall's public IP. This is required for internet-bound traffic from private IPs. You can disable SNAT for specific destination IPs using a network rule with the 'DisableSNAT' property set to true. This is useful when you want to preserve the original source IP for logging or when connecting to on-premises networks that have firewall rules based on source IP.
Create a DDoS protection plan in the Azure portal, Azure CLI, or PowerShell. Then associate the plan with one or more VNets. For example, in Azure CLI: `az network ddos-protection create --resource-group myRG --name myPlan --vnets myVNet --location eastus`. The plan applies to all resources within the associated VNets. You can monitor attacks using Azure Monitor metrics like 'Inbound packets dropped' and set up alerts. Standard protection costs approximately $2,944/month per 100 resources.
NSG flow logs capture information about IP traffic flowing through an NSG, including allowed and denied flows. They are stored in a storage account or Log Analytics workspace and can be used for network monitoring and security analysis. Azure Firewall logs provide more detailed information, including application-level data, threat intelligence alerts, and rule hits. Firewall logs are essential for auditing and compliance, while NSG flow logs are better for understanding traffic patterns and troubleshooting connectivity issues at the subnet level.
You've just covered Virtual Network Security — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?