SC-200 | Chapter 65 of 101 | Objective 3.1

Adaptive Network Hardening

This chapter covers Adaptive Network Hardening (ANH), a feature of Azure Security Center that uses machine learning to analyze network traffic and recommend hardened Network Security Group (NSG) rules. It is a key topic under Cloud Security (Objective 3.1) in the SC-200 exam, typically appearing in 3-5% of questions. You will learn how ANH works, how to configure it, and how to interpret its recommendations to reduce the attack surface of your Azure virtual machines.

25 min read
Intermediate
Updated May 31, 2026

Adaptive Hardening: Smart Home Security System

Imagine your home has a smart security system that learns from your daily routines. Initially, you set rules: doors lock at 10 PM, windows stay closed. But the system also observes actual activity: it sees you open the back door every morning at 7 AM to let the dog out, and that you always close it within 5 minutes. Over time, it builds a 'normal' pattern. One day, at 3 AM, it detects the back door opening and not closing after 10 seconds. The system flags this as anomalous, checks its learned baseline, and decides to lock the door and alert you. It doesn't just follow static rules; it adapts based on observed activity. Similarly, Azure Adaptive Network Hardening uses machine learning to analyze actual network traffic patterns in Azure, identifies normal and anomalous flows, and then recommends tightened Network Security Group (NSG) rules that restrict unnecessary access. Just as your smart home system reduces false alarms by learning your habits, Adaptive Network Hardening reduces the attack surface by learning which ports and source IPs are actually used, and then proposing specific allow rules for those sources while everything else is blocked. It is not a static firewall; it is an evolving, behavior-based defense whose recommendations change as your workload changes.

How It Actually Works

What is Adaptive Network Hardening?

Adaptive Network Hardening (ANH) is a cloud-native capability within Microsoft Defender for Cloud (formerly Azure Security Center) that uses machine learning to analyze actual network traffic patterns of Azure virtual machines (VMs). It then provides recommendations to harden Network Security Group (NSG) rules by narrowing allowed traffic to only what is genuinely needed. The goal is to reduce the attack surface by eliminating overly permissive rules (e.g., allowing all traffic from the internet on port 22) and replacing them with precise, learned rules.

How It Works Internally

ANH operates in three phases: observation, learning, and recommendation.

Observation: ANH continuously monitors traffic flows through the Azure platform. It collects data from the network layer, including source IP addresses, destination IP addresses, ports, protocols, and whether the traffic was allowed or denied by the current NSG rules. This data is aggregated over a period of at least 30 days to establish a baseline.

Learning: A machine learning model analyzes the observed traffic to identify patterns. It distinguishes between regular, expected traffic (e.g., SSH from a management jump box) and anomalous traffic (e.g., a port scan). The model builds a profile of 'normal' traffic for each VM. Key parameters include:
- Traffic volume: Number of flows per port per source IP.
- Temporal patterns: Time-of-day and day-of-week variations.
- Geographic distribution: Source IP geolocation.
- Protocol mix: TCP vs UDP vs ICMP usage.

Recommendation: Based on the learned profile, ANH generates a set of recommended NSG rules. These rules are more restrictive than the current rules. For example, if a VM currently allows all inbound traffic on port 443, but ANH observes that only three specific IP ranges actually connect, it will recommend a rule that allows only those three IP ranges. The recommendation includes:
- Allowed source IP ranges (CIDR notation)
- Allowed destination ports
- Protocol (TCP, UDP, or Any)
- A severity score (High, Medium, Low) indicating the risk reduction potential.
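As an added example (not the page's code and not Microsoft's ML model), a simplified simulation of the learning and recommendation phases over constructed flow records: sources are collapsed to /24 networks, low-volume sources are dropped by a constructed threshold, and a High/Medium/Low severity is derived from how much of the current broad prefix the narrowed rule cuts away. The flow records, the current rules and the threshold are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed 30-day observation: (source_ip, dest_port, protocol, flow_count).
OBSERVED_FLOWS = [
    ("203.0.113.10", 443, "TCP", 4200),  # CDN edge
    ("203.0.113.11", 443, "TCP", 3900),  # CDN edge
    ("198.51.100.5", 443, "TCP", 800),   # partner API
    ("10.0.1.25", 22, "TCP", 60),        # management jump box
    ("192.0.2.77", 22, "TCP", 1),        # one-off SSH attempt, below threshold
    ("192.0.2.78", 443, "TCP", 2),       # scanner, below threshold
]
# Current broad rules the VM's NSG allows today, keyed by (port, protocol).
CURRENT_RULES = {(443, "TCP"): "0.0.0.0/0", (22, "TCP"): "0.0.0.0/0"}
MIN_FLOWS = 10  # constructed threshold: sources below it never enter the baseline

def learn_baseline(flows, min_flows=MIN_FLOWS):
    """Learning phase: per (port, protocol), the source /24s with steady traffic."""
    counts = defaultdict(int)
    for src, port, proto, n in flows:
        net = ipaddress.ip_network(f"{src}/24", strict=False)  # collapse hosts to /24
        counts[(port, proto, net)] += n
    baseline = defaultdict(set)
    for (port, proto, net), n in counts.items():
        if n >= min_flows:
            baseline[(port, proto)].add(net)
    return baseline

def severity(current_prefix, learned_nets):
    """Risk-reduction score: the share of the current prefix the new rule cuts away."""
    cur = ipaddress.ip_network(current_prefix)
    kept = sum(n.num_addresses for n in learned_nets)
    cut = 1 - kept / cur.num_addresses
    return "High" if cut > 0.99 else "Medium" if cut > 0.5 else "Low"

def recommend(flows, current=CURRENT_RULES):
    """Recommendation phase: one narrowed allow rule per current broad rule."""
    baseline = learn_baseline(flows)
    recs = []
    for (port, proto), prefix in sorted(current.items()):
        nets = sorted(baseline.get((port, proto), set()))
        if not nets:
            continue  # nothing steady observed: 'No recommendations available'
        recs.append({"port": port, "protocol": proto,
                     "sources": [str(n) for n in nets],
                     "severity": severity(prefix, nets)})
    return recs
```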

Key Components, Values, and Defaults

Traffic data retention: ANH uses at least 30 days of historical data. If a VM is less than 30 days old, recommendations may be unavailable or less accurate.

Recommendation refresh: Recommendations are recalculated every 24 hours based on the latest traffic data.

Rule enforcement: ANH does not automatically apply rules. It generates recommendations that you must review and apply manually via the Azure portal or PowerShell. You can also create an 'enforce' action using Azure Policy or custom scripts.

Supported resources: ANH is available for Azure VMs (both Windows and Linux) that are associated with an NSG. It is not available for on-premises VMs or other Azure resources like App Services.

Defender for Cloud pricing: ANH requires Microsoft Defender for Cloud's enhanced security features (paid tier). It is not available in the free tier.

Configuration and Verification

Enabling ANH:
1. Navigate to Microsoft Defender for Cloud > Environment settings > Select your subscription > Expand 'Security policies' > Ensure 'Adaptive Network Hardening' is enabled (it is on by default for subscriptions with enhanced security).
2. VMs must have an NSG attached. ANH will automatically start collecting traffic data.

Viewing Recommendations:

In Defender for Cloud, go to 'Recommendations' and search for 'Adaptive network hardening recommendations should be applied on internet-facing virtual machines'.

Click on a recommendation to see the list of VMs and their specific rule suggestions.

Applying Recommendations via PowerShell:

# Requires the Az.Accounts, Az.Security and Az.Network modules; sign in with Connect-AzAccount first.
$resourceGroupName = "<your-resource-group>"
$vmName = "<your-vm-name>"
# Get-AzSecurityAdaptiveNetworkHardening takes -VirtualMachineName (not -VmName) and has no -SubscriptionId
# parameter, so select the subscription first. The ANH resource name is normally "default".
Set-AzContext -SubscriptionId "<your-subscription-id>" | Out-Null
$recommendation = Get-AzSecurityAdaptiveNetworkHardening -ResourceGroupName $resourceGroupName -VirtualMachineName $vmName -AdaptiveNetworkHardeningResourceName "default"
# Property names follow the Adaptive Network Hardening REST model: the NSGs the rules were computed against are listed
# by resource ID under EffectiveNetworkSecurityGroups; each rule carries Name, Direction, DestinationPort, Protocols, IpAddresses.
$nsg = Get-AzNetworkSecurityGroup -ResourceId $recommendation.EffectiveNetworkSecurityGroups[0].NetworkSecurityGroups[0]
$priority = 100
foreach ($rule in $recommendation.Rules) {
    # Every rule needs its own priority; two rules with the same priority are rejected by the NSG.
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $rule.Name -Access Allow -Protocol $rule.Protocols[0] -Direction $rule.Direction -Priority $priority -SourceAddressPrefix $rule.IpAddresses -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange $rule.DestinationPort | Out-Null
    $priority += 10
}
# Adding allow rules does not narrow anything on its own: the broad rule they replace (e.g. 0.0.0.0/0 on the same
# port) must still be removed, or the learned rules placed above a deny rule for that port.
$nsg | Set-AzNetworkSecurityGroup

Verification:

Check the effective security rules on the VM: Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $resourceGroupName -NetworkInterfaceName $nicName

Monitor traffic logs in Azure Monitor to confirm that legitimate traffic is not blocked.

Interaction with Related Technologies

Just-In-Time (JIT) VM Access: Both ANH and JIT reduce attack surface, but they work differently. JIT temporarily opens ports on demand, while ANH permanently narrows rules based on learned patterns. They can be used together: ANH creates a baseline, and JIT provides emergency access.

Azure Firewall: ANH operates at the NSG level (layer 4). Azure Firewall provides deeper inspection (layer 7). They are complementary.

Azure Policy: You can enforce that ANH recommendations are applied using Azure Policy custom policies or by integrating with Azure Automation.

Network Watcher: Use Network Watcher's traffic analytics to validate the traffic patterns that ANH uses.

Walk-Through

1. Enable Enhanced Security in Defender for Cloud

Adaptive Network Hardening requires Microsoft Defender for Cloud's enhanced security features. Navigate to Defender for Cloud > Environment settings, select your subscription, and ensure 'Adaptive Network Hardening' is set to 'On'. This enables traffic collection and machine learning analysis for all VMs in the subscription. Without this, ANH recommendations will not appear. The free tier only provides basic security assessments and does not include ANH.

2. Attach a Network Security Group to the VM

ANH only works on VMs that have an NSG associated with their network interface or subnet. If the VM has no NSG, ANH cannot observe traffic restrictions. Ensure each VM has at least one NSG attached. You can attach an NSG via the Azure portal, PowerShell, or CLI. The NSG can have existing rules; ANH will analyze traffic allowed or denied by those rules.

3. Allow 30 Days of Traffic Observation

ANH needs a minimum of 30 days of traffic data to build an accurate baseline. During this period, it records all inbound and outbound flows. If a VM is newly created or has been recently reconfigured, ANH may not provide recommendations until sufficient data is collected. The learning period is continuous; ANH updates its model daily. For VMs with low traffic, the recommendation might be 'No recommendations available'.

4. Review Recommendations in Defender for Cloud

After the observation period, go to Defender for Cloud > Recommendations. Look for 'Adaptive network hardening recommendations should be applied on internet-facing virtual machines'. Click on it to see a list of VMs. For each VM, ANH provides a set of proposed NSG rules. Each rule includes source IP ranges (CIDR), destination port, protocol, and severity. Review these carefully; applying them may block legitimate traffic if the baseline is incomplete.

5. Apply Recommended Rules to the NSG

To apply the rules, you can use the Azure portal: on the recommendation page, select a VM and click 'Apply'. This automatically updates the associated NSG with the new rules, adding them with a priority lower than the default deny-all rule. Alternatively, use PowerShell or CLI for automation. Always test in a non-production environment first. After application, verify that critical services remain accessible.
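An added example, not from the page or Microsoft, of the review in steps 4 and 5 and the verification that follows: it checks a constructed ANH-style recommendation against sources that must stay allowed (the Load Balancer health-probe address named in the text plus a placeholder management subnet), then scans constructed NSG flow log v2 tuples for denied inbound flows that the applied rules should have allowed. Rule names, the flow tuples and the required-source list are all constructed.

```python
import ipaddress

# Constructed recommendation in the shape the text lists (source CIDRs, port,
# protocol) for the web-farm scenario; rule names are placeholders.
RECOMMENDED_RULES = [
    {"name": "anh-https", "port": 443, "protocol": "TCP",
     "sources": ["10.0.0.0/16", "203.0.113.0/24", "198.51.100.0/24"]},
    {"name": "anh-http", "port": 80, "protocol": "TCP",
     "sources": ["10.0.0.0/16", "203.0.113.0/24", "198.51.100.0/24"]},
]

# Sources that must stay reachable no matter what the learned baseline contains.
# 168.63.129.16 is the Azure Load Balancer health-probe address; the management
# subnet entry is a constructed placeholder.
REQUIRED_SOURCES = {
    "azure-lb-probe": ("168.63.129.16/32", [80, 443]),
    "mgmt-subnet (placeholder)": ("10.0.3.0/24", [443]),
}

def _covered(src, port, rules):
    """True if some rule for this port has a source prefix containing src."""
    net = ipaddress.ip_network(src, strict=False)
    return any(
        r["port"] == port and any(net.subnet_of(ipaddress.ip_network(s)) for s in r["sources"])
        for r in rules
    )

def review_recommendation(rules, required=REQUIRED_SOURCES):
    """Pre-apply check: (label, cidr, port) for each required source the rules would block."""
    return [
        (label, cidr, port)
        for label, (cidr, ports) in required.items()
        for port in ports
        if not _covered(cidr, port, rules)
    ]

# NSG flow log v2 tuple order: time,src,dst,srcPort,dstPort,proto,dir,decision,state,...
FLOW_TUPLES = [  # constructed sample captured after applying the rules
    "1717000000,168.63.129.16,10.1.0.4,51000,443,T,I,D,B,,,,",  # probe denied
    "1717000001,203.0.113.7,10.1.0.4,51001,443,T,I,A,B,,,,",    # CDN allowed
    "1717000002,198.51.100.9,10.1.0.4,51002,80,T,I,D,B,,,,",    # partner denied on 80
    "1717000003,192.0.2.50,10.1.0.4,51003,22,T,I,D,B,,,,",      # unknown source, expected
]

def denied_expected_flows(tuples, rules, required=REQUIRED_SOURCES):
    """Post-apply check: denied inbound flows from sources the rules or the required
    list say should be allowed. Each hit means a rule was not applied as intended
    (wrong priority, shadowed by a deny, or a required source left out)."""
    expected = list(rules) + [
        {"port": p, "sources": [cidr]} for cidr, ports in required.values() for p in ports
    ]
    hits = []
    for t in tuples:
        f = t.split(",")
        src, dport, direction, decision = f[1], int(f[4]), f[6], f[7]
        if direction == "I" and decision == "D" and _covered(src, dport, expected):
            hits.append((src, dport))
    return hits
```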

What This Looks Like on the Job

Enterprise Scenario 1: Web Server Farm

A company hosts a web application on 20 Azure VMs behind a load balancer. The NSG initially allowed HTTP (80) and HTTPS (443) from 'Any' (0.0.0.0/0). After enabling ANH, it observed that 95% of traffic came from three specific IP ranges: the corporate office (10.0.0.0/16), a CDN (203.0.113.0/24), and a partner API (198.51.100.0/24). ANH recommended rules allowing only these ranges on ports 80 and 443, and blocking all others. The security team applied the recommendations, reducing the attack surface from the entire internet to only known sources. However, they forgot to include the load balancer's health probe IP (168.63.129.16), causing health probes to fail and the load balancer to mark VMs as unhealthy. They had to add an explicit rule for the Azure Load Balancer probe IP. This highlights the need to review ANH recommendations carefully and include Azure service tags where necessary.

Enterprise Scenario 2: Management Jump Box

A financial services firm uses a jump box VM for administrative access to production servers. The jump box's NSG allowed RDP (3389) from the entire corporate network (10.0.0.0/8). ANH observed that only two specific subnets (10.0.1.0/24 and 10.0.2.0/24) actually initiated RDP connections. It recommended narrowing the source to those two subnets. The team applied the change, but later an administrator from a third subnet (10.0.3.0/24) could not connect. They had to temporarily allow the subnet and wait for ANH to learn the new pattern. This demonstrates that ANH is reactive; it does not automatically accommodate new, legitimate sources until they appear in traffic. A better approach is to use ANH as a baseline and supplement with JIT VM Access for emergency or infrequent administrative access.

Common Misconfiguration Pitfalls

Over-reliance on ANH: ANH does not replace a proper firewall or WAF. It only handles NSG rules at layer 4. For layer 7 inspection, use Azure Firewall or a WAF.

Not excluding Azure services: ANH might recommend blocking Azure management IPs (e.g., 168.63.129.16 for load balancer health probes) if they are not seen in traffic. Always ensure these are allowed explicitly.

Ignoring outbound rules: ANH focuses on inbound traffic. Outbound hardening must be done separately using Azure Firewall or NSG outbound rules.

How SC-200 Actually Tests This

What SC-200 Tests on Adaptive Network Hardening

The SC-200 exam (Objective 3.1: 'Configure cloud security') tests your understanding of Adaptive Network Hardening as part of Microsoft Defender for Cloud's threat protection capabilities. You should know:

The prerequisite: Requires enhanced security features (paid tier) of Defender for Cloud.

The data collection period: At least 30 days of traffic data.

The recommendation scope: Only internet-facing VMs with NSGs attached.

The difference between ANH and JIT VM Access (ANH is permanent narrowing; JIT is temporary opening).

How to apply recommendations via the Azure portal and PowerShell.

That ANH does not automatically enforce rules; it generates recommendations.

Common Wrong Answers and Why Candidates Choose Them

1. 'ANH automatically applies rules to NSGs.' – Wrong. Candidates confuse ANH with JIT, which does temporarily modify NSGs. ANH only recommends; you must manually apply or use automation.

2. 'ANH requires 7 days of data.' – Wrong. The correct minimum is 30 days. The exam may test this exact number.

3. 'ANH works for all Azure resources.' – Wrong. It only works for VMs with NSGs. Not for App Services, SQL databases, or on-premises machines.

4. 'ANH is available in the free tier of Defender for Cloud.' – Wrong. It requires the enhanced security (paid) tier.

Specific Numbers and Terms to Memorize

30 days: Minimum traffic observation period.

24 hours: Recommendation refresh interval.

'Adaptive network hardening recommendations should be applied on internet-facing virtual machines': Exact name of the recommendation in Defender for Cloud.

Severity levels: High, Medium, Low (based on risk reduction).

Source IP ranges: Presented in CIDR notation.

Edge Cases and Exceptions

New VMs: If a VM has been running for less than 30 days, ANH may not provide recommendations. The exam might present a scenario where a VM was created 2 weeks ago, and ask whether ANH recommendations are available. Answer: No.

VMs with no internet traffic: If a VM has no inbound traffic from the internet, ANH may recommend no changes or display a message 'No recommendations available'. The exam could test that ANH only applies to internet-facing VMs.

Multiple NSGs: A VM can have an NSG on the subnet and another on the NIC. ANH considers the effective rules. The exam might ask which NSG is modified when applying recommendations – it's the one associated with the VM's NIC, unless otherwise specified.

How to Eliminate Wrong Answers

If a question asks about reducing the attack surface for a VM, and options include ANH, JIT, Azure Firewall, and NSG rules, use the mechanism: ANH is for permanent, learning-based narrowing; JIT is for time-bound access; Azure Firewall is for deep inspection; NSG rules are manual. Choose ANH when the scenario mentions 'machine learning', 'traffic patterns', or '30 days'.

Key Takeaways

Adaptive Network Hardening is a Defender for Cloud feature that uses machine learning to recommend hardened NSG rules for internet-facing VMs.

It requires at least 30 days of traffic data to generate accurate recommendations.

ANH only provides recommendations; you must manually apply them or use automation.

It is available only in the enhanced security tier (paid) of Microsoft Defender for Cloud.

ANH works only for Azure VMs with an NSG attached; not for PaaS services.

Recommendations include source IP ranges (CIDR), destination ports, protocol, and severity.

Always verify that Azure service IPs (e.g., Load Balancer health probes) are not blocked when applying recommendations.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Adaptive Network Hardening (ANH)

Permanently narrows NSG rules based on learned traffic patterns.

Requires 30 days of traffic data to generate recommendations.

Recommendations are static until traffic patterns change (refreshed daily).

Best for stable workloads with predictable traffic sources.

Does not automatically open ports; it restricts them.

Just-In-Time (JIT) VM Access

Temporarily opens NSG rules on demand for a specific time window.

No learning period; rules are created instantly based on user request.

Rules are dynamic and expire after a configurable duration (default 3 hours).

Best for administrative access or emergency scenarios.

Automatically opens and closes ports; integrates with Azure AD and approval workflows.

Watch Out for These

Mistake: Adaptive Network Hardening automatically applies rules to NSGs.

Correct: ANH only generates recommendations. You must manually apply them via the Azure portal, PowerShell, or CLI. Automatic enforcement is not built-in; you can use Azure Policy or Automation to automate application.

Mistake: ANH works for any Azure resource, including App Services and SQL databases.

Correct: ANH is designed exclusively for Azure VMs that have an NSG attached. It does not apply to PaaS services like App Service, SQL Database, or Storage Accounts.

Mistake: ANH requires only a few days of traffic data to produce recommendations.

Correct: ANH requires a minimum of 30 days of historical traffic data to build an accurate baseline. Recommendations may not be available for VMs with less than 30 days of data.

Mistake: ANH is available in the free tier of Microsoft Defender for Cloud.

Correct: ANH is part of the enhanced security features, which require a paid subscription (Defender for Cloud's enhanced security tier). The free tier does not include ANH.

Mistake: ANH can block all inbound traffic if it sees no legitimate traffic.

Correct: ANH learns from observed traffic. If no traffic is observed, it may recommend no changes or display 'No recommendations'. It will not recommend blocking all traffic unless it has evidence that no legitimate traffic exists. However, it could recommend overly restrictive rules if the observation period is incomplete.


Frequently Asked Questions

How long does it take for Adaptive Network Hardening to generate recommendations?

ANH requires a minimum of 30 days of traffic data to build a baseline. After that, recommendations are updated every 24 hours. For new VMs with less than 30 days of data, recommendations may not be available.

Does Adaptive Network Hardening automatically apply rules to my NSGs?

No, ANH only generates recommendations. You must apply them manually via the Azure portal, PowerShell, or CLI. You can automate the application using Azure Policy or Azure Automation, but this is not built-in.

Can Adaptive Network Hardening work with on-premises VMs?

No, ANH is an Azure-only feature that works with Azure VMs. It does not extend to on-premises machines, even if they are connected via Azure Arc.

What happens if I apply ANH recommendations and then a new legitimate source tries to connect?

The new source will be blocked until ANH observes the traffic and updates its recommendations (within 24 hours). To avoid disruption, you can temporarily allow the source manually or use JIT VM Access for emergency access.

Is Adaptive Network Hardening available in the free tier of Defender for Cloud?

No, ANH is part of the enhanced security features, which require a paid subscription. The free tier does not include ANH.

Can I use Adaptive Network Hardening and Just-In-Time VM Access together?

Yes, they are complementary. ANH provides a baseline of permanently allowed traffic, while JIT provides temporary access for scenarios that fall outside the baseline. For example, ANH allows management traffic from a specific subnet, while JIT allows an administrator to request temporary access from a different IP.

Why does ANH recommend blocking ports that I know are needed?

ANH bases its recommendations on observed traffic. If a legitimate service has not been accessed during the observation period (30 days), ANH may recommend blocking it. Always review recommendations carefully and ensure you have a complete traffic picture before applying.
