This chapter covers Azure Network Security Groups (NSGs) and Azure Firewall, two core network security services in Microsoft Azure. For the SC-900 exam, you need to understand their purpose, how they differ, and when to use each. Approximately 5-10% of exam questions relate to network security controls, including NSGs and Azure Firewall, often in scenario-based questions asking you to recommend the appropriate solution.
Jump to a section
Imagine a large office building with multiple floors (subnets) and many rooms (VMs). Each floor has a security guard at the elevator lobby. The guard has a clipboard listing rules: 'Floor 2: Only allow people with blue badges (source IP) to enter room 201 on port 3389 (RDP). Block all others.' This guard is a Network Security Group (NSG) — a stateful, distributed firewall that filters traffic at the subnet or NIC level. Now imagine a separate, dedicated security checkpoint at the main entrance of the building. This checkpoint inspects every person entering or leaving, can perform deep packet inspection (like checking bags), and can enforce complex policies like 'Only allow HTTPS traffic from the internet to the web server room, but block all other traffic.' This checkpoint is Azure Firewall — a centralized, stateful firewall with advanced features like threat intelligence, FQDN filtering, and network address translation. The building guards (NSGs) handle basic floor-level filtering quickly without central coordination; the main checkpoint (Azure Firewall) handles sophisticated policies and logs all traffic. In Azure, you can use both together: NSGs for simple east-west traffic between VMs, and Azure Firewall for north-south traffic between virtual networks and the internet.
What Are Network Security Groups (NSGs)?
A Network Security Group (NSG) is a stateful, distributed firewall that filters network traffic to and from Azure resources in a virtual network (VNet). It contains a set of security rules that allow or deny inbound or outbound traffic based on source/destination IP address, port, and protocol. NSGs can be associated with a subnet or a virtual network interface card (NIC). When associated with a subnet, the rules apply to all resources in that subnet. When associated with a NIC, the rules apply only to that specific VM.
NSG Rule Evaluation and Default Rules
Each NSG has a collection of rules. Rules are evaluated in priority order, from lowest number (highest priority) to highest number. Once a rule matches, evaluation stops. If no rule matches, traffic is denied by default. Azure creates default rules that cannot be deleted but can be overridden by custom rules with higher priority (lower number).
Default inbound rules:
AllowVNetInBound: Allows inbound traffic from any virtual network (source: VirtualNetwork, destination: VirtualNetwork) — priority 65000.
AllowAzureLoadBalancerInBound: Allows inbound traffic from Azure Load Balancer health probes — priority 65001.
DenyAllInbound: Denies all other inbound traffic — priority 65500.
Default outbound rules:
AllowVNetOutBound: Allows outbound traffic to any virtual network — priority 65000.
AllowInternetOutBound: Allows outbound traffic to the internet — priority 65001.
DenyAllOutBound: Denies all other outbound traffic — priority 65500.
Note: The default rules allow outbound internet access. This is often a security concern and should be restricted with custom rules.
NSG Rule Properties
Each rule has the following properties:
Name: Unique within the NSG.
Priority: Integer between 100 and 4096 (lower number = higher priority).
Source/Destination: Can be an IP address range (CIDR), a service tag (e.g., Internet, VirtualNetwork, AzureLoadBalancer), or an application security group (ASG).
Protocol: TCP, UDP, ICMP, or Any.
Direction: Inbound or Outbound.
Action: Allow or Deny.
Service Tags
Service tags are predefined IP ranges managed by Azure. They simplify rule creation by allowing you to specify a group of Azure services instead of individual IPs. Examples: VirtualNetwork, Internet, AzureLoadBalancer, Sql, Storage. The IP ranges for service tags are updated automatically as Azure adds new regions or services.
Application Security Groups (ASGs)
ASGs allow you to group VMs logically without relying on IP addresses. For example, you can create an ASG named "WebServers" and assign a VM's NIC to it. Then, in an NSG rule, you can specify the source or destination as the ASG. This makes rule management easier, especially in dynamic environments where IPs change.
Stateful Behavior of NSGs
NSGs are stateful. When you allow inbound traffic, the return traffic is automatically allowed, even if no rule explicitly allows it. For example, if you allow inbound TCP 443 from the internet, the outbound response traffic (TCP 443 from VM to internet) is allowed automatically. However, statefulness applies only to the same flow. If the VM initiates a new outbound connection, it must be allowed by an outbound rule.
What Is Azure Firewall?
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a stateful firewall as a service with built-in high availability and scalability. Unlike NSGs, Azure Firewall provides centralized control, application and network-level filtering, threat intelligence integration, and logging.
Azure Firewall SKUs
Azure Firewall comes in three SKUs:
Standard: Network and application rules, threat intelligence, DNS proxy, and more.
Premium: All Standard features plus TLS inspection, IDPS, URL filtering, and web categories.
Basic: Limited features for small environments (no threat intelligence, no TLS inspection).
Azure Firewall Rules
Azure Firewall uses three types of rules:
NAT rules: Translate destination IP/port (DNAT) to allow inbound internet traffic to internal resources.
Network rules: Filter traffic based on source/destination IP, port, and protocol (similar to NSG rules but centralized).
Application rules: Filter outbound traffic based on fully qualified domain names (FQDNs) like *.microsoft.com. Application rules are for HTTP/S and other TLS-encrypted traffic.
Rules are collected into rule collections, which have a priority (100-65000). Within a rule collection, rules are evaluated in order. If a packet matches a rule, the action (Allow/Deny) is applied; otherwise, it continues to the next rule. If no match, the packet is denied by default.
Azure Firewall vs. NSG: Key Differences
Scope: NSGs are distributed (applied per subnet/NIC); Azure Firewall is centralized (applied per VNet or hub).
Features: NSGs only do basic IP/port filtering; Azure Firewall can filter by FQDN, perform TLS inspection, threat intelligence, and IDPS.
Statefulness: Both are stateful, but Azure Firewall can handle complex flows like FTP active mode.
Logging: NSGs can log to Azure Monitor but with limited details; Azure Firewall provides rich logs for all traffic.
Cost: NSGs are free (no additional cost); Azure Firewall incurs hourly and data processing charges.
Hub-and-Spoke Topology with Azure Firewall
A common enterprise deployment is the hub-and-spoke topology. The hub VNet contains Azure Firewall and shared services. Spoke VNets connect to the hub via VNet peering. All traffic between spokes or to the internet is routed through the hub firewall. User-defined routes (UDRs) force-tunnel traffic to the firewall. NSGs are still used within each spoke for east-west traffic between VMs on the same subnet.
Interaction Between NSGs and Azure Firewall
When both NSGs and Azure Firewall are applied to the same traffic, the order of evaluation is: 1. NSG rules associated with the subnet or NIC. 2. Azure Firewall rules (if traffic is routed through the firewall).
If an NSG denies traffic, the firewall never sees it. If an NSG allows traffic but the firewall denies it, the traffic is blocked. This layered approach provides defense-in-depth.
Example: Configuring an NSG
Using Azure CLI:
# Create an NSG
az network nsg create --resource-group MyRG --name MyNSG --location eastus
# Create a rule to allow SSH from a specific IP
az network nsg rule create --resource-group MyRG --nsg-name MyNSG --name AllowSSH --priority 100 \
--source-address-prefixes 203.0.113.0/24 --destination-port-ranges 22 --protocol TCP --access Allow
# Associate with subnet
az network vnet subnet update --resource-group MyRG --vnet-name MyVNet --name MySubnet --network-security-group MyNSGExample: Deploying Azure Firewall
Using Azure CLI:
# Create a firewall subnet (must be named AzureFirewallSubnet)
az network vnet subnet create --resource-group MyRG --vnet-name MyVNet --name AzureFirewallSubnet --address-prefix 10.0.1.0/26
# Create a public IP for the firewall
az network public-ip create --resource-group MyRG --name MyFwPip --sku Standard --location eastus
# Create the firewall
az network firewall create --resource-group MyRG --name MyFirewall --location eastus --sku AZFW_VNet
# Configure firewall IP configuration
az network firewall ip-config create --resource-group MyRG --firewall-name MyFirewall --name FWConfig --vnet-name MyVNet --public-ip-address MyFwPip
# Add a network rule
az network firewall network-rule create --resource-group MyRG --firewall-name MyFirewall --collection-name MyCollection --priority 100 --action Allow --name AllowDNS --protocol UDP --source-addresses '*' --destination-addresses '8.8.8.8' --destination-ports 53Logging and Monitoring
NSG flow logs can be enabled to capture IP traffic flowing through an NSG. These logs are sent to Azure Storage or Log Analytics. Azure Firewall logs all traffic (by default, only logs denied traffic; you can enable logging for allowed traffic). Logs include source/destination IP, port, protocol, action, and rule matched.
Performance and Scalability
NSG rules are applied at the host level by the Azure hypervisor, so they do not impact network throughput. Azure Firewall scales automatically based on load, but for very high throughput (over 100 Gbps), you may need multiple firewall instances in a firewall policy.
Exam-Relevant Details
NSG rules are stateful.
Default NSG rules cannot be deleted but can be overridden.
NSGs can be associated with subnets or NICs, but not both at the same time? Actually, you can associate an NSG to a subnet and a different NSG to a NIC in that subnet. The NIC NSG is evaluated after the subnet NSG for inbound traffic, and before for outbound? Wait, the order is: For inbound traffic, subnet NSG is evaluated first, then NIC NSG. For outbound traffic, NIC NSG is evaluated first, then subnet NSG. This is a common exam detail.
Azure Firewall is a managed service with a 99.95% SLA.
Azure Firewall requires a dedicated subnet named 'AzureFirewallSubnet' with a /26 or larger prefix.
Azure Firewall supports FQDN filtering for outbound traffic; NSGs do not.
Azure Firewall Premium includes TLS inspection and IDPS.
Common Exam Traps
Trap: "NSGs are stateful, so you don't need to create symmetric rules." True, but only for return traffic of an existing flow. For new connections, you need explicit rules.
Trap: "Azure Firewall is required for all VNet traffic." False. You can use NSGs alone. Azure Firewall is an optional add-on.
Trap: "NSGs can filter based on FQDN." False. NSGs only filter by IP address and port. For FQDN filtering, use Azure Firewall or a third-party NVA.
Trap: "You can associate an NSG to a VM directly." No, you associate it to the VM's NIC or the subnet.
Summary
NSGs and Azure Firewall are complementary. NSGs provide distributed, basic filtering at the subnet/NIC level for free. Azure Firewall provides centralized, advanced filtering with features like FQDN filtering, threat intelligence, and logging. For the SC-900 exam, focus on understanding their differences, default rules, stateful behavior, and when to use each.
Design Virtual Network and Subnets
Begin by planning your Azure virtual network (VNet) and subnets. For example, create a VNet with address space 10.0.0.0/16, and subnets like WebSubnet (10.0.1.0/24), AppSubnet (10.0.2.0/24), and DataSubnet (10.0.3.0/24). If using Azure Firewall, create a dedicated subnet named AzureFirewallSubnet with a /26 or larger prefix (e.g., 10.0.0.0/26). This subnet cannot host other resources. The firewall subnet must be named exactly 'AzureFirewallSubnet' and cannot be changed. At the packet level, the VNet defines the routing domain; subnets segment the network for security and management.
Create Network Security Groups
For each subnet or critical VM, create an NSG with custom rules. For example, create WebNSG for WebSubnet. Add an inbound rule with priority 100 to allow TCP 80 and 443 from the Internet (source: Internet service tag). Add a rule with priority 110 to allow TCP 22 from a management jumpbox IP. Add a rule with priority 120 to deny all other inbound traffic. The rules are evaluated in priority order; once a match occurs, no further rules are evaluated. The default rules (AllowVNetInBound, AllowAzureLoadBalancerInBound, DenyAllInbound) are always present but can be overridden by higher-priority custom rules. NSGs are stateful, so return traffic for allowed inbound flows is automatically permitted.
Associate NSGs to Subnets or NICs
Associate WebNSG to WebSubnet. This applies the rules to all resources in that subnet. For fine-grained control, you can also associate a different NSG to a specific VM's NIC. For inbound traffic, the subnet NSG is evaluated first, then the NIC NSG. For outbound traffic, the NIC NSG is evaluated first, then the subnet NSG. This order is important for exam questions: if you want to allow traffic to a specific VM but deny it to others in the same subnet, you would apply a deny rule at the subnet NSG and an allow rule at the NIC NSG, but the subnet NSG's deny would block it first. So you must design carefully.
Deploy Azure Firewall (Optional)
If centralized control is needed, deploy Azure Firewall in the hub VNet. Create a public IP for the firewall (Standard SKU) and configure the firewall with a management and data plane. The firewall is deployed with a dedicated subnet. After creation, configure NAT rules for inbound traffic (e.g., map public IP port 443 to internal web server), network rules for IP/port filtering, and application rules for FQDN filtering. Rules are organized in rule collections with priorities. For example, create a network rule collection with priority 100 to allow DNS traffic to 8.8.8.8:53. The firewall evaluates rules in order: NAT, Network, Application. If no match, traffic is denied. For traffic to be inspected, it must be routed through the firewall using User-Defined Routes (UDRs).
Configure Routing and Test
Create UDRs to force-tunnel traffic from spoke VNets to the firewall. For example, in a spoke subnet, add a route with destination 0.0.0.0/0 and next hop as the firewall's private IP. This ensures all outbound traffic goes through the firewall. For inbound traffic, you would use DNAT rules on the firewall's public IP. Test connectivity: from a VM in the spoke, attempt to reach the internet. The firewall logs will show the traffic. Verify that NSG rules are not conflicting—e.g., if an NSG denies outbound traffic, the firewall never sees it. Common issues: asymmetric routing (if traffic goes through firewall but return traffic doesn't), incorrect UDRs, or firewall rules not matching expected traffic patterns. Use Azure Monitor or Firewall logs to troubleshoot.
Scenario 1: E-commerce Web Application with Defense-in-Depth
A company hosts an e-commerce web application in Azure. The architecture includes a web tier, application tier, and database tier, each in separate subnets. They use NSGs for subnet-level segmentation: the web subnet allows inbound TCP 80/443 from the Internet, the app subnet only allows TCP 443 from the web subnet, and the database subnet only allows TCP 1433 from the app subnet. Additionally, they deploy Azure Firewall in a hub VNet connected via VNet peering. All outbound traffic from the app subnet is forced through the firewall using UDRs. The firewall inspects outbound connections for malicious domains using threat intelligence feeds. This layered approach provides security: NSGs block unauthorized east-west traffic, while the firewall monitors north-south traffic. In production, they handle millions of requests per day; NSG performance is negligible, but the firewall must be sized appropriately (they use Premium SKU for TLS inspection). A common misconfiguration is forgetting to update UDRs when adding new subnets, causing asymmetric routing. They also enable NSG flow logs to audit traffic patterns.
Scenario 2: Hub-and-Spoke for Enterprise Compliance
A large enterprise with multiple business units (BUs) uses a hub-and-spoke topology. The hub VNet contains shared services (Active Directory, monitoring) and an Azure Firewall. Each BU has its own spoke VNet with multiple subnets. The central security team manages the firewall and creates global rules (e.g., block all traffic to known botnet C2 IPs). Each BU manages its own NSGs for internal segmentation. For example, the finance BU has an NSG that only allows traffic from the finance jumpbox to the finance database subnet. The firewall enforces that no spoke can communicate with another spoke directly; all inter-spoke traffic must go through the firewall, which logs everything for compliance. Performance considerations: with 50 spokes, the firewall must handle high throughput; they use multiple public IPs for SNAT to avoid port exhaustion. A common issue is that some BUs accidentally create NSG rules that conflict with firewall rules, causing connectivity problems. They use Azure Policy to enforce that certain NSG rules cannot be overridden.
Scenario 3: Hybrid Connectivity with Site-to-Site VPN
A company connects on-premises to Azure via S2S VPN. They want to restrict which on-premises subnets can access Azure VMs. They create an NSG on the Azure subnet that allows inbound traffic only from specific on-premises IP ranges. They also deploy Azure Firewall to inspect traffic between on-prem and Azure for advanced threats. The firewall is placed in the hub VNet, and the VPN gateway connects to the hub. UDRs force all on-prem traffic to the firewall. A common pitfall is that the VPN gateway's public IP is included in the AzureLoadBalancer service tag, which is allowed by default. They must create a custom NSG rule to deny traffic from the internet (including the VPN gateway's public IP) if needed. In production, they monitor the firewall logs to detect unusual traffic patterns, such as a sudden spike in failed authentication attempts from on-prem IPs.
What SC-900 Tests on This Topic
The SC-900 exam covers Azure Network Security Groups and Azure Firewall under objective "Describe the capabilities of Microsoft security solutions" and specifically "Describe network security groups" and "Describe Azure Firewall". You should expect scenario-based questions where you must recommend the appropriate network security solution. The exam does not require deep configuration knowledge but expects you to understand the purpose, features, and differences between NSGs and Azure Firewall.
Common Wrong Answers and Why Candidates Choose Them
"NSGs can filter traffic based on domain names (FQDNs)." Candidates confuse NSGs with Azure Firewall or web application firewalls. NSGs only filter by IP address and port. Azure Firewall supports FQDN filtering.
"Azure Firewall is a distributed firewall applied to each subnet." This describes NSGs. Azure Firewall is centralized. Candidates mix up the two.
"NSGs are stateless, so you must create symmetric rules." This is false. NSGs are stateful. The trap is that some other firewalls (like classic on-premises ACLs) are stateless. Candidates may assume NSGs are stateless.
"You must deploy Azure Firewall to protect Azure VMs." NSGs provide adequate protection for many scenarios. Azure Firewall is an optional addition for advanced needs.
Specific Numbers, Values, and Terms That Appear on the Exam
NSG rule priority range: 100 to 4096 (lower number = higher priority).
Default NSG rules: AllowVNetInBound (65000), AllowAzureLoadBalancerInBound (65001), DenyAllInbound (65500).
Service tags: VirtualNetwork, Internet, AzureLoadBalancer.
Azure Firewall subnet must be named 'AzureFirewallSubnet' with a /26 or larger.
Azure Firewall SKUs: Standard, Premium, Basic.
Azure Firewall rule types: NAT, Network, Application.
Edge Cases and Exceptions
NSG association order: For inbound traffic, subnet NSG is evaluated first, then NIC NSG. For outbound, NIC first, then subnet. This is a common exam detail.
Azure Firewall is stateful, but it also tracks FTP sessions for active mode (which NSGs cannot).
Azure Firewall can be deployed in a VNet or in a Virtual WAN (Secured Virtual Hub).
NSG flow logs are not enabled by default; they must be explicitly enabled and incur costs.
How to Eliminate Wrong Answers
If the question mentions filtering by domain name, the answer must involve Azure Firewall (or a third-party NVA), not NSG.
If the question mentions "centralized logging" or "threat intelligence", think Azure Firewall.
If the question is about basic IP/port filtering at the subnet level, think NSG.
If the question mentions "stateful" and "return traffic automatically allowed", both NSGs and Azure Firewall are stateful, but the question context will differentiate.
If the question mentions "free" or "no additional cost", it's likely NSG.
NSGs are stateful, distributed firewalls that filter traffic at the subnet or NIC level based on IP, port, and protocol.
NSG rules have priorities from 100 to 4096; lower numbers are evaluated first.
Default NSG rules allow VNet and Azure Load Balancer inbound traffic and deny all other inbound; outbound allows VNet and internet traffic.
Azure Firewall is a managed, centralized firewall with capabilities like FQDN filtering, threat intelligence, and TLS inspection.
Azure Firewall requires a dedicated subnet named 'AzureFirewallSubnet' with a /26 or larger prefix.
For inbound traffic, subnet NSG is evaluated before NIC NSG; for outbound, NIC NSG is evaluated before subnet NSG.
Azure Firewall rule types: NAT rules (inbound DNAT), Network rules (IP/port), Application rules (FQDN).
NSGs are free; Azure Firewall incurs costs based on deployment hours and data processing.
Both NSGs and Azure Firewall are stateful, but Azure Firewall can handle more complex stateful protocols.
A common hub-and-spoke architecture uses Azure Firewall in the hub and NSGs in spokes for defense-in-depth.
These come up on the exam all the time. Here's how to tell them apart.
Network Security Group (NSG)
Distributed firewall applied per subnet or NIC.
Free of charge (no additional cost).
Filters based on source/destination IP, port, and protocol only.
Stateful but limited to IP/port filtering.
No centralized logging by default; NSG flow logs must be enabled separately.
Azure Firewall
Centralized firewall as a service for the entire VNet.
Costs per hour and per GB of data processed.
Supports FQDN filtering, TLS inspection, threat intelligence, and IDPS (Premium).
Stateful with advanced capabilities like FTP active mode support.
Provides rich logs for all traffic, including denied and allowed connections.
Mistake
NSGs are stateless and require symmetric rules for return traffic.
Correct
NSGs are stateful. When you allow inbound traffic, the return traffic is automatically permitted without needing an explicit outbound rule. This applies only to existing flows, not new connections.
Mistake
Azure Firewall must be deployed in every virtual network.
Correct
Azure Firewall is typically deployed in a central hub VNet and peered with spoke VNets. You do not need one per VNet. NSGs can be used per subnet.
Mistake
NSGs can filter traffic based on application layer information like URLs.
Correct
NSGs operate at layers 3 and 4 (IP, port, protocol). They cannot inspect application payloads. For URL or FQDN filtering, use Azure Firewall or a web application firewall.
Mistake
You can associate an NSG directly to a virtual machine.
Correct
NSGs are associated with subnets or network interfaces (NICs), not directly to VMs. When you associate an NSG to a subnet, it applies to all VMs in that subnet.
Mistake
Azure Firewall can replace NSGs entirely.
Correct
Azure Firewall complements NSGs but does not replace them. NSGs provide distributed, low-latency filtering at the subnet/NIC level. Both are often used together for defense-in-depth.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
NSG is a distributed, basic firewall that filters traffic by IP and port at the subnet or NIC level. It is free and stateful. Azure Firewall is a centralized, managed firewall with advanced features like FQDN filtering, threat intelligence, and TLS inspection. It costs money. Use NSGs for simple segmentation and Azure Firewall for centralized control and advanced filtering.
No. NSGs operate at network layer 3 and 4, so they can only filter by source/destination IP address, port, and protocol. To filter by domain name (FQDN), you need Azure Firewall (application rules) or a third-party NVA.
NSGs are stateful. When you allow inbound traffic, the return traffic is automatically allowed. Similarly, when you allow outbound traffic, the return traffic is allowed. However, statefulness applies only to the same flow; new connections require explicit rules.
NSG rules have a priority between 100 and 4096. Lower numbers indicate higher priority and are evaluated first. The default rules have priorities 65000, 65001, and 65500, so custom rules with priorities below 65000 will override them.
No. NSGs are associated with subnets or network interfaces (NICs). You can associate an NSG to a NIC to apply rules to a specific VM, or to a subnet to apply rules to all VMs in that subnet.
Azure Firewall requires a dedicated subnet named 'AzureFirewallSubnet' with a minimum prefix of /26 (64 IP addresses). The subnet can be larger, but it must be named exactly 'AzureFirewallSubnet' and cannot contain any other resources.
Yes, Azure Firewall Premium SKU supports TLS inspection. It can decrypt outbound TLS traffic, inspect the payload, and re-encrypt it. This allows filtering based on URLs and detection of threats within encrypted traffic.
You've just covered Azure Network Security Groups and Firewalls — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?