AZ-104 Objective 4.2: Configure Secure Access to Virtual Networks

50 min read | Microsoft Azure Administrator

AZ-104 Exam Focus: This objective covers network security in Azure, including Network Security Groups (NSGs), Application Security Groups (ASGs), Azure Bastion, service endpoints, and private endpoints. Understanding these security mechanisms is crucial for Azure administrators to implement defense-in-depth strategies and secure network access. Master these concepts for both exam success and real-world Azure network security management.

Understanding Network Security in Azure

Network security in Azure follows a defense-in-depth approach, providing multiple layers of protection for your virtual networks and resources. This includes traffic filtering, secure remote access, and controlled connectivity to Azure services. This builds upon the foundation of Azure Virtual Networks and works in conjunction with Azure RBAC for comprehensive security.

Network Security Components

  • Network Security Groups (NSGs): Firewall rules for traffic filtering
  • Application Security Groups (ASGs): Logical grouping of network interfaces
  • Azure Bastion: Secure RDP/SSH access without public IPs
  • Service Endpoints: Secure connectivity to Azure PaaS services
  • Private Endpoints: Private IP connectivity to Azure services
  • Azure Firewall: Cloud-native firewall service

1. Create and Configure Network Security Groups (NSGs) and Application Security Groups (ASGs)

Network Security Groups act as virtual firewalls, controlling inbound and outbound traffic to Azure resources. Application Security Groups provide logical grouping of network interfaces for simplified NSG rule management.

NSG Key Concepts

NSG Features:

  • Stateful Firewall: Tracks connection state for return traffic
  • Rule Priority: Rules processed in priority order (100-4096)
  • Default Rules: Built-in allow/deny rules for basic connectivity
  • Service Tags: Predefined groups of IP addresses for Azure services
  • Application Security Groups: Logical grouping of network interfaces
  • Flow Logs: Logging of network traffic for monitoring

Creating NSGs

# Create NSG
az network nsg create \
  --name myNSG \
  --resource-group myResourceGroup \
  --location eastus

# Create NSG with tags
az network nsg create \
  --name myNSG \
  --resource-group myResourceGroup \
  --location eastus \
  --tags Environment=Production Purpose=WebTier

Creating NSG Rules

# Create inbound rule (Internet is a service tag; narrow the source to known prefixes where you can)
az network nsg rule create \
  --name AllowHTTP \
  --resource-group myResourceGroup \
  --nsg-name myNSG \
  --priority 1000 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefix Internet \
  --source-port-range * \
  --destination-address-prefix * \
  --destination-port-range 80

# Create outbound rule
az network nsg rule create \
  --name AllowHTTPS \
  --resource-group myResourceGroup \
  --nsg-name myNSG \
  --priority 1001 \
  --direction Outbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefix * \
  --source-port-range * \
  --destination-address-prefix Internet \
  --destination-port-range 443

# Create rule with service tag
az network nsg rule create \
  --name AllowAzureStorage \
  --resource-group myResourceGroup \
  --nsg-name myNSG \
  --priority 1002 \
  --direction Outbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefix * \
  --source-port-range * \
  --destination-address-prefix Storage \
  --destination-port-range 443

Application Security Groups (ASGs)

# Create Application Security Group
az network asg create \
  --name WebServers \
  --resource-group myResourceGroup \
  --location eastus

# Create ASG for database servers
az network asg create \
  --name DatabaseServers \
  --resource-group myResourceGroup \
  --location eastus

# Associate network interface with ASG
az network nic ip-config update \
  --name ipconfig1 \
  --resource-group myResourceGroup \
  --nic-name myNIC \
  --application-security-groups WebServers

NSG Rule Configuration

Parameter          | Options                        | Description
Direction          | Inbound, Outbound              | Traffic direction
Access             | Allow, Deny                    | Action to take
Protocol           | TCP, UDP, ICMP, ESP, AH, Any   | Network protocol
Source/Destination | IP, CIDR, ASG, Service Tag     | Address specification
Priority           | 100-4096                       | Rule processing order (lower number first; unique per direction within an NSG)

2. Evaluate Effective Security Rules in NSGs

Understanding how NSG rules are evaluated and applied is crucial for troubleshooting connectivity issues and ensuring proper security configuration.

NSG Rule Evaluation Process

Rule Processing Order:

  1. Rules are processed in priority order (lowest number first)
  2. First matching rule determines the action (Allow/Deny)
  3. If no rules match, default security rules apply
  4. Default rules cannot be deleted but can be overridden
  5. NSGs are stateful - return traffic is automatically allowed

Default Security Rules

Built-in Rules:

  • AllowVNetInBound (65000): Allow all traffic within VNet
  • AllowAzureLoadBalancerInBound (65001): Allow Azure Load Balancer
  • DenyAllInBound (65500): Deny all other inbound traffic
  • AllowVNetOutBound (65000): Allow all outbound traffic within VNet
  • AllowInternetOutBound (65001): Allow outbound to internet
  • DenyAllOutBound (65500): Deny all other outbound traffic

NSG Association Levels

Association Hierarchy:

  • Subnet Level: Applied to every NIC in the subnet
  • Network Interface Level: Applied to the specific NIC only
  • Combined Rules: When both are attached, a flow must be allowed by both NSGs; a deny at either level blocks it
  • Evaluation Order: Inbound traffic is checked against the subnet NSG first, then the NIC NSG; outbound traffic is checked against the NIC NSG first, then the subnet NSG. A NIC NSG with only the default rules therefore blocks Internet inbound traffic even when the subnet NSG allows it
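The following is an added worked example (not Microsoft code or output from the CLI) that models how an NSG decides a flow, covering the rule sections above: priority order, first match, the six default rules, the Internet/VirtualNetwork/AzureLoadBalancer service tags, ASG-based source and destination, and the subnet-then-NIC combination. The VNet address space, the ASG membership, the AllowWebToSql/DenyVnetToSql pair and the simplified tag definitions are constructed assumptions for the example; the real VirtualNetwork and Internet tags cover more prefixes than modelled here.

```python
"""Model of Azure NSG evaluation (added illustration, not Microsoft's code)."""
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: VNet address space and ASG membership (NIC private IPs).
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
ASG_MEMBERS = {"WebServers": {"10.0.1.4"}, "DatabaseServers": {"10.0.2.7"}}
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE_IP = "168.63.129.16"  # well-known source of Azure Load Balancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules 100-4096; lower number is evaluated first
    direction: str  # "Inbound" | "Outbound"
    access: str     # "Allow" | "Deny"
    protocol: str   # "Tcp" | "Udp" | "Icmp" | "*"
    source: str     # IP, CIDR, "*", service tag or ASG name
    dest: str
    dest_port: str  # "80", "1000-2000" or "*"


# Built-in rules present in every NSG; they cannot be deleted, only overridden.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# The page's AllowHTTP rule, plus a constructed ASG pair for a web tier and a database tier.
ALLOW_HTTP = Rule("AllowHTTP", 1000, "Inbound", "Allow", "Tcp", "Internet", "*", "80")
ALLOW_WEB_TO_SQL = Rule("AllowWebToSql", 200, "Inbound", "Allow", "Tcp", "WebServers", "DatabaseServers", "1433")
DENY_VNET_TO_SQL = Rule("DenyVnetToSql", 300, "Inbound", "Deny", "*", "VirtualNetwork", "DatabaseServers", "1433")


def _in_vnet(addr):
    return any(addr in n for n in VNET_PREFIXES)


def _addr_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":   # simplified: the real tag also includes peered VNets and gateway routes
        return _in_vnet(addr)
    if spec == "Internet":         # simplified: public address space outside the VNet
        return not _in_vnet(addr) and not any(addr in n for n in RFC1918)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if spec in ASG_MEMBERS:        # ASG: the set of NIC addresses that belong to the group
        return ip in ASG_MEMBERS[spec]
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(custom_rules, direction, protocol, src, dst, dst_port):
    """One NSG: custom rules plus defaults, lowest priority number first; the first match decides."""
    for r in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if _addr_matches(r.source, src) and _addr_matches(r.dest, dst) and _port_matches(r.dest_port, dst_port):
            return r.access, r.name
    raise RuntimeError("unreachable: the DenyAll defaults match every flow")


def effective_access(subnet_rules, nic_rules, direction, protocol, src, dst, dst_port):
    """Subnet NSG and NIC NSG combined as Azure applies them: inbound checks the subnet NSG
    first, then the NIC NSG; outbound the other way round. A deny at either level blocks the
    flow. None means no NSG attached at that level. Returns (allowed, [(level, access, rule)])."""
    levels = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        levels.reverse()
    trace = []
    for level, rules in levels:
        if rules is None:
            continue
        access, name = evaluate(rules, direction, protocol, src, dst, dst_port)
        trace.append((level, access, name))
        if access == "Deny":
            return False, trace
    return True, trace


if __name__ == "__main__":
    # A NIC NSG with only default rules blocks port 80 even though the subnet NSG allows it.
    for flow in [("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 80),
                 ("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 22),
                 ("Outbound", "Tcp", "10.0.1.4", "203.0.113.5", 443)]:
        print(flow, effective_access([ALLOW_HTTP], [], *flow))
```

The trace returned by effective_access is what `az network nic list-effective-nsg` and `az network watcher test-ip-flow` would tell you for the same flow: which level and which rule made the decision.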

Evaluating Effective Rules

# List NSG rules
az network nsg rule list \
  --resource-group myResourceGroup \
  --nsg-name myNSG \
  --output table

# Get the effective security rules for a NIC (subnet NSG and NIC NSG combined; the VM must be running)
az network nic list-effective-nsg \
  --resource-group myResourceGroup \
  --name myNIC

# Check whether one specific flow is allowed and which rule decides it
# (requires Network Watcher in the region; 203.0.113.10:49152 is an example remote endpoint)
az network watcher test-ip-flow \
  --resource-group myResourceGroup \
  --vm myVM \
  --direction Inbound \
  --protocol TCP \
  --local 10.0.1.4:80 \
  --remote 203.0.113.10:49152

3. Implement Azure Bastion

Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly through the Azure portal, without exposing public IP addresses or requiring VPN connections.

Azure Bastion Features

Key Capabilities:

  • Browser-based Access: RDP/SSH in the Azure portal over HTTPS; the Standard SKU also supports native RDP/SSH clients through a tunnel opened with the Azure CLI
  • No Public IP Required: target VMs need only private IP addresses
  • No VPN Required: no VPN or self-managed jump box to operate and patch
  • TLS Encryption: sessions are tunnelled over TLS on port 443 to the Bastion host
  • Hardening: the host is a managed service that Microsoft patches and hardens
  • Integration: access is governed by Azure RBAC (at minimum Reader on the VM, its NIC and the Bastion resource)

Creating Azure Bastion

# Create Bastion subnet (the name AzureBastionSubnet is mandatory; /26 or larger,
# and it must not overlap your workload subnets)
az network vnet subnet create \
  --name AzureBastionSubnet \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --address-prefix 10.0.255.0/26

# Create public IP for Bastion
az network public-ip create \
  --name myBastionPublicIP \
  --resource-group myResourceGroup \
  --location eastus \
  --sku Standard \
  --allocation-method Static

# Create Azure Bastion
az network bastion create \
  --name myBastion \
  --resource-group myResourceGroup \
  --location eastus \
  --vnet-name myVNet \
  --public-ip-address myBastionPublicIP \
  --sku Standard

Bastion Configuration Requirements

Prerequisites:

  • Dedicated subnet named "AzureBastionSubnet" (the name is mandatory)
  • Subnet must be /26 or larger
  • Standard SKU, static public IP address
  • VNet must be in the same region as Bastion (VMs in peered VNets can still be reached)
  • If you attach an NSG to AzureBastionSubnet it must allow, inbound: TCP 443 from Internet, GatewayManager and AzureLoadBalancer, and TCP 8080/5701 from VirtualNetwork; outbound: TCP 22 and 3389 to VirtualNetwork, TCP 443 to AzureCloud, TCP 8080/5701 to VirtualNetwork, and TCP 80 to Internet. The default rules already cover the VirtualNetwork, AzureLoadBalancer and Internet-outbound items unless you add explicit deny rules above them

Bastion NSG Configuration

# Create NSG for Bastion subnet
az network nsg create \
  --name myBastionNSG \
  --resource-group myResourceGroup \
  --location eastus

# Allow HTTPS inbound
az network nsg rule create \
  --name AllowHttpsInbound \
  --resource-group myResourceGroup \
  --nsg-name myBastionNSG \
  --priority 1000 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefix Internet \
  --source-port-range * \
  --destination-address-prefix * \
  --destination-port-range 443

# Allow GatewayManager inbound
az network nsg rule create \
  --name AllowGatewayManagerInbound \
  --resource-group myResourceGroup \
  --nsg-name myBastionNSG \
  --priority 1001 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefix GatewayManager \
  --source-port-range * \
  --destination-address-prefix * \
  --destination-port-range 443

# Associate NSG with Bastion subnet. The two explicit rules above cover the Internet and
# GatewayManager requirements; the remaining Bastion requirements are satisfied by the default
# rules as long as you add no custom deny rule ahead of them.
az network vnet subnet update \
  --name AzureBastionSubnet \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --network-security-group myBastionNSG

4. Configure Service Endpoints for Azure Platform as a Service (PaaS)

Service endpoints extend your VNet's identity to an Azure PaaS service. Traffic from the enabled subnet reaches the service's public endpoint over the Azure backbone rather than the subnet's public egress path, and the service's firewall can then be restricted to that subnet. The service keeps its public IP; what changes is the route and the source identity the service sees.

Service Endpoint Benefits

Key Advantages:

  • Scoped Access: the service firewall can be limited to specific subnets, so only traffic from those subnets is accepted even though the service keeps its public endpoint
  • Backbone Routing: traffic from the subnet to the service stays on the Azure backbone
  • Source Identity: requests arrive with the VNet/subnet identity instead of a NAT public IP, so that IP no longer needs to be allow-listed on the service
  • Cost: service endpoints themselves carry no charge
  • Simplified Networking: no public IP or NAT gateway is needed on the subnet just to reach the service

Supported Azure Services

Service Category   | Service endpoint                                          | Services                                                                              | Notes
Storage            | Microsoft.Storage                                         | Azure Storage (Blob, File, Queue, Table), Azure Data Lake Storage Gen2                | Most commonly used
Database           | Microsoft.Sql, Microsoft.AzureCosmosDB                    | Azure SQL Database, Azure Synapse Analytics (SQL), Azure Database for MySQL/PostgreSQL, Azure Cosmos DB | The service's firewall must also list the subnet
Keys and messaging | Microsoft.KeyVault, Microsoft.EventHub, Microsoft.ServiceBus | Azure Key Vault, Event Hubs, Service Bus                                           | Key Vault also supports trusted-service bypass
AI                 | Microsoft.CognitiveServices                               | Azure AI services (Cognitive Services)                                                | AI workloads

Configuring Service Endpoints

# Enable service endpoint for storage
az network vnet subnet update \
  --name mySubnet \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --service-endpoints Microsoft.Storage

# Enable multiple service endpoints
az network vnet subnet update \
  --name mySubnet \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --service-endpoints Microsoft.Storage Microsoft.Sql

# Add the subnet to the storage account firewall. The rule only takes effect once the
# account's default network action is Deny (az storage account update --default-action Deny);
# with the default Allow, the public endpoint still accepts traffic from anywhere.
az storage account network-rule add \
  --resource-group myResourceGroup \
  --account-name mystorageaccount \
  --vnet-name myVNet \
  --subnet mySubnet

# List service endpoints
az network vnet subnet show \
  --name mySubnet \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --query "serviceEndpoints"

5. Configure Private Endpoints for Azure PaaS

Private endpoints provide private IP connectivity to Azure PaaS services, enabling you to access services from your VNet using private IP addresses instead of public endpoints.

Private Endpoint Benefits

Key Advantages:

  • Private Connectivity: the service gets a NIC with a private IP address in your VNet
  • Enhanced Security: traffic never leaves the Azure backbone, and the service's public endpoint can be disabled entirely
  • Network Isolation: the connection is to one specific resource (and sub-resource), not to the whole service
  • DNS Integration: with a linked private DNS zone, the service's normal FQDN resolves to the private IP
  • Compliance: reachable from peered VNets and from on-premises over VPN/ExpressRoute, which helps meet requirements that data paths stay private

Private Endpoint vs Service Endpoint

Feature         | Service Endpoint                                                                 | Private Endpoint
Connectivity    | Subnet traffic reaches the service's public IP over the Azure backbone; the source is seen as the VNet/subnet | NIC with a private IP address in your VNet
Access Control  | Service firewall allows whole subnets                                            | Connection to one specific resource; public access can be disabled
DNS Resolution  | Public DNS, unchanged                                                            | Private DNS zone (privatelink.*) maps the name to the private IP
Reach           | Only from subnets where the endpoint is enabled                                  | Also from peered VNets and on-premises over VPN/ExpressRoute
Cost            | No additional cost                                                               | Hourly charge per endpoint plus data processed

Creating Private Endpoints

# Create private DNS zone
az network private-dns zone create \
  --name privatelink.blob.core.windows.net \
  --resource-group myResourceGroup

# Link private DNS zone to VNet
az network private-dns link vnet create \
  --name myDNSLink \
  --resource-group myResourceGroup \
  --zone-name privatelink.blob.core.windows.net \
  --virtual-network myVNet \
  --registration-enabled false

# Create private endpoint
az network private-endpoint create \
  --name myPrivateEndpoint \
  --resource-group myResourceGroup \
  --location eastus \
  --vnet-name myVNet \
  --subnet mySubnet \
  --private-connection-resource-id /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount \
  --group-id blob \
  --connection-name myConnection

# Create the A record for the endpoint's private IP (read the real IP from the endpoint's NIC;
# 10.0.1.5 is an example). A DNS zone group attached to the endpoint can manage this record for you.
az network private-dns record-set a create \
  --name mystorageaccount \
  --zone-name privatelink.blob.core.windows.net \
  --resource-group myResourceGroup

az network private-dns record-set a add-record \
  --name mystorageaccount \
  --zone-name privatelink.blob.core.windows.net \
  --resource-group myResourceGroup \
  --ipv4-address 10.0.1.5

Private Endpoint Configuration

Configuration Requirements:

  • A subnet in the VNet with free IP addresses; a dedicated subnet is common but not required
  • A private DNS zone (privatelink.*) linked to every VNet that must resolve the name, or equivalent records on your own DNS servers
  • Private endpoint network policies on the subnet: these used to have to be disabled; enable them if NSG and route table rules should apply to private endpoint traffic
  • NSG rules on the client side allowing traffic to the endpoint's private IP; the endpoint only serves the sub-resource (group ID) it was created for
  • An approved connection on the target resource (automatic when you have RBAC on the target; otherwise its owner must approve)
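An added example (not Microsoft code) of the DNS check to run after creating a private endpoint: derive the CNAME and A records the page's configuration relies on, then walk a resolver's answer chain and classify whether the name ends at a private IP or leaks to the public endpoint. The zone table is a subset covering the services on this page; the two resolver views and the public address 20.60.123.45 are constructed.

```python
"""Private endpoint DNS chain check (added illustration, not Microsoft's code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Private link zone per (resource provider, group ID); a constructed subset.
PRIVATELINK_ZONES = {
    ("Microsoft.Storage", "blob"): "privatelink.blob.core.windows.net",
    ("Microsoft.Storage", "file"): "privatelink.file.core.windows.net",
    ("Microsoft.Sql", "sqlServer"): "privatelink.database.windows.net",
    ("Microsoft.KeyVault", "vault"): "privatelink.vaultcore.azure.net",
}

Answer = Tuple[str, str]  # (record type, value)


def expected_records(resource_name: str, provider: str, group_id: str, private_ip: str) -> dict:
    """Azure's public DNS serves the CNAME from the public FQDN to the privatelink name;
    the A record for the privatelink name is what your linked private DNS zone must hold."""
    zone = PRIVATELINK_ZONES[(provider, group_id)]
    public_fqdn = f"{resource_name}.{zone[len('privatelink.'):]}"
    private_fqdn = f"{resource_name}.{zone}"
    return {"zone": zone, "cname": (public_fqdn, private_fqdn), "a": (private_fqdn, private_ip)}


def resolve_chain(fqdn: str, answers: Dict[str, Answer], max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs through a resolver's answer table until an A record (or a dead end)."""
    chain, name = [fqdn], fqdn
    for _ in range(max_hops):
        rtype, value = answers.get(name, ("", ""))
        if rtype == "A":
            return chain, value
        if rtype != "CNAME":
            return chain, None
        name = value
        chain.append(name)
    return chain, None  # CNAME loop or chain too deep


def classify(fqdn: str, answers: Dict[str, Answer], vnet_prefixes: List[str]) -> Tuple[str, List[str]]:
    """'private' when the name ends at an address inside the VNet, 'public' when the
    privatelink name resolved to a public IP (zone not linked or A record missing)."""
    chain, ip = resolve_chain(fqdn, answers)
    if ip is None:
        return "unresolved", chain
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(p) for p in vnet_prefixes):
        return "private", chain
    return "public", chain


# Constructed resolver views of the page's storage account.
INSIDE_VNET = {
    "mystorageaccount.blob.core.windows.net": ("CNAME", "mystorageaccount.privatelink.blob.core.windows.net"),
    "mystorageaccount.privatelink.blob.core.windows.net": ("A", "10.0.1.5"),
}
ZONE_NOT_LINKED = {
    "mystorageaccount.blob.core.windows.net": ("CNAME", "mystorageaccount.privatelink.blob.core.windows.net"),
    "mystorageaccount.privatelink.blob.core.windows.net": ("A", "20.60.123.45"),  # constructed public address
}

if __name__ == "__main__":
    print(expected_records("mystorageaccount", "Microsoft.Storage", "blob", "10.0.1.5"))
    for view in (INSIDE_VNET, ZONE_NOT_LINKED):
        print(classify("mystorageaccount.blob.core.windows.net", view, ["10.0.0.0/16"]))
```

The "public" outcome is the one to watch for: clients connect to the service's public endpoint without error, so only a DNS check or flow logs reveal that the private endpoint is being bypassed.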

Network Security Best Practices

Security Guidelines:

  • Follow the principle of least privilege for NSG rules
  • Use service tags to simplify NSG rule management
  • Implement Application Security Groups for logical grouping
  • Enable NSG flow logs for monitoring and troubleshooting
  • Use Azure Bastion for secure remote access
  • Use service endpoints where the PaaS service may keep its public endpoint, and set the service firewall's default action to Deny so the subnet rule actually restricts access
  • Use private endpoints for sensitive workloads and wherever the public endpoint must be closed or the service must be reached from on-premises
  • Regularly review and audit security configurations

Monitoring and Troubleshooting

# Enable NSG flow logs (version 2 records include flow state and byte/packet counters)
az network watcher flow-log create \
  --location eastus \
  --name myNSGFlowLog \
  --resource-group myResourceGroup \
  --nsg myNSG \
  --storage-account mystorageaccount \
  --log-version 2 \
  --retention 30

# Test outbound connectivity from a VM (requires the Network Watcher agent extension on the VM)
az network watcher test-connectivity \
  --resource-group myResourceGroup \
  --source-resource myVM \
  --dest-address 8.8.8.8 \
  --dest-port 80

# Check private endpoint DNS from inside the VNet: expect a CNAME to
# mystorageaccount.privatelink.blob.core.windows.net and a private IP, not a public one
nslookup mystorageaccount.blob.core.windows.net

# Monitor service endpoint traffic
az monitor metrics list \
  --resource /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount \
  --metric "Transactions"
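An added example (not Microsoft tooling) showing what to do with the flow logs enabled above: parse version 2 records and pull out the three things an analyst looks at first, denied inbound probes per source, allowed inbound to admin ports from outside the VNet, and egress volume. The log is constructed in the documented v2 layout (one tuple per flow: time, src, dst, srcport, dstport, protocol, direction, decision, state, packets S2D, bytes S2D, packets D2S, bytes D2S); the VNet prefix, the rule names and the addresses are assumptions for the example.

```python
"""NSG flow log v2 triage (added illustration, not Microsoft's code)."""
import ipaddress
import json
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, Tuple

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]  # constructed assumption
ADMIN_PORTS = {22, 3389}

# Constructed sample in the v2 layout: B = flow begin, E = flow end (counters only on C/E records).
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/0000/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYNSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1700000000,198.51.100.23,10.0.1.4,51000,3389,T,I,D,B,,,,",
            "1700000001,198.51.100.23,10.0.1.4,51001,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTP", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1700000002,203.0.113.5,10.0.1.4,49152,80,T,I,A,B,,,,",
            "1700000012,203.0.113.5,10.0.1.4,49152,80,T,I,A,E,5,420,4,2010"]}]},
        {"rule": "UserRule_AllowRDPFromAnywhere", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1700000020,203.0.113.77,10.0.1.4,50000,3389,T,I,A,B,,,,"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1700000030,10.0.1.4,13.107.42.14,50001,443,T,O,A,E,10,1500,12,8000"]}]},
    ]}}]})


@dataclass(frozen=True)
class FlowTuple:
    ts: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str       # T or U
    direction: str   # I or O
    decision: str    # A or D
    state: str       # B, C or E
    bytes_s2d: int
    bytes_d2s: int


def parse_tuple(raw: str) -> FlowTuple:
    f = raw.split(",")
    # Counters are present only on C and E records; B records leave the fields empty.
    bytes_s2d = int(f[10]) if f[10] else 0
    bytes_d2s = int(f[12]) if f[12] else 0
    return FlowTuple(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7], f[8], bytes_s2d, bytes_d2s)


def iter_flows(log_text: str) -> Iterator[Tuple[str, FlowTuple]]:
    """Yield (rule name, tuple) for every flow, walking records -> rules -> NICs -> tuples."""
    for rec in json.loads(log_text)["records"]:
        for rule_block in rec["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    yield rule_block["rule"], parse_tuple(raw)


def _in_vnet(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in VNET_PREFIXES)


def summarize(log_text: str) -> dict:
    denied_inbound = Counter()
    admin_from_outside = []
    egress_bytes = 0
    for rule, t in iter_flows(log_text):
        if t.direction == "I" and t.decision == "D":
            denied_inbound[t.src] += 1
        # An allow on 22/3389 from outside the VNet usually means an over-broad rule
        if t.direction == "I" and t.decision == "A" and t.dst_port in ADMIN_PORTS and not _in_vnet(t.src):
            admin_from_outside.append((rule, t.src, t.dst, t.dst_port))
        # Bytes leaving the VM: S2D on outbound flows, D2S on inbound flows
        egress_bytes += t.bytes_s2d if t.direction == "O" else t.bytes_d2s
    return {"denied_inbound": dict(denied_inbound),
            "admin_from_outside": admin_from_outside,
            "egress_bytes": egress_bytes}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

The rule name in each record is the NSG rule that made the decision, so a flagged admin-port flow points straight at the rule to tighten.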

Exam Tips and Key Points

Critical Exam Knowledge:

  • NSGs: Understand rule priority, default rules, and association levels
  • ASGs: Know how to create and use for logical grouping
  • Azure Bastion: Understand requirements, configuration, and benefits
  • Service Endpoints: Know supported services and configuration
  • Private Endpoints: Understand DNS requirements and benefits
  • Security Rules: Know how to evaluate effective rules
  • Monitoring: Understand flow logs and connectivity testing

Common Scenarios and Solutions

Real-World Scenarios:

  1. Web Application Security: Use NSGs with ASGs for tier-based security
  2. Secure Remote Access: Implement Azure Bastion for VM management
  3. Database Connectivity: Use private endpoints for secure database access
  4. Storage Access: Configure service endpoints for blob storage
  5. Multi-tier Applications: Use NSGs to control traffic between tiers
  6. Compliance Requirements: Use private endpoints for data residency

Summary

Secure access to virtual networks is fundamental to Azure security architecture. This objective covers the essential security mechanisms for protecting network resources:

  • Network Security Groups and Application Security Groups for traffic filtering
  • Effective security rule evaluation and troubleshooting
  • Azure Bastion for secure remote access without public IPs
  • Service endpoints for secure PaaS connectivity
  • Private endpoints for private IP connectivity to Azure services
  • Security best practices and monitoring strategies

Understanding these security concepts is essential for Azure administrators to implement defense-in-depth strategies and maintain secure network architectures in Azure environments.

Next Steps: Practice creating NSGs, configuring Azure Bastion, and setting up service/private endpoints in the Azure portal. Experiment with different security rules and test connectivity to understand the complete network security ecosystem in Azure.
