Azure Network Security Groups & Application Security Groups

Introduction

This lab demonstrates how to secure Azure virtual machines using Network Security Groups (NSGs) and Application Security Groups (ASGs). By logically grouping VMs and applying targeted inbound rules, I isolated traffic for Web Servers and Management Servers, enhancing role-based access control and overall cloud security posture.


Objectives

  • Create resource group and virtual network
  • Define Application Security Groups (ASGs)
  • Deploy virtual machines for web and management roles
  • Associate NICs with ASGs
  • Configure NSGs with role-based inbound rules
  • Validate traffic filtering and rule enforcement

Prerequisites

  • Azure subscription with contributor or admin access
  • Skillable lab environment or Azure sandbox
  • Familiarity with Azure Portal and VM deployment

Walkthrough

Task 1: Create Resource Group & Virtual Network

  • Created resource group RG-SecurityLab in East Africa
  • Deployed virtual network VNet-SecurityLab with subnets for Web and Management servers
📸 Screenshot: step01-resource-group.png – Resource group creation

📸 Screenshot: step01-virtual-network.png – Virtual network setup

Task 2: Create Application Security Groups

  • Created ASG ASG-Web for web servers
  • Created ASG ASG-Management for management servers
📸 Screenshot: step02-asg-web.png – ASG for web servers

📸 Screenshot: step02-asg-management.png – ASG for management servers

Task 3: Deploy Virtual Machines

  • Deployed Web Server VM with IIS installed
  • Deployed Management Server VM configured for RDP access
📸 Screenshot: step03-web-vm.png – Web VM deployment

📸 Screenshot: step03-management-vm.png – Management VM deployment

Task 4: Associate NICs with ASGs

  • Associated Web VM NIC with ASG-Web
  • Associated Management VM NIC with ASG-Management
📸 Screenshot: step04-nic-asg.png – NIC association with ASGs

Task 5: Configure Network Security Groups

  • Created NSG for Web servers: allowed inbound HTTP (TCP port 80) to ASG-Web, blocked RDP (TCP port 3389)
  • Created NSG for Management servers: allowed inbound RDP (TCP port 3389) to ASG-Management from trusted IPs only, blocked HTTP (TCP port 80)
📸 Screenshot: step05-nsg-web.png – NSG for web access

📸 Screenshot: step05-nsg-management.png – NSG for management access

Task 6: Validate Traffic Filtering

  • Verified Web Server accessible via browser on port 80
  • Verified Management Server accessible via RDP from admin workstation
📸 Screenshot: step06-iis-access.png – IIS access test

📸 Screenshot: step06-rdp-access.png – RDP access test

Task 7: Final Validation

  • Used Azure Network Watcher to confirm traffic flow matches NSG rules
📸 Screenshot: step07-network-watcher.png – Network Watcher validation
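As an added worked example (not part of the original lab, and not Azure's own code), the following Python script models Tasks 4 to 7 offline: it records the NIC-to-ASG associations, defines the two role-based NSGs as ASG-targeted rules on top of Azure's built-in default inbound rules, and evaluates sample flows in priority order the way Network Watcher's IP flow verify reports them. The VNet address space (10.0.0.0/16), the VM addresses, the "trusted" admin range (203.0.113.0/24), the rule names and priorities are all constructed assumptions; the default rules and their priorities (65000, 65001, 65500) are Azure's real ones. It also goes one step beyond the lab by showing why "RDP from trusted IPs" needs an explicit deny above priority 65000 if it is meant to exclude other VMs in the same VNet.

```python
"""Offline model of Azure NSG inbound-rule evaluation with ASG membership.

Constructed example mirroring the lab's layout; it does not call Azure.
Addresses, names and priorities are assumptions, not values read from Azure.
"""
import ipaddress
from dataclasses import dataclass

# Task 4: NIC -> ASG association (constructed addresses inside the lab VNet).
ASG_MEMBERS = {
    "ASG-Web": {"10.0.1.4"},         # Web VM NIC, Web subnet (assumed)
    "ASG-Management": {"10.0.2.4"},  # Management VM NIC, Management subnet (assumed)
}
VNET = ipaddress.ip_network("10.0.0.0/16")               # assumed VNet-SecurityLab space
TRUSTED_ADMIN = ipaddress.ip_network("203.0.113.0/24")   # constructed "trusted IPs"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower number is evaluated first; first match wins
    action: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, ASG name, or tag "Internet"/"VirtualNetwork"/"*"
    destination: str  # CIDR, ASG name, or tag "VirtualNetwork"/"*"
    dest_port: str    # single port, "lo-hi" range, or "*"


# Azure's built-in default inbound rules, present in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

# Task 5: the two role-based NSGs, expressed as ASG-targeted rules (assumed names/priorities).
NSG_WEB = [
    Rule("Allow-HTTP-Internet", 100, "Allow", "Tcp", "Internet", "ASG-Web", "80"),
    Rule("Deny-RDP", 110, "Deny", "Tcp", "*", "ASG-Web", "3389"),
] + DEFAULT_INBOUND
NSG_MGMT = [
    Rule("Allow-RDP-Trusted", 100, "Allow", "Tcp", str(TRUSTED_ADMIN), "ASG-Management", "3389"),
    Rule("Deny-HTTP", 110, "Deny", "Tcp", "*", "ASG-Management", "80"),
] + DEFAULT_INBOUND
# Stricter variant: an explicit deny below the default AllowVnetInBound (65000) so that
# only the trusted range, and not other VNet members, can reach RDP on ASG-Management.
NSG_MGMT_STRICT = [Rule("Deny-RDP-Other", 120, "Deny", "Tcp", "*", "ASG-Management", "3389")] + NSG_MGMT


def _addr_matches(selector: str, ip: str) -> bool:
    """Resolve a rule's source/destination selector against one concrete IP."""
    addr = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector in ASG_MEMBERS:            # ASG membership comes from the NIC association
        return ip in ASG_MEMBERS[selector]
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "Internet":             # simplification: anything outside the VNet
        return addr not in VNET
    if selector == "AzureLoadBalancer":
        return ip == "168.63.129.16"       # Azure's health-probe source address
    return addr in ipaddress.ip_network(selector, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate_inbound(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (action, rule name) for a flow, the way IP flow verify reports it."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if ((rule.protocol == "*" or rule.protocol.lower() == protocol.lower())
                and _addr_matches(rule.source, src_ip)
                and _addr_matches(rule.destination, dst_ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule.action, rule.name
    return "Deny", "no-rule"  # unreachable: DenyAllInBound always matches


def nsg_for(dst_ip):
    """Pick the NSG guarding the destination VM from its ASG membership."""
    if dst_ip in ASG_MEMBERS["ASG-Web"]:
        return NSG_WEB
    if dst_ip in ASG_MEMBERS["ASG-Management"]:
        return NSG_MGMT
    raise ValueError(f"{dst_ip} is not in any ASG")


def validate_lab():
    """Tasks 6/7: the flows the lab verified, plus two cross-role checks."""
    checks = {
        "internet->web:80": ("198.51.100.7", "10.0.1.4", 80),
        "internet->web:3389": ("198.51.100.7", "10.0.1.4", 3389),
        "admin->mgmt:3389": ("203.0.113.10", "10.0.2.4", 3389),
        "internet->mgmt:3389": ("198.51.100.7", "10.0.2.4", 3389),
        "admin->mgmt:80": ("203.0.113.10", "10.0.2.4", 80),
        "web->mgmt:3389": ("10.0.1.4", "10.0.2.4", 3389),  # lateral flow inside the VNet
    }
    return {name: evaluate_inbound(nsg_for(dst), src, dst, port)
            for name, (src, dst, port) in checks.items()}


if __name__ == "__main__":
    for flow, (action, rule) in validate_lab().items():
        print(f"{flow:22} {action:5} via {rule}")
```

Running it shows the lab's expected results (HTTP allowed to the web VM, RDP denied there; RDP allowed to the management VM only from the trusted range, HTTP denied) and one result worth checking in the portal: with only the rules from Task 5, `web->mgmt:3389` is allowed by the default AllowVnetInBound rule, so a compromised web server could still reach the management VM's RDP port. The `NSG_MGMT_STRICT` list shows the fix, an explicit deny at a priority below 65000, which is the kind of gap Network Watcher's IP flow verify surfaces in Task 7.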

Key Learnings

  • ASGs simplify rule management by grouping VMs logically
  • NSGs enforce traffic filtering based on ASG membership
  • Role-based access improves security posture in cloud environments