Azure Cloud Fundamentals

Azure Subscription

An Azure subscription is a logical container that holds resources and services in Azure. It is linked to a billing account and determines how Azure usage is charged. A subscription is necessary to deploy and manage Azure services.

Key points about Azure Subscription:

  • Each subscription has a unique ID.

  • It is the billing boundary for the resources it contains, and also a scope for RBAC role assignments and Azure Policy: a role granted at the subscription is inherited by every resource group and resource below it.

  • Multiple subscriptions can exist under a single Azure account.

  • Subscription types include Pay-As-You-Go, Enterprise Agreement, and Free Trial.

Azure Resource Groups

An Azure Resource Group (RG) is a container that holds related resources (such as virtual machines, databases, storage accounts, etc.) in Azure. It helps in organizing and managing these resources effectively.

Key points about Azure Resource Groups:

  • They are a logical grouping of Azure resources.

  • You can apply role-based access control (RBAC) at the resource group level; the assignment is inherited by every resource in the group.

  • A resource group belongs to one Azure subscription.

  • Resources in a resource group can be in different regions, but the resource group itself is located in a single region.

  • You can assign Azure Policy, track cost (budgets and cost analysis), and configure monitoring and alerts at the resource group level.

Azure Network Security Group (NSG)

A Network Security Group (NSG) is a security feature in Microsoft Azure that acts as a basic stateful packet filter (layer 3/4), controlling inbound and outbound traffic to Azure resources. It contains security rules that allow or deny network traffic based on source and destination address, port, and protocol. It does not inspect payloads or filter at the application layer; that requires Azure Firewall or a network virtual appliance.


Key Features of NSG

Traffic Filtering – Controls inbound and outbound traffic at the network level.
Security Rules – Each rule has a priority (100-4096 for custom rules; the lowest number is evaluated first), an action (Allow/Deny), source, destination, protocol, and port range. Rules are evaluated in priority order and the first match wins. Every NSG also carries non-removable default rules at priorities 65000-65500: allow traffic within the VNet, allow Azure Load Balancer probes, allow outbound to the Internet, then deny everything else.
Stateful Rules – NSG tracks flows: if an inbound connection is allowed, the reply traffic is allowed automatically (and vice versa), so no separate rule is needed for responses.
Logging and Monitoring – NSG flow logs (enabled through Network Watcher) record allowed and denied flows per rule and can feed Traffic Analytics; diagnostic settings can send NSG event and rule-counter logs to Azure Monitor / Log Analytics.


Where Can You Attach an NSG?

An NSG can be attached to:

  1. A Subnet (in a Virtual Network - VNet)

    • Controls traffic for all resources inside that subnet.

    • Best for broad security policies applied at the subnet level.

  2. A Network Interface (NIC) of a Virtual Machine (VM)

    • Controls traffic for that specific VM only.

    • Best for fine-grained control per VM.

Can You Attach an NSG to Both a Subnet and a Network Interface?

Yes, you can apply NSGs at both the subnet level and the network interface level. Azure evaluates each NSG separately, in a fixed order, and the traffic must be allowed by both. This can make it harder to track which rule decided a given flow.

How NSG Rules Work When Attached to Both Subnet and NIC

🔹 Inbound traffic:

  • The subnet-level NSG is evaluated first.

  • Only if the subnet NSG allows the traffic is the NIC-level NSG evaluated; the flow must be allowed by both.

🔹 Outbound traffic:

  • The NIC-level NSG is evaluated first.

  • Only if the NIC NSG allows the traffic is the subnet-level NSG evaluated; again, both must allow it.

⚠️ Key Concern:
A Deny at either level wins, and an Allow at one level does not carry over to the other: a subnet rule that allows TCP 443 achieves nothing if the NIC NSG has no matching Allow, because the NIC's default DenyAllInBound rule then drops the flow. With conflicting rules in both NSGs it becomes difficult to track why a certain flow is blocked or allowed; Network Watcher's "Effective security rules" view shows the combined result for a NIC.


Best Practices for Managing NSGs

  1. Use subnet-level NSGs for broad security policies (e.g., block traffic from the internet).

  2. Use NIC-level NSGs only when needed for fine-tuned security.

  3. Avoid duplicate rules across both NSGs to reduce complexity.

  4. Use Azure Network Watcher (IP flow verify to test a single 5-tuple, and the effective security rules view for a NIC) to find which rule blocks or allows a flow.

  5. Follow the principle of least privilege – only allow necessary traffic. Remember that the default AllowVnetInBound rule lets any VM in the VNet (and in peered networks) reach any other, so add an explicit Deny with a lower priority number if tiers must be isolated.

Azure Application Security Group (ASG)

An Application Security Group (ASG) in Azure is a feature that allows you to group the network interfaces of virtual machines (VMs) logically, regardless of their IP addresses or subnets, for simplified network security rule management in Network Security Groups (NSGs).


Key Features of ASG

Logical Grouping: You can group VMs based on their function (e.g., Web Servers, App Servers, DB Servers).
Simplifies NSG Rules: Instead of managing rules per IP or NIC, you reference ASGs in NSG rules.
Dynamic Membership: Adding a VM's NIC to an ASG (or removing it) automatically applies or withdraws the associated NSG rules; no rule needs to be edited.
Scalability: Useful in large environments where managing per-VM rules is complex.


Use Case: When to Use ASGs?

Imagine you have a multi-tier application with different VM roles:

  • Web VMs (frontend)

  • App VMs (middleware)

  • Database VMs (backend)

🔹 Without ASGs:

  • You need to create NSG rules for each VM’s IP/NIC, making security management complex.

🔹 With ASGs:

  • You create Web-ASG, App-ASG, DB-ASG.

  • Define NSG rules using ASG names instead of specific IPs/NICs.

  • If a new VM is added to Web-ASG, it automatically gets the same security rules.

NOTE: Network Security Groups and Application Security Groups are regional resources. An NSG can only be associated with subnets or network interfaces in the same region and subscription, even if they are in different resource groups. All NICs in one ASG must belong to the same VNet, and when a rule uses ASGs as both source and destination, both ASGs must belong to the same VNet.
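The evaluation order described under "How NSG Rules Work When Attached to Both Subnet and NIC", together with the ASG-based rules in this section, as an added example in Python. This is an illustrative model written for this page, not Azure's implementation: it models priority ordering, the default rules, the subnet-then-NIC (inbound) and NIC-then-subnet (outbound) sequence, and ASG membership. The VNet range, VM addresses, ASG names and rule sets are constructed for the example; the VirtualNetwork and Internet tags are simplified to "inside the VNet" and "outside the VNet".

```python
import ipaddress
from collections import namedtuple

# Constructed topology (assumed values for the example, not a real tenant).
VNET = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure Load Balancer health-probe source
# ASG membership is per NIC: private IP -> ASG names (a NIC may be in several ASGs).
ASG_MEMBERS = {"10.0.1.4": {"Web-ASG"}, "10.0.2.4": {"App-ASG"}, "10.0.3.4": {"DB-ASG"}}
ASG_NAMES = {asg for asgs in ASG_MEMBERS.values() for asg in asgs}

# priority: custom rules 100-4096, lowest number evaluated first. direction: Inbound/Outbound.
# access: Allow/Deny. protocol: Tcp/Udp/*. source/destination: CIDR, "*", VirtualNetwork,
# Internet, AzureLoadBalancer or an ASG name. dest_ports: e.g. ("22", "8000-8999") or ("*",).
Rule = namedtuple("Rule", "name priority direction access protocol source destination dest_ports")
Flow = namedtuple("Flow", "src_ip dst_ip protocol dst_port")

# Default rules exist in every NSG, cannot be deleted, and sit above the custom priority
# range, so any custom rule overrides them.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", ("*",)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", ("*",)),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", ("*",)),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", ("*",)),
]


def address_matches(spec, ip):
    """Match a rule's source/destination field against one IP (tag semantics simplified)."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":   # the real tag also covers peered and on-premises space
        return addr in VNET
    if spec == "Internet":         # simplified to "anything outside the VNet"
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    if spec in ASG_NAMES:          # ASG match = the NIC with this IP is a member
        return spec in ASG_MEMBERS.get(ip, set())
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(ranges, port):
    for r in ranges:
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, flow):
    return (rule.protocol in ("*", flow.protocol)
            and address_matches(rule.source, flow.src_ip)
            and address_matches(rule.destination, flow.dst_ip)
            and port_matches(rule.dest_ports, flow.dst_port))


def evaluate_nsg(rules, direction, flow):
    """One NSG: rules in priority order, first match wins; a DenyAll default always matches."""
    candidates = [r for r in rules + DEFAULT_RULES if r.direction == direction]
    return next(r for r in sorted(candidates, key=lambda r: r.priority) if rule_matches(r, flow))


def evaluate(direction, flow, subnet_nsg=None, nic_nsg=None):
    """Subnet and NIC NSGs in Azure's order (inbound: subnet then NIC; outbound: NIC then subnet).
    Both must allow the flow; a Deny at the first level ends evaluation. None means not attached."""
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "Outbound":
        order.reverse()
    trace = []
    for level, rules in order:
        if rules is None:
            continue
        hit = evaluate_nsg(rules, direction, flow)
        trace.append(f"{level}:{hit.name}")
        if hit.access == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed rule sets: broad policy on the subnet, fine-grained rules on the web VM's NIC.
SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "Web-ASG", ("443",)),
    Rule("AllowWebToApp", 110, "Inbound", "Allow", "Tcp", "Web-ASG", "App-ASG", ("8080",)),
    Rule("AllowAppToDb", 120, "Inbound", "Allow", "Tcp", "App-ASG", "DB-ASG", ("5432",)),
    # Override the permissive AllowVnetInBound default so tiers cannot reach each other freely.
    Rule("DenyVnetInBound", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("DenyInternetOutBound", 4000, "Outbound", "Deny", "*", "*", "Internet", ("*",)),
]
WEB_NIC_NSG = [
    Rule("DenySshFromInternet", 100, "Inbound", "Deny", "Tcp", "Internet", "*", ("22",)),
    # Without this Allow, the NIC's DenyAllInBound default would drop 443 even though the subnet allows it.
    Rule("NicAllowHttps", 200, "Inbound", "Allow", "Tcp", "Internet", "*", ("443",)),
]

if __name__ == "__main__":
    print(evaluate("Inbound", Flow("198.51.100.7", "10.0.1.4", "Tcp", 443), SUBNET_NSG, WEB_NIC_NSG))
    print(evaluate("Inbound", Flow("198.51.100.7", "10.0.1.4", "Tcp", 22), SUBNET_NSG, WEB_NIC_NSG))
    print(evaluate("Inbound", Flow("10.0.1.4", "10.0.3.4", "Tcp", 5432), SUBNET_NSG, None))
    print(evaluate("Outbound", Flow("10.0.1.4", "198.51.100.7", "Tcp", 80), SUBNET_NSG, WEB_NIC_NSG))
```

The trace returned by `evaluate` is the point of the model: SSH from the Internet is stopped by the subnet's DenyAllInBound default and the NIC NSG is never consulted, a web VM talking straight to the DB tier hits the explicit DenyVnetInBound, and an outbound HTTP flow passes the NIC's AllowInternetOutBound default only to be denied one level later by the subnet's DenyInternetOutBound. Reading such a trace is what Network Watcher's effective security rules view gives you for a real NIC.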

Azure Service Tags

What are Azure Service Tags?

Azure Service Tags are predefined identifiers that represent a group of IP addresses related to a specific Azure service. Instead of manually managing IP address ranges for different Azure services (like Azure Storage, SQL, or Key Vault), you can use a service tag in Network Security Groups (NSGs), Azure Firewall, and User Defined Routes (UDRs) to simplify network security management.


Key Benefits of Service Tags

Simplifies NSG Rules – No need to manually update IP ranges.
Auto-Updated by Azure – Azure automatically manages and updates service tags.
Narrows Egress – Lets you allow traffic to a service's address space while denying the rest of the Internet, without hard-coding or exposing public IPs. Caveat: a tag covers the whole service for every Azure customer (the Storage tag includes an attacker's storage account as well as yours), so it limits where traffic can go by service, not by resource; use per-resource controls (private endpoints, service endpoints, the resource's own firewall) for that.
Supports Multiple Services – Can be used in NSG, Azure Firewall, and Route Tables.


Common Azure Service Tags & Examples

Service Tag | Description | Example Use Case
VirtualNetwork | The VNet's own address space plus connected address spaces (peered VNets, on-premises ranges behind a gateway) | Allow all traffic within a VNet
Internet | Public IP address space outside the VNet, including Azure-owned public IPs | Block all inbound traffic from the internet
AzureLoadBalancer | Azure's infrastructure load balancer (health probes come from 168.63.129.16) | Allow health probes from Azure Load Balancer
Storage | Azure Storage (all accounts, not only yours; regional variants such as Storage.WestEurope exist) | Allow VMs outbound access to Azure Storage
Sql | Azure SQL Database and other Azure database PaaS services | Allow VMs outbound access to Azure SQL while denying other Internet egress
AzureKeyVault | Azure Key Vault | Allow outbound access to Key Vault only from trusted subnets
AppService | Azure App Service | Allow App Service traffic to reach backend resources
AzureMonitor | Azure Monitor & Log Analytics | Allow VM traffic for monitoring & logging

Use Cases of Service Tags

🔹 1. Restricting Storage Account Access

  • Instead of manually adding storage IP ranges, use:
    NSG Rule (outbound): Allow traffic to the Storage service tag (or a regional variant such as Storage.WestEurope) on TCP 443.
    Caveat: this permits traffic to every storage account in Azure, not just yours; pair it with a private endpoint or the account's own firewall to pin the destination.

🔹 2. Secure Database Access

  • Instead of allow-listing public IPs, use:
    NSG Rule (outbound): Allow traffic to the Sql service tag on TCP 1433. Inbound access to the database itself is restricted on the SQL server (firewall rules, VNet rules, or a private endpoint), not by the VM's NSG.

🔹 3. Allow Azure Load Balancer Probes

  • To enable proper health checks:
    NSG Rule (inbound): Allow traffic from AzureLoadBalancer (probes originate from 168.63.129.16). The default rule AllowAzureLoadBalancerInBound already does this unless a custom Deny with a lower priority number overrides it.

🔹 4. Restrict Outbound Traffic to the Internet

  • Block VM outbound traffic except for Azure services:
    NSG Rules (outbound): Deny traffic to Internet, but Allow traffic to Storage, AzureKeyVault, and AzureMonitor. Because the first match wins, the Allow rules need lower priority numbers (for example 100-120) than the Deny rule (for example 4000); PaaS service addresses are part of the Internet address space, so without those Allows the Deny would block them too.
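As an added example that is not part of the original article, a Python helper that works against the structure of Microsoft's downloadable "Azure IP Ranges and Service Tags" JSON (the same data `az network list-service-tags --location <region>` returns). It resolves a tag to its prefixes, finds which tags cover a given address (useful when explaining why a flow matched a rule), checks that a tag is usable in NSG rules, and diffs two snapshots, which matters for any allow-list outside Azure that does not auto-update. The embedded document is a constructed miniature with made-up prefixes from documentation ranges; the real file is much larger.

```python
import copy
import ipaddress
import json

# Constructed miniature in the shape of the weekly "Azure IP Ranges and Service Tags"
# JSON. Prefixes are made-up documentation ranges, not real Azure address space.
SERVICE_TAGS = json.loads("""
{
  "changeNumber": 1, "cloud": "Public",
  "values": [
    {"name": "Storage", "id": "Storage", "properties": {
       "region": "", "systemService": "AzureStorage",
       "networkFeatures": ["API", "NSG", "UDR", "FW"],
       "addressPrefixes": ["192.0.2.0/25", "198.51.100.0/26"]}},
    {"name": "Storage.WestEurope", "id": "Storage.WestEurope", "properties": {
       "region": "westeurope", "systemService": "AzureStorage",
       "networkFeatures": ["API", "NSG", "UDR", "FW"],
       "addressPrefixes": ["192.0.2.0/25"]}},
    {"name": "AzureKeyVault", "id": "AzureKeyVault", "properties": {
       "region": "", "systemService": "AzureKeyVault",
       "networkFeatures": ["API", "NSG", "UDR", "FW"],
       "addressPrefixes": ["203.0.113.0/28"]}},
    {"name": "AzureMonitor", "id": "AzureMonitor", "properties": {
       "region": "", "systemService": "AzureMonitor",
       "networkFeatures": ["API", "NSG", "UDR", "FW"],
       "addressPrefixes": ["203.0.113.128/26"]}}
  ]
}
""")


def tag_entry(doc, tag):
    """Look up one tag's record in the document."""
    for entry in doc["values"]:
        if entry["name"] == tag:
            return entry
    raise KeyError(f"unknown service tag: {tag}")


def prefixes_for(doc, tag):
    """Address prefixes of one tag as ipaddress network objects."""
    return [ipaddress.ip_network(p) for p in tag_entry(doc, tag)["properties"]["addressPrefixes"]]


def usable_in_nsg(doc, tag):
    """networkFeatures lists where a tag may be used; not every published tag is supported in NSG rules."""
    return "NSG" in tag_entry(doc, tag)["properties"]["networkFeatures"]


def tags_covering(doc, ip):
    """All tags whose prefixes contain the address, sorted by name."""
    addr = ipaddress.ip_address(ip)
    return sorted(e["name"] for e in doc["values"]
                  if any(addr in ipaddress.ip_network(p) for p in e["properties"]["addressPrefixes"]))


def diff_tag(old_doc, new_doc, tag):
    """(added, removed) prefixes between two snapshots. NSG and Azure Firewall rules pick these up
    automatically; an on-premises firewall or application allow-list must be updated by hand."""
    old = set(tag_entry(old_doc, tag)["properties"]["addressPrefixes"])
    new = set(tag_entry(new_doc, tag)["properties"]["addressPrefixes"])
    return sorted(new - old), sorted(old - new)


def next_snapshot():
    """Constructed 'next week' snapshot in which Storage gains one prefix."""
    doc = copy.deepcopy(SERVICE_TAGS)
    doc["changeNumber"] = 2
    tag_entry(doc, "Storage")["properties"]["addressPrefixes"].append("198.51.100.64/26")
    return doc


if __name__ == "__main__":
    print(tags_covering(SERVICE_TAGS, "192.0.2.10"))    # covered by Storage and its regional tag
    print(tags_covering(SERVICE_TAGS, "198.51.100.7"))  # global Storage only
    print(diff_tag(SERVICE_TAGS, next_snapshot(), "Storage"))
```

To use it on real data, replace `SERVICE_TAGS` with `json.load(open("ServiceTags_Public_<date>.json"))` (the download from Microsoft) and keep last week's file as the "old" snapshot for `diff_tag`. Note that `tags_covering` returning both `Storage` and `Storage.WestEurope` for one address is expected: the regional tag is a subset of the global one, and a rule on the regional tag is the tighter choice.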

🚀 Key Takeaways

  • Service tags reduce manual IP management for Azure services.

  • They are updated by Azure as service address ranges change, so NSG and Azure Firewall rules that reference them do not go stale.

  • Can be used in NSGs, Azure Firewall, and Routing Rules.

Written by bhuvanchand maddi