Azure VM Security Lab: Using NSGs and Azure Firewall (Beginner-Friendly Guide)

Table of contents
- Goal of this Lab
- What You'll Learn
- Before We Start: Key Concepts Explained Simply
- Lab Architecture
- Lab Setup: Step-by-Step Guide
- 1. Create a Resource Group and Virtual Network
- 2. Create a Public IP for the Firewall
- 3. Deploy Azure Firewall
- 4. Deploy a Linux Test VM (No Public IP)
- 5. Create NSG for VM Subnet
- 6. Route VM Traffic Through Firewall
- 7. Add DNAT Rule (SSH into VM via Firewall)
- 8. Add Network Rule for Internet Access
- Test It Out!
- Troubleshooting Tips
- Bonus Tips
- You Did It!

Goal of this Lab
Learn how to secure a Virtual Machine (VM) in Azure using Network Security Groups (NSGs) and Azure Firewall: two key tools that control and filter network traffic in and out of your Azure resources.
This lab is part of https://securecloudx.pages.dev/ challenges.
What You'll Learn
- What NSGs and Azure Firewall are, and how they work
- How to build a secure virtual network from scratch
- How to create and apply firewall and routing rules
- How to test inbound (SSH/RDP) and outbound (internet) access securely
Before We Start: Key Concepts Explained Simply
What is a Network Security Group (NSG)?
Think of it like a mini-firewall for your subnet or VM. It controls what kind of traffic is allowed in or out based on rules you define (like port, IP, or protocol).
What is Azure Firewall?
A managed, cloud-based network security service that lets you centrally control and monitor traffic across multiple networks in Azure. It provides:
- DNAT (port forwarding) rules
- Outbound filtering
- Centralized logging
- Application rules (e.g., allow only specific websites)
Lab Architecture
Lab Setup: Step-by-Step Guide
1. Create a Resource Group and Virtual Network
- Go to the Azure Portal
- Search for Resource groups > + Create
  - Name: Lab-RG
  - Region: Your choice (e.g., East US)
- Go to Virtual Networks > + Create
  - Name: MyVNet
  - Address space: 10.0.0.0/16
  - Subnets:
    - AzureFirewallSubnet: 10.0.1.0/26
    - AzureFirewallManagementSubnet: 10.0.2.0/26
    - VMSubnet: 10.0.3.0/24
2. Create a Public IP for the Firewall
- Go to Public IP addresses > + Create
  - Name: MyFirewallPIP
  - SKU: Standard
  - IP Type: Static
  - Tier: Regional
3. Deploy Azure Firewall
- Go to Azure Firewall > + Create
- Settings:
  - Name: MyFirewall
  - Region: same as the VNet
  - Policy: Create new or use default
  - Public IP: MyFirewallPIP
  - Virtual Network: MyVNet
  - Subnets: AzureFirewallSubnet, AzureFirewallManagementSubnet
4. Deploy a Linux Test VM (No Public IP)
- Go to Virtual Machines > + Create
  - Name: TestVM
  - Image: Ubuntu LTS
  - Size: B1s or B2s
  - Authentication: Password or SSH key
  - Virtual network: MyVNet
  - Subnet: VMSubnet
  - Public IP: None
5. Create NSG for VM Subnet
- Go to Network Security Groups > + Create
  - Name: VMSubnetNSG
  - Attach to: VMSubnet
- Add an inbound rule: Allow SSH (TCP 22) from your IP
  - Priority: 100
- Add a Deny all inbound rule:
  - Priority: 400
  - Source: Any, Port: Any
6. Route VM Traffic Through Firewall
- Go to Route Tables > + Create
  - Name: VMRouteTable
  - Associate to: VMSubnet
- Add route:
  - Name: DefaultRoute
  - Address prefix: 0.0.0.0/0
  - Next hop type: Virtual appliance
  - Next hop IP: the Firewall's private IP
7. Add DNAT Rule (SSH into VM via Firewall)
- Go to the Firewall Policy > NAT Rules > + Add
  - Name: AllowSSH
  - Rule Type: DNAT
  - Source: *
  - Destination IP: the Firewall's public IP
  - Destination Port: 22
  - Translated IP: the VM's private IP
  - Translated Port: 22
  - Protocol: TCP
8. Add Network Rule for Internet Access
- Go to Firewall Policy > Network Rules > + Add
  - Name: AllowOutboundWeb
  - Source: 10.0.3.0/24
  - Destination: *
  - Protocol: TCP
  - Destination Ports: 80, 443
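Because the lab is clicked together in the portal, it is easy to lose track of how the three filters interact. The following is an added example, not part of the original lab and not Azure code: a small Python model of the step 5 NSG rules (plus Azure's built-in default rules), the step 6 route and the step 8 firewall rule. It shows that the custom deny at priority 400 also shadows the default AllowVnetInBound rule, that VNet-internal traffic never reaches the firewall, and that the TCP-only network rule drops ping. MY_IP (203.0.113.5) and the firewall's private IP (10.0.1.4) are assumed sample values.

```python
import ipaddress
# Added model of the lab's three filters (not Azure code). Rule values come from
# steps 5, 6 and 8; MY_IP and FW_PRIVATE_IP are assumed sample values.
MY_IP = "203.0.113.5"          # "your IP" from step 5 (documentation range)
FW_PRIVATE_IP = "10.0.1.4"     # first usable address in AzureFirewallSubnet (assumed)
VNET = ipaddress.ip_network("10.0.0.0/16")

# Inbound NSG on VMSubnet: the two custom rules from step 5 plus Azure's default rules.
# Azure evaluates by ascending priority number and stops at the first match.
NSG_INBOUND = [  # (priority, name, source, dest_port, action)
    (100, "AllowSSHFromMyIP", MY_IP, 22, "Allow"),
    (400, "DenyAllInbound", "*", "*", "Deny"),
    (65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "Deny"),
]

def _src_matches(rule_src, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_src == "VirtualNetwork":
        return ip in VNET
    if rule_src == "AzureLoadBalancer":
        return src_ip == "168.63.129.16"  # Azure's health-probe source address
    return rule_src == "*" or ip in ipaddress.ip_network(rule_src, strict=False)

def nsg_inbound(src_ip, dst_port):
    """(action, rule name) of the first matching rule. The custom deny at 400 also
    shadows AllowVnetInBound (65000), so VNet-sourced traffic is denied too."""
    for _prio, name, src, port, action in sorted(NSG_INBOUND):
        if _src_matches(src, src_ip) and port in ("*", dst_port):
            return action, name

# Step 8 firewall network rule: it matches on protocol too, and a flow that no rule
# allows is dropped, so only TCP 80/443 leaves the subnet (ping is ICMP, not TCP).
FW_NETWORK_RULES = [("AllowOutboundWeb", "10.0.3.0/24", "TCP", {80, 443}, "Allow")]

def firewall_outbound(src_ip, protocol, dst_port=None):
    """(action, rule name); ICMP has no port, so pass dst_port=None for ping."""
    ip = ipaddress.ip_address(src_ip)
    for name, src, proto, ports, action in FW_NETWORK_RULES:
        if ip in ipaddress.ip_network(src) and proto == protocol and dst_port in ports:
            return action, name
    return "Deny", "implicit-deny"

# Effective routes on the VM NIC: the VNet system route plus the DefaultRoute UDR (step 6).
ROUTES = [("10.0.0.0/16", "VirtualNetwork"), ("0.0.0.0/0", "VirtualAppliance " + FW_PRIVATE_IP)]

def next_hop(dst_ip):
    """Longest prefix match: VNet-internal traffic stays local, all else goes to the firewall."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]
```

Compare its verdicts with what the portal shows under VM NIC > Effective Security Rules and Effective Routes after you build the lab.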
Test It Out!
SSH into the VM:
ssh azureuser@<Firewall_Public_IP>
Test internet access from the VM:
ping 8.8.8.8 -c 4
curl http://bing.com
Troubleshooting Tips
Can't SSH into the VM
- Check the DNAT rule: it must map the Firewall public IP, port 22, to the VM private IP, port 22
- Confirm the NSG allows SSH from your IP
- Ensure the VM has no public IP
- Use the correct SSH key or username

| Symptom | Fix |
| --- | --- |
| Connection timed out | DNAT rule missing or misconfigured; wrong Firewall public IP; NSG blocking inbound SSH |
| Permission denied | Wrong username, or wrong password/key |
| Connection refused | SSH service not running on the VM; VM unreachable because of route issues |
VM Can't Access Internet
- Ensure the route table has a 0.0.0.0/0 route to the Firewall private IP
- Ensure the Firewall allows outbound 80/443
- Is DNS resolution working? Try:
nslookup bing.com
ping 8.8.8.8
Note that ping uses ICMP, which the TCP-only network rule from step 8 does not match, so a failed ping by itself does not prove a routing problem: test with curl, or add ICMP to the rule's protocols.

| Symptom | Fix |
| --- | --- |
| curl or ping fail | Route table not applied or incorrect; no firewall rule allowing outbound HTTP/HTTPS; DNS resolution issues |
Firewall Fails to Deploy ("LinkedAccessCheckFailed")
- You don't have permission to join the subnet
- Ask an admin for the Network Contributor role on the subnet or resource group
- Assigning the Network Contributor role at the resource group level is one possible solution
Firewall Has No Public IP
- Create one before Firewall deployment (Standard SKU)
- Redeploy or assign it manually
Debugging Tools
- VM NIC > Effective Routes: check for the route to the firewall
- VM NIC > Effective Security Rules: confirm the NSG rules
- Azure Network Watcher: use Connection Troubleshoot
Bonus Tips
- Use Azure Bastion if SSH fails
- Tag your resources
- Monitor with Log Analytics
- Clean up using:
az group delete --name Lab-RG --yes
You Did It!
You built a secure Azure network with:
- NSGs for granular subnet protection
- Azure Firewall for centralized control
- Routing and NAT for internet access and SSH
Written by Ronney Otieno