NSG (Network Security Group) and ASG (Application Security Group) are the security foundation of an Azure VNet. They are free basic firewall features - but a bad design quickly becomes unmaintainable, while a good one lets you cleanly control intra-org traffic across hundreds of VMs. This article organizes NSG and ASG design principles, standard patterns, and operational best practices, complete with implementation templates.
| Item | NSG | ASG |
|---|---|---|
| Category | Stateful firewall | Logical grouping |
| Scope | Subnet or NIC | VM NIC |
| Rule definition | Inbound/Outbound, IP/Port/Protocol | Referenced inside NSG rules |
| Price | Free | Free |
| Role | Control engine | Logical grouping |
The two are designed to be used together. Referencing ASGs from NSG rules is what unlocks role-based security management.
NSG rules are evaluated in ascending order of priority (100-4096), and the first matching rule wins.
| Priority range | Purpose |
|---|---|
| 100-200 | Ultra-high priority - emergency blocks |
| 1000-3000 | Normal Allow rules (spaced by 1000) |
| 4000 | Custom default Deny |
| 65000+ | Default Rules (leave as-is) |
Leaving gaps between priorities means you can add rules later without renumbering anything.
Service Tags are predefined IP address range groups for Azure services provided by Microsoft. Use them in NSG rules in place of raw IPs, and Microsoft auto-updates the ranges - zero operational overhead.
A standard ASG design for an enterprise web application:
| Priority | Name | Source | Destination | Port | Action |
|---|---|---|---|---|---|
| 100 | AllowWebInbound | Internet | WebTier-ASG | TCP 80,443 | Allow |
| 200 | AllowWebToApp | WebTier-ASG | AppTier-ASG | TCP 8080 | Allow |
| 300 | AllowAppToDB | AppTier-ASG | DBTier-ASG | TCP 1433 | Allow |
| 400 | AllowMgmtInbound | VirtualNetwork | MgmtTier-ASG | TCP 22,3389 | Allow |
| 4000 | DenyAllInbound | Any | Any | Any | Deny |
This lets you manage security per role without thinking about VM IPs, and rules do not need to change when Auto Scale dynamically adds or removes VMs.
| Item | Subnet-level NSG | NIC-level NSG |
|---|---|---|
| Scope | All resources in the subnet | An individual VM NIC only |
| Management | Easy, scalable | Per-VM management |
| Use case | Baseline security | VM-specific exceptions |
| Recommendation | Primary | Exceptions only |
When both subnet and NIC NSGs apply, evaluation is AND-based - only traffic permitted by both passes. Best practice: always configure a subnet-level NSG on any new VNet, and reserve NIC-level NSGs for exceptions.
NSG Flow Logs records every flow passing through an NSG to a Storage Account in JSON format.
In production, Flow Logs are mandatory for compliance regimes (PCI DSS, HIPAA) and forensic investigation, with at least a 90-day retention as the standard.
What is the difference between NSG and ASG?
NSG (Network Security Group) is a stateful firewall that controls traffic inside a VNet. It is applied at the subnet or NIC level and defines Inbound/Outbound rules based on IP/Port/Protocol. ASG (Application Security Group) is a complementary feature that logically groups NSG rule targets - you create role-based groups like Web Tier, App Tier, and DB Tier, then reference those groups in NSG rules instead of IP addresses, which dramatically simplifies rule management. The standard pattern is to use both together: NSG is the control engine, ASG is the logical grouping layer. In any enterprise VNet you should always leverage ASGs to keep NSG rules maintainable.
How do NSG rule priorities work?
NSG rules are evaluated in ascending order of priority (100-4096), and the first matching rule wins. 100 is the highest priority, 4096 the lowest. Three Default Rules ship at 65000-65500: AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound (Inbound) and AllowVnetOutBound, AllowInternetOutBound, DenyAllOutBound (Outbound). These can be overridden by custom rules. The canonical design hierarchy is: 100-200 for ultra-high priority emergency blocks, 1000-3000 for normal Allow rules, 4000 for a custom default Deny, and leave the Default Rules untouched. Spacing priorities out leaves room to insert new rules later without renumbering existing ones.
What is the difference between Service Tags and FQDN Tags?
Service Tags are predefined IP address range groups for Azure services provided by Microsoft (60+ tags such as AzureCloud, Internet, VirtualNetwork, AzureKeyVault, AzureMonitor, Storage). They are used in NSGs and Azure Firewall Network Rules instead of raw IPs, and Microsoft auto-updates the ranges, so operational overhead is zero. FQDN Tags are FQDN groups used in Azure Firewall Application Rules (such as Microsoft365, WindowsUpdate, AzureBackup), HTTP/HTTPS only, fewer in number than Service Tags but covering the most common scenarios. NSGs only support Service Tags - FQDN Tags are exclusive to Azure Firewall. A common pattern: implement 'allow outbound from this subnet only to the Storage service' with Service Tag = Storage in an NSG.
Should I apply NSGs at the subnet level or the NIC level?
Subnet-level is the recommended approach. A subnet-level NSG applies uniformly to every resource in the subnet, which makes management easy and scalable. A NIC-level NSG is applied directly to an individual VM's NIC, and is meant for exception rules that apply to a specific VM only. Implementation pattern: configure baseline security with a subnet-level NSG, then add NIC-level NSGs only for VM-specific extras (when both subnet and NIC NSGs are applied, evaluation is AND-based - only traffic permitted by both passes). Best practice for any new VNet is to always configure a subnet-level NSG and reserve NIC-level NSGs for exceptions.
How should I design ASGs?
ASGs (Application Security Groups) create role-based logical groups: you associate an ASG with a VM's NIC, then reference the ASG as Source/Destination in NSG rules. A standard design has 4-5 ASGs: WebTier-ASG (web server VMs), AppTier-ASG (application VMs), DBTier-ASG (database server VMs), and MgmtTier-ASG (jumpboxes and management VMs). Example NSG rules: 'Internet -> WebTier-ASG TCP 80/443 Allow', 'WebTier-ASG -> AppTier-ASG TCP 8080 Allow', 'AppTier-ASG -> DBTier-ASG TCP 1433 Allow'. The payoff: you can manage security per role without worrying about VM IPs, and rules do not need to change when Auto Scale dynamically adds or removes VMs.
What are NSG Flow Logs?
NSG Flow Logs is a feature that records every flow passing through an NSG to a Storage Account in JSON format. It captures Allowed/Denied verdicts, source/destination IPs, ports, protocols, timestamps, and byte counts. Traffic Analytics (a paid Network Watcher feature) aggregates and visualizes these flows, with reports for Top Talkers, anomaly detection, and threat detection. Sending flows to Microsoft Sentinel integrates them into SOC analytics, where KQL queries can flag anomalies (for example, unexpected outbound traffic or a spike in Denied flows). Flow Logs v2 is the current version with aggregated reports; v1 is legacy. In production, Flow Logs are mandatory for compliance regimes (PCI DSS, HIPAA) and forensic investigation, with at least a 90-day retention as the standard.
What are the common NSG design pitfalls?
Common pitfalls: 1) Leaving the default Allow Outbound to Internet in place - every VM can reach the internet, creating data-exfiltration risk; add proper Deny rules. 2) Special subnet names (AzureBastionSubnet, GatewaySubnet) impose NSG constraints - Bastion subnets require specific rules, and NSGs are not recommended on Gateway subnets. 3) Ignoring Service Tag update timing - Microsoft refreshes IP ranges monthly, and brand-new IPs may be temporarily blocked. 4) Packing NSG rule priorities too densely makes later additions painful; leave gaps of 1000. 5) Skipping ASGs and hard-coding IPs breaks rules as soon as Auto Scale fires. 6) No Flow Logs means you cannot diagnose incidents. Catching these at design time dramatically reduces operational cost downstream.
Which certifications cover NSGs and ASGs?
AZ-700 (Network Engineer Associate) covers NSGs and ASGs in depth, with frequent questions on rule design, Service Tags, Flow Logs, Traffic Analytics, and ASG patterns. AZ-104 (Administrator) covers the basics in Domain 4; AZ-305 (Solutions Architect Expert) covers security design from an architect's perspective; SC-100 (Cybersecurity Architect Expert) covers zero-trust networking and microsegmentation; SC-500 (formerly AZ-500, GA September 2026) covers Azure security implementation. Understanding NSGs and ASGs is a non-negotiable skill for any engineer working with Azure.
Related Articles and Technical Deep Dives
Azure Network Watcher トラブルシューティング完全ガイド|Connection Troubleshoot・IP Flow Verify・Packet Capture【2026 年版】
Azure Network Watcher の完全ガイド。Connection Troubleshoot・IP Flow Verify・Next Hop・Packet Capture・NSG Flow Logs・Connection Monitor・Traffic Analytics・Effective Routes など全機能解説。標準トラブルシューティングフロー、関連認定試験 (AZ-700 / AZ-305 / SC-200) を日本語で網羅。
Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】
Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。
Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】
Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。
Azure Kubernetes Service (AKS) 入門ガイド|アーキテクチャ・Networking・Ingress・セキュリティ完全解説【2026 年版】
Azure Kubernetes Service (AKS) の入門ガイド。Control Plane と Node Pool の構造、Azure CNI Overlay vs Kubenet の選定、Application Gateway / NGINX Ingress 選定、Workload Identity (新方式)、Private Cluster・Microsoft Defender for Containers・Azure Policy のセキュリティ、関連認定試験 (AZ-104 / AZ-204 / AZ-400 / CKA) を日本語で網羅。
Technical information in this article is based on the Azure NSG Documentation. This article is not an official Microsoft Corporation product, and there is no partnership or sponsorship of any kind. Microsoft and Azure are trademarks of the Microsoft group of companies. Information is based on official sources as of May 24, 2026. Always check the official pages for the latest information.
Practice with certification-focused question sets
Visit the Azure exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...