Azure

Azure NSG / ASG Design Guide: Network Security Group Rules & Application Security Group Patterns

2026-05-24
NicheeLab Editorial Team

NSG (Network Security Group) and ASG (Application Security Group) are the security foundation of an Azure VNet. They are free basic firewall features - but a bad design quickly becomes unmaintainable, while a good one lets you cleanly control intra-org traffic across hundreds of VMs. This article organizes NSG and ASG design principles, standard patterns, and operational best practices, complete with implementation templates.

NSG and ASG Fundamentals

ItemNSGASG
CategoryStateful firewallLogical grouping
ScopeSubnet or NICVM NIC
Rule definitionInbound/Outbound, IP/Port/ProtocolReferenced inside NSG rules
PriceFreeFree
RoleControl engineLogical grouping

The two are designed to be used together. Referencing ASGs from NSG rules is what unlocks role-based security management.

NSG Rule Priorities

NSG rules are evaluated in ascending order of priority (100-4096), and the first matching rule wins.

Default Rules

  • Inbound: AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500)
  • Outbound: AllowVnetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500)

Recommended Priority Hierarchy

Priority rangePurpose
100-200Ultra-high priority - emergency blocks
1000-3000Normal Allow rules (spaced by 1000)
4000Custom default Deny
65000+Default Rules (leave as-is)

Leaving gaps between priorities means you can add rules later without renumbering anything.

Leveraging Service Tags

Service Tags are predefined IP address range groups for Azure services provided by Microsoft. Use them in NSG rules in place of raw IPs, and Microsoft auto-updates the ranges - zero operational overhead.

Frequently Used Service Tags

  • VirtualNetwork: All IPs inside the VNet
  • Internet: All IPs outside the VNet
  • AzureLoadBalancer: Azure Load Balancer health probes
  • AzureCloud: All Azure service IPs
  • Storage: Azure Storage IP ranges
  • AzureKeyVault: Key Vault IP ranges
  • AzureMonitor: Azure Monitor IPs
  • AzureActiveDirectory: Entra ID IP ranges
  • AzureContainerRegistry: ACR IPs

3-Tier ASG Design Pattern

A standard ASG design for an enterprise web application:

  • WebTier-ASG: Web server VMs (Frontend)
  • AppTier-ASG: Application VMs (Backend)
  • DBTier-ASG: Database server VMs
  • MgmtTier-ASG: Jumpboxes and management VMs

Example NSG Rules

PriorityNameSourceDestinationPortAction
100AllowWebInboundInternetWebTier-ASGTCP 80,443Allow
200AllowWebToAppWebTier-ASGAppTier-ASGTCP 8080Allow
300AllowAppToDBAppTier-ASGDBTier-ASGTCP 1433Allow
400AllowMgmtInboundVirtualNetworkMgmtTier-ASGTCP 22,3389Allow
4000DenyAllInboundAnyAnyAnyDeny

This lets you manage security per role without thinking about VM IPs, and rules do not need to change when Auto Scale dynamically adds or removes VMs.

Subnet Level vs NIC Level

ItemSubnet-level NSGNIC-level NSG
ScopeAll resources in the subnetAn individual VM NIC only
ManagementEasy, scalablePer-VM management
Use caseBaseline securityVM-specific exceptions
RecommendationPrimaryExceptions only

When both subnet and NIC NSGs apply, evaluation is AND-based - only traffic permitted by both passes. Best practice: always configure a subnet-level NSG on any new VNet, and reserve NIC-level NSGs for exceptions.

NSG Flow Logs and Traffic Analytics

NSG Flow Logs records every flow passing through an NSG to a Storage Account in JSON format.

  • Captures Allowed/Denied verdicts, source/destination IPs, ports, protocols, timestamps, and byte counts
  • Traffic Analytics (a paid Network Watcher feature): aggregation, visualization, and reports for Top Talkers, anomalous flows, and threat detection
  • Send flows to Microsoft Sentinel to integrate with SOC analytics, then use KQL queries to detect anomalous traffic
  • Flow Logs v2 (current) provides aggregated reports; v1 is legacy

In production, Flow Logs are mandatory for compliance regimes (PCI DSS, HIPAA) and forensic investigation, with at least a 90-day retention as the standard.

Design Pitfalls

  1. Leaving Default Outbound Allow Internet untouched: every VM can reach the internet, creating data-exfiltration risk. Add proper Deny rules.
  2. Constraints from special subnet names (AzureBastionSubnet / GatewaySubnet): Bastion subnets require specific rules, and NSGs are not recommended on Gateway subnets.
  3. Ignoring Service Tag update timing: Microsoft updates IP ranges monthly, and brand-new IPs may be temporarily blocked.
  4. Packing NSG rule priorities too densely: later additions become painful. Leave gaps of 1000.
  5. Skipping ASGs and hard-coding IPs: rules break the moment Auto Scale fires.
  6. No Flow Logs configured: you cannot diagnose root cause during an incident.

Operational Best Practices

  1. Always apply a subnet-level NSG (baseline security)
  2. Design 4-5 role-based ASGs and write NSG rules against ASGs instead of IPs
  3. Lean on Service Tags so Microsoft's IP updates flow through automatically
  4. Space priorities out like 100/200/300/1000/2000/3000/4000
  5. Add a custom DenyAllInbound at priority 4000 for an explicit blanket Deny
  6. Enable NSG Flow Logs on every NSG with 90+ days of retention
  7. Share Traffic Analytics monthly reports with the SOC
  8. Ship flows to Microsoft Sentinel for KQL-based anomaly detection
  9. Standardize NSG rule naming (e.g. Allow_Web_To_App_8080)
  10. Audit and prune unused rules on a regular cadence (quarterly)

Related Certifications

Frequently Asked Questions

What is the difference between NSG and ASG?

NSG (Network Security Group) is a stateful firewall that controls traffic inside a VNet. It is applied at the subnet or NIC level and defines Inbound/Outbound rules based on IP/Port/Protocol. ASG (Application Security Group) is a complementary feature that logically groups NSG rule targets - you create role-based groups like Web Tier, App Tier, and DB Tier, then reference those groups in NSG rules instead of IP addresses, which dramatically simplifies rule management. The standard pattern is to use both together: NSG is the control engine, ASG is the logical grouping layer. In any enterprise VNet you should always leverage ASGs to keep NSG rules maintainable.

How do NSG rule priorities work?

NSG rules are evaluated in ascending order of priority (100-4096), and the first matching rule wins. 100 is the highest priority, 4096 the lowest. Three Default Rules ship at 65000-65500: AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound (Inbound) and AllowVnetOutBound, AllowInternetOutBound, DenyAllOutBound (Outbound). These can be overridden by custom rules. The canonical design hierarchy is: 100-200 for ultra-high priority emergency blocks, 1000-3000 for normal Allow rules, 4000 for a custom default Deny, and leave the Default Rules untouched. Spacing priorities out leaves room to insert new rules later without renumbering existing ones.

What is the difference between Service Tags and FQDN Tags?

Service Tags are predefined IP address range groups for Azure services provided by Microsoft (60+ tags such as AzureCloud, Internet, VirtualNetwork, AzureKeyVault, AzureMonitor, Storage). They are used in NSGs and Azure Firewall Network Rules instead of raw IPs, and Microsoft auto-updates the ranges, so operational overhead is zero. FQDN Tags are FQDN groups used in Azure Firewall Application Rules (such as Microsoft365, WindowsUpdate, AzureBackup), HTTP/HTTPS only, fewer in number than Service Tags but covering the most common scenarios. NSGs only support Service Tags - FQDN Tags are exclusive to Azure Firewall. A common pattern: implement 'allow outbound from this subnet only to the Storage service' with Service Tag = Storage in an NSG.

Should I apply NSGs at the subnet level or the NIC level?

Subnet-level is the recommended approach. A subnet-level NSG applies uniformly to every resource in the subnet, which makes management easy and scalable. A NIC-level NSG is applied directly to an individual VM's NIC, and is meant for exception rules that apply to a specific VM only. Implementation pattern: configure baseline security with a subnet-level NSG, then add NIC-level NSGs only for VM-specific extras (when both subnet and NIC NSGs are applied, evaluation is AND-based - only traffic permitted by both passes). Best practice for any new VNet is to always configure a subnet-level NSG and reserve NIC-level NSGs for exceptions.

How should I design ASGs?

ASGs (Application Security Groups) create role-based logical groups: you associate an ASG with a VM's NIC, then reference the ASG as Source/Destination in NSG rules. A standard design has 4-5 ASGs: WebTier-ASG (web server VMs), AppTier-ASG (application VMs), DBTier-ASG (database server VMs), and MgmtTier-ASG (jumpboxes and management VMs). Example NSG rules: 'Internet -> WebTier-ASG TCP 80/443 Allow', 'WebTier-ASG -> AppTier-ASG TCP 8080 Allow', 'AppTier-ASG -> DBTier-ASG TCP 1433 Allow'. The payoff: you can manage security per role without worrying about VM IPs, and rules do not need to change when Auto Scale dynamically adds or removes VMs.

What are NSG Flow Logs?

NSG Flow Logs is a feature that records every flow passing through an NSG to a Storage Account in JSON format. It captures Allowed/Denied verdicts, source/destination IPs, ports, protocols, timestamps, and byte counts. Traffic Analytics (a paid Network Watcher feature) aggregates and visualizes these flows, with reports for Top Talkers, anomaly detection, and threat detection. Sending flows to Microsoft Sentinel integrates them into SOC analytics, where KQL queries can flag anomalies (for example, unexpected outbound traffic or a spike in Denied flows). Flow Logs v2 is the current version with aggregated reports; v1 is legacy. In production, Flow Logs are mandatory for compliance regimes (PCI DSS, HIPAA) and forensic investigation, with at least a 90-day retention as the standard.

What are the common NSG design pitfalls?

Common pitfalls: 1) Leaving the default Allow Outbound to Internet in place - every VM can reach the internet, creating data-exfiltration risk; add proper Deny rules. 2) Special subnet names (AzureBastionSubnet, GatewaySubnet) impose NSG constraints - Bastion subnets require specific rules, and NSGs are not recommended on Gateway subnets. 3) Ignoring Service Tag update timing - Microsoft refreshes IP ranges monthly, and brand-new IPs may be temporarily blocked. 4) Packing NSG rule priorities too densely makes later additions painful; leave gaps of 1000. 5) Skipping ASGs and hard-coding IPs breaks rules as soon as Auto Scale fires. 6) No Flow Logs means you cannot diagnose incidents. Catching these at design time dramatically reduces operational cost downstream.

Which certifications cover NSGs and ASGs?

AZ-700 (Network Engineer Associate) covers NSGs and ASGs in depth, with frequent questions on rule design, Service Tags, Flow Logs, Traffic Analytics, and ASG patterns. AZ-104 (Administrator) covers the basics in Domain 4; AZ-305 (Solutions Architect Expert) covers security design from an architect's perspective; SC-100 (Cybersecurity Architect Expert) covers zero-trust networking and microsegmentation; SC-500 (formerly AZ-500, GA September 2026) covers Azure security implementation. Understanding NSGs and ASGs is a non-negotiable skill for any engineer working with Azure.

Related Articles and Technical Deep Dives

Azure Network Watcher トラブルシューティング完全ガイド|Connection Troubleshoot・IP Flow Verify・Packet Capture【2026 年版】

Azure Network Watcher の完全ガイド。Connection Troubleshoot・IP Flow Verify・Next Hop・Packet Capture・NSG Flow Logs・Connection Monitor・Traffic Analytics・Effective Routes など全機能解説。標準トラブルシューティングフロー、関連認定試験 (AZ-700 / AZ-305 / SC-200) を日本語で網羅。

Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】

Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。

Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】

Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。

Azure Kubernetes Service (AKS) 入門ガイド|アーキテクチャ・Networking・Ingress・セキュリティ完全解説【2026 年版】

Azure Kubernetes Service (AKS) の入門ガイド。Control Plane と Node Pool の構造、Azure CNI Overlay vs Kubenet の選定、Application Gateway / NGINX Ingress 選定、Workload Identity (新方式)、Private Cluster・Microsoft Defender for Containers・Azure Policy のセキュリティ、関連認定試験 (AZ-104 / AZ-204 / AZ-400 / CKA) を日本語で網羅。

Technical information in this article is based on the Azure NSG Documentation. This article is not an official Microsoft Corporation product, and there is no partnership or sponsorship of any kind. Microsoft and Azure are trademarks of the Microsoft group of companies. Information is based on official sources as of May 24, 2026. Always check the official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

Visit the Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.