Lab 02 – Network Security Groups & Application Security Groups

Objectives

Prerequisites

Estimated time

35 minutes

---

Part 1 – Setup

  1. Search for Resource groups > Create. Name: rg-az104-lab13, region: East US. Review + create > Create.

  1. Search for Virtual networks > Create. Resource group: rg-az104-lab13, Name: vnet-lab13, Address space: 10.60.0.0/16. Subnets: subnet-web with 10.60.1.0/24. Create.

  1. Create two VMs:

- Virtual machines > Create > vm-web01, Ubuntu 22.04 LTS, Standard_B1s, vnet-lab13/subnet-web. Under Inbound port rules, set Public inbound ports to None; if you leave SSH selected, the portal attaches a NIC-level NSG with its own allow-SSH-from-Any rule, which would bypass the source restriction you build in Part 2 and show up in the merged view in Part 5. Create.

- Repeat for vm-web02.

Part 2 – Create an NSG and rules

  1. Search for Network security groups > Create.

- Resource group: rg-az104-lab13

- Name: nsg-web

- Region: East US

- Create.

  1. Go to nsg-web > Inbound security rules > + Add.

Important: NSG rules are evaluated in priority order (lower number = higher priority) and the first matching rule decides; no later rule is consulted. Rules are stateful: when an inbound flow is allowed, its return traffic is permitted outbound without any outbound rule (and vice versa), so the default outbound deny never breaks replies to an allowed inbound connection.

  1. Create rule 1: Allow SSH from your IP only

- Source: IP addresses, enter your public IP (e.g., 203.0.113.0/32)

- Source port ranges: * (any; clients use ephemeral source ports, so never restrict this)

- Destination: Any

- Service: SSH (auto-fills port 22)

- Protocol: TCP

- Action: Allow

- Priority: 100

- Name: Allow-SSH-MyIP

- Add.

  1. Create rule 2: Allow HTTP from anywhere

- Source: Any

- Service: HTTP (port 80)

- Action: Allow

- Priority: 110

- Name: Allow-HTTP

- Add.

  1. (Optional) Create rule 3: Deny all (illustrative)

- Source: Any

- Destination: Any

- Action: Deny

- Priority: 4096

- Name: Deny-All-Inbound

- Add.

Caveat: 4096 is the lowest custom priority, so this rule sits between your allow rules and the default rules and overrides both AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001). Any intra-VNet traffic that no custom rule allows, and load balancer health probes to ports other than 80, will now be denied. If you keep an explicit deny-all, add explicit allows for everything the subnet needs first.

Part 3 – Associate NSG to subnet

  1. Go to nsg-web > Subnets > + Associate.
  2. Select vnet-lab13 / subnet-web > OK.

The NSG is now applied at the subnet level, affecting all VMs in that subnet.

Part 4 – Application Security Groups

  1. Search for Application security groups > Create.

- Resource group: rg-az104-lab13

- Name: asg-webservers

- Region: East US

- Create.

  1. Add VM NICs to the ASG:

- Go to vm-web01 > Networking > select the NIC (e.g., vm-web01) > Application security groups > Configure application security group memberships > add asg-webservers > Save.

- Repeat for vm-web02.

  1. Create an NSG rule targeting the ASG:

- nsg-web > Inbound security rules > + Add.

- Source: Application security group: asg-webservers

- Destination: Application security group: asg-webservers

- Service: HTTPS (port 443)

- Action: Allow

- Priority: 120

- Name: Allow-HTTPS-To-WebASG

- Add.

This rule allows HTTPS traffic between members of the asg-webservers group without hardcoding IP addresses: Azure resolves the ASG to the private IPs of the NICs that are members, so adding or replacing a VM only requires changing its NIC's membership, not the rule. All NICs in an ASG must belong to the same virtual network, and the rule only has effect where the NSG that contains it is applied.

Part 5 – Effective security rules & IP flow verify

  1. Go to vm-web01 > Networking > select the NIC > Network Watcher (or search Network Watcher) > Effective security rules to see the merged subnet + NIC-level rules.

  1. Network Watcher > IP flow verify (under Network diagnostic tools):

- VM: vm-web01

- Direction: Inbound

- Protocol: TCP

- Local IP/port: 10.60.1.4:80 (or the actual private IP)

- Remote IP/port: 10.60.1.100:12345 (a test IP inside the VNet)

- Check — should show Allow (matching the HTTP rule, priority 110).

  1. Repeat with port 22 from a non-allowed source IP — expect Deny. Use a source outside the VNet (e.g., 198.51.100.7); if you reuse 10.60.1.100 and skipped the optional Deny-All rule, the default AllowVnetInBound (65000) matches and the result is Allow, which is correct behaviour, not a bug. Part 6 explains the ordering.

Part 6 – Rule priority & evaluation order

Discuss (no need to execute):

    1. Rules are evaluated from the lowest priority number to the highest (lower number = higher priority); first match wins, and no later rule is consulted.

    1. Default rules (priority 65000+): AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound (and outbound equivalents) — cannot be deleted, but can be overridden by lower-numbered custom rules.

    1. A subnet-level NSG and a NIC-level NSG are both evaluated if both exist: inbound traffic is checked against the subnet NSG first, then the NIC NSG, and must be allowed by both; outbound is checked in the reverse order. The Effective security rules view in Part 5 shows the merged result.
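The evaluation order described in Parts 5 and 6 can be checked offline with a small model of the inbound NSG semantics. This is an added example, not Azure's own engine and not part of the lab: it encodes the custom rules from Parts 2 and 4, the three default inbound rules, and the subnet-then-NIC ordering, then runs the IP flow verify cases from Part 5 plus the cases the optional Deny-All rule changes. The private IPs 10.60.1.4 and 10.60.1.5 for vm-web01 and vm-web02, the test source addresses, and the `asg:` prefix used to name an ASG in a rule are assumptions for the example.

```python
"""Model of Azure NSG inbound evaluation using the rules built in this lab.

Constructed example: not Azure's engine, only the documented semantics
(priority order, first match, default rules, subnet NSG then NIC NSG).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules; the defaults use 65000+
    src: str        # CIDR/IP, "*", "VirtualNetwork", "AzureLoadBalancer" or "asg:<name>"
    dst: str        # same forms as src
    dst_port: str   # "*" or a single port
    protocol: str   # "Tcp", "Udp" or "*"
    action: str     # "Allow" or "Deny"


# Assumed lab topology: vnet-lab13 address space and ASG membership
# (vm-web01 = 10.60.1.4, vm-web02 = 10.60.1.5; the lab does not fix these).
VNET = ipaddress.ip_network("10.60.0.0/16")
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure's health-probe source
ASG_MEMBERS = {"asg-webservers": {"10.60.1.4", "10.60.1.5"}}

DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

# The custom rules from Parts 2 and 4, with the example public IP from rule 1
NSG_WEB = [
    Rule("Allow-SSH-MyIP", 100, "203.0.113.0/32", "*", "22", "Tcp", "Allow"),
    Rule("Allow-HTTP", 110, "*", "*", "80", "Tcp", "Allow"),
    Rule("Allow-HTTPS-To-WebASG", 120, "asg:asg-webservers", "asg:asg-webservers", "443", "Tcp", "Allow"),
]
DENY_ALL = Rule("Deny-All-Inbound", 4096, "*", "*", "*", "*", "Deny")  # optional rule 3


def addr_matches(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if spec.startswith("asg:"):
        # an ASG resolves to the private IPs of its member NICs
        return str(ip) in ASG_MEMBERS.get(spec[4:], set())
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(custom_rules, src_ip, dst_ip, dst_port, protocol):
    """Lowest priority number wins; the default rules sit behind every custom rule."""
    for r in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and addr_matches(r.src, src_ip) and addr_matches(r.dst, dst_ip)
                and r.dst_port in ("*", str(dst_port))):
            return r.action, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


def ip_flow_verify(subnet_rules, nic_rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Inbound traffic passes the subnet NSG first, then the NIC NSG; both must allow.

    Returns (decision, [layer:rule, ...]) so the matching rule is visible, as the
    portal's IP flow verify shows it. Pass None for a layer with no NSG attached.
    """
    decisions = []
    for layer, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        if rules is None:
            continue
        action, name = evaluate(rules, src_ip, dst_ip, dst_port, protocol)
        decisions.append(f"{layer}:{name}")
        if action == "Deny":
            return "Deny", decisions
    return "Allow", decisions


if __name__ == "__main__":
    web = "10.60.1.4"
    print(ip_flow_verify(NSG_WEB, None, "10.60.1.100", web, 80))          # Part 5 step 2
    print(ip_flow_verify(NSG_WEB, None, "198.51.100.7", web, 22))         # Part 5 step 3
    print(ip_flow_verify(NSG_WEB, None, "10.60.1.100", web, 22))          # allowed by AllowVnetInBound
    print(ip_flow_verify(NSG_WEB + [DENY_ALL], None, "10.60.1.100", web, 22))
    print(ip_flow_verify(NSG_WEB + [DENY_ALL], None, "168.63.129.16", web, 443))  # probe blocked
```

The third call is the case Part 5 warns about: SSH from an address inside 10.60.0.0/16 is allowed by AllowVnetInBound (65000) unless the optional Deny-All-Inbound (4096) exists, and the last call shows that the same Deny-All also blocks load balancer health probes on any port no custom rule allows.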

Validation

Cleanup

  1. Resource groups > select rg-az104-lab13 > Delete resource group.

Exam Tips