Intro to Network Security Groups
1h 26m

This course covers how to implement Azure network security. Through a combination of both theory and practical demonstrations, you will learn how to create and configure a range of Azure services designed to keep your network secure.

This includes topics such as virtual network connectivity, the Azure Front Door Service, NSG configuration, Azure firewall configuration, and application security groups. The course then moves on to the configuration of remote access management via just-in-time access and tools that are used to configure baselines.

We’d love to get your feedback on this course, so please give it a rating when you’re finished. If you have any queries or suggestions, please contact us at

Learning Objectives

  • Understand how to implement Azure network security
  • Learn about the various Azure services and methodologies available to secure your network

Intended Audience

This course is intended for IT professionals who are interested in earning Azure certification and for those who work with Microsoft Azure on a daily basis.


To get the most from this course, you should have at least a basic understanding of Azure network resources such as virtual networks, Azure firewalls, and network security groups.



Network security groups are used to filter network traffic to and from Azure resources in an Azure virtual network. When you create a network security group, that group will contain security rules that allow or deny inbound network traffic to or outbound network traffic from many types of Azure resources.

A network security group can contain as many security rules as you require, or it can contain zero security rules. Each rule defined within a network security group requires a unique name within the security group, a priority, a source or destination, a protocol, a direction, a port range, and an action.

The priority is a number between 100 and 4,096. This priority determines the order in which rules are processed. Rules with lower priority numbers are processed before those with higher numbers and once traffic matches a specific rule, processing of remaining rules stops.

When you define a source or destination for a security rule, what you are doing is telling the rule whether the source or destination is an individual IP address, any IP address, a CIDR block, a particular service tag, or an application security group.

The protocols that you can configure within a security rule include TCP, UDP, ICMP, or Any, and as far as directions go, you can configure security rules to apply to either inbound or outbound traffic.

When defining a security rule, you can specify an individual port for it to apply to or you can specify a range of ports. For example, you can specify something like port 443 or you can specify a range like ports 10,000 to 11,000.

Defining ranges allows you to create fewer security rules, since you don't have to create an individual rule for each port.

The action that you define for a security rule can be either allow or deny. This determines what happens when the rule is matched.
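The sketch below models the rule processing described above: rules are sorted by priority, and the first rule that matches the traffic decides the action. It is an added example, not part of the course material or Azure's own code; the `Rule` class, the `evaluate` and `validate` functions, and the sample rule set are hypothetical. Destination matching, service tags, and application security groups are left out to keep it short.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096; lower numbers are processed first
    direction: str       # "Inbound" or "Outbound"
    protocol: str        # "Tcp", "Udp", "Icmp" or "Any"
    source: str          # CIDR block, single IP address, or "Any"
    ports: tuple         # (low, high) inclusive; a single port is (443, 443)
    action: str          # "Allow" or "Deny"

def validate(rules):
    """Enforce the constraints the lesson lists: unique names, priority range."""
    names = [r.name for r in rules]
    if len(names) != len(set(names)):
        raise ValueError("rule names must be unique within the group")
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority must be between 100 and 4096")

def _source_matches(rule, src_ip):
    if rule.source == "Any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)

def evaluate(rules, direction, protocol, src_ip, port):
    """Return (rule name, action) of the first matching rule, or None."""
    validate(rules)
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction
                and r.protocol in ("Any", protocol)
                and _source_matches(r, src_ip)
                and r.ports[0] <= port <= r.ports[1]):
            return r.name, r.action   # first match wins; later rules are skipped
    return None  # no rule in this list matched (built-in default rules are not modelled)

# Constructed sample rule set (names and addresses are illustrative).
RULES = [
    Rule("deny-all-web", 400, "Inbound", "Tcp", "Any", (443, 443), "Deny"),
    Rule("allow-office-web", 200, "Inbound", "Tcp", "203.0.113.0/24", (443, 443), "Allow"),
    Rule("allow-app-range", 300, "Inbound", "Tcp", "10.0.0.0/8", (10000, 11000), "Allow"),
]
```

Because `allow-office-web` has priority 200, traffic from 203.0.113.0/24 to port 443 is allowed before the broader `deny-all-web` rule at priority 400 is ever considered; swapping the two priorities would block that traffic.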

In the next lesson, I'm going to show you how to create a network security group and how to configure a security rule.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.