Azure Virtual Network Security

Overview

Azure Virtual Network (VNet) provides an isolated, private network environment for your Azure resources. Security is a layered approach that combines segmentation, access control, threat protection, and monitoring.

Subnet security

Design your VNet with multiple subnets to isolate workloads. Apply Network Security Groups (NSGs) at subnet or NIC level to enforce inbound and outbound rules.

  • Use separate subnets for front‑end, application, and data tiers.
  • Reserve a dedicated subnet for Azure services (e.g., Azure Bastion, Azure Firewall).
  • Limit traffic flow using Service Tags and Application Security Groups.

Network Security Groups (NSG)

NSGs contain security rules that allow or deny network traffic based on source/destination IP, port, and protocol. Rules are evaluated in ascending priority order (lowest number first) and the first match decides; Azure's built-in default rules at priorities 65000 and above catch anything not matched by your own rules.

Typical rule set

# Allow SSH from bastion
Priority: 100
Direction: Inbound
Protocol: TCP
Source: AzureBastion
SourcePortRange: *
Destination: VirtualNetwork
DestinationPortRange: 22
Action: Allow

# Deny Internet inbound
Priority: 200
Direction: Inbound
Protocol: *
Source: Internet
SourcePortRange: *
Destination: VirtualNetwork
DestinationPortRange: *
Action: Deny

For more details, see Network Security Groups documentation.
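To make the priority ordering concrete, the following evaluator walks the rule set above the way the platform does (ascending priority, first match wins) together with two of Azure's built-in inbound defaults. It is an added example for this page, not Azure code or documentation, and it makes several assumptions: the VNet prefix is 10.0.0.0/16 (as in the page's other examples), the `AzureBastion` source is modelled as a constructed bastion subnet prefix 10.0.255.0/26, and the `Internet` tag is simplified to "any address outside the VNet prefix".

```python
"""Toy evaluator for NSG inbound rule processing: rules are checked in ascending
priority order and the first match decides. Added example, not Azure code."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

# Azure resolves service tags to live prefix lists; these are constructed
# stand-ins. The VNet prefix matches the page's examples, the "AzureBastion"
# source is modelled as an assumed bastion subnet, and "Internet" is simplified
# to "any address outside the VNet prefix".
VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")
TAG_PREFIXES = {
    "VirtualNetwork": [VNET_PREFIX],
    "AzureBastion": [ipaddress.ip_network("10.0.255.0/26")],  # assumed value
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    protocol: str     # "TCP", "UDP", "ICMP" or "*"
    source: str       # service tag, CIDR or single IP
    destination: str
    dest_ports: str   # "*", "22" or "80-443"
    action: str       # "Allow" or "Deny"


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "Internet":
        return ip not in VNET_PREFIX
    if spec in TAG_PREFIXES:
        return any(ip in net for net in TAG_PREFIXES[spec])
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: Iterable[Rule], src_ip: str, dst_ip: str,
             dst_port: int, protocol: str) -> Tuple[str, str]:
    """Return (action, rule name) of the lowest-priority-number rule that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.upper() != protocol.upper():
            continue
        if not (_addr_matches(rule.source, src_ip)
                and _addr_matches(rule.destination, dst_ip)
                and _port_matches(rule.dest_ports, dst_port)):
            continue
        return rule.action, rule.name
    raise ValueError("no rule matched; the default DenyAllInBound should prevent this")


# The page's typical rule set plus two of Azure's built-in inbound defaults
# (the platform also adds AllowAzureLoadBalancerInBound at 65001, omitted here).
INBOUND_RULES = [
    Rule("AllowSSHFromBastion", 100, "TCP", "AzureBastion", "VirtualNetwork", "22", "Allow"),
    Rule("DenyInternetInbound", 200, "*", "Internet", "VirtualNetwork", "*", "Deny"),
    Rule("AllowVnetInBound", 65000, "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

if __name__ == "__main__":
    # Constructed traffic: a bastion host, an Internet client and a peer VM in
    # the VNet, each trying SSH to an application VM at 10.0.1.10.
    for src in ("10.0.255.4", "203.0.113.9", "10.0.2.7"):
        print(src, evaluate(INBOUND_RULES, src, "10.0.1.10", 22, "TCP"))
```

Two things fall out of running it. The explicit Internet deny at priority 200 never changes an outcome, because the built-in DenyAllInBound at 65500 would reject the same traffic; it is useful only as documentation of intent. More important for least privilege, SSH from another VM inside the VNet is still allowed by the built-in AllowVnetInBound rule, so a rule set that is meant to restrict SSH to the bastion needs an explicit deny for port 22 from `VirtualNetwork` at a priority between the bastion allow and 65000.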

Azure Firewall

Azure Firewall provides stateful, application‑level filtering for outbound and inbound traffic. Deploy it in a dedicated subnet (AzureFirewallSubnet).

  • Threat intelligence‑based filtering
  • Fully managed, highly available
  • Integration with Azure Monitor and Log Analytics

Configuration example:

// Assumed inputs for this example: the VNet that already contains a subnet
// named AzureFirewallSubnet, and the resource ID of a Standard-SKU public IP.
param vnetName string
param firewallPublicIpId string

resource firewall 'Microsoft.Network/azureFirewalls@2022-07-01' = {
  name: 'myFirewall'
  location: resourceGroup().location
  sku: {
    name: 'AZFW_VNet'
    tier: 'Standard'
  }
  properties: {
    // The firewall must be placed in the subnet named exactly AzureFirewallSubnet.
    ipConfigurations: [
      {
        name: 'fwIpConfig'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'AzureFirewallSubnet') }
          publicIPAddress: { id: firewallPublicIpId }
        }
      }
    ]
    networkRuleCollections: [
      {
        name: 'AllowWeb'
        properties: {
          priority: 200
          action: { type: 'Allow' }
          rules: [
            {
              name: 'AllowHTTP'
              // Network rules filter on the L4 protocol; 'Http' is only valid in
              // application rules, so the web ports are allowed over TCP here.
              protocols: ['TCP']
              sourceAddresses: ['10.0.0.0/16']
              destinationAddresses: ['*']
              destinationPorts: ['80', '443']
            }
          ]
        }
      }
    ]
  }
}

DDoS Protection

Enable Standard DDoS Protection for critical resources. It provides automatic attack mitigation and telemetry.

  • Automatic traffic scrubbing at the Azure global edge.
  • Integration with Azure Monitor for alerts.
  • Policy‑based protection per VNet.

Best practices

  1. Use a hub‑spoke topology; place security services in the hub.
  2. Apply least‑privilege NSG rules.
  3. Segment workloads with dedicated subnets.
  4. Enable Azure Policy for security configurations.
  5. Log all traffic using Network Watcher and Azure Monitor.

Sample ARM template

The following ARM template creates a VNet with two subnets, an NSG, and associates the NSG to the application subnet.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnetName": { "type": "string", "defaultValue": "myVNet" },
    "addressPrefix": { "type": "string", "defaultValue": "10.0.0.0/16" },
    "appSubnetName": { "type": "string", "defaultValue": "appSubnet" },
    "appSubnetPrefix": { "type": "string", "defaultValue": "10.0.1.0/24" },
    "dataSubnetName": { "type": "string", "defaultValue": "dataSubnet" },
    "dataSubnetPrefix": { "type": "string", "defaultValue": "10.0.2.0/24" },
    "nsgName": { "type": "string", "defaultValue": "appSubnet-nsg" }
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2022-07-01",
      "name": "[parameters('vnetName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
      ],
      "properties": {
        "addressSpace": { "addressPrefixes": ["[parameters('addressPrefix')]"] },
        "subnets": [
          {
            "name": "[parameters('appSubnetName')]",
            "properties": {
              "addressPrefix": "[parameters('appSubnetPrefix')]",
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
              }
            }
          },
          {
            "name": "[parameters('dataSubnetName')]",
            "properties": {
              "addressPrefix": "[parameters('dataSubnetPrefix')]"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2022-07-01",
      "name": "[parameters('nsgName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "AllowHTTPIn",
            "properties": {
              "description": "Web traffic to the application tier.",
              "priority": 100,
              "protocol": "Tcp",
              "access": "Allow",
              "direction": "Inbound",
              "sourcePortRange": "*",
              "destinationPortRange": "80",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*"
            }
          },
          {
            "name": "DenyAllOutbound",
            "properties": {
              "description": "Blocks all egress; add higher-priority Allow rules for required destinations before deploying.",
              "priority": 200,
              "protocol": "*",
              "access": "Deny",
              "direction": "Outbound",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*"
            }
          }
        ]
      }
    }
  ]
}
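Best practices 2 and 3 above (least-privilege NSG rules, every workload subnet segmented and guarded) can be checked before a template is deployed. The script below is an added example written for this page, not Azure Policy or Microsoft tooling; it reads ARM resources of the kinds used in the template above and flags inbound Allow rules that open SSH or RDP to any source, subnets without an NSG, and a VNet that references an NSG without declaring `dependsOn` (a `resourceId()` inside a property does not create a deployment dependency). The embedded template is a constructed, trimmed sample that deliberately contains each of those gaps.

```python
"""Least-privilege audit for NSG and subnet definitions inside an ARM template.
Added example for this page; the checks encode the page's best practices and
are not an Azure Policy definition or Microsoft tooling."""
import json

MANAGEMENT_PORTS = (22, 3389)                 # SSH and RDP
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}   # source prefixes that mean "anyone"
NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
VNET_TYPE = "Microsoft.Network/virtualNetworks"


def _port_covered(props: dict, port: int) -> bool:
    """True if the rule's destination ports ("*", "22", "80-443" or a list) cover port."""
    specs = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    for spec in specs:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _sources(props: dict) -> set:
    return set(props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")])


def audit_template(template: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for res in template.get("resources", []):
        name, props = res["name"], res.get("properties", {})
        if res["type"] == NSG_TYPE:
            for rule in props.get("securityRules", []):
                rp = rule["properties"]
                if rp["direction"] != "Inbound" or rp["access"] != "Allow":
                    continue                      # only inbound allows widen exposure
                if not (_sources(rp) & ANY_SOURCE):
                    continue                      # source is already scoped
                for port in MANAGEMENT_PORTS:
                    if _port_covered(rp, port):
                        findings.append(f"{name}/{rule['name']}: port {port} allowed from any source")
                if rp.get("protocol") == "*" and _port_covered(rp, 1) and _port_covered(rp, 65535):
                    findings.append(f"{name}/{rule['name']}: any protocol and port allowed from any source")
        elif res["type"] == VNET_TYPE:
            for subnet in props.get("subnets", []):
                if "networkSecurityGroup" not in subnet.get("properties", {}):
                    findings.append(f"{name}/{subnet['name']}: subnet has no NSG")
            # resourceId() in a property is not a dependency; without dependsOn the
            # VNet can be deployed before the NSG it points at exists.
            refs_nsg = "networkSecurityGroups" in json.dumps(props)
            if refs_nsg and not any("networkSecurityGroups" in d for d in res.get("dependsOn", [])):
                findings.append(f"{name}: references an NSG without dependsOn")
    return findings


# Constructed, trimmed sample template carrying the gaps the audit looks for.
SAMPLE_TEMPLATE = {
    "resources": [
        {
            "type": VNET_TYPE,
            "name": "hubVNet",
            "properties": {
                "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
                "subnets": [
                    {"name": "appSubnet", "properties": {
                        "addressPrefix": "10.0.1.0/24",
                        "networkSecurityGroup": {
                            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'app-nsg')]"}}},
                    {"name": "dataSubnet", "properties": {"addressPrefix": "10.0.2.0/24"}},
                ],
            },
        },
        {
            "type": NSG_TYPE,
            "name": "app-nsg",
            "properties": {"securityRules": [
                {"name": "AllowHTTPSIn", "properties": {
                    "priority": 100, "protocol": "Tcp", "access": "Allow", "direction": "Inbound",
                    "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}},
                {"name": "AllowRDPIn", "properties": {
                    "priority": 110, "protocol": "Tcp", "access": "Allow", "direction": "Inbound",
                    "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
                {"name": "AllowSSHFromBastion", "properties": {
                    "priority": 120, "protocol": "Tcp", "access": "Allow", "direction": "Inbound",
                    "sourceAddressPrefix": "10.0.255.0/26", "destinationPortRange": "22"}},
            ]},
        },
    ]
}

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the sample it reports three findings: the RDP rule open to any source, the data subnet with no NSG, and the missing `dependsOn`. The HTTPS rule from `Internet` on port 443 is not flagged, because exposing a web port to the Internet is the application tier's purpose; the SSH rule is not flagged because its source is scoped to a single subnet. Feed the script a template loaded with `json.load()` to run the same checks on the page's own template above.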