
Azure Virtual Network & NSG Configuration

Prasanth Panneer Selvam

Overview

This case study demonstrates how Azure Virtual Networks (VNet) and Network Security Groups (NSG) were configured to isolate and secure cloud infrastructure.

The objective of this implementation was to create a private network environment for Azure resources and enforce strict traffic control using security rules.

This networking setup ensures that cloud resources communicate securely while minimizing exposure to the public internet.

This implementation is part of the Secure Azure Storage Architecture project.


Architecture Objective

The networking architecture was designed to achieve the following:

  • Isolate Azure resources within a private virtual network
  • Segment network traffic using subnets
  • Control inbound and outbound traffic using Network Security Groups
  • Reduce the public attack surface of the infrastructure
  • Follow Azure networking and security best practices

Azure Services Used

  • Azure Virtual Network (VNet)
  • Network Security Groups (NSG)
  • Azure Subnets
  • Azure Storage Account

Virtual Network Planning

Address Space and Subnet Configuration

Azure VNet Address Space and Subnets

The Virtual Network was designed with a dedicated address space and subnet segmentation to support secure communication between Azure resources.

Configured subnets include:

  • Default Subnet
  • Public Subnet
  • Private Subnet

Subnet segmentation improves traffic control and creates a stronger security boundary inside the Azure environment.


Review and Create

Azure VNet Review and Create

Before deployment, Azure validates the network configuration to confirm that the address space, subnet allocations, resource group, and region settings are correctly defined.

This review step helps prevent configuration errors before the Virtual Network is created.


Network Security Group Configuration

Creating Inbound Security Rules

NSG Inbound Rule Configuration

A Network Security Group was configured to control inbound and outbound network traffic.

An inbound rule was created to allow SSH (Port 22) access for administrative connectivity while restricting unnecessary traffic.

Key rule parameters included:

  • Protocol: TCP
  • Port: 22
  • Action: Allow
  • Priority: 300

NSG rules are evaluated based on priority, which ensures that traffic is filtered according to explicitly defined policies.


Restricting SSH Access to a Trusted IP

NSG SSH Restricted IP

To improve security, SSH access was restricted to a specific trusted IP address instead of being opened broadly.

This significantly reduces the risk of unauthorized access and brute-force attacks by allowing administrative access only from an approved source.
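
The effect of the priority order and the trusted-source restriction can be checked offline with a small model of inbound rule evaluation. This is an added example, not the author's configuration or an Azure API: the rule names, the 203.0.113.10 address and the simplified matching (IPv4 CIDR or `*`, a single port or `*`, no service tags) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # IPv4 CIDR, or "*" for any source
    protocol: str   # "Tcp", "Udp" or "*"
    port: str       # single port, or "*" for any port
    access: str     # "Allow" or "Deny"

# Azure's built-in inbound catch-all. The other defaults (65000, 65001) rely
# on service tags, which this simplified model leaves out.
DENY_ALL = Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny")

def _net(source):
    return ipaddress.ip_network("0.0.0.0/0" if source == "*" else source)

def evaluate(rules, src_ip, protocol, port):
    """Return (access, rule name) for the first matching rule by priority."""
    for r in sorted([*rules, DENY_ALL], key=lambda r: r.priority):
        if (ipaddress.ip_address(src_ip) in _net(r.source)
                and r.protocol in ("*", protocol)
                and r.port in ("*", str(port))):
            return r.access, r.name

def open_ssh_rules(rules):
    """Names of Allow rules that admit TCP 22 from every source address."""
    return [r.name for r in rules
            if r.access == "Allow" and _net(r.source).prefixlen == 0
            and r.protocol in ("*", "Tcp") and r.port in ("*", "22")]

# Constructed sample rules; 203.0.113.10 is a documentation address standing
# in for the trusted administrator IP.
WEAK = [Rule("Allow-SSH-Any", 300, "*", "Tcp", "22", "Allow")]
HARDENED = [Rule("Allow-SSH-Trusted", 300, "203.0.113.10/32", "Tcp", "22", "Allow")]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "open SSH rules:", open_ssh_rules(rules))
        for ip in ("203.0.113.10", "198.51.100.7"):
            print(" ", ip, "->", evaluate(rules, ip, "Tcp", 22))
```

With the hardened rule, any source other than the trusted address falls through to the default deny, and a lower-numbered Deny rule would override the priority-300 Allow.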


Verifying NSG Rule Creation

NSG Rule Added

After the inbound rule was created, it appeared in the NSG rule list.

This confirms that the security policy was successfully applied and is now actively controlling inbound traffic to the environment.


Associating NSG with the Subnet

NSG Association Configuration

The Network Security Group was associated with the subnet so that all resources inside that subnet inherit the defined traffic rules.

This provides centralized traffic control at the subnet level.


NSG Successfully Associated with Subnet

NSG Associated with Subnet

After the association was completed, the subnet's configuration showed the attached NSG.

By associating the NSG at the subnet level:

  • All resources inside the subnet inherit the security rules
  • Traffic entering or leaving the subnet is filtered
  • Unauthorized access attempts are blocked automatically

This approach strengthens the overall security posture of the Azure environment.


Security Benefits

Implementing Azure Virtual Networks and Network Security Groups provides several key security advantages:

  • Network isolation for cloud infrastructure
  • Controlled inbound and outbound traffic
  • Reduced exposure to the public internet
  • Improved security posture for Azure resources

These controls form a foundational layer of defense for securing Azure workloads.


Relationship to Main Project

This networking configuration is part of the larger Secure Azure Storage Architecture implementation.

The Virtual Network and NSG setup ensures that storage services and supporting infrastructure operate within a secure and controlled network environment.

➡️ View the full CloudGuard project: CloudGuard – Azure Secure Cloud Infrastructure