Where Can You Associate Network Security Groups in an Azure VNet?
Get a clear AZ-500 explanation on where to associate Network Security Groups (NSGs). Learn the difference between applying NSGs to subnets and VM NICs, and how traffic rules are evaluated for complete Azure network security.
Question
Network Security Groups (NSG) can be associated with which of the following Azure network elements?
A. VNet, VM NIC
B. VNet, subnet
C. subnet, VM NIC
D. VNet, subnet, VM NIC
Answer
C. subnet, VM NIC
Explanation
The correct answer is C. Network Security Groups (NSGs) can be associated with subnets within a virtual network or with individual virtual machine network interfaces (NICs); these are the only two association points.
Network Security Group Association Points
A Network Security Group acts as a stateful firewall: it holds a prioritized list of security rules that allow or deny network traffic. The scope of an NSG's rules depends on where it is associated within the Azure network hierarchy.
Association with a Subnet
When an NSG is associated with a subnet, its rules are applied to all resources connected to that subnet, including all virtual machine NICs within it. This is the recommended approach for applying a broad set of security rules to a group of related resources, such as all the web servers in a web tier subnet. It simplifies management by providing a single point of control for the entire subnet.
Association with a VM NIC
An NSG can also be associated directly with the network interface of a specific virtual machine. In this case, the NSG’s rules apply only to the traffic flowing in and out of that single NIC. This method is used for applying granular, machine-specific rules that may differ from the broader subnet policy. It allows for creating exceptions or applying stricter security for a high-value VM.
How Rules Are Evaluated
It is critical to understand how rules are processed when NSGs are applied at both levels:
- Inbound Traffic: For traffic coming into a VM, the rules in the subnet-associated NSG are evaluated first. If the traffic is allowed by the subnet NSG, the rules in the NIC-associated NSG are evaluated next. The traffic must be permitted by both NSGs to reach the VM.
- Outbound Traffic: For traffic leaving a VM, the process is reversed. The rules in the NIC-associated NSG are evaluated first. If allowed, the rules in the subnet-associated NSG are then evaluated. The traffic must be permitted by both NSGs to leave the network.
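The two-level evaluation described above, as an added example that is not part of the original page and not Microsoft's code: a small Python model of subnet and NIC NSGs in which rules are matched in priority order (lowest number first, first match decides), inbound flows are checked subnet NSG then NIC NSG, outbound flows NIC NSG then subnet NSG, and a level with no NSG associated is skipped. The NSG names, rules, IP addresses and the VNet prefix are constructed; Azure's default rules are reduced to a simplified subset (the VirtualNetwork service tag is replaced by a constructed prefix and the AzureLoadBalancer default is omitted).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed VNet address space standing in for the VirtualNetwork service tag.
VNET_PREFIX = "10.0.0.0/16"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # lower number is evaluated first
    direction: str           # "Inbound" or "Outbound"
    access: str              # "Allow" or "Deny"
    remote_prefix: str       # source (inbound) / destination (outbound) CIDR, or "*"
    port: Optional[int]      # destination port, None matches any port

    def matches(self, direction: str, remote_ip: str, port: int) -> bool:
        if self.direction != direction:
            return False
        if self.remote_prefix != "*" and ip_address(remote_ip) not in ip_network(self.remote_prefix):
            return False
        return self.port is None or self.port == port


# Simplified subset of the default rules every NSG carries (constructed approximation).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", VNET_PREFIX, None),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", None),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", VNET_PREFIX, None),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", None),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", None),
]


class Nsg:
    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        # Custom rules plus defaults, ordered by priority.
        self.rules = sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority)

    def evaluate(self, direction: str, remote_ip: str, port: int) -> Rule:
        # First matching rule decides; the DenyAll defaults guarantee a match.
        for rule in self.rules:
            if rule.matches(direction, remote_ip, port):
                return rule
        raise AssertionError("default rules always match")


def evaluate_flow(direction: str, remote_ip: str, port: int,
                  subnet_nsg: Optional[Nsg] = None,
                  nic_nsg: Optional[Nsg] = None) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """Return (allowed, trace). trace lists (nsg, rule, access) in evaluation order.

    Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then subnet NSG.
    Both must allow the flow; evaluation stops at the first Deny.
    """
    order = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    trace = []
    for nsg in order:
        if nsg is None:          # no NSG associated at this level: nothing to evaluate
            continue
        rule = nsg.evaluate(direction, remote_ip, port)
        trace.append((nsg.name, rule.name, rule.access))
        if rule.access == "Deny":
            return False, trace
    return True, trace


# Constructed sample: a broad subnet NSG for a web tier and a stricter NIC NSG on one VM.
WEB_SUBNET_NSG = Nsg("web-subnet-nsg", [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "*", 443),
    Rule("AllowSshFromCorp", 110, "Inbound", "Allow", "203.0.113.0/24", 22),
    Rule("DenyOutboundSmtp", 100, "Outbound", "Deny", "*", 25),
])
PAYMENTS_NIC_NSG = Nsg("vm-payments-nic-nsg", [
    Rule("DenySshFromAnywhere", 100, "Inbound", "Deny", "*", 22),
    Rule("AllowHttpsFromInternet", 110, "Inbound", "Allow", "*", 443),
])

if __name__ == "__main__":
    # SSH from corporate range: subnet allows, NIC denies -> blocked.
    print(evaluate_flow("Inbound", "203.0.113.10", 22, WEB_SUBNET_NSG, PAYMENTS_NIC_NSG))
    # Same flow to a VM on the subnet with no NIC NSG -> allowed.
    print(evaluate_flow("Inbound", "203.0.113.10", 22, WEB_SUBNET_NSG, None))
    # Outbound SMTP: NIC (defaults) allows first, subnet then denies -> blocked.
    print(evaluate_flow("Outbound", "198.51.100.7", 25, WEB_SUBNET_NSG, PAYMENTS_NIC_NSG))
```

The trace makes the exam point concrete: the NIC-level Allow for HTTPS is needed because a NIC NSG with only default rules would deny Internet traffic even after the subnet NSG allowed it, and the outbound SMTP case shows the NIC NSG being consulted before the subnet NSG.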
Why Other Options Are Incorrect
NSGs cannot be associated directly with a Virtual Network (VNet). A VNet is the overarching network boundary, and security is controlled at more granular levels within it. Therefore, any option including “VNet” (A, B, and D) is incorrect.