
Azure Network Security and Routing Explained for AZ-104

Opening a port on an Azure VM to the internet takes about ten seconds. That ease of configuration is also a risk. Azure's network security model is built around layered controls: Network Security Groups filter traffic at the subnet and NIC level, Azure Firewall provides centralized stateful inspection across the environment, User Defined Routes force traffic through inspection points, and Azure Bastion eliminates the need to expose RDP and SSH ports to the internet at all. The AZ-104 exam tests NSG rule priority and evaluation, the differences between NSGs and Azure Firewall, how User Defined Routes override system routes, and when to use Bastion versus other access methods.


Network Security Groups and Application Security Groups

A Network Security Group (NSG) contains rules that allow or deny traffic. Each rule specifies a source, destination, port, protocol, and action. Rules are evaluated in priority order, lowest number first. The first matching rule wins: Azure stops evaluating lower-priority rules once a match is found. Every NSG has default rules at high priority numbers (65000, 65001, 65500) that allow VNet-internal traffic, allow Azure Load Balancer traffic, and deny all other inbound traffic. You cannot delete default rules but can override them by adding rules at lower priority numbers.

NSGs can be attached to subnets (applying to all resources in the subnet) and to individual NICs (applying only to that specific network interface). When an NSG is attached to both the subnet and the NIC, traffic must satisfy both NSGs: the subnet NSG is evaluated first for inbound traffic, then the NIC NSG. For outbound traffic, the NIC NSG is evaluated first, then the subnet NSG. NSGs are stateful: if you allow inbound traffic on port 80, the response traffic is automatically permitted without a separate outbound rule.

Application Security Groups (ASGs) let you group VMs logically and reference those groups in NSG rules. Instead of specifying individual IP addresses for your web servers, you assign those VMs to a WebServer ASG and write a rule that allows traffic to the WebServer ASG. When new web servers are added to the ASG, they automatically inherit the rules. ASGs simplify NSG management in environments where IP addresses change or where you want to express security policy in application terms rather than network terms.
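The rule-evaluation order described above (lowest priority number first, first match wins, built-in default rules last, subnet NSG then NIC NSG for inbound traffic), worked through as an added example; this is illustrative code, not anything from Azure or the page, and the VNet range, rule names and sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample VNet address space (assumption, not from the page).
VNET = ip_network("10.0.0.0/16")
AZURE_LB_PROBE_IP = "168.63.129.16"  # source used by Azure Load Balancer health probes

# Default inbound rules every NSG carries; they cannot be deleted, only overridden by lower numbers.
DEFAULT_INBOUND = [
    {"priority": 65000, "name": "AllowVnetInBound", "src": "VirtualNetwork", "port": "*", "action": "Allow"},
    {"priority": 65001, "name": "AllowAzureLoadBalancerInBound", "src": "AzureLoadBalancer", "port": "*", "action": "Allow"},
    {"priority": 65500, "name": "DenyAllInBound", "src": "*", "port": "*", "action": "Deny"},
]

def source_matches(src, packet_src):
    """Match a rule source that is '*', a service tag, or a CIDR against the packet source."""
    if src == "*":
        return True
    if src == "VirtualNetwork":
        return ip_address(packet_src) in VNET
    if src == "AzureLoadBalancer":
        return packet_src == AZURE_LB_PROBE_IP
    return ip_address(packet_src) in ip_network(src)

def evaluate(rules, packet):
    """One NSG: sort by priority number (lowest first), first match wins, defaults come last."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if source_matches(rule["src"], packet["src"]) and rule["port"] in ("*", packet["dport"]):
            return rule["action"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches everything")

def inbound_allowed(subnet_rules, nic_rules, packet):
    """Inbound: subnet NSG is evaluated first, then NIC NSG; both must allow the packet."""
    return all(evaluate(rules, packet)[0] == "Allow" for rules in (subnet_rules, nic_rules))

# Constructed rules, listed in creation order on purpose: creation order is irrelevant.
SUBNET_NSG = [
    {"priority": 300, "name": "DenyBadNet", "src": "203.0.113.0/24", "port": 80, "action": "Deny"},
    {"priority": 100, "name": "AllowWeb", "src": "*", "port": 80, "action": "Allow"},
]
NIC_NSG = [
    {"priority": 100, "name": "DenyAdminPorts", "src": "*", "port": 22, "action": "Deny"},
    {"priority": 200, "name": "AllowWebToNic", "src": "*", "port": 80, "action": "Allow"},
]

if __name__ == "__main__":
    # DenyBadNet (300) is shadowed by AllowWeb (100): the listed network still reaches port 80.
    print(evaluate(SUBNET_NSG, {"src": "203.0.113.5", "dport": 80}))                   # ('Allow', 'AllowWeb')
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, {"src": "10.0.1.4", "dport": 22}))      # False: NIC NSG denies
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, {"src": "10.0.1.4", "dport": 3389}))    # True: VNet default allow
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, {"src": "198.51.100.7", "dport": 3389}))  # False: DenyAllInBound
```

The shadowed deny rule is the practical lesson: a deny intended to carve an exception out of a broad allow must carry a lower priority number than that allow, or it never runs.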

Azure Firewall, User Defined Routes, and Azure Bastion

Azure Firewall is a fully managed, stateful network firewall deployed in its own dedicated subnet (AzureFirewallSubnet). Unlike NSGs, which are simple allow/deny rules, Azure Firewall supports FQDN-based filtering (allow traffic to api.example.com regardless of IP), threat intelligence integration that blocks known malicious IPs, TLS inspection for HTTPS traffic, intrusion detection and prevention (in Premium SKU), and centralized policy management through Azure Firewall Policy. Azure Firewall is the right tool when you need application-layer awareness, FQDN filtering, or centralized inspection across multiple VNets.

User Defined Routes (UDRs) override Azure's default system routes to force traffic through a specific next hop. The most common use is hub-and-spoke networking with a central firewall: you create a UDR in spoke subnets with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP as the next hop. All outbound traffic from the spoke then flows through the firewall for inspection before reaching the internet or other VNets. Without UDRs, Azure would route traffic directly using system routes.

Azure Bastion provides browser-based RDP and SSH access to VMs through the Azure portal without requiring a public IP address on the VM or opening RDP (port 3389) or SSH (port 22) ports in an NSG. Bastion is deployed in the AzureBastionSubnet of a VNet and connects to VMs in that VNet or peered VNets. The Standard SKU adds support for connecting to VMs in peered VNets, IP-based connections, and shareable links. Just-in-Time VM Access in Microsoft Defender for Cloud is an alternative: it allows temporary NSG rules that open specific ports for a defined duration upon request.

How to choose the correct answer

NSG: stateful layer 4 filtering by IP, port, protocol. Attached to subnet or NIC. Low-cost, basic traffic control.

NSG priority: lower number = higher priority. First matching rule wins. Default rules at 65000-65500 cannot be deleted.

ASG: logical grouping of VMs referenced in NSG rules. Simplifies rules for dynamic environments.

Azure Firewall: centralized, stateful, FQDN-filtering, threat intelligence. Requires dedicated subnet.

UDR: override system routes to force traffic through NVA or Azure Firewall. Required for hub-spoke inspection.

Azure Bastion: browser-based RDP/SSH, no public IP on VM, no open RDP/SSH port in NSG.

NSG vs Azure Firewall: NSG for subnet/NIC-level filtering. Azure Firewall for centralized, FQDN-aware, policy-based control.

Azure network security controls

Control          Scope                   Awareness                             Best for
NSG              Subnet or NIC           Layer 4 (IP, port, protocol)          Basic traffic filtering for individual subnets or VMs
Azure Firewall   Centralized (hub VNet)  Layer 7 (FQDN, URLs, TLS inspection)  Centralized inspection, FQDN filtering, threat intelligence
ASG              Logical VM groups       Layer 4 (via NSG rules)               Simplifying NSG rules for groups of VMs
UDR              Route table for subnet  Layer 3 (routing)                     Forcing traffic through inspection points
Azure Bastion    VNet                    Management access (RDP/SSH)           Secure VM access without public IPs or open ports

Key exam facts — AZ-104

  • NSG rules: priority 100-4096, lower number wins, first match applies. Cannot modify default rules (65000+).
  • NSG on subnet + NIC: both evaluated. Subnet NSG first (inbound), NIC NSG first (outbound).
  • NSG is stateful: return traffic for allowed connections is automatically permitted.
  • Azure Firewall: deployed in AzureFirewallSubnet, supports FQDN filtering, threat intel, IDPS (Premium).
  • UDR next hop options: Virtual network gateway, VNet, Internet, Virtual appliance, None.
  • Azure Bastion: requires AzureBastionSubnet (/26 minimum), Standard SKU for peered VNet access.
  • ASG: assign NICs to ASG, reference ASG in NSG rules instead of individual IPs.

Common exam traps

NSGs are evaluated in the order they were created.

NSGs evaluate rules strictly by priority number, lowest to highest. The order of creation is irrelevant. When you create a new rule, you assign it a priority number, and that determines when it is evaluated relative to other rules. If two rules could match the same traffic and both have a match, only the lower-priority-number rule (the higher priority) applies.

Azure Firewall and NSGs do the same job and you only need one of them.

NSGs are subnet or NIC-level allow/deny rules for IP, port, and protocol. They are distributed, attached to individual resources, and have no application-layer awareness. Azure Firewall is a centralized, fully stateful firewall with FQDN-based filtering, threat intelligence, TLS inspection, and policy-based management. Most enterprise environments use both: NSGs for basic perimeter rules and Azure Firewall for centralized inspection in a hub-spoke topology.

Just adding a UDR with a 0.0.0.0/0 route pointing to Azure Firewall is enough to enforce firewall inspection.

UDRs redirect traffic to the firewall, but Azure Firewall also needs rules that allow the traffic through. Traffic sent to Azure Firewall that does not match any allow rule is denied by default. You need both the UDR to direct traffic to the firewall and firewall rules that permit the required traffic. Forgetting the firewall rules after adding UDRs is a common cause of connectivity failures.
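The UDR section above and this trap together, as an added example (illustrative code, not from the page or from Azure): a route lookup in which a user route for 0.0.0.0/0 overrides the system route with the same prefix, followed by a firewall that denies anything no rule allows. The firewall IP, the spoke address space and the firewall rules are all constructed.

```python
from ipaddress import ip_address, ip_network

FIREWALL_IP = "10.0.0.4"  # constructed private IP of Azure Firewall in the hub's AzureFirewallSubnet

# Azure system routes for a constructed spoke subnet: the VNet address space, then default to Internet.
SYSTEM_ROUTES = [
    {"prefix": "10.1.0.0/16", "next_hop": "VNet", "source": "system"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "system"},
]
# A user route with the same 0.0.0.0/0 prefix takes precedence over the system route.
UDR = [
    {"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance", "next_hop_ip": FIREWALL_IP, "source": "user"},
]

def select_route(dest, routes):
    """Longest prefix match; on an equal prefix length, a user route beats a system route."""
    dest = ip_address(dest)
    candidates = [r for r in routes if dest in ip_network(r["prefix"])]
    return max(candidates, key=lambda r: (ip_network(r["prefix"]).prefixlen, r["source"] == "user"))

# Constructed Azure Firewall network rules: only HTTPS out of the spoke is explicitly allowed.
FIREWALL_RULES = [
    {"name": "AllowHttpsOut", "src": "10.1.0.0/16", "dport": 443, "action": "Allow"},
]

def firewall_verdict(src, dport):
    """First matching firewall rule wins; traffic matching no rule is denied by default."""
    for rule in FIREWALL_RULES:
        if ip_address(src) in ip_network(rule["src"]) and rule["dport"] == dport:
            return rule["action"]
    return "Deny"

def egress(src, dest, dport, routes):
    """Return (next hop, verdict): the UDR only redirects; the firewall still needs an allow rule."""
    route = select_route(dest, routes)
    if route["next_hop"] != "VirtualAppliance":
        return route["next_hop"], "Allow"  # never reaches the firewall, so nothing inspects it
    return route["next_hop"], firewall_verdict(src, dport)

if __name__ == "__main__":
    spoke_vm, internet_host = "10.1.2.3", "203.0.113.10"  # constructed addresses
    print(egress(spoke_vm, internet_host, 80, SYSTEM_ROUTES))        # ('Internet', 'Allow'): no UDR, no inspection
    print(egress(spoke_vm, internet_host, 443, SYSTEM_ROUTES + UDR))  # ('VirtualAppliance', 'Allow')
    print(egress(spoke_vm, internet_host, 80, SYSTEM_ROUTES + UDR))   # ('VirtualAppliance', 'Deny'): the trap
    print(select_route("10.1.9.9", SYSTEM_ROUTES + UDR)["next_hop"])   # VNet: longer prefix still wins
```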
