
NSGs, ASGs & Service Tags: AZ-500 Networking Fundamentals

Network Security Groups are the exam's most common networking topic. Learn rule priority, the difference between NSGs and ASGs, and how Service Tags simplify rules for Azure platform services.

Microsoft Cloud Solution Architect
AZ-500, NSG, ASG, Service Tags, Azure Networking, Certification

Network Security Groups (NSGs)

An NSG is a stateful firewall applied to a subnet or a NIC. Rules are evaluated in priority order: the lower the number, the higher the priority. Rules 65000 to 65500 are default rules you cannot delete:

Priority  Rule                           Action
65000     AllowVnetInBound               Allow
65001     AllowAzureLoadBalancerInBound  Allow
65500     DenyAllInBound                 Deny

Exam tip: NSGs are stateful. If inbound traffic is allowed, the return traffic is automatically allowed even if there is no explicit outbound rule.

Application Security Groups (ASGs)

ASGs let you group VMs by role (for example, "WebServers" or "DatabaseServers") and reference that group in NSG rules instead of individual IPs. As VMs are added to or removed from an ASG, NSG rules update automatically.

Use case: allow the WebServers ASG to reach the DatabaseServers ASG on port 1433, with no IP management required.

Service Tags

Service Tags represent Microsoft-managed IP ranges for Azure services. Instead of maintaining a list of Azure SQL IPs, you write a rule allowing the Sql service tag on port 1433.

Key service tags for the exam: AzureCloud, Storage, Sql, AzureLoadBalancer, VirtualNetwork, Internet, AzureMonitor.

Exam trap: Service Tags are read-only. You cannot create custom service tags. For custom grouping use ASGs.

NSG Association Priority

An NSG on a subnet and an NSG on a NIC both apply. Traffic must be allowed by both. For inbound: subnet NSG evaluates first, then NIC NSG. For outbound: NIC NSG evaluates first, then subnet NSG.
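
The priority order and the subnet/NIC layering described above can be checked with a small model. This Python sketch is an added example, not code from the original article; the addresses, group members, and custom rule names are constructed, and ASG membership is simplified to IP addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address sets. Real ASG membership is by NIC, not IP; IPs keep the model small.
GROUPS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "WebServers": ["10.0.1.4/32", "10.0.1.5/32"],  # hypothetical ASG members
    "DatabaseServers": ["10.0.2.4/32"],             # hypothetical ASG members
}

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    src: str              # service tag, ASG name, or "*"
    dst: str
    port: Optional[int]   # None matches any port
    allow: bool

# The three default inbound rules listed earlier on the page.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", None, True),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", None, True),
    Rule(65500, "DenyAllInBound", "*", "*", None, False),
]

def in_group(ip, group):
    return group == "*" or any(ip_address(ip) in ip_network(p) for p in GROUPS[group])

def evaluate(custom_rules, src, dst, port):
    """Return the first rule that matches, scanning from the lowest priority number."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if in_group(src, rule.src) and in_group(dst, rule.dst) and rule.port in (None, port):
            return rule  # DenyAllInBound matches everything, so the loop always returns

def inbound_allowed(subnet_nsg, nic_nsg, src, dst, port):
    """Inbound order: subnet NSG, then NIC NSG. Traffic must be allowed by both."""
    trace = []
    for label, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        hit = evaluate(nsg, src, dst, port)
        trace.append(f"{label}:{hit.name}")
        if not hit.allow:
            return False, trace
    return True, trace

# Constructed NSGs for a database subnet and one database NIC.
SUBNET_NSG = [
    Rule(100, "AllowWebToSql", "WebServers", "DatabaseServers", 1433, True),
    Rule(200, "DenyVnetToDb", "VirtualNetwork", "DatabaseServers", None, False),
]
NIC_NSG = []  # defaults only
```

Calling inbound_allowed(SUBNET_NSG, NIC_NSG, "10.0.1.4", "10.0.2.4", 1433) passes both layers, while a VNet host outside the WebServers group stops at DenyVnetToDb before the default AllowVnetInBound rule is ever reached.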
