Cyber Intelligence
Secure Networking · 20% of exam

L6. NSGs, ASGs & Service Tags

Course outlineLesson 6 of 18

Network Security Groups are the exam's most common networking topic. Learn rule priority, the difference between NSGs and ASGs, and how Service Tags simplify rules for Azure platform services.

Network Security Groups (NSGs)

An NSG is a stateful firewall applied to a subnet or a NIC. Rules are evaluated in priority order (lowest number wins with highest priority). Rules 65000 to 65500 are default rules you cannot delete:

PriorityRuleAction
65000AllowVnetInBoundAllow
65001AllowAzureLoadBalancerInBoundAllow
65500DenyAllInBoundDeny
Exam tip: NSGs are stateful. If inbound traffic is allowed, the return traffic is automatically allowed even if there is no explicit outbound rule.

Application Security Groups (ASGs)

ASGs let you group VMs by role (for example, "WebServers" or "DatabaseServers") and reference that group in NSG rules instead of individual IPs. As VMs are added to or removed from an ASG, NSG rules update automatically.

Use case: allow WebServers ASG to reach DatabaseServers ASG on port 1433: no IP management required.

Service Tags

Service Tags represent Microsoft-managed IP ranges for Azure services. Instead of maintaining a list of Azure SQL IPs, you write a rule allowing the Sql service tag on port 1433.

Key service tags for the exam: AzureCloud, Storage, Sql, AzureLoadBalancer, VirtualNetwork, Internet, AzureMonitor. Exam trap: Service Tags are read-only. You cannot create custom service tags. For custom grouping use ASGs.

NSG Association Priority

An NSG on a subnet and an NSG on a NIC both apply. Traffic must be allowed by both. For inbound: subnet NSG evaluates first, then NIC NSG. For outbound: NIC NSG evaluates first, then subnet NSG.

Exam Focus Points
  • NSGs are stateful: allowed inbound traffic gets automatic return without an explicit outbound rule
  • Rule priority: lowest number wins. Default deny-all is priority 65500 and cannot be deleted
  • ASGs group VMs by role: NSG rules reference the group, not individual IPs
  • Service Tags = Microsoft-managed IP ranges (Sql, Storage, AzureCloud, etc.): cannot create custom ones
  • When NSG on subnet AND on NIC: inbound = subnet first then NIC; outbound = NIC first then subnet
Knowledge Check

1. An NSG has two inbound rules: Priority 100 allows port 443 from Internet, Priority 200 denies all traffic. What happens to an HTTPS request from the internet?

2. What is the primary purpose of Application Security Groups (ASGs) in Azure networking?

3. Which service tag would you use in an NSG rule to allow traffic from all Azure data center IP ranges globally?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available