Architect your Azure networking with Azure Network Security Group

Azure Network Security Group (NSG) is not a new feature in Azure. You may be familiar with it, but have you used it effectively?

According to the official documentation, an NSG contains an Access Control List (ACL) of rules that allow or deny network traffic to the VM instances in a Virtual Network. It is easy to see how this can be used to divide a network into DMZ, web, application and database tiers, just as we do in an on-premises environment. Below I share a case that shows how effectively NSG can help.

In some cases, people need to migrate their applications to Azure, the public cloud provided by Microsoft. In this case, the application to be migrated consisted of two systems, both of which needed to be integrated in a hybrid environment, with on-premises and Azure connected through Azure VPN.

Originally, because of the customer's security requirement, we needed to separate the systems by dividing the network into two individual VNets, each with its own site-to-site (S2S) VPN connection to the on-premises site.


However, this configuration requires the on-premises router to support dynamic routing in order to terminate multiple S2S VPNs. Unfortunately, the client's router supported only static routing and could not be upgraded in a short period. So how could we work around this?

The answer is Azure Network Security Group (NSG).


We therefore created one VNet containing both systems and assigned a different subnet to each. Each subnet is completely isolated from the other because the NSG blocks the network traffic between them. This works as if we had applied the two-VNet approach, but without the extra S2S VPN the original design needed. It also provides much more flexibility: if traffic between the two systems is required in the future, it can be enabled selectively with Access Control List (ACL) rules in the NSG.
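To make the isolation concrete, here is an added Python model (not the article's or Azure's own code) of how an NSG evaluates inbound traffic for this design: rules are matched in priority order, lowest number first, and Azure's default AllowVnetInBound rule (priority 65000) permits traffic between subnets of the same VNet, so the two subnets are only isolated if an explicit Deny rule with a lower priority number is added. The address ranges below are assumptions.

```python
"""Evaluate inbound flows against NSG rules for the two-subnet design.

Constructed example, not the article's code. Assumed addressing: VNet 10.0.0.0/16,
System A 10.0.1.0/24, System B 10.0.2.0/24, on-premises 192.168.0.0/16.
"""
import ipaddress

VNET, ON_PREM = ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("192.168.0.0/16")
SUBNET_A, SUBNET_B = "10.0.1.0/24", "10.0.2.0/24"

# Azure's built-in inbound rules. The VirtualNetwork tag covers the VNet address
# space and on-premises ranges reached through the VPN gateway, so by default
# the two subnets can talk to each other.
DEFAULT_INBOUND = [
    dict(name="AllowVnetInBound", priority=65000, access="Allow",
         src="VirtualNetwork", dst="VirtualNetwork", port="*"),
    dict(name="DenyAllInBound", priority=65500, access="Deny",
         src="*", dst="*", port="*"),
]

# Custom rules for System A's subnet NSG: keep the on-premises path open and
# block System B explicitly (priority number must be below 65000 to win).
SYSTEM_A_INBOUND = [
    dict(name="AllowOnPremInBound", priority=100, access="Allow",
         src=str(ON_PREM), dst=SUBNET_A, port="*"),
    dict(name="DenySystemBInBound", priority=200, access="Deny",
         src=SUBNET_B, dst="*", port="*"),
]


def _matches(prefix, addr):
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET or addr in ON_PREM
    return addr in ipaddress.ip_network(prefix)


def _port_ok(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)


def evaluate(rules, src, dst, port):
    """Return (access, rule name): the lowest priority number that matches wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if _matches(r["src"], src) and _matches(r["dst"], dst) and _port_ok(r["port"], port):
            return r["access"], r["name"]
    raise ValueError("no rule matched")
```

Evaluating a System B to System A flow against `DEFAULT_INBOUND` alone returns Allow from AllowVnetInBound; adding `SYSTEM_A_INBOUND` makes the same flow hit DenySystemBInBound while on-premises traffic still passes.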

Azure Network Security Group (NSG) helped our customer work around the limitation of, and dependency on, their existing router by separating the two systems with NSG rules, a more modern approach.

While the case above illustrates one scenario for NSG, people still face many other interesting issues, such as poor application-layer performance caused by infrastructure design decisions made during the development phase. In Part 2, we'll look at the dependency between IOPS and latency and how it relates to your cloud networking performance. Stay tuned!


