Azure Interview Prep

Appearance

Guide Metadata

Service Name: network security group and application security group Generation Approach: sequential_workflow Phases Completed: 5 Generation Complete: True Timestamp: 2025-09-01T12:22:48.923182 Config File: config/semantic_kernel_config.yaml

Azure Network Security Groups (NSGs) & Application Security Groups (ASGs) - Azure Service Guide

What is Azure Network Security Groups (NSGs) & Application Security Groups (ASGs)?

Azure Network Security Groups are stateful Layer 3 and Layer 4 virtual firewalls that control inbound and outbound network traffic to and from Azure resources through security rules based on source/destination IPs, ports, and protocols.
Azure Application Security Groups are logical groupings of NICs from VMs used for application-centric security rule management, enabling references to group names instead of IP addresses in NSG rules.

Simple Words Explanation:

  • NSG: Think of it as a rulebook at the door of your Azure resources deciding which traffic can come in or go out.
  • ASG: Think of it like name tags you give to computers, allowing you to make rules for "groups" instead of remembering specific IP addresses.

Key Use Cases

  • NSG - Internet Protection: Protecting workloads from direct inbound Internet access.
  • NSG - Layered Security: Isolating app tiers (Web → App → Database).
  • ASG - Dynamic Scaling: Simplifying rule management when VMs scale up/down.
  • ASG - Role-Based Grouping: Grouping web or database servers across subnets for easy NSG targeting.
  • NSG/ASG Together: Enforcing dynamic, tier-based application security without manual IP updates.

Service Categories/Types

  • NSG Subnet-level: Attach to entire subnets for shared rules.
  • NSG NIC-level: Attach to specific NICs for per-VM rules.
  • ASG: Logical NIC grouping within a single VNet for simpler NSG rules.

🎯 Core Concepts

Essential Terms & Definitions

TermDefinitionExample
NSGNetwork Security Group; a stateful firewall controlling VNet trafficAllow TCP 443 inbound
ASGApplication Security Group; logical VM NIC grouping for NSG targetingASG-WebServers
Security RuleA policy allowing or denying specific trafficDeny TCP 22 from Internet
Service TagAzure-managed labels for well-known services in rulesService Tag: Storage.WestUS
Stateful FilteringAutomatic return path allowance for permitted connectionsAllow inbound TCP 443 → outbound TCP 443 auto-allowed

Key Features

  • NSG Stateful Layer 3/4 filtering
  • Priority-Based Rules – Lowest number wins
  • Inbound/Outbound Control – For subnets/NICs
  • ASG Dynamic Grouping – IP-less rule management
  • Integration with Service Tags
  • Default Rules in NSGs – System-generated for Azure operations
  • NSG Flow Logs – For monitoring and auditing

Technical Deep Dive

NSG Processing:
Traffic is evaluated against inbound rules first (lowest priority first, first match wins). If allowed, traffic flows to the NIC or subnet. Outbound traffic is evaluated separately. NSGs are stateful — response traffic is automatically allowed.

ASG Integration:
ASGs are referenced in NSG rules instead of specific IPs. Adding/removing NICs from an ASG dynamically applies or removes policy without changing the NSG configuration.

🔄 Azure Service Comparisons

AttributeNSGASG
DefinitionStateful Layer 3/4 firewall for subnets/NICsLogical NIC grouping for NSG rules
Primary PurposeEnforce IP/Protocol/Port rulesAbstract IPs using group names
ScopeSubnets, NICsNICs in same VNet
FilteringDirect traffic controlNo filtering – references NSGs
Dynamic GroupingNoYes
Cross-VNet SupportYesNo
PricingFreeFree

Decision Matrix: | Factor | Choose NSG | Choose ASG | |--------|------------|------------| | Direct traffic control | ✅ | ❌ | | Avoid IP management | ❌ | ✅ | | Dynamic workloads | ❌ | ✅ | | Multi-VNet | ✅ | ❌ |

🌐 Networking Considerations

  • Attachment: NSGs can be attached to subnets or individual NICs.
  • ASG Membership: NICs in an ASG must be in the same VNet; NICs can be in multiple ASGs.
  • Chaining: NSG rules can use ASGs as source/destination.
  • Hub-and-Spoke: Apply NSGs in spokes, use ASGs for role-based targeting, optionally integrate with Azure Firewall in hub.
  • Monitoring: Use Network Watcher NSG Flow Logs for traffic analysis.

💰 Pricing & Cost Considerations

  • NSG: No direct cost (included in VNet service)
  • ASG: No direct cost
    Potential additional costs:
    • Cross-region or Internet-bound traffic
    • Azure Firewall or third-party NVA for higher layer inspection
      Optimization Tips:
    • Group rules in NSGs by role
    • Use ASGs to avoid frequent NSG edits due to IP changes

🔒 Security & Compliance

  • NSG:
    • Default deny inbound from Internet
    • Layer 3 & 4 filtering for East-West and North-South traffic
    • Supports Azure Policy enforcement
    • Flow logs for auditing
  • ASG:
    • Inherits NSG’s security/compliance posture
    • Supports Zero-Trust segmentation by logical grouping
      Compliance: Compatible with ISO 27001, HIPAA, SOC standards.

📊 Performance & Scalability

MetricNSGASG
Max Rules~1000 per NSGN/A
Max Associations1000 subnets/region1000 NICs/ASG
LatencySub-msNone
ScalingHandled by Azure fabricMembership changes auto-applied

Best Practices:

  • Use multiple NSGs for large, complex environments
  • Use ASGs for dynamic resource pools to minimize ops overhead

📝 Interview Preparation Checklist

Quick Recap with Key Answers

  • NSG: Firewall for network layers 3 & 4 in Azure.
  • ASG: Logical NIC grouping for easier NSG rule targeting.
  • Together: NSGs enforce rules; ASGs simplify rule definitions.

Architecture Scenarios Practice

  1. Three-tier App Security
    • Problem: Secure Web → App → DB communication without IP maintenance.
    • Solution: NSG rules referencing Web/App/DB ASGs.
    • Trade-off: Each ASG limited to single VNet.
  2. Dynamic VMSS Scaling
    • Problem: Manage security for auto-scaled VMs.
    • Solution: Put all VMSS NICs in an ASG; NSG rules reference ASG.
    • Trade-off: Must ensure ASG has all NICs on creation.
  3. Hub-Spoke with Central Firewall
    • Problem: Centralized North-South inspection.
    • Solution: Firewall in hub, NSGs in spokes, ASGs for grouping workloads.
    • Trade-off: More complex routing setup.

Must-Know Topics Checklist

  • [ ] NSG rule priority and evaluation
  • [ ] Inbound vs outbound NSG rules
  • [ ] Stateful behavior of NSGs
  • [ ] ASG limitations (same VNet only)
  • [ ] Hub-and-Spoke integration with NSGs/ASGs
  • [ ] NSG Flow Logs usage
  • [ ] Service Tags in NSG rules

Hands-On Practice Tasks

  • [ ] Deploy NSG at subnet level with inbound HTTPS allow rule
  • [ ] Create ASG and assign NICs from multiple VMs
  • [ ] Reference ASG in NSG rule for role-based traffic control
  • [ ] Capture and review NSG Flow Logs in Network Watcher
  • [ ] Use Service Tags in NSG rule for Azure service access

❓ Common Interview Questions

Alright — based on your research and technical content, here’s the full interview preparation set for Azure Network Security Groups (NSGs) and Application Security Groups (ASGs), strictly following your EXACT structure and comprehensive coverage guidelines.

Azure Network Security Group (NSG) & Application Security Group (ASG) – Interview Question Bank

❓ Common Interview Questions

Fundamental Questions

  • What is an Azure Network Security Group (NSG) and its primary purpose?
  • What is an Azure Application Security Group (ASG) and its primary purpose?
  • How do NSGs and ASGs differ in terms of function and scope?
  • At which OSI layers do NSGs operate?
  • How does an Application Security Group simplify security management?
  • What are the main components and rule elements of an NSG?
  • What are service tags in the context of NSGs?
  • When should you use an NSG versus an ASG in Azure?
  • When should you not use an NSG or ASG?
  • What are the key advantages and limitations of NSGs?
  • What are the key advantages and limitations of ASGs?
  • How do NSGs and ASGs interact with Azure’s Virtual Network Service?
  • What is the pricing model for NSGs and ASGs?
  • What are common use cases for NSGs?
  • What are common use cases for ASGs?
  • How do NSGs/ASGs compare to Azure Firewall or NVA appliances?
  • What industries benefit most from NSGs & ASGs?
  • How do they align with zero-trust network segmentation principles?
  • How do NSGs and ASGs fit into hybrid or multi-cloud architectures?
  • How has Microsoft evolved NSG/ASG functionality in recent years?
  • What are common misconceptions about NSGs or ASGs?

Technical Questions

  • How do you associate an NSG with a subnet and NIC?
  • What is the precedence if both subnet-level and NIC-level NSGs are applied?
  • How do NSG rules get evaluated in terms of priority?
  • What are the default inbound and outbound rules in an NSG?
  • How does stateful traffic filtering work in NSGs?
  • How do you implement inbound and outbound rules in an NSG?
  • What Azure CLI or PowerShell commands can create and manage NSGs?
  • What is the role of ASGs in reducing IP dependency in NSG rules?
  • How do you create and associate an ASG to a NIC?
  • Can an ASG span multiple VNets or regions? Why or why not?
  • How do NSGs leverage Azure service tags?
  • How do NSGs integrate with Azure Network Watcher?
  • How do you capture traffic logs from an NSG?
  • What security features exist in NSGs to prevent misconfiguration?
  • How do NSGs integrate with Microsoft Defender for Cloud?
  • How do you troubleshoot blocked traffic in an NSG/ASG setup?
  • How do you handle NSG scaling in large enterprise deployments?
  • How do NSGs participate in high-availability workloads?
  • How can you automate NSG/ASG deployment (ARM templates, Terraform, etc.)?
  • How can you optimize rule management for large-scale environments?
  • How do NSGs interact with Azure Load Balancers and Application Gateways?
  • How do NSGs handle traffic in peered VNETs?
  • What is the difference between NSG Flow Logs version 1 and version 2?
  • How do you secure sensitive workloads on Azure using NSGs/ASGs?
  • How do you limit outbound traffic from VMs using NSGs?
  • How would you enforce compliance policies on NSGs using Azure Policy?
  • What encryption and data protection options are available?
  • What are known platform limitations for NSGs and ASGs?
  • What are the Azure subscription limits for NSGs, ASGs, and their rules?

Scenario-Based Questions

  1. Multi-Tier Segregation – Design security rules for a three-tier application (Web, App, DB) using NSGs and ASGs to ensure only minimal required communication.
  2. Cost Optimization – You need to secure 200 VMs that autoscale in/out daily. How would you design using ASGs to avoid frequent IP updates?
  3. Latency Troubleshooting – Users are facing latency accessing an application hosted behind multiple NSGs. Walk me through your troubleshooting process.
  4. On-Prem Migration – Migrate a legacy on-prem application to Azure, replacing physical firewalls with NSG/ASG equivalents.
  5. High Availability – Build multi-region high availability for a web application using NSGs to restrict cross-region access patterns.
  6. Disaster Recovery – Implement DR strategy ensuring security policies replicate consistently across DR regions.
  7. Sensitive Workloads – Secure a set of financial applications from both internal and external threats using NSGs, ASGs, and other Azure controls.
  8. Compliance Enforcement – How would you enforce PCI-DSS or HIPAA compliance requirements via NSGs and ASGs in Azure?
  9. Traffic Spike Handling – Prepare NSG/ASG policies for sudden high inbound traffic from known sources while blocking others.
  10. Multi-Tenant Setup – Design logical VM grouping for 10 different customers using ASGs to simplify security while ensuring tenant isolation.
  11. Hybrid Cloud Security – Integrate NSG/ASG with site-to-site VPNs for secure communication between Azure and on-prem systems.
  12. Consistency Across VNets – Maintain identical NSG/ASG rules across separate environments (dev/test/prod).
  13. Mission-Critical Monitoring – Integrate NSGs with Azure Monitor to track allowed/denied traffic for a regulated application.
  14. Global Rollout – Deploy consistent NSG/ASG policies for an application rollout in 5 Azure regions.
  15. Region Outage Recovery – Update NSG/ASG rules rapidly when failing over from one region to another.
  16. Version Upgrade – When Azure announces NSG API changes, plan version migration without downtime.
  17. CI/CD Integration – Automate NSG and ASG deployments as part of IaC pipelines.
  18. Business Justification – Present ROI analysis for transitioning from manual IP-based NSG rules to ASG-based policies.
  19. POC Deployment – Build a Proof of Concept to show NSG/ASG benefits to stakeholders.
  20. SLA Violation Response – What steps would you take if NSG-protected workloads do not meet agreed latency SLAs?

📝 Interview Preparation Checklist

Quick Recap with Key Questions

Core Service Knowledge

  • What is an NSG?
  • What is an ASG?
  • What are the primary use cases for each?
  • What are the key differentiators between them?
  • Advantages and limitations of each?
  • What is the pricing model?

Technical Essentials

  • Main components of NSGs.
  • Performance limitations and subscription limits.
  • How NSG rule evaluation works.
  • Security features and stateful behavior.
  • Compliance standards supported.

Integration & Architecture

  • Common Azure services that integrate with NSGs/ASGs.
  • Common architectural patterns for workload segmentation.
  • When to use NSG vs ASG vs Azure Firewall.
  • HA & DR strategies with NSGs and ASGs.

Architecture Scenarios Practice

Scenario 1: Multi-Tier Application Segmentation

  • Business Problem: Isolate tiers while allowing only necessary communications.
  • Architecture: NSG per subnet + ASGs per tier.
  • Trade-Offs: Complexity vs maintainability.

Scenario 2: Autoscaling Web Farm

  • Business Problem: Frequent IP changes due to scale sets.
  • Implementation: Use ASGs for rule stability.
  • Risks: Over-permissive grouping.

Scenario 3: Regulated Financial App

  • Challenge: Meet strict compliance (PCI-DSS).
  • Design: NSG + Azure Policy integration.
  • Operational Practices: Continuous monitoring.

Scenario 4: DR Region Replication

  • Problem: Mirror NSG/ASG rules to DR site.
  • Approach: ARM template deployment.
  • Risks: Drift between environments.

Scenario 5: Hybrid VPN Security

  • Problem: Secure hybrid connectivity with NSGs.
  • Implementation: Tight outbound/inbound IP restrictions.
  • Mitigation: Test failover scenarios.

Scenario 6: Secure Management Access

  • Problem: Restrict RDP/SSH to specific admin IPs.
  • Solution: Inbound NSG with allow rules for known IPs only.
  • Trade-Off: Operational overhead.

Scenario 7: Global Policy Enforcement

  • Problem: Standardize network security globally.
  • Implementation: Azure Policy to govern NSGs.
  • Risk: Policy conflicts with legacy workloads.

Scenario 8: App Gateway + NSG Integration

  • Problem: Protect backend pools behind Application Gateway.
  • Implementation: NSG with allow rules only from gateway's IP.
  • Risks: Gateway IP change.

Scenario 9: Logging and Analytics

  • Problem: Capture and analyze traffic data.
  • Approach: NSG Flow Logs + Network Watcher.
  • Risks: Excessive log costs.

Scenario 10: Peered VNets Security

  • Problem: Limit traffic between peered VNets.
  • Approach: NSGs on peered VNet subnets.
  • Risks: Unintended app breakage.

Must-Know Topics Checklist

  • [ ] NSG concepts and rule structure.
  • [ ] ASG concepts and how they integrate with NSGs.
  • [ ] Primary NSG/ASG use cases.
  • [ ] Pricing and cost considerations.
  • [ ] Security best practices for NSGs/ASGs.
  • [ ] Compliance/governance integration.
  • [ ] Scaling and subscription limits.
  • [ ] Monitoring & troubleshooting processes.
  • [ ] High availability and DR design with NSGs/ASGs.
  • [ ] Integration with Azure Policy, Firewall, Load Balancer.
  • [ ] Cost and rule optimization strategies.
  • [ ] Migration from IP-based rules to ASG-based policy.

If you want, I can also prepare a companion “Deep-Dive Scenario Solutions Guide” with technical answer walkthroughs to these 20 scenarios for advanced interview readiness.

Do you want me to prepare that next?