virtual-network-manage-nsg-arm-scenario-include.md

File metadata and controls

18 lines (12 loc) · 1.48 KB

Sample Scenario

To better illustrate how to manage NSGs, this article uses the scenario below.

VNet scenario

In this scenario you will create an NSG for each subnet in the TestVNet virtual network, as described below:

  • NSG-FrontEnd. The front end NSG will be applied to the FrontEnd subnet, and contain two rules:
    • rdp-rule. This rule will allow RDP traffic to the FrontEnd subnet.
    • web-rule. This rule will allow HTTP traffic to the FrontEnd subnet.
  • NSG-BackEnd. The back end NSG will be applied to the BackEnd subnet, and contain two rules:
    • sql-rule. This rule allows SQL traffic only from the FrontEnd subnet.
    • web-rule. This rule denies all Internet-bound traffic from the BackEnd subnet.

The combination of these rules creates a DMZ-like scenario, where the back end subnet can only receive incoming SQL traffic from the front end subnet and has no access to the Internet, while the front end subnet can communicate with the Internet and receive incoming HTTP requests only.
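
To see which rule decides a given flow once Azure's built-in default rules are taken into account, the scenario can be modelled with a small first-match evaluator. This is an added example, not part of the original article or the linked template; the address ranges, ports (3389, 80, 1433), priorities and source prefixes are assumptions, since the page does not state them.

```python
# Added example: a minimal first-match NSG evaluator for the scenario above.
# Address ranges, ports, priorities and source prefixes are assumptions.
from ipaddress import ip_address, ip_network

VNET = ip_network("192.168.0.0/16")      # assumed TestVNet address space
FRONT = ip_network("192.168.1.0/24")     # assumed FrontEnd subnet
BACK = ip_network("192.168.2.0/24")      # assumed BackEnd subnet

def in_prefix(addr, prefix):
    """Match an address against '*', a service tag, or a CIDR network."""
    ip = ip_address(addr)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":             # simplified: anything outside the VNet
        return ip not in VNET
    return ip in prefix

# Azure's built-in default rules (the load balancer probe rule is omitted here).
DEFAULT_IN = [(65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow", "AllowVNetInBound"),
              (65500, "*", "*", "*", "Deny", "DenyAllInBound")]
DEFAULT_OUT = [(65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow", "AllowVnetOutBound"),
               (65001, "*", "Internet", "*", "Allow", "AllowInternetOutBound"),
               (65500, "*", "*", "*", "Deny", "DenyAllOutBound")]

# Scenario rules: (priority, source, destination, destination port, access, name)
NSG = {
    ("NSG-FrontEnd", "in"): [(100, "Internet", "*", 3389, "Allow", "rdp-rule"),
                             (101, "Internet", "*", 80, "Allow", "web-rule")] + DEFAULT_IN,
    ("NSG-BackEnd", "in"): [(100, FRONT, "*", 1433, "Allow", "sql-rule")] + DEFAULT_IN,
    ("NSG-BackEnd", "out"): [(100, "*", "Internet", "*", "Deny", "web-rule")] + DEFAULT_OUT,
}

def evaluate(nsg, direction, src, dst, port):
    """Return (access, rule name) for the first match in ascending priority order."""
    for prio, s, d, p, access, name in sorted(NSG[(nsg, direction)], key=lambda r: r[0]):
        if in_prefix(src, s) and in_prefix(dst, d) and p in ("*", port):
            return access, name
    return "Deny", None

if __name__ == "__main__":
    # Constructed sample flows: (NSG, direction, source, destination, port)
    for flow in [("NSG-FrontEnd", "in", "203.0.113.10", "192.168.1.4", 80),
                 ("NSG-BackEnd", "in", "192.168.1.4", "192.168.2.4", 1433),
                 ("NSG-BackEnd", "in", "192.168.1.4", "192.168.2.4", 22),
                 ("NSG-BackEnd", "out", "192.168.2.4", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(*flow))
```

In this model the FrontEnd-to-BackEnd flow on port 22 is decided by the default AllowVNetInBound rule rather than by any of the four custom rules, so reviewing an NSG means reading the defaults alongside the rules you add.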

To deploy the scenario described above, follow this link, click Deploy to Azure, replace the default parameter values if necessary, and follow the instructions in the portal. In the sample instructions below, the template was used to deploy a resource group named RG-NSG.