Azure Network Security Groups: Network Micro-Segmentation for Berlin Small Businesses

Azure Network Security Groups (NSGs) are the foundational layer of network access control in Azure, allowing you to permit or deny inbound and outbound traffic to subnets and individual virtual machines using rules based on source and destination IP address, port, and protocol. For Berlin small businesses running workloads in Azure, NSGs provide micro-segmentation that prevents lateral movement between VMs even within the same virtual network — a critical containment capability that limits the blast radius of any breach. NSGs are included at no additional cost with every Azure subscription.

How NSG Rules Work

Each NSG contains a set of inbound and outbound security rules evaluated in priority order (lower number = higher priority). Each rule specifies source, destination, port range, protocol (TCP/UDP/ICMP/Any), and action (Allow/Deny). Azure includes a set of default rules that permit VNet-to-VNet traffic and Azure load balancer probes while denying all inbound internet traffic by default. Custom rules override defaults when their priority is lower. NSGs can be associated with subnets (applying to all VMs in the subnet) and individual network interfaces (applying to a single VM), with both applying when associated — the effective rules are the union evaluated by priority.

A well-designed NSG architecture for Berlin SMBs typically places application tiers in separate subnets with NSGs enforcing the allowed communication paths: web tier receives inbound HTTPS from the internet; application tier receives only from the web tier subnet; database tier receives only from the application tier subnet. This tiered segmentation prevents a compromise of the web server from directly reaching the database.

Application Security Groups for Simplified Management

Application Security Groups (ASGs) allow you to tag VMs with logical labels (e.g., “WebServers”, “DatabaseServers”) and write NSG rules that reference these labels rather than specific IP addresses. This approach scales cleanly as you add or remove VMs — the ASG membership updates automatically without requiring NSG rule changes. For organizations deploying multiple application environments in Azure, ASGs dramatically reduce the administrative overhead of maintaining IP-based NSG rules as infrastructure changes.
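To make the rule evaluation, the tiered design and the ASG labels concrete, here is an added example (not code from the original article, and not the Azure API) that models how inbound NSG rules are matched in priority order. The VNet range 10.0.0.0/16, the VM addresses, the ASG membership and the rule names are all hypothetical; the `Internet` tag is approximated as "anything outside RFC 1918". The Azure load balancer probe address 168.63.129.16 and the default rule priorities 65000/65001 are real.

```python
"""Toy model of Azure NSG inbound rule evaluation with ASG-style labels.

Constructed example: it models priority ordering, first-match semantics and
label-based source/destination on a hypothetical 10.0.0.0/16 VNet. It does
not talk to Azure.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")   # hypothetical VNet address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical ASG membership: label -> private addresses of the member VMs.
ASG = {
    "WebServers": {"10.0.1.4", "10.0.1.5"},
    "AppServers": {"10.0.2.4"},
    "DatabaseServers": {"10.0.3.4"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100-4096, defaults 65000+; lower number wins
    source: str        # CIDR, "Internet", "VirtualNetwork", "*" or an ASG label
    destination: str   # same forms
    ports: str         # "443", "1000-2000" or "*"
    protocol: str      # "Tcp", "Udp" or "*"
    action: str        # "Allow" or "Deny"

def matches_address(spec, ip):
    """True if `ip` falls inside a rule's source/destination specification."""
    if spec == "*":
        return True
    if spec in ASG:
        return ip in ASG[spec]          # label resolves to current membership
    addr = ipaddress.ip_address(ip)
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return not any(addr in n for n in RFC1918)   # simplification of the Internet tag
    return addr in ipaddress.ip_network(spec, strict=False)

def matches_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (action, rule name) of the first match in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and matches_port(r.ports, dst_port)
                and matches_address(r.source, src_ip)
                and matches_address(r.destination, dst_ip)):
            return r.action, r.name
    return "Deny", "DenyAllInBound"     # the platform's final default rule

DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "168.63.129.16/32", "*", "*", "*", "Allow"),
]

# Tiered design: internet -> web (443), web -> app (8080), app -> db (1433).
TIERED_INBOUND = [
    Rule("AllowHttpsFromInternet", 100, "Internet", "WebServers", "443", "Tcp", "Allow"),
    Rule("AllowAppFromWeb", 110, "WebServers", "AppServers", "8080", "Tcp", "Allow"),
    Rule("AllowSqlFromApp", 120, "AppServers", "DatabaseServers", "1433", "Tcp", "Allow"),
    # Without this explicit deny, AllowVnetInBound (65000) would let the web tier reach SQL.
    Rule("DenyAllOtherInbound", 4000, "*", "*", "*", "*", "Deny"),
] + DEFAULT_INBOUND

def check_paths(rules):
    """Evaluate the communication paths the tiered design is meant to enforce."""
    cases = {
        "internet->web:443": ("203.0.113.7", "10.0.1.4", 443),
        "internet->web:22": ("203.0.113.7", "10.0.1.4", 22),
        "web->app:8080": ("10.0.1.5", "10.0.2.4", 8080),
        "web->db:1433": ("10.0.1.4", "10.0.3.4", 1433),
        "app->db:1433": ("10.0.2.4", "10.0.3.4", 1433),
    }
    return {name: evaluate(rules, *args) for name, args in cases.items()}

if __name__ == "__main__":
    for path, (action, rule) in check_paths(TIERED_INBOUND).items():
        print(f"{path:20} {action:5} via {rule}")
    without_deny = [r for r in TIERED_INBOUND if r.name != "DenyAllOtherInbound"]
    print("web->db without explicit deny:", evaluate(without_deny, "10.0.1.4", "10.0.3.4", 1433))
```

The point the model makes visible is the one the article's default-rule sentence implies: because the platform's `AllowVnetInBound` default permits all VNet-to-VNet traffic, tier isolation only holds if a custom Deny with a lower priority number sits in front of it. Adding a VM to an ASG changes the `ASG` map, not the rules, which is the management benefit described above.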

NSG Flow Logs and Network Watcher

NSG flow logs record all allowed and denied connection attempts through an NSG to an Azure Storage account or Log Analytics workspace, providing full visibility into network traffic patterns. Flow logs are essential for compliance evidence — demonstrating that network access controls are functioning as intended — and for security investigations, allowing you to determine whether unexpected connections were attempted between systems. Azure Network Watcher’s traffic analytics processes flow logs to surface anomalies, top talkers, and blocked connections in a visual dashboard.
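As an added example of the kind of analysis flow logs enable (not code from the article, and not Network Watcher's own traffic analytics), the script below parses NSG flow log version 2 records and surfaces two things an investigator or auditor asks for: sources that were denied on several distinct ports, and the highest-volume allowed conversations. The embedded log is constructed; the field layout of each `flowTuples` entry (timestamp, source IP, destination IP, source port, destination port, protocol T/U, direction I/O, decision A/D, flow state B/C/E, then packet and byte counters in each direction) follows Microsoft's published version 2 schema, and the rule and MAC values are hypothetical.

```python
"""Parse NSG flow log v2 records and summarise denied probes and top talkers.

Constructed example: SAMPLE_LOG is a hand-built record in the documented
version 2 layout; addresses, rule names and MACs are hypothetical.
"""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str     # "T" (TCP) or "U" (UDP)
    direction: str    # "I" inbound, "O" outbound
    decision: str     # "A" allowed, "D" denied
    bytes_total: int  # both directions; 0 for denied flows and "begin" records

SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-01-15T10:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1705312800,198.51.100.9,10.0.1.4,51234,22,T,I,D,B,,,,",
            "1705312801,198.51.100.9,10.0.1.4,51235,3389,T,I,D,B,,,,",
            "1705312802,198.51.100.9,10.0.1.4,51236,23,T,I,D,B,,,,",
        ]}]},
        {"rule": "UserRule_AllowHttpsFromInternet", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1705312810,203.0.113.7,10.0.1.4,44120,443,T,I,A,E,12,1800,10,52000",
        ]}]},
        {"rule": "UserRule_AllowSqlFromApp", "flows": [{"mac": "000D3A000002", "flowTuples": [
            "1705312820,10.0.2.4,10.0.3.4,50001,1433,T,I,A,E,40,6000,38,9000",
        ]}]},
    ]},
}]})

def parse_flow_log(raw: str):
    """Flatten the nested records -> rule -> NIC -> flowTuples structure."""
    flows = []
    for rec in json.loads(raw)["records"]:
        for rule_block in rec["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    # fields 9-12 are the counters; empty on "B" (begin) and denied tuples
                    bytes_total = sum(int(x) for x in (f[10], f[12]) if x)
                    flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                                      f[5], f[6], f[7], bytes_total))
    return flows

def denied_probers(flows, min_distinct_ports=3):
    """Sources denied inbound on at least N distinct destination ports (a scan pattern)."""
    ports = defaultdict(set)
    for f in flows:
        if f.direction == "I" and f.decision == "D":
            ports[f.src_ip].add(f.dst_port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_distinct_ports}

def top_talkers(flows, n=3):
    """Allowed (src, dst, port) conversations ranked by total bytes."""
    counts = Counter()
    for f in flows:
        if f.decision == "A":
            counts[(f.src_ip, f.dst_ip, f.dst_port)] += f.bytes_total
    return counts.most_common(n)

if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG)
    print("denied probers:", denied_probers(flows))
    for (src, dst, port), nbytes in top_talkers(flows):
        print(f"{src} -> {dst}:{port} {nbytes} bytes")
```

The same parser works on the per-hour JSON blobs the platform writes to the storage account; in a Log Analytics workspace the equivalent questions are one KQL query each, which is what the traffic analytics dashboard is built on.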

Integration with Defender for Cloud and Azure Firewall

Microsoft Defender for Cloud continuously audits NSG configurations and raises recommendations when management ports such as RDP (TCP 3389) or SSH (TCP 22) are exposed to the internet without restriction. Just-in-time VM access in Defender for Cloud dynamically modifies NSG rules to open management ports only when explicitly requested by an authorized administrator, for a limited time window, from a specified IP address — eliminating persistent internet-accessible management port exposure without requiring Azure Bastion. NSGs complement Azure Firewall: NSGs handle intra-VNet segmentation and subnet-level controls, while Azure Firewall handles north-south traffic inspection, FQDN filtering, and threat intelligence-based blocking.
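The following added example (not code from the article and not Defender for Cloud's implementation) models the two behaviours just described: the exposure check that flags SSH/RDP open to the internet, and a just-in-time grant that inserts a short-lived Allow for one source address and disappears when the window closes. Rule names, the administrator address 203.0.113.7 and the timestamps are constructed; the check deliberately ignores shadowing by a higher-priority Deny, which a real audit would have to model.

```python
"""Toy model of Defender for Cloud's exposed-management-port check and JIT access.

Constructed example: rule names, addresses and times are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str
    ports: frozenset                        # destination ports
    action: str
    expires_at: Optional[datetime] = None   # only JIT rules carry an expiry

def exposed_management_ports(rules):
    """Allow rules that open SSH/RDP to any internet source, as (rule, port, service).
    Simplification: a higher-priority Deny that would shadow the Allow is not modelled."""
    findings = []
    for r in sorted(rules, key=lambda r: r.priority):
        if r.action == "Allow" and r.source in INTERNET_SOURCES:
            for port in sorted(r.ports & frozenset(MANAGEMENT_PORTS)):
                findings.append((r.name, port, MANAGEMENT_PORTS[port]))
    return findings

def request_jit_access(rules, port, admin_ip, now, minutes=60):
    """Return the rule set plus a time-bounded Allow for one port from one /32,
    placed at priority 100 so it precedes the standing Deny."""
    if port not in MANAGEMENT_PORTS:
        raise ValueError("JIT is for management ports only")
    if not admin_ip.endswith("/32"):
        raise ValueError("JIT source must be a single address")
    jit = Rule(f"JIT-{MANAGEMENT_PORTS[port]}-{now:%Y%m%d%H%M}", 100, admin_ip,
               frozenset({port}), "Allow", now + timedelta(minutes=minutes))
    return rules + [jit]

def effective_rules(rules, now):
    """Rules in force at `now`; expired JIT rules drop out automatically."""
    return [r for r in rules if r.expires_at is None or r.expires_at > now]

# Constructed baseline: RDP open to the world, the configuration Defender flags.
BASELINE = [
    Rule("AllowRdpFromInternet", 300, "Internet", frozenset({3389}), "Allow"),
    Rule("DenyManagementPorts", 400, "*", frozenset({22, 3389}), "Deny"),
]
# Remediated: the standing Allow is removed; access comes only through JIT.
HARDENED = [r for r in BASELINE if r.name != "AllowRdpFromInternet"]
NOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)

def jit_demo():
    """Rule names in force 30 and 90 minutes after a 60-minute RDP grant,
    plus the exposure findings for the rule set while the grant is active."""
    with_jit = request_jit_access(HARDENED, 3389, "203.0.113.7/32", NOW, minutes=60)
    during = [r.name for r in effective_rules(with_jit, NOW + timedelta(minutes=30))]
    after = [r.name for r in effective_rules(with_jit, NOW + timedelta(minutes=90))]
    return during, after, exposed_management_ports(with_jit)

if __name__ == "__main__":
    print("baseline findings:", exposed_management_ports(BASELINE))
    print("hardened findings:", exposed_management_ports(HARDENED))
    during, after, findings = jit_demo()
    print("in force during window:", during)
    print("in force after window:", after)
    print("findings with JIT active:", findings)
```

Two design points carry over to the real service: the JIT rule is scoped to a single source address and a single port, so it never trips the exposure check even while open, and expiry is enforced by the platform rather than by an administrator remembering to close the port.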

Need to implement proper network segmentation for your Azure workloads in Berlin? IT Experts Berlin designs NSG architectures that enforce least-privilege communication paths, enables flow logs for audit evidence, and integrates NSG management with Defender for Cloud recommendations.
