
Why network isolation matters in Azure - Why It Works

Introduction
Network isolation keeps parts of your cloud environment separated so that only the traffic you intend can flow between them. It limits unwanted access and keeps your data and applications away from outside threats. Typical situations:
When you want to keep your database hidden from the internet but reachable from your app servers.
When you run multiple apps in the same cloud and want to stop them from talking to each other.
When you need to control which users or services can reach certain parts of your cloud network.
When you want to limit the damage if one part of your system is compromised.
When you must meet security requirements that mandate separating sensitive data.
Config File - azure-network-isolation.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2021-05-01",
      "name": "myVNet",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', 'dbNSG')]"
      ],
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.0.0.0/16"
          ]
        },
        "subnets": [
          {
            "name": "appSubnet",
            "properties": {
              "addressPrefix": "10.0.1.0/24"
            }
          },
          {
            "name": "dbSubnet",
            "properties": {
              "addressPrefix": "10.0.2.0/24",
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'dbNSG')]"
              }
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2021-05-01",
      "name": "dbNSG",
      "location": "eastus",
      "properties": {
        "securityRules": [
          {
            "name": "AllowAppSubnet",
            "properties": {
              "priority": 100,
              "protocol": "Tcp",
              "access": "Allow",
              "direction": "Inbound",
              "sourceAddressPrefix": "10.0.1.0/24",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "10.0.2.0/24",
              "destinationPortRange": "1433"
            }
          },
          {
            "name": "DenyInternet",
            "properties": {
              "priority": 200,
              "protocol": "Tcp",
              "access": "Deny",
              "direction": "Inbound",
              "sourceAddressPrefix": "Internet",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "10.0.2.0/24",
              "destinationPortRange": "*"
            }
          }
        ]
      }
    }
  ]
}

This template creates a virtual network (10.0.0.0/16) with two subnets: appSubnet (10.0.1.0/24) for application servers and dbSubnet (10.0.2.0/24) for databases. The virtual network declares a dependsOn entry for the NSG so that ARM creates the NSG first; a resourceId() reference alone does not order the deployment, and without it the subnet can fail to deploy because the NSG does not exist yet.

The database subnet has a Network Security Group (NSG) attached. Its first rule (priority 100) allows inbound TCP from the app subnet to port 1433, the default SQL Server port; its second rule (priority 200) explicitly denies inbound TCP from the Internet service tag. Rules are evaluated from the lowest priority number upwards and the first match wins.

Note what this NSG does not do. Azure appends three default inbound rules to every NSG: AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500). Internet traffic would already be dropped by DenyAllInBound, so the explicit DenyInternet rule is defense in depth, and because it is TCP-only it relies on that default rule for UDP and ICMP. More importantly, AllowVnetInBound still admits any traffic whose source is inside the virtual network: with this template the app subnet can reach the database subnet on every port, and any other subnet in the VNet can reach it at all. To restrict the database subnet to exactly "app subnet, port 1433", add a Deny rule with source VirtualNetwork, protocol *, and a priority number higher than 100 (so the allow still wins) but lower than 65000.
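The rule evaluation described above, as an added example that is not part of the original page: a small offline evaluator that applies the dbNSG rules from the template together with Azure's default inbound rules, first-match by priority, to a few constructed flows. It shows that the template as written still admits VNet traffic to the database subnet, and that one hypothetical extra Deny rule (DenyVNetInBound, priority 4000, also an assumption) closes the gap. Service tags are approximated: VirtualNetwork is treated as the 10.0.0.0/16 address space and Internet as everything outside it, whereas the real tags also cover peered networks, on-premises ranges and other platform addresses.

```python
"""Offline evaluation of the inbound NSG rules from the ARM template above.

Added example, not part of the original page. Mimics how Azure picks the
lowest-numbered matching rule, including the platform default inbound rules
(AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound
65500). Service tags are approximated: "VirtualNetwork" is the VNet address
space 10.0.0.0/16 and "Internet" is everything outside it.
"""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB = ipaddress.ip_network("168.63.129.16/32")

# Rules copied from dbNSG in the template (inbound only).
PAGE_RULES = [
    {"name": "AllowAppSubnet", "priority": 100, "protocol": "Tcp", "access": "Allow",
     "sourceAddressPrefix": "10.0.1.0/24", "destinationAddressPrefix": "10.0.2.0/24",
     "destinationPortRange": "1433"},
    {"name": "DenyInternet", "priority": 200, "protocol": "Tcp", "access": "Deny",
     "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "10.0.2.0/24",
     "destinationPortRange": "*"},
]

# Hypothetical extra rule (assumption, not in the template) that denies the
# rest of the VNet at a priority number below the 65000 default allow. Add it
# to "securityRules" of dbNSG to get "app subnet on 1433 only".
DENY_REST_OF_VNET = {"name": "DenyVNetInBound", "priority": 4000, "protocol": "*",
                     "access": "Deny", "sourceAddressPrefix": "VirtualNetwork",
                     "destinationAddressPrefix": "*", "destinationPortRange": "*"}
HARDENED_RULES = PAGE_RULES + [DENY_REST_OF_VNET]

# Azure's built-in inbound default rules, evaluated after every custom rule.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "protocol": "*", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "protocol": "*",
     "access": "Allow", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "protocol": "*", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"},
]


def addr_matches(prefix, ip):
    """Match a CIDR prefix or an (approximated) service tag against an IP."""
    ip = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":
        return ip not in VNET and ip not in AZURE_LB
    if prefix == "AzureLoadBalancer":
        return ip in AZURE_LB
    return ip in ipaddress.ip_network(prefix, strict=False)


def port_matches(port_range, port):
    """Match "*", a single port, or a "lo-hi" range."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src_ip, dst_ip, protocol, dst_port):
    """Return (access, rule name) of the first matching rule by priority."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if (rule["protocol"] in ("*", protocol)
                and addr_matches(rule["sourceAddressPrefix"], src_ip)
                and addr_matches(rule["destinationAddressPrefix"], dst_ip)
                and port_matches(rule["destinationPortRange"], dst_port)):
            return rule["access"], rule["name"]
    raise AssertionError("DenyAllInBound should always match")


if __name__ == "__main__":
    db = "10.0.2.10"                        # constructed: a VM in dbSubnet
    flows = [("10.0.1.5", "Tcp", 1433),     # app server to SQL: intended
             ("10.0.1.5", "Tcp", 22),       # app server to SSH: not intended
             ("10.0.3.7", "Tcp", 1433),     # a third subnet: not intended
             ("203.0.113.9", "Tcp", 1433),  # internet
             ("203.0.113.9", "Udp", 53)]    # internet, non-TCP
    for label, rules in (("page template", PAGE_RULES), ("hardened", HARDENED_RULES)):
        print(label)
        for src, proto, port in flows:
            verdict = evaluate(rules, src, db, proto, port)
            print(f"  {src:>12} -> {db}:{port}/{proto}: {verdict}")
```

Running it prints, for the page's rule set, Allow via AllowVnetInBound for both the SSH flow from the app subnet and the SQL flow from the third subnet; with the extra rule both become Deny via DenyVNetInBound while the intended 1433 flow is still allowed at priority 100. The UDP flow from the internet is denied only by DenyAllInBound, which is why the Tcp-only DenyInternet rule should not be thought of as the thing doing the blocking.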

Commands
This command deploys the network isolation setup to the Azure resource group named example-rg using the template file.
Terminal
az deployment group create --resource-group example-rg --template-file azure-network-isolation.json
Expected Output
{ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-rg/providers/Microsoft.Resources/deployments/azure-network-isolation", "name": "azure-network-isolation", "properties": { "provisioningState": "Succeeded", "outputs": {} } }
--resource-group - Specifies the Azure resource group to deploy to
--template-file - Specifies the ARM template file to use for deployment
This command checks the details of the database subnet to confirm the NSG is attached and settings are correct.
Terminal
az network vnet subnet show --resource-group example-rg --vnet-name myVNet --name dbSubnet
Expected Output
{ "addressPrefix": "10.0.2.0/24", "delegations": [], "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/dbSubnet", "name": "dbSubnet", "networkSecurityGroup": { "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example-rg/providers/Microsoft.Network/networkSecurityGroups/dbNSG" }, "provisioningState": "Succeeded" }
--resource-group - Specifies the resource group where the subnet exists
--vnet-name - Specifies the virtual network name
--name - Specifies the subnet name to show
This command lists the rules in the Network Security Group to verify the allow and deny rules are in place.
Terminal
az network nsg rule list --resource-group example-rg --nsg-name dbNSG
Expected Output
[ { "name": "AllowAppSubnet", "priority": 100, "access": "Allow", "direction": "Inbound", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationAddressPrefix": "10.0.2.0/24", "destinationPortRange": "1433" }, { "name": "DenyInternet", "priority": 200, "access": "Deny", "direction": "Inbound", "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "10.0.2.0/24", "destinationPortRange": "*" } ]
--resource-group - Specifies the resource group of the NSG
--nsg-name - Specifies the NSG to list rules from
Key Concept

If you remember nothing else from this pattern, remember: network isolation keeps sensitive parts of your cloud safe by controlling who can talk to them.

Common Mistakes
Not attaching the Network Security Group to the subnet
Without attaching the NSG, the isolation rules do not apply and the subnet remains open.
Always link the NSG to the subnet in your network setup to enforce isolation.
Allowing internet traffic to sensitive subnets
This exposes your sensitive resources to attacks from outside your cloud environment.
Keep an explicit Deny rule for the Internet tag on sensitive subnets. The default DenyAllInBound rule (priority 65500) would block that traffic too, but a low-numbered explicit deny still protects you when someone later adds an Allow rule with a higher priority number.
Using overly broad source address prefixes in NSG rules
A source of * or VirtualNetwork admits far more than the one subnet you meant, and the default AllowVnetInBound rule (priority 65000) does the same for the whole VNet unless a lower-numbered Deny rule overrides it.
Use specific IP ranges or subnet prefixes in Allow rules, and add a Deny rule for the remaining VNet traffic when a subnet must be reachable from only one peer.
Summary
Deploy a virtual network with separate subnets for apps and databases.
Attach a Network Security Group to the database subnet that allows the app subnet on port 1433 and explicitly blocks internet access; add a Deny rule for the rest of the VNet if other subnets must not reach the database.
Use Azure CLI commands to deploy the setup and verify the subnet and NSG rules.