Azure NSGs and Route Tables for Traffic Control
You will filter traffic with Network Security Groups and steer it with user-defined routes (UDRs), including forcing traffic through a firewall appliance. By the end you will control both what is allowed and the path packets take.
Learning Objectives
- Write priority-ordered NSG rules for least privilege.
- Create a UDR that overrides default system routes.
- Inspect effective rules and routes on a NIC.
- Time: ~3 hours · Difficulty: Intermediate · Prereqs: a VNet with VMs.
Architecture Overview
graph LR
Net((Internet)) -->|NSG allow 443| Web[web subnet]
Web -->|UDR next hop| FW[Firewall appliance]
FW --> App[app subnet]
Environment Setup
You will need: a VNet with at least two subnets and the Azure CLI.
Before you begin: NSG rules are evaluated by priority, lowest number first.
Step-by-Step Execution
01
Create an NSG allow rule
az network nsg create -n web-nsg && az network nsg rule create --nsg-name web-nsg -n allow-https --priority 100 --destination-port-ranges 443 --access Allow --protocol Tcp02
Create a UDR forcing traffic via a firewall
A user-defined route overrides Azure's default routing so traffic must pass your inspection point.
az network route-table create -n rt-app && az network route-table route create --route-table-name rt-app -n to-fw --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address 10.0.3.403
Inspect effective rules and routes
$ az network nic show-effective-route-table -n web01VMNic -o table
Source AddressPrefix NextHopType NextHopIp
User 0.0.0.0/0 VirtualAppliance 10.0.3.4
Progress So Far
graph LR
A[01 NSG rule] -->|done| B[02 UDR]
B -->|done| C[03 Effective routes]
style A fill:#1a4a1a,stroke:#00ff00,color:#fff
style B fill:#1a4a1a,stroke:#00ff00,color:#fff
style C fill:#1a4a1a,stroke:#00ff00,color:#fff
Testing & Validation
az network nic show-effective-route-table -n web01VMNic --query "value[?nextHopType=='VirtualAppliance']"You should see the appliance as the next hop for 0.0.0.0/0, confirming traffic is forced through your firewall. NSG denies should appear in flow logs.
Troubleshooting
- Rule has no effect: a lower-priority number wins; reorder so the intended rule precedes broad denies.
- UDR ignored: associate the route table with the subnet, not just create it.
- Appliance drops traffic: enable IP forwarding on the appliance NIC.
Extension Ideas
- Compare cloud NSGs with the cross-cloud view in Network Security Groups.
- Audit rules with CSPM.
- Codify NSGs/UDRs with IaC.
Key Results
- Enforced least-privilege inbound rules via NSG priorities.
- Forced all egress through a firewall appliance with a UDR.
- Verified the effective route table on the VM NIC.
- Combined filtering and routing for defense in depth.