-by Eyal Estrin, Cloud Architect, Inter-University Computation Center (IUCC)

The fundamental Cloud Security concepts were covered in documents 1-6 and can be found here. This document addresses another important aspect of cloud security – the network. As network security is specific to each cloud service provider, this document concentrates on Microsoft Azure and provides an overview of some of the key security services and resources it provides to cloud architects.

The network infrastructure in Microsoft Azure contains the following components:

  • Azure Virtual Network (VNet) – A logically isolated section of the Azure cloud in which a specific customer can launch resources.
  • Subnet – A segment of a VNet’s IP address range where you can place groups of isolated resources.
  • Network Security Group (NSG) – A virtual firewall for an instance to control inbound and outbound traffic. NSGs can be applied to individual VMs, subnets, or both.
  • Azure Virtual Network Service Endpoints – These endpoints allow you to restrict access to your critical Azure service resources to only your virtual networks (examples of such services: Azure Storage, Azure SQL Database, Azure Key Vault, etc.).
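
The following is an added example, not part of the original document and not Azure code: a simplified Python model of how inbound traffic is filtered when NSGs are applied at the subnet, at the VM's network interface, or both. Rules are evaluated in priority order (lowest number first) and the first match decides. The names `Rule`, `evaluate` and `inbound_allowed`, the VNet range 10.0.0.0/16 and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int  # lower number is evaluated first
    name: str
    source: str    # CIDR prefix, or "*" for any source
    port: str      # "443", "8000-8080", or "*" for any port
    access: str    # "Allow" or "Deny"

# Simplified default inbound rules: the VNet is assumed to be 10.0.0.0/16,
# and the load balancer default rule is left out of this model.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "10.0.0.0/16", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

def _matches(rule, src_ip, dst_port):
    if rule.source != "*" and ip_address(src_ip) not in ip_network(rule.source):
        return False
    if rule.port == "*":
        return True
    lo, _, hi = rule.port.partition("-")
    return int(lo) <= dst_port <= int(hi or lo)

def evaluate(nsg_rules, src_ip, dst_port):
    """First matching rule in priority order decides; return (access, rule name)."""
    for rule in sorted(nsg_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, src_ip, dst_port):
            return rule.access, rule.name
    return "Deny", "no-match"  # unreachable while DenyAllInBound is present

def inbound_allowed(subnet_nsg, nic_nsg, src_ip, dst_port):
    """Inbound: subnet NSG first, then NIC NSG; a Deny at either level drops it."""
    trace = []
    for level, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if nsg is None:  # no NSG associated at this level
            continue
        access, name = evaluate(nsg, src_ip, dst_port)
        trace.append(f"{level}:{name}")
        if access == "Deny":
            return False, trace
    return True, trace

# Constructed sample rule sets
SUBNET_NSG = [Rule(100, "AllowHttpsAny", "*", "443", "Allow"),
              Rule(110, "AllowSshFromAdmin", "203.0.113.0/24", "22", "Allow")]
NIC_NSG = [Rule(100, "AllowHttpsAny", "*", "443", "Allow"),
           Rule(200, "DenySshAll", "*", "22", "Deny")]
```

With these sample rules, SSH from the admin range passes the subnet NSG but is still dropped at the network interface, while traffic from another address inside the VNet is allowed by the default rule unless an explicit lower-numbered Deny is added.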


Instructions for creating an Azure Network Security Group (NSG)


Best practices for Azure NSG:



AWS vs Azure: AWS Security Groups and Microsoft Azure Network Security Groups


Azure security best practices and patterns:


Azure Network Security Best Practices:


Azure Security Best practices: