Networking in Azure (VNet, NSG, Private Link, Bastion)

Networking in Azure means the Virtual Network (VNet) — an isolated address space in which your resources live. Understanding VNets, segmentation and private access is critical for security — and these are exactly the configurations ZEUS checks for exposure.

VNet and subnets

A VNet has an address range (e.g. 10.0.0.0/16) divided into subnets. Resources in the same VNet communicate privately; different VNets are connected via peering.

# Create a VNet with a subnet
az network vnet create \
  --resource-group rg-zeus-net \
  --name vnet-zeus-weu \
  --address-prefix 10.0.0.0/16 \
  --subnet-name snet-app \
  --subnet-prefix 10.0.1.0/24

NSG — a firewall at the subnet/NIC level

A Network Security Group is a set of rules that filter traffic (the 5-tuple: source, destination, port, protocol, direction). Rules have priorities; the first match wins.

Priority  Name                      Source    Port  Action
100       Allow-HTTPS-In            Internet  443   Allow
4096      DenyAllInbound (default)  *         *     Deny

# Rule: allow HTTPS from the internet
az network nsg rule create \
  --resource-group rg-zeus-net --nsg-name nsg-app \
  --name Allow-HTTPS --priority 100 \
  --access Allow --protocol Tcp --direction Inbound \
  --destination-port-ranges 443 --source-address-prefixes Internet

Tip: the most common misconfiguration ZEUS catches is an NSG rule with source = Internet (*) on port 22 (SSH) or 3389 (RDP). Never expose management directly to the internet.
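To make the first-match semantics concrete, here is an added Python example (not part of this lesson and not ZEUS code) that evaluates an NSG's inbound rules in priority order and reports whether SSH or RDP is reachable from the internet. The rule set is constructed: the two rules from the table above plus a deliberately careless allow rule and a narrower deny that outranks it.

```python
from dataclasses import dataclass

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # "any public address"

@dataclass(frozen=True)
class Rule:
    priority: int        # user rules 100..4096; lowest number is evaluated first
    name: str
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    sources: tuple       # source address prefixes or service tags
    dest_ports: tuple    # "443", "1000-2000" or "*"

def port_in_ranges(port, ranges):
    for r in ranges:
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def first_match(rules, port, protocol="Tcp"):
    """Azure semantics: walk rules by ascending priority, first match wins.
    The simulated packet comes from an arbitrary public address, so only a
    rule whose source covers the whole internet can match it; a rule scoped
    to one prefix (e.g. an office range) is skipped."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and port_in_ranges(port, rule.dest_ports)
                and any(s in INTERNET_SOURCES for s in rule.sources)):
            return rule
    return None

def exposed_management_ports(rules):
    """[(port, service, rule name)] for SSH/RDP whose first match is an Allow."""
    findings = []
    for port, service in MANAGEMENT_PORTS.items():
        hit = first_match(rules, port)
        if hit is not None and hit.access == "Allow":
            findings.append((port, service, hit.name))
    return findings

# Constructed sample: the lesson's two rules, a careless allow-anything rule,
# and a narrower SSH deny that outranks it because its priority number is lower.
SAMPLE_RULES = [
    Rule(100, "Allow-HTTPS-In", "Allow", "Tcp", ("Internet",), ("443",)),
    Rule(300, "Allow-Mgmt-Any", "Allow", "Tcp", ("*",), ("22", "3389")),
    Rule(200, "Deny-SSH-Public", "Deny", "Tcp", ("Internet",), ("22",)),
    Rule(4096, "DenyAllInbound", "Deny", "*", ("*",), ("*",)),
]
```

Running `exposed_management_ports(SAMPLE_RULES)` reports only RDP: the deny at priority 200 shadows the allow at 300 for SSH, while 3389 falls through to the allow-anything rule.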

Private Link and Private Endpoints

PaaS services (Azure SQL, Storage, Key Vault) have a public endpoint by default. A Private Endpoint gives them a private IP address inside your VNet — traffic never leaves Microsoft's network and does not traverse the internet. This is the foundation of zero-trust architecture for PaaS.

az network private-endpoint create \
  --resource-group rg-zeus-net --name pe-sql \
  --vnet-name vnet-zeus-weu --subnet snet-app \
  --private-connection-resource-id "<sql-server-id>" \
  --group-id sqlServer --connection-name conn-sql

Azure Bastion — administrative access without public IPs

Bastion is a managed service that provides RDP/SSH access to VMs through the browser (port 443), without assigning public addresses to machines and without opening ports 22/3389. It is deployed in a dedicated AzureBastionSubnet subnet.

How ZEUS sees it

Through Azure Resource Graph, ZEUS reads the network topology: VNets, subnets, NSG rules, public IPs and Private Endpoint configuration. On this basis it flags resources that are publicly exposed (e.g. a VM with a public IP and an open management port) as well as PaaS databases without Private Link. This is one of the most important security posture signals.

Next lesson: compute — when to choose a VM, when Container Apps, and when AKS.