Step-By-Step Demo Of Creating Azure Virtual Network, Subnets And Network Security Groups - Part One

In this article, I am going to explain how to create an Azure Virtual Network, Subnets, and Network Security Groups and how to associate them with Virtual Machines.

To understand more about what Virtual Networks, Subnets, Network Security Groups are and topics around them, read my article here. You will need an Azure Subscription to go ahead with this demo.

Step 1

Go to and sign in with your credentials. Click on "Create a Resource", search for Virtual Network, and click on Virtual Network in the results.


Step 2

It will open a new blade. Click on "Create".

Step 3

Give a name to your VNet. Since we are going to have subnets inside our VNet, we need to have the address space as


Step 4

Select the resource group that you want or create a new one. Give a name to your subnet as FrontEndSubnet and give the address range as We are going to create another subnet later on. "Pin to dashboard" and click "Create".


Step 5

Open your Virtual Network and click on subnets. Click on "Add" to add your second subnet.


Step 6

Give the name BackendSubnet to it. Set the address range/CIDR block as Leave Network Security Group and Route Table empty since we are going to create them later on. Click on OK.


Step 7

You will see that the available addresses are 251 in both the CIDR blocks. Because the first four and the last, i.e., a total of five,  addresses are used for reserve purposes and cannot be used.


Step 8

Now, we are going to create two Network Security Groups. One will be for the front-end and the other one will be for the back-end.

Step 9

Front End NSG will use two rules,
  • rdp-rule: This will allow RDP traffic to the Front End Subnet.
  • web-rule: This will allow HTTP traffic to the Front End Subnet.
Step 10

Back End NSG will use three rules,
  • sql-rule: This allows SQL traffic only from the Front End Subnet.
  • web-rule: This denies all internet bound traffic from the Back End Subnet.
  • rdp-rule: This will allow RDP traffic to the Back End Subnet.
Step 11

Click on "Create Resouce" and search for Network Security Group. Click "Create".

Step 12

Give the name FrontEndNSG and use the existing resource group in which you've made the virtual network. Click "Create".


Step 13

Likewise, create one more NSG for the back-end.

Step 14

Go to your FrontEndNSG and click on Inbound Security Rules. Click on "Add".


Step 15

Give the source as any so that the source port ranges would become * i.e., from anywhere. Set destination as any. The destination port will be 80. The protocol will be TCP and the action will be "Allow".


Step 16

The priority will be 100. The lower the number, the higher the priority. Make sure to give the priorities in multiples of 100 so that if something new comes up, we can easily fix it in between. Give the name WebRuleAllow. Click on "OK".


Step 17

Now, we are making a rule for RDP. Add a new rule. Keep everything as it is except the port number and priority. Change the port number to 3389 and priority to 110. Click on OK. Port number 3389 is for RDP access. You might get a warning saying that this is just for testing purposes and not for production use.


Step 18

The two rules have been created successfully.


Step 19

Then in the BackEnd NSG, create a new inbound rule with everything else same except the port number and name. The port number should be 1433 and the name will be SQLRuleAllow.


Step 20

Add a new outbound security rule whose action will be Deny, port number will be 80 and name will be HttpRuleDeny.


Step 21

So far, we have created our NSGs but we have not assigned them to our subnets. So next, we are going to do that.

Step 22

Go to your VNet, then to the FrontEndSubnet and click on Network Security Group. Click on FrontEndNSG and click on Save.


Step 23

Similarly assign BackEndNSG to BackEndSubnet.

Step 24

Now we need to create Virtual Machines for our Virtual Network where we are going to create one Virtual Machine for each of our subnets. We will do that and more in the next part of the article. 
The link to the second part of this article is here