Logically Segment Subnets #62

Open
abokov opened this issue Jul 2, 2021 · 0 comments

abokov commented Jul 2, 2021

Segment the larger address space into subnets using Classless Inter-Domain Routing (CIDR) based subnetting principles to create your subnets. Routing between subnets will happen automatically and you do not need to manually configure routing tables. To create network access controls between subnets, you'll need to put a Network Security Group (NSG) between the subnets.

Best Practices

  • Use a Network Security Group to protect against unsolicited traffic into Azure subnets. Network security groups are simple, packet inspection devices that use the 5-tuple approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to create allow/deny rules for network traffic. You allow or deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets.
  • When you use network security groups for network access control between subnets, ensure you put resources that belong to the same security zone or role in their own subnets.
  • Simplify network security group rule management by defining Application Security Groups.

abokov added this to the Security Domain milestone Jul 2, 2021
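
The following is an added example, not part of the original issue or the project's code: it carves a VNet into per-zone subnets with CIDR and evaluates 5-tuple NSG rules in priority order, showing that an NSG carrying only Azure's default rules still admits traffic from every other subnet. The address plan, the custom rule names (`AllowAppToSql`, `DenyOtherVnet`) and port 1433 are constructed, and the `VirtualNetwork` service tag is simplified to the VNet's own CIDR.

```python
import ipaddress
from typing import NamedTuple

# Constructed address plan: one /16 VNet split into /24 subnets, one per security zone.
VNET = ipaddress.ip_network("10.10.0.0/16")
SUBNETS = dict(zip(["web", "app", "db"], VNET.subnets(new_prefix=24)))

class Rule(NamedTuple):  # priority, name, action, then the 5-tuple
    priority: int
    name: str
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    src: str         # CIDR or "*"
    src_port: str
    dst: str         # CIDR or "*"
    dst_port: str

# Azure's default inbound rules; the VirtualNetwork tag is modelled as the VNet CIDR.
DEFAULTS = [
    Rule(65000, "AllowVnetInBound", "Allow", "*", str(VNET), "*", str(VNET), "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*", "*", "*"),
]

def db_nsg(segmented):
    """Inbound rule set for the db subnet, with or without zone rules (hypothetical names)."""
    custom = [
        Rule(100, "AllowAppToSql", "Allow", "Tcp",
             str(SUBNETS["app"]), "*", str(SUBNETS["db"]), "1433"),
        # Must sit above priority 65000, or AllowVnetInBound matches first.
        Rule(4000, "DenyOtherVnet", "Deny", "*", str(VNET), "*", "*", "*"),
    ]
    return (custom if segmented else []) + DEFAULTS

def _ip_ok(pattern, ip):
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def _eq_ok(pattern, value):
    return pattern == "*" or pattern.lower() == str(value).lower()

def evaluate(rules, proto, src, sport, dst, dport):
    """Return (access, rule name) of the first match; lowest priority number wins."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (_eq_ok(r.protocol, proto) and _ip_ok(r.src, src) and _eq_ok(r.src_port, sport)
                and _ip_ok(r.dst, dst) and _eq_ok(r.dst_port, dport)):
            return r.access, r.name
    return "Deny", "no-match"
```

Running the same web-to-db flow through `db_nsg(False)` and `db_nsg(True)` shows the difference the explicit deny rule makes.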