https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

Create a virtual network
Create application security groups
Create a network security group
Associate network security group to subnet
Create security rules
Create virtual machines
Associate network interfaces to an ASG
Test traffic filters

Create a virtual network


Create application security groups


Create a network security group


Associate network security group to subnet


Create security rules

Create a security rule that allows ports 80 and 443 to the myAsgWebServers application security group. In Add inbound security rule page, enter or select this information:


Now make and Allow-RDP-ME (Using whats my ip)

Destination application security group Select myAsgMgmtServers.

Create virtual machines

Virtual machine name Enter myVMWeb.
Select inbound ports Select None.
Subnet Select subnet31 (10.50.0.0/24).

Public IP Leave the default of a new public IP.
NIC network security group Select None.

Create it and redeploy them template from the portal, edit Virtual Machine RG to same as the rg

Virtual machine name Enter myVMMgmt.
Select inbound ports Select None.
Subnet Select subnet31 (10.50.0.0/24).
Public IP Leave the default of a new public IP.
NIC network security group Select None.


Associate network interfaces to an ASG

Add the network interface of each VM to one of the application security groups you created previously:

80 and 443

Management VM

3389 RDP


Test traffic filters

Test RDP to myVMMgmt from internet

Test RDP to myVMWEb from myVMMgmt

Open a PowerShell session on myVMMgmt. Connect to myVMWeb using the following:

mstsc /v:myVmWeb

The RDP connection from myVMMgmt to myVMWeb succeeds because virtual machines in the same network can communicate with each other over any port by default.

Test RDP to myVMWEb from internet

Correct due to ASG

To install Microsoft IIS on the myVMWeb virtual machine, enter the following command from a PowerShell session on the myVMWeb virtual machine:

Or from the myVMWeb virtual machine -> Run Command -> RunPowerShellScript

Install-WindowsFeature -name Web-Server -IncludeManagementTools

Visit the myVMWeb , cp the public IP, is allowed due to ASG

Visit the myVMMgmt , cp the public IP, is denied due to ASG