Introduction
In today’s cloud-driven world, securing file transfers is critical for organizations working with sensitive data. Azure provides a powerful way to isolate traffic, enforce access policies, and maintain secure communication between resources. One common use case is setting up a subnet specifically for SFTP traffic and locking it down with a Network Security Group (NSG) that controls which ports and protocols are allowed.
In this hands-on lab, you’ll simulate a real-world scenario where a finance department needs a dedicated subnet for SFTP file transfers. You’ll create a subnet on an existing Virtual Network (vNet), deploy a custom Network Security Group, and restrict inbound traffic to port 22 for SFTP (SSH File Transfer Protocol). This project strengthens your practical understanding of Azure networking and security fundamentals.
Skilling Objectives
- Create and manage subnets on a virtual network
- Deploy a Network Security Group (NSG) to control inbound access
- Create security rules that allow only specific traffic (e.g., SFTP on port 22)
- Associate a subnet with an NSG to enforce secure access policies
Architecture Overview
You’ll be working within an existing Azure virtual network (`guided-project-vnet`) and building out the following components:
- A new subnet named `ftpSubnet` for SFTP traffic
- A Network Security Group (NSG) named `ftpNSG` to control access
- An inbound security rule to allow only port 22 (SFTP)
- An association between the NSG and the new subnet for enforcement
This structure mirrors how enterprise environments segment workloads and lock down access for specific services.
Lab Instructions
🧠 Prerequisite: Ensure you have an active Azure subscription and access to the Azure portal.
Step 1: Create a New Subnet on an Existing Virtual Network
To logically isolate SFTP traffic, you will create a new subnet within your existing vNet.
- Log in to the Azure Portal: https://portal.azure.com
- In the search bar, type Virtual networks and select the service.
- Choose the existing virtual network named `guided-project-vnet`.
- In the left-hand menu under Settings, click Subnets.
- For Name, enter: `ftpSubnet`
- Leave Subnet purpose as Default and keep other settings unchanged.
✅ You’ve now created a dedicated subnet for secure SFTP file transfers.
Step 2: Create a Network Security Group (NSG)
A Network Security Group (NSG) acts like a virtual firewall, allowing or denying traffic to resources in Azure. Here, you’ll create an NSG that allows only SFTP (port 22) traffic into the subnet.
- Return to the Azure home page.
- In the search bar, type Network security groups and open the service.
- Make sure your Subscription and Resource Group (e.g., `guided-project-rg`) are correct.
- For Name, enter: `ftpNSG`
- Wait for the deployment to complete and click Go to resource.
Step 3: Create an Inbound Security Rule
You’ll now define a security rule within the NSG to explicitly allow SFTP traffic on port 22 and deny other types of incoming connections by default.
- In the `ftpNSG` resource page, select Inbound security rules from the Settings menu.
- Click + Add to create a new rule.
- For Destination port ranges, change from the default to `22`.
- Set the Protocol to `TCP`.
- For Name, enter: `ftpInbound`.
- Click Add to save the rule.
🔒 This rule ensures that only traffic on port 22 (used by SFTP) will be allowed into the subnet: inbound traffic that matches no allow rule is dropped by the NSG's built-in DenyAllInBound rule. Note that the built-in AllowVnetInBound rule still permits traffic that originates inside the virtual network, so add an explicit higher-priority deny rule if the subnet must be reachable on port 22 only.
Step 4: Associate NSG with the Subnet
The final step is to bind the newly created NSG to the `ftpSubnet`. This applies the security rule and restricts access to just port 22.
- Go back to the Virtual networks page and open `guided-project-vnet`.
- Under Settings, click Subnets.
- Select the `ftpSubnet` you previously created.
- In the Edit subnet window, locate the Network security group field.
- Select `ftpNSG` from the dropdown.
- Click Save.
✅ Your `ftpSubnet` is now protected by a firewall that allows only SFTP traffic.
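The four portal steps above, scripted with the Azure CLI as an added example (this is not part of the original lab). It assumes the resource group `guided-project-rg` and the existing vNet named in the lab; the subnet address prefix, the `DRY_RUN` switch and the `SFTP_SOURCE` variable (which lets you narrow the rule's source from "any" to a known address range) are my own additions.

```shell
#!/bin/sh
# Added example (not part of the original lab): Steps 1-4 scripted with the Azure CLI.
# Assumes resource group guided-project-rg and guided-project-vnet already exist;
# SUBNET_PREFIX is a constructed value, pick a free range in your vNet.
# DRY_RUN=1 prints each az command instead of executing it.
set -eu
RG="${RG:-guided-project-rg}"
VNET="${VNET:-guided-project-vnet}"
SUBNET="ftpSubnet"
NSG="ftpNSG"
RULE="ftpInbound"
SUBNET_PREFIX="${SUBNET_PREFIX:-10.0.2.0/24}"
# '*' matches the lab (any source); narrow it to the partner's public IP range so
# that port 22 is not reachable from the whole internet.
SFTP_SOURCE="${SFTP_SOURCE:-*}"

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: create the subnet on the existing vNet.
create_subnet() {
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --address-prefixes "$SUBNET_PREFIX"
}
# Step 2: create the NSG (it starts with only Azure's built-in default rules).
create_nsg() {
  run az network nsg create -g "$RG" -n "$NSG"
}
# Step 3: allow TCP/22 inbound. Priority 100 is evaluated before the default rules
# (65000 and up), so other internet traffic still hits the built-in DenyAllInBound.
create_rule() {
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$RULE" \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$SFTP_SOURCE" --destination-port-ranges 22
}
# Step 4: associate the NSG with the subnet.
associate_nsg() {
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --network-security-group "$NSG"
}
# Check: list the effective rules, including the built-in defaults.
show_rules() {
  run az network nsg rule list -g "$RG" --nsg-name "$NSG" --include-default -o table
}

main() { create_subnet; create_nsg; create_rule; associate_nsg; show_rules; }
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `DRY_RUN=1 sh sftp-subnet.sh apply` to review the commands first, then without `DRY_RUN` to apply them; `show_rules` prints `ftpInbound` alongside the built-in AllowVnetInBound and DenyAllInBound rules so you can confirm the evaluation order.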
Real-World Example
Imagine you're working at a financial company that needs to transfer monthly reports to a secure server. To prevent unauthorized access or data breaches, the IT team creates a dedicated "lane" (subnet) just for SFTP trucks (traffic). Then, they install a security guard (NSG) at the entrance who checks every truck and only allows the one carrying a special port-22 pass. All others are denied entry.
This ensures sensitive data such as salaries or taxes is transferred safely, away from public traffic.
Conclusion
In this practical Azure lab, you’ve completed an end-to-end setup for deploying a secure SFTP-enabled subnet using Azure Virtual Networks and Network Security Groups. You’ve learned how to:
- Create a new subnet for isolated traffic
- Define custom NSG rules
- Secure the subnet by associating it with an NSG
- Allow only trusted port access (SFTP)
These steps replicate what many cloud engineers and IT administrators do in real production environments—designing secure, scalable, and segmented network architectures. Mastering this process is an essential step toward becoming cloud-proficient, whether you're building internal tools, supporting DevOps pipelines, or handling enterprise workloads.
🔐 Security isn’t an afterthought — it’s the foundation. Keep building!