Configuring Network Security Group Structure

Owned by Madhuri Dange (Unlicensed)
Apr 28, 2023

Below points are for reference purpose only. Please follow the guidelines as per your organization to meet the Network and the Security Infrastructure requirements. 

To configure Network Security Group structure for Aptify application on Azure, follow the instructions given below:

Global Virtual Network creation

Creation of global virtual network B-Non-Prod-Spoke-vNet

  • Created one global virtual network which connects all the resources to the virtual network.
  • We have given address space - 10.2.0.0/16


Subnet Creation

  • Created subnets for the resources like application gateway, private endpoint, Virtual Machine, and managed instance.
    • Subnet name MYAGSubnet created for application gateway with range - 10.2.2.0/26
    • Subnet name PE-Subnet created for private app services endpoint with range - 10.2.1.0/29
    • Subnet name MI-Subnet is created for managed instance with range - 10.2.4.0/26
    • Subnet name VM-Subnet is created for Virtual Machine with range - 10.2.3.0/24
    • We have also created one gateway subnet with range - 10.2.6.0/24


  • Created NSG for application gateway, Private Endpoint and Managed Instance.

Note: We have not set any specific inbound and outbound rules for now in NSG)

  • Created Application Gateway within our virtual network
    • We have created one application gateway named CBIndiaApplicationGateway.
    • This gateway is associated with our global virtual network and specific subnet name MYAGSubnet(we have explained above about this subnet).
    • This gateway contains AptifyServicesAPI app services as a backend target.
    • Also, we have created one rule to create route between application gateway and app services.
    • We have not created any health probes; we are using custom one.
    • We have kept host name same as services host name.We have not created any custom domain for same.




  • Converted our public app service endpoint to private endpoint
    • For POC purpose we have created one public endpoint named as AptifyServicesAPI which is our Aptify web services.
    • Now we have turned those services to private endpoint and then we have associated new DNS to that.
    • We have also added this private endpoint to our global virtual network and subnet named PE-Subnet.
    • We got one private link and private IP address to connect this private endpoint
    • In below screenshot you will see we have switched on our private endpoint for AptifyServicesAPI app service.


  • Created Virtual Machine and Configured Bastion to connect our private endpoint
    • To connect our private endpoint, we have created one virtual machine
    • In that virtual machine we have configured Bastion connection within same virtual network and dedicated subnet for that named VM-Subnet
    • Then after manually configuration we are able to run our private endpoint within that bastion VM.



  • Key Points for Aptify Web Azure Architecture
    • We have kept virtual network and subnet address range same as provided by Microsoft team.
    • We have created one new resource group for all these POC.
    • We have not created any delegated subnet for private endpoints to connect managed instance.
    • We have not added report servers for this architecture POC.
    • We have referred Microsoft blogs and document to create this architecture.