learn-pr/wwl-azure/filter-network-traffic-network-security-group-using-azure-portal/7-knowledge-check.yml
2 additions & 2 deletions
@@ -25,7 +25,7 @@ quiz:
25
25
- content: "Provides storage for Azure resources"
26
26
isCorrect: false
27
27
explanation: "Incorrect. A network security group doesn't provide storage for Azure resources."
28
-
- content: "Enables the automation and validation of the creation and teardown of environments to help deliver secure and stable application hosting platforms"
28
+
- content: "Enables the automation of filtering inbound and outbound network traffic for Azure resources"
29
29
isCorrect: true
30
30
explanation: "Correct. A network security group is used to filter inbound and outbound network traffic to and from Azure resources in an Azure virtual network, helping to deliver secure and stable application hosting platforms."
31
31
- content: "What happens to network traffic that doesn't match any NSG rules?"
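Review bot: the `explanation:` for the correct choice still ends with "helping to deliver secure and stable application hosting platforms", a phrase carried over from the distractor this hunk removes; now that the choice reads "Enables the automation of filtering inbound and outbound network traffic for Azure resources", end the explanation at "...in an Azure virtual network." so it matches the revised choice. "Enables the automation of filtering" also reads oddly for a control that filters traffic by evaluating rules; "Filters inbound and outbound network traffic for Azure resources" is tighter and parallels the explanation.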
@@ -50,7 +50,7 @@ quiz:
50
50
- content: "By automatically applying antivirus software to all virtual machines within a group"
51
51
isCorrect: false
52
52
explanation: "Incorrect because ASGs don't deal with antivirus software; their purpose is to simplify network security management by grouping VMs for security rule application."
53
-
- content: "A network administrator is planning to minimize the number of security rules and changes needed. They are considering using service tags or application security groups, rather than individual IP addresses or ranges of IP addresses. What should they ensure about the network interfaces in both application security groups?"
53
+
- content: "A network administrator is planning to minimize the number of security rules and changes needed. They're considering using service tags or application security groups, rather than individual IP addresses or ranges of IP addresses. What should they ensure about the network interfaces in both application security groups?"
54
54
choices:
55
55
- content: "They must exist in different virtual networks"
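Review bot: the only change in this hunk is "They are" to "They're", but the stem being touched asks what to ensure "about the network interfaces in both application security groups" when no two groups have been introduced; while the line is open, consider "...about the network interfaces assigned to an application security group" so the question stands on its own. Separately, the unchanged `explanation:` for the antivirus distractor uses the form "Incorrect because ASGs..." whereas the first hunk in this file uses "Incorrect. A network security group...", so the two explanation styles are inconsistent.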
Network security is a critical aspect of maintaining a secure and reliable infrastructure. Azure provides a powerful tool called Network Security Group (NSG) that allows organizations to filter network traffic and enforce access controls in their cloud environments. In this training module, we will explore how to utilize Azure NSG to enhance network security and protect your resources.
1
+
Network security is fundamental to protecting cloud resources from unauthorized access and threats. Azure Network Security Groups (NSGs) provide a critical layer of defense by filtering network traffic to and from Azure resources within a virtual network. NSGs act as distributed firewalls, allowing you to control traffic flow using security rules based on source, destination, port, and protocol.
2
+
3
+
In modern cloud environments, implementing defense-in-depth strategies requires multiple layers of security controls. NSGs are one essential component of this approach, working alongside other Azure security services to create comprehensive network protection.
2
4
3
5
## Scenario
4
6
5
-
Imagine your work as a cloud architect for a growing e-commerce company. The company has recently migrated its infrastructure to Microsoft Azure and wants to ensure that network traffic to their resources is secure and restricted to authorized sources. As the responsible architect, you need to implement effective network security measures using Azure NSG.
7
+
You work as a cloud architect for a growing e-commerce company that migrated its infrastructure to Microsoft Azure. The company operates a multi-tier application with web servers, application logic servers, and database servers. Your task is to implement network security controls to ensure that:
6
8
7
-
## Learning Objectives
9
+
- Web servers only accept HTTPS traffic from the internet
10
+
- Application servers only accept traffic from web servers
11
+
- Database servers only accept traffic from application servers
12
+
- All unauthorized traffic is blocked and logged for security analysis
8
13
9
-
By the end of this training module, participants will:
14
+
You use Azure Network Security Groups to implement these access controls and establish secure network segmentation.
10
15
11
-
- Understand the purpose and benefits of using Azure NSG to filter network traffic.
12
-
- Learn how to create and configure NSGs to enforce access controls for Azure resources.
13
-
- Gain insights into how NSGs can be used to allow or deny specific types of traffic based on source, destination, and port.
14
-
- Understand how to prioritize NSG rules and leverage Azure NSG flow logs for monitoring and troubleshooting.
15
-
- Recognize the role of NSGs in implementing network security best practices in Azure.
16
+
## Learning Objectives
16
17
17
-
## Goals
18
+
By the end of this module, you'll be able to:
18
19
19
-
- Enable participants to effectively utilize Azure NSG to filter network traffic and enforce access controls.
20
-
- Improve participants' understanding of network security concepts in Azure.
21
-
- Provide participants with hands-on experience in creating and configuring NSGs.
22
-
- Empower participants to implement network security best practices and restrict unauthorized access to Azure resources.
23
-
- Enhance participants' ability to monitor and troubleshoot network traffic using NSG flow logs.
20
+
- Create and configure network security groups to filter network traffic in Azure virtual networks
21
+
- Define security rules based on source, destination, port, and protocol to allow or deny specific traffic
22
+
- Understand how NSGs evaluate inbound and outbound traffic using priority-based rules
23
+
- Implement application security groups to simplify security management for multi-tier applications
24
+
- Apply network security best practices using NSGs to protect Azure resources
25
+
- Monitor and troubleshoot network traffic using NSG diagnostic capabilities
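Review bot: the new scenario bullet "All unauthorized traffic is blocked and logged for security analysis" promises logging, but the rewritten objectives replace the removed "leverage Azure NSG flow logs for monitoring and troubleshooting" with the vaguer "Monitor and troubleshoot network traffic using NSG diagnostic capabilities"; name NSG flow logs in that objective so the logging requirement in the scenario maps to a stated outcome. Also, "Web servers only accept HTTPS traffic from the internet" and "Application servers only accept traffic from web servers" require explicit deny rules on top of the defaults, since the module's unit 3 text states that traffic between resources in the same virtual network is allowed by default; a short sentence in the scenario saying the default rules must be tightened would set expectations for the later units.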
learn-pr/wwl-azure/filter-network-traffic-network-security-group-using-azure-portal/includes/2-create-resource-group-azure-portal.md
4 additions & 2 deletions
@@ -1,6 +1,8 @@
1
-
A **Resource Group** is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.
1
+
Before creating network security resources, you need a resource group to organize and manage them. A **resource group** is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group.
2
2
3
-
The **Resource Group stores metadata about the resources**. Therefore, when you specify a location for the resource group, you are specifying where that metadata is stored. For compliance reasons, you may need to ensure that your data is stored in a particular region.
3
+
Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group. In this module, you create a resource group to contain your virtual network, subnets, and network security groups.
4
+
5
+
**Resource groups store metadata about the resources**. When you specify a location for the resource group, you're specifying where that metadata is stored. For compliance reasons, you need to ensure that your data is stored in a particular region.
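Review bot: the rewrite changes "you may need to ensure that your data is stored in a particular region" to "you need to ensure", turning a conditional into an unconditional requirement; not every organization has a data-residency obligation, so keep "may need" (or "some organizations must"). The sentence also dropped the "Therefore," that tied the region choice to the preceding statement about metadata location; a connective such as "so when you specify a location..." would preserve that reasoning.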
learn-pr/wwl-azure/filter-network-traffic-network-security-group-using-azure-portal/includes/3-create-virtual-networking-infrastructure.md
19 additions & 49 deletions
@@ -18,62 +18,32 @@ Key scenarios that you can accomplish with a virtual network include:<br>
18
18
- Routing network traffic
19
19
- Integration with Azure services.
20
20
21
-
Based on the principle of “never trust, always verify,” Zero Trust helps secure corporate resources by eliminating unknown and unmanaged devices and limiting lateral movement. Implementing a true Zero Trust model requires that all components—user identity, device, network, and applications—be validated and proven trustworthy. Zero Trust verifies identity and device health prior to granting access to corporate resources. When access is granted, applying the principle of least privilege limits user access to only those resources that are explicitly authorized for each user, thus reducing the risk of lateral movement within the environment. In an ideal Zero Trust environment, the following four elements are necessary:
21
+
Based on the principle of “never trust, always verify,” Zero Trust helps secure corporate resources by eliminating unknown and unmanaged devices and limiting lateral movement. Implementing a true Zero Trust model requires that all components—user identity, device, network, and applications—be validated and proven trustworthy. Zero Trust verifies identity and device health before granting access to corporate resources. When access is granted, applying the principle of least privilege limits user access to only those resources that are explicitly authorized for each user. Least privilege reduces the risk of lateral movement within the environment. In an ideal Zero Trust environment, the following four elements are necessary:
22
22
23
-
- Strong identity authentication everywhere (user verification via authentication)
24
-
- Devices are enrolled in device management, and their health is validated
25
-
- Least-privilege user rights (access is limited to only what is needed)
26
-
- The health of services is verified (future goal)
23
+
- Strong identity authentication everywhere (user verification via authentication)
24
+
- Devices are enrolled in device management, and their health is validated
25
+
- Least-privilege user rights (access is limited to only what is needed)
26
+
- The health of services is verified (future goal)
27
27
28
-
## Communicate with the internet<br>
28
+
## Network communication behavior
29
29
30
-
All resources in a virtual network can communicate outbound to the internet, by default. You can communicate inbound to a resource by assigning a public IP address or a public load balancer. You can also use public IP, Network Address Translation (NAT) gateway, or public load balancer to manage your outbound connections.
30
+
By default, Azure virtual networks allow:
31
31
32
-
> [!NOTE]
33
-
> When using only an internal Standard Load Balancer, outbound connectivity is not available until you define how you want outbound connections to work with an instance-level public IP or a public load balancer.<br>
32
+
- All outbound traffic to the internet
33
+
- All traffic between resources in the same virtual network
34
+
- Traffic between peered virtual networks
34
35
35
-
## Communicate between Azure resources<br>
36
+
Network security groups override these defaults by explicitly allowing or denying traffic based on your security requirements. When you create NSG rules, you define exactly which traffic is permitted, implementing a defense-in-depth security strategy.
36
37
37
-
Azure resources communicate securely with each other in one of the following ways:
38
+
## Filtering network traffic
38
39
39
-
-**Through a virtual network**: You can deploy VMs, and other types of Azure resources to a virtual network. Examples of resources include Azure App Service Environments, the Azure Kubernetes Service (AKS), and Azure Virtual Machine Scale Sets.<br>
40
-
-**Through a virtual network service endpoint**: Extend your virtual network private address space and the identity of your virtual network to Azure service resources. Examples of resources include Azure Storage accounts and Azure Structured Query Language (SQL) Database, over a direct connection. Service endpoints allow you to secure your critical Azure service resources to only a virtual network.<br>
41
-
-**Through virtual network peering**: You can connect virtual networks to each other, enabling resources in either virtual network to communicate with each other, using virtual network peering. The virtual networks you connect can be in the same, or different, Azure regions.<br>
40
+
Network security groups (NSGs) are the primary tool for filtering network traffic within virtual networks. Understanding how NSG's work with virtual networks is essential:
42
41
43
-
## Communicate with on-premises resources<br>
42
+
-**Network security groups**: Contain multiple inbound and outbound security rules that filter traffic to and from resources by source and destination IP address, port, and protocol
43
+
-**Subnet-level protection**: Apply NSGs to subnets to control all traffic entering or leaving that subnet
44
+
-**Network interface-level protection**: Apply NSGs to individual network interfaces for granular control
45
+
-**Network virtual appliances**: Deploy specialized virtual machines (VMs) that perform advanced network functions such as firewalls or WAN optimization
44
46
45
-
You can connect your on-premises computers and networks to a virtual network using any of the following options:
47
+
## Virtual networks and availability zones
46
48
47
-
-**Point-to-site virtual private network (VPN)**: Established between a virtual network and a single computer in your network. Each computer that wants to establish connectivity with a virtual network must configure its connection. This connection type is great if you're just getting started with Azure, or for developers, because it requires little or no changes to your existing network. The communication between your computer and a virtual network is sent through an encrypted tunnel over the internet.<br>
48
-
-**Site-to-site VPN**: Established between your on-premises VPN device and an Azure VPN Gateway that is deployed in a virtual network. This connection type enables any on-premises resource that you authorize to access a virtual network. The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet.<br>
49
-
-**Azure ExpressRoute**: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic doesn't go over the internet.<br>
50
-
51
-
## Filter network traffic<br>
52
-
53
-
You can filter network traffic between subnets using either or both of the following options:
54
-
55
-
-**Network security groups**: Network security groups and application security groups can contain **multiple inbound and outbound security rules**. These rules enable you to **filter traffic to and from resources by source and destination IP address**, **port**, and **protocol**.<br>
56
-
-**Network virtual appliances**: A network virtual appliance is a VM that performs a network function, such as a **firewall**, **Wide-Area Network (WAN) optimization**, or **other network function**.<br>
57
-
58
-
## Route network traffic<br>
59
-
60
-
Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet, by default. You can implement either or both of the following options to override the default routes Azure creates:
61
-
62
-
-**Route tables**: You can create custom route tables with routes that control where traffic is routed to for each subnet.<br>
63
-
-**Border gateway protocol (BGP) routes**: If you connect your virtual network to your on-premises network using an Azure VPN Gateway or ExpressRoute connection, you can propagate your on-premises Border Gateway Protocol (BGP) routes to your virtual networks.<br>
64
-
65
-
## Virtual network integration for Azure services<br>
66
-
67
-
Integrating Azure services to an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. You can integrate Azure services in your virtual network with the following options:
68
-
69
-
- Deploying dedicated instances of the service into a virtual network. The services can then be privately accessed within the virtual network and from on-premises networks.<br>
70
-
- Using Private Link to access privately a specific instance of the service from your virtual network and from on-premises networks.<br>
71
-
- You can also access the service using public endpoints by extending a virtual network to the service, through service endpoints. Service endpoints allow service resources to be secured to the virtual network.<br>
72
-
73
-
## Azure Virtual Network limits<br>
74
-
75
-
There are certain limits around the number of Azure resources you can deploy. Most Azure networking limits are at the maximum values. However, you can increase certain networking limits as specified on the virtual network limits page.
76
-
77
-
## Virtual networks and availability zones<br>
78
-
79
-
Virtual networks and subnets span all availability zones in a region. You don't need to divide them by availability zones to accommodate zonal resources. For example, if you configure a zonal VM, you don't have to take into consideration the virtual network when selecting the availability zone for the VM. The same is true for other zonal resources.
49
+
Virtual networks and subnets span all availability zones in a region. When you deploy resources across availability zones for high availability, the same network security rules apply consistently, simplifying security management while maintaining resilience.
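Review bot: the added line "Understanding how NSG's work with virtual networks is essential:" has a stray apostrophe; "NSGs" is the plural used elsewhere in this hunk. More substantively, the deleted NOTE that outbound connectivity is not available behind an internal Standard Load Balancer until an instance-level public IP or public load balancer is defined was an accurate caveat, yet the new bullet states "All outbound traffic to the internet" is allowed by default with no qualification; keep that caveat as a note under the new "Network communication behavior" section. Likewise "Traffic between peered virtual networks" is only allowed once peering has been configured, which the removed "Through virtual network peering" paragraph made explicit. Finally, "Network security groups override these defaults" is imprecise: an NSG filters traffic by evaluating rules in priority order, and its own default rules allow virtual-network inbound and internet outbound traffic, so "restrict" or "filter" describes the relationship better than "override".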