🔗
1. VNet Peering
Peering provides low-latency, private connectivity between VNets-useful for segmentation while keeping traffic inside Azure backbone.
Top 5 design recommendations
- Use hub-and-spoke peering model: hub for shared services (FW, DNS, security) and spokes per workload.
- Plan non-overlapping address spaces and define clear IP segmentation boundaries.
- Disable transitive routing in classic peering; prefer user-defined routes (UDRs) or firewall for transit control.
- Use peering with Global VNet Peering for multi-region designs and enable gateway transit only when needed.
- Tag peerings and VNets for ownership, environment and lifecycle management (automation, cleanup).
Top 5 operational best practices
- Audit peering connections and route tables regularly; log changes via Activity Log.
- Use network watchers/peer diagnostics to validate connectivity and troubleshoot MTU/latency.
- Enforce least-privilege RBAC for peering creation and modifications.
- Automate peering creation via IaC (ARM/Bicep/Terraform) with approval gates.
- Monitor cross-VNet traffic egress for cost and security (NSG, FW logs, flow logs).
🔰
2. Network Security Groups (NSG)
NSGs are the core east-west microsegmentation control - use them as first-line network filters close to NIC/subnet.
5 NSG design recommendations
- Prefer subnet-scoped NSGs for predictable policies; use NIC-scoped for exceptions only.
- Use deny-by-default model: explicit allows then minimal required ports/protocols.
- Combine NSG with Application Security Groups (ASG) instead of IP-based rules for scale and clarity.
- Enforce service tags (e.g., Storage, AzureLoadBalancer) instead of broad IP ranges when possible.
- Use descriptive rule names, priorities and tags for auditability and automation mapping.
5 NSG operational practices
- Enable NSG flow logs (via Network Watcher + Storage/Log Analytics) and review for anomalies.
- Use policy-as-code to enforce baseline NSG rules across subscriptions.
- Validate rule overlaps and priority drift during deployments; prevent unintended open ports.
- Lock down management ports (RDP/SSH) to jump boxes or Just-In-Time (JIT) via Azure Security Center.
- Regularly review NSG usage and remove stale rules; maintain CI/CD deployment templates.
💻
3. Application Security Groups (ASG)
ASGs simplify grouping of VMs by application role so NSG rules express intent, not IPs.
5 ASG recommendations
- Organize ASGs by function (web, app, db) and environment (prod, stage) for reuse.
- Reference ASGs in NSGs rather than IPs to reduce change window mistakes.
- Automate ASG membership assignment via tags, naming conventions and IaC.
- Limit ASG count per subscription/subnet and document mapping to workload diagrams.
- Use ASGs with Azure Firewall or NVA rules to map application flows end-to-end.
5 operational tips
- Audit ASG membership and NSG rules referencing them during change review.
- Use ASG-friendly naming to reflect roles and environment in telemetry and alerts.
- When scaling VMs, ensure assignment automation updates ASG membership immediately.
- Test ASG rule changes in a non-production spoke before pushing to production.
- Combine ASGs with tags and resource graph queries to build reports for compliance.
🧭
4. User Defined Routes (UDRs) & Route Control
UDRs let you steer traffic (to NGFW, NVA, or to internet via Firewall) - vital for enforcing Zero Trust perimeter/egress controls.
5 design rules for UDRs
- Centralize egress through hub firewall using UDRs (0.0.0.0/0) rather than per-spoke internet access.
- Ensure system routes to Azure services are preserved (do not override service tags routing unintentionally).
- Document route tables, priorities and the intended inspection path for audits.
- Limit propagation of UDRs that enable transit; prefer Virtual WAN/Hub transit models when at scale.
- Use next-hop to NVAs/Firewall and test for asymmetric routing before production cutover.
5 operational controls
- Track route tables assignment to subnets; use policy to prevent accidental detachments.
- Use network watcher next hop and effective routes to validate pathing after changes.
- Monitor for blackhole routes and conflicting routes introduced by peering or NVAs.
- Automate change approvals and runbook validation for route table changes.
- Maintain a rollback plan and test in a staging environment before sweeping updates.
🏛
5. Hub and Spoke Topology
Hub-and-spoke centralizes shared services (firewall, DNS, VPN) and enforces consistent security posture across spokes.
5 architecture recommendations
- Use a dedicated hub VNet for shared security services, transit and egress controls.
- Isolate workloads into spokes mapped by trust level and business unit.
- Apply routing/UDRs so traffic to/from spokes traverses hub firewall for inspection.
- Use hub to centralize identity-aware services (Azure Bastion, NVA, DNS forwarders).
- Govern spoke onboarding with template-based deployment and subscription boundaries.
5 operational recommendations
- Enforce hub security via RBAC, policy and scripted deployment; monitor hub resource consumption.
- Tag spokes and VNets for business, owner and environment to drive policy and cost allocation.
- Use health probes and monitoring for hub firewall, VPN gateways, and NVAs.
- Test failover scenarios for gateway and firewall in hub to ensure resilience.
- Document trust boundaries and ensure compliance scans on hub services persistently run.
🛰
6. Azure Virtual WAN
Virtual WAN simplifies large-scale connectivity (branch, VPN, ExpressRoute) with central hub automation and security insertion.
5 design recommendations
- Use Virtual WAN when you need global transit, scale and simplified branch connectivity.
- Choose Firewall Manager integration for centralized NGFW policies and service chaining.
- Architect hub-per-region and apply routing/policies consistently across hubs.
- Plan for explicit gateway transit options and allowRemoteGateway/UseRemoteGateway flags carefully.
- Define BGP and prefix limits before connecting multiple on-prem peers to avoid route storms.
5 operational controls
- Monitor hub health, VPN throughput and ExpressRoute circuits from the Virtual WAN hub blade.
- Use automation for branch VPN lifecycle and certificate rotation for S2S/P2S.
- Audit route propagation and BGP sessions for stale prefixes or hijacks.
- Restrict who can create Virtual WAN hubs with policy and RBAC.
- Run periodic scale and performance tests to validate SLA requirements.
🔐
7. Site-to-Site (S2S) VPN
S2S provides encrypted L3 connectivity for on-prem to Azure; treat it as a critical trust boundary with strict controls.
5 S2S design recommendations
- Use IKEv2 with strong cipher suites and rotate pre-shared keys or use certificate-based auth.
- Advertise only required prefixes; avoid broad 0.0.0.0/0 advertisements from on-prem.
- Plan active-active or active-standby gateways for resilience (ExpressRoute as an option for high throughput).
- Use BGP for dynamic routing and proper path failover; set BGP weights and prefix filters.
- Limit which subnets are reachable over the tunnel via routes/UDRs to reduce blast radius.
5 S2S operational tips
- Monitor IPSec tunnel health, latency and packet loss; set alerts for tunnel flaps.
- Validate MTU and fragmentation settings to avoid application issues.
- Keep vendor device configs in sync and version-controlled for reproducibility.
- Test rekeying and key rotation during maintenance windows to confirm continuity.
- Use diagnostic logs and packet capture (Network Watcher) for tunnel troubleshooting.
👥
8. Point-to-Site (P2S) VPN
P2S is user-level secure connectivity - use certificate or Azure AD authentication and limit access via conditional access.
5 P2S best practices
- Prefer Azure AD + certificate or OpenVPN with MFA for strong user authentication.
- Use split-tunnel carefully: prefer forced-tunnel for high-risk or compliance workloads.
- Assign route lists and NSGs to control what P2S clients can reach in VNets.
- Limit P2S to managed devices (Intune) and require device compliance signals.
- Implement session timeouts and logging for user sessions and connections.
5 operational controls
- Monitor active client count and throughput to scale gateway SKU appropriately.
- Audit and revoke client certificates periodically and on offboarding.
- Integrate P2S access with Conditional Access and device compliance signals.
- Use logging to detect unusual location or multiple concurrent sessions for same identity.
- Provide tightly-scoped access via role and NSG rules; avoid broad network exposure.
🔥
9. Azure Firewall
Stateful, cloud-native firewall for central inspection, filtering, and threat intelligence enforcement.
5 Azure Firewall design recommendations
- Place Azure Firewall in the hub with UDRs directing spoke egress through it.
- Use Threat Intelligence (allow/block list) and integrate with Sentinel for alerts.
- Design rule collections with least-privilege, explicit allow lists and prioritized rule order.
- Leverage TLS inspection where needed (see section on TLS Inspection) and balance privacy/regulatory concerns.
- Combine Firewall with Azure Front Door or App GW for layered edge protection.
5 operational best practices
- Use FQDN tags and application rules for HTTP/S instead of wide IP ranges.
- Export and centralize logs (Diagnostics -> Log Analytics) for rule hits and alerts.
- Manage rules via Firewall Manager for orchestration across multiple hubs.
- Test rules with simulated traffic and use policy-as-code pipelines for rule changes.
- Scale with Firewall autoscale for bursty traffic or choose Premium SKU for TLS-inspect and IDPS.
🔍
10. TLS Inspection and Intrusion Detection/Prevention (IDPS)
TLS inspection and IDPS reveal threats in encrypted traffic and prevent exploitation; weigh privacy, compliance and performance.
5 TLS Inspection / IDPS design recommendations
- Use Azure Firewall Premium or third-party NGFW with TLS-inspect capability for enterprise inspection.
- Define clear inspection scope (outbound to internet, internal east-west) and exclude sensitive workloads by policy.
- Plan certificate management (trusted root) and automate certificate distribution to endpoints.
- Combine IDPS signatures with threat intelligence feeds and tuned rules to reduce false positives.
- Ensure performance sizing (CPU) and latency SLAs are met; test with representative traffic.
5 operational tips
- Track IDPS alerts and tune signature sensitivity to lower noise; integrate with SIEM for alert triage.
- Monitor certificate expiration and automate replacement to avoid inspection failures.
- Log decrypted flows only where necessary and secure logs for compliance.
- Test bypass scenarios and provide documented exceptions with approvals.
- Use staged rollout: monitor in detect-only mode before blocking to measure impact.
🔁
11. NAT Rules and SNAT
NAT and SNAT manage address translation and egress identity; misconfiguration can expose internal workloads.
5 design recommendations
- Prefer managed NAT through Azure Firewall or NAT Gateway instead of VM-based SNAT where possible.
- Use static public IPs for predictable egress ranges (whitelisting partners) and avoid random SNAT churn.
- Map expected source IPs in design docs and document services that depend on egress IPs.
- Minimize directly-assigned public IPs to VMs; use load balancers/NAT gateways to centralize egress.
- Account for port exhaustion and scale NAT resources appropriately for high connection workloads.
5 operational controls
- Monitor SNAT port utilization and configure autoscale or additional NAT resources when nearing limits.
- Log source translations to help incident response identify origin hosts.
- Use tests (curl, external echo services) to validate egress IP behavior after changes.
- Automate allocation of reserved public IP prefixes to avoid drift.
- Audit direct public IP usage and enforce policies to reduce sprawl.
📜
12. Network Rules and Application Rules
Define clear network-level (IP/port) and application-level (FQDN, URL) rules in firewalls for precise control.
5 rule design recommendations
- Use application rules (FQDN) for HTTP/S traffic and network rules for non-HTTP protocols.
- Order rules by intent: deny-listed first, then allow-lists for minimal exposure.
- Group related endpoints into rule collections to simplify management and auditing.
- Use service tags and FQDN tags where appropriate to avoid brittle IP lists.
- Implement explicit logging per rule collection for forensic traceability.
5 operational recommendations
- Test rule changes in staging; monitor hits before enforcing blocks.
- Use analytics to find high-hit allow rules that could be tightened.
- Document rationale and expected impact for each allow rule to speed reviews.
- Automate rule deployment through pipelines and code reviews to prevent human errors.
- Integrate firewall logs with SIEM to detect suspicious access patterns.
🔎
13. Network Watcher and Diagnostics
Network Watcher provides visibility - connection troubleshooters, packet capture, NSG flow logs and topology are key for Zero Trust ops.
5 Network Watcher recommendations
- Enable Network Watcher per region and centralize logs in Log Analytics or Storage for analysis.
- Use connection troubleshoot and IP flow verify to triage path/NSG issues quickly.
- Schedule packet captures for complex intermittent issues and retain short windows for privacy.
- Enable NSG flow logs and analyze them to detect east-west anomalies.
- Use topology and effective routes to validate expected traffic paths after changes.
5 operational uses
- Integrate flow logs with Sentinel/Log Analytics for pivoting and alerting.
- Use automated playbooks to run diagnostics when users report connectivity failures.
- Keep a catalog of common troubleshooting commands and packet capture filters.
- Rotate and secure diagnostic data; use retention policies for compliance.
- Use proactive synthetic tests to validate connectivity SLA from critical spokes to hubs.
🖥
14. VMs, NICs and Public IPs
VM/NIC design and public IP assignment directly influence exposure - enforce least-privilege network attachment.
5 design recommendations
- Avoid assigning public IPs to VMs unless necessary; use Load Balancer or Application Gateway for inbound access.
- Use multiple NICs for separation of management vs workload traffic where required.
- Implement Just-In-Time (JIT) for management access and lock management ports via NSG.
- Use managed identities and disable local accounts for control plane security.
- Enforce encryption at rest and secure boot for VM hardening.
5 operational best practices
- Audit public IPs periodically and reclaim unused addresses; centralize allocations via NAT Gateway when possible.
- Automate NIC tagging and naming for ownership and policy scoping.
- Monitor VM NIC metrics and NSG hits for unusual inbound attempts.
- Patch VMs regularly and use image pipelines to reduce drift.
- Use VM extensions and Azure Policy to enforce VM baseline configuration.
🔐
15. Azure Private Link
Private Link enables private access to PaaS and SaaS services over the Azure backbone, reducing public ingress exposure.
5 Private Link recommendations
- Use Private Endpoints to access Azure PaaS from VNets; avoid public endpoints for sensitive data.
- Restrict network access to storage/SQL via Private Link and remove public network access when possible.
- Design DNS carefully - use Private DNS zones integrated with VNets for resolution.
- Use approval workflows for service consumer assignments to Private Link resources.
- Combine Private Link with NSG rules and Firewall to enforce egress/ingress inspection.
5 operational tips
- Monitor private endpoint connections and test DNS resolution from spokes post-deployment.
- Log Private Link access and export logs for auditing and forensic use.
- Manage lifecycle: revoke endpoints on deprovisioning and verify access ACLs.
- Use network policies and NSGs to protect the private endpoint NICs.
- Document allowed consumer VNets and review periodically for orphaned endpoints.
📛
16. Azure Private DNS
Private DNS zones are essential to resolve Private Link and internal resources without public DNS leakage.
5 Private DNS recommendations
- Create dedicated Private DNS zones for internal and PaaS endpoints and link VNets explicitly.
- Automate zone linking/unlinking during VNet onboarding/offboarding to avoid stale records.
- Use conditional forwarding to on-prem DNS for hybrid name resolution needs.
- Lock down who can modify DNS zones with RBAC and separate owner roles.
- Use DNS zones naming conventions and TTL policies appropriate to application change frequency.
5 operational tips
- Monitor DNS queries to detect exfiltration attempts and anomalous resolution patterns.
- Use auditing to see who changed records and integrate with change control.
- Test split-horizon scenarios and ensure internal resolution prefers Private DNS.
- Secure zone records by limiting write access and using deployment pipelines for changes.
- Document DNS dependencies in runbooks for incident response.
🔗
17. Private Endpoints
Private Endpoints bring service access into your VNet via NICs - treat them as first-class network resources to secure.
5 Private Endpoint recommendations
- Lock down endpoint NICs with NSGs and limit which subnets host endpoints.
- Use endpoint policies and resource-level access control (RBAC) to govern who can create endpoints.
- Apply private DNS integration so clients resolve PaaS service names to private IPs.
- Avoid multi-tenant exposures: validate Service Provider access when using cross-tenant Private Link.
- Track and remove stale endpoints when service consumers are decommissioned.
5 operational controls
- Log successful/failed connections and monitor for unusual consumer patterns.
- Automate endpoint approval workflows and tag endpoints with consumer metadata.
- Run periodic scans to detect endpoints that expose sensitive services inadvertently.
- Ensure Endpoint DNS and routing are included in disaster recovery plans.
- Use policy to enforce private endpoint creation only in approved subnets.
🔁
18. Private Link Service (PLS)
PLS lets you publish your service privately to other VNets/tenants via private link connections; secure exposure is critical.
5 design recommendations
- Restrict which consumer subscriptions/tenants can connect; use approval workflows for consumer requests.
- Place PLS in isolated subnets and protect with NSGs; monitor inbound consumer traffic carefully.
- Define service quotas and scale targets to avoid resource exhaustion from malicious or accidental floods.
- Use mutual authentication and service-layer authorization in addition to network controls.
- Maintain clear documentation: consumer inventory, access justification and SLA expectations.
5 operational controls
- Rotate credentials and certificates for the PLS endpoints periodically.
- Monitor consumer connections, throughput and error rates to detect misuse.
- Use alerts for abnormal connection patterns and automated throttling where supported.
- Enforce least-privilege access and remove consumer permissions on deprovisioning.
- Perform penetration testing on the published service surface during change windows.
🔁
19. Application Gateway (App GW)
App GW provides L7 load-balancing, WAF (web application firewall) capabilities and is a key layer for Zero Trust edge controls.
5 design recommendations
- Use App GW V2 with autoscale and WAF v2 policy for production web workloads.
- Enable WAF policies with tuned rulesets and custom exclusions to reduce false positives.
- Combine App GW with Azure Front Door for global edge + regional WAF enforcement.
- Integrate with Private Link or internal load balancing for non-public web apps.
- Design subnets dedicated to App GW with route and NSG controls to limit lateral exposure.
5 operational practices
- Monitor WAF logs and tune rules; funnel alerts into SIEM for application-level threat hunting.
- Test WAF policy changes in detection mode before blocking to avoid service disruption.
- Use certificate management automation (Key Vault) for TLS certificates used by App GW.
- Monitor backend health probes and scale settings to avoid overload-related failures.
- Apply change control and runbook for breaking changes to routing and listener configs.
🌐
20. Azure Front Door
Front Door provides global edge routing, WAF and DDoS protection for cloud-native apps - combine with App GW for layered defense.
5 Front Door recommendations
- Use Front Door Premium for advanced WAF, private origins and enhanced routing controls.
- Place origin validation (managed private endpoints or IP allow-list) to reduce origin exposure.
- Leverage caching and health probes to improve resilience and reduce origin load.
- Configure WAF custom rules for app-specific patterns and bot management capabilities.
- Integrate with DDoS Protection Standard and monitor global traffic anomalies.
5 operational practices
- Validate origin access restrictions after Front Door changes and test failover scenarios.
- Monitor WAF rule hits and front-end metrics for sudden traffic spikes.
- Use bot protection features and telemetry to block abusive clients.
- Automate certificate renewal for TLS and use managed certs where possible.
- Audit routing configuration regularly to avoid unintentionally exposing internal origins.
🧭
21. Azure Traffic Manager and DNS
Traffic Manager provides DNS-based traffic routing (priority, performance, geo) - useful for global failover and distribution.
5 Traffic Manager recommendations
- Choose routing method based on objective: failover/priority for DR, performance for latency optimization.
- Use Traffic Manager for DNS-level health checks; align with origin health probes to avoid split-brain.
- Combine with Front Door or CDN for global performance plus regional failover strategies.
- Ensure TTL values balance failover speed and DNS churn/caching.
- Secure management access to DNS zones and use RBAC/audit for changes.
5 operational tips
- Monitor DNS failover events and ensure failback procedures are tested.
- Keep DNS records synchronized with infrastructure automation and CI/CD pipelines.
- Use diagnostic logs for Traffic Manager to troubleshoot unexpected routing behavior.
- Document global vs local DNS records and TTL rationale for operations teams.
- Validate geo-based routing with sampling tests from targeted regions.
⚖
22. Azure Load Balancer
Load Balancer provides L4 distribution and is fundamental for scaling stateless services and NAT scenarios.
5 design recommendations
- Choose Standard SKU for production: zone-redundant, private and public with more predictable behavior.
- Plan health probes and backend pools carefully; use probe ports distinct from application ports where necessary.
- Document inbound NAT rules and reserved static public IPs usage for predictable egress/ingress.
- Leverage Load Balancer outbound rules with NAT Gateway to scale SNAT resources.
- Architect for zones and cross-zone redundancy where SLA requires.
5 operational tips
- Monitor probe failures and backend health metrics to detect load imbalances quickly.
- Automate infrastructure changes and run pre-deployment checks on probe reachability.
- Use telemetry to detect connection storms or port exhaustion on backend VMs.
- Maintain clear mapping between LB rules and application endpoints for troubleshooting.
- Test failover scenarios across availability zones to validate continuity.
🚪
23. Transit, Allow Gateway Transit and Use Remote Gateway
Gateway transit flags (allowGatewayTransit/useRemoteGateway) control whether a VNet consumes another's gateway - essential for hub transit design.
5 design recommendations
- Only enable allowGatewayTransit on hub peerings and useRemoteGateway on spokes that must use hub gateway.
- Avoid transitive routing through peering; make transit explicit via UDRs and firewall/NVA enforcement.
- Use virtual WAN or Azure Firewall Manager for large-scale transit rather than ad-hoc gateway transit flags.
- Document which VNets are allowed to use hub gateways and why; automate checks to avoid drift.
- Limit gateway SKUs and capacity planning to match aggregated spoke demand.
5 operational tips
- Audit peering flags regularly to prevent unintended gateway sharing.
- Use effective routes and next hop diagnostics to validate traffic pathing through the hub gateway.
- Monitor gateway CPU, throughput and tunnel counts to avoid capacity issues from multiple spokes.
- Test failover and rekey behavior for spoke-to-hub connectivity during maintenance windows.
- Use RBAC to restrict who can toggle allowGatewayTransit/useRemoteGateway settings.
🌐
24. URL Filtering, IDS/IPS and Threat Intelligence
Blocking known-bad URLs and enabling IDS/IPS reduces exposure to web-based threats - integrate with threat feeds and SIEM.
5 design recommendations
- Use URL filtering in Azure Firewall/Application Gateway WAF or NGFW to block malicious domains and categories.
- Enable IDS/IPS (Azure Firewall Premium or partner) with tuned rules to reduce false positives.
- Integrate threat intelligence (auto-block) to quickly mitigate known malicious endpoints.
- Combine URL filtering with DNS-layer protection to block at multiple layers.
- Implement explicit allow-lists for critical service integrations to prevent accidental blockages.
5 operational practices
- Monitor blocked URL hits and false positives; provide a fast-track review and exception process.
- Use SIEM to correlate IDS/IPS events with user/device identity for root-cause analysis.
- Keep threat intelligence feeds updated and tune auto-block settings based on business risk appetite.
- Periodically review allowed categories and update filters for new business services.
- Test URL filtering impact on CI/CD pipelines and service endpoints to avoid disruption.
🛠
25. Troubleshooting Examples and PowerShell Commands (Network)
Practical triage steps and Graph/Az/Net cmdlets to diagnose common networking issues in Azure.
Troubleshooting checklist (common network failures)
- VMs can't reach an internal PaaS endpoint - check Private Endpoint health, Private DNS resolution, effective routes and NSG flow logs (Network Watcher IP flow verify).
- Spoke cannot reach internet after UDR change - inspect effective routes, next hop, and NAT gateway configuration; verify Firewall SNAT pool and egress UDRs.
- VPN tunnel flapping or BGP not converging - review gateway diagnostics, BGP peer status, pre-shared keys/certificates and MTU settings on on-prem device.
- Firewall blocking legitimate traffic - check rule hit counts, application/FQDN rules, TLS inspection exceptions and WAF logs; test in detect mode to gather hits.
- DNS resolution inconsistent between regions - validate Private DNS zone links, conditional forwarding, and Front Door origin DNS vs Private Link resolution paths.
PowerShell / Azure CLI snippets (network-focused)
Note: run these with least-privilege accounts and test in a pilot subscription first.
# Login (Az module)
Connect-AzAccount
# List VNets and address spaces
Get-AzVirtualNetwork | Select-Object ResourceGroupName,Name,Location,AddressSpace
# Show peering status for a VNet
Get-AzVirtualNetworkPeering -VirtualNetworkName "vnet-name" -ResourceGroupName "rg-name" | Format-Table Name,PeeringState,AllowGatewayTransit,UseRemoteGateways
# Get effective routes for a NIC's subnet (via Network Watcher)
Get-AzEffectiveRouteTable -NetworkInterfaceId "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/networkInterfaces/{nic}"
# NSG rules and flow logs
Get-AzNetworkSecurityGroup -ResourceGroupName "rg" -Name "nsg-name" | Select-Object -ExpandProperty SecurityRules
# Enable NSG flow logs (example)
Set-AzNetworkWatcherConfigFlowLog -NetworkSecurityGroupId "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/networkSecurityGroups/{nsg}"
-Enabled $true -StorageId "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{sa}" -RetentionDays 30
# Check Azure Firewall rules hit counts (logs via Log Analytics recommended)
# List Azure Firewall public IPs and SKU
Get-AzPublicIpAddress -ResourceGroupName "rg" | Where-Object {$_.IpConfiguration -and $_.Sku -like "*Firewall*"}
# VPN gateway troubleshooting: show connections
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName "rg" | Format-Table Name,ConnectionStatus,IngressBytes,EGressBytes
# Private Endpoint list and connection state
Get-AzPrivateEndpoint -ResourceGroupName "rg" | Select-Object Name,PrivateLinkServiceConnections
# Validate DNS resolution from a VM (run in VM via run-command)
Invoke-AzVMRunCommand -ResourceGroupName "rg" -Name "vmname" -CommandId 'RunShellScript' -ScriptString 'nslookup storageaccount.blob.core.windows.net'
Tip: pilot changes in a segmented test tenant, collect logs (FW, NSG flow, Network Watcher), and keep audit-ready exports of route tables, peerings and firewall rules.
This article was originally published on 2025-NOV-16 and last reviewed on 2025-NOV-18.