Introduction
After explaining the basics of Azure networking in my previous blog, I will continue with the possibilities that are available in Azure to secure your network.
Network Security Group (NSG)

One of the first things that you want to create is a network security group, often shortened by NSG. A network security group is an access control list that filters network traffic to and from Azure resources (source). A network security group contains a list of security rules that allows or denies access to an Azure resource. Network Security Groups can be associated to either a Network Interface Card (NIC) or a subnet within a virtual network (VNET). What would be best is up to you, but in my humble opinion you should have a network security group at the subnet level, and here is why. When securing a network, you want to have the layer of security as close to the endpoint as you can see in option 1.

This means that, when securing a virtual machine in Azure, you need the security at the virtual machine’s network interface card. When you have only one server in Azure this is a good solution, but when having 10 or more you need to maintain a NSG per virtual server. So, in order to have some overview and reduce the time to manage the network security groups, create a network security group at subnet level as you can see in option 2. There is no network security group at the GatewaySubnet because this is not supported. By creating a network security group at subnet level, you will reduce the management and get a cleaner environment. To keep the rules limited in these security groups, you can use application security groups.
Application Security Group (ASG)

The way how I see application security groups is kinda like tags. These tags should be set on a virtual machine at the networking tab (see picture). The application security group that you want to set should be in the same region as the network interface. The great thing about application security groups is that when you have multiple virtual machines providing the same functionality, you can group them in the same application security group. For example, when you have two or more web servers running in a virtual network. A common scenario is that web servers need ports to be opened in the Network Security Group like TCP 443 for a secure web connection. When you add application security groups to these servers, you have to create only one ASG rule within the Network Security Group and you can add multiple virtual machine afterwards without editing the Network Security Group
Conclusion
Always create Network Security Groups on at least subnet level and use Application Security Groups when you combine virtual machines with the same purpose.
Useful links