Our organization is re-evaluating our Azure security model for a large-scale application migration. We’ve traditionally used network segmentation with NSGs and VNet peering to isolate tiers (web/app/data), but leadership is pushing toward Zero Trust architecture.
The Zero Trust approach emphasizes identity-based access over network location, which sounds great in theory, but I’m concerned about practical implementation. Our current NSG-based model is straightforward - web tier can only talk to app tier, app tier to data tier, everything else denied. Moving to Zero Trust seems to require managed identities, conditional access policies, and potentially rearchitecting how services authenticate.
Looking for real-world experiences: Has anyone transitioned from traditional network segmentation to Zero Trust in Azure? How do the two models compare for micro-segmentation and maintaining security posture?
You don’t have to choose one or the other - they’re complementary. We kept NSGs for network-level defense but added identity-based access on top. NSGs prevent lateral movement if a VM is compromised, while managed identities ensure legitimate services authenticate properly. Think defense in depth rather than replacement.
The identity-based approach requires more upfront work but pays off long-term. We migrated 40 applications over 6 months. Key changes: every service got a managed identity, all service-to-service calls use Azure AD tokens, and we implemented conditional access policies that check device compliance and sign-in risk. NSGs still exist but they’re more permissive now since identity handles the real access control. The benefit is we can enforce MFA and device checks even for internal service calls.
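The layered model described in the two replies above, as an added example that is not part of this thread and not Azure's own evaluation logic: a small Python model of an NSG rule table for the web/app/data tiers from the original question (lowest priority number wins, explicit deny-all at the bottom) with an identity check on top (audience, expiry, device compliance and sign-in risk, standing in for a validated Azure AD token plus conditional access). The subnets, audiences, claim names and timestamps are constructed for the illustration; the point it shows is that a request has to clear both layers, so a compromised web VM cannot reach the data tier even with a valid token, and an app VM with a valid network path still fails without an acceptable token.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed tier subnets (hypothetical values for this example)
WEB_SUBNET = "10.0.1.0/24"
APP_SUBNET = "10.0.2.0/24"
DATA_SUBNET = "10.0.3.0/24"

# Ordering used by the identity layer for the sign-in risk claim
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class NsgRule:
    priority: int           # lower number is evaluated first, as in Azure NSGs
    source: str             # source CIDR
    dest: str               # destination CIDR
    port: Optional[int]     # None means any port
    action: str             # "Allow" or "Deny"


# The classic tiered model from the question: web -> app, app -> data, deny the rest
NSG_RULES: List[NsgRule] = [
    NsgRule(100, WEB_SUBNET, APP_SUBNET, 443, "Allow"),
    NsgRule(110, APP_SUBNET, DATA_SUBNET, 1433, "Allow"),
    NsgRule(4096, "0.0.0.0/0", "0.0.0.0/0", None, "Deny"),  # explicit catch-all deny
]


def network_allows(src_ip: str, dst_ip: str, port: int,
                   rules: List[NsgRule] = NSG_RULES) -> bool:
    """First matching rule in priority order decides; no match is an implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (src in ipaddress.ip_network(rule.source)
                and dst in ipaddress.ip_network(rule.dest)
                and (rule.port is None or rule.port == port)):
            return rule.action == "Allow"
    return False


def identity_allows(token: Optional[Dict[str, Any]], expected_audience: str,
                    max_risk: str = "low", now: Optional[float] = None) -> Tuple[bool, str]:
    """Toy stand-in for token validation plus a conditional access policy.

    `token` is a dict of claims (constructed for this example); a real deployment
    would verify the JWT signature and issuer before looking at any claim.
    """
    if token is None:
        return False, "no token presented"
    now = time.time() if now is None else now
    if token.get("exp", 0) <= now:
        return False, "token expired"
    if token.get("aud") != expected_audience:
        return False, "audience mismatch"
    if not token.get("device_compliant", False):
        return False, "device not compliant"
    risk = RISK_ORDER.get(token.get("sign_in_risk", "high"), RISK_ORDER["high"])
    if risk > RISK_ORDER[max_risk]:
        return False, "sign-in risk too high"
    return True, "identity ok"


def authorize(src_ip: str, dst_ip: str, port: int, token: Optional[Dict[str, Any]],
              expected_audience: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Defense in depth: the NSG layer is consulted first, then the identity layer."""
    if not network_allows(src_ip, dst_ip, port):
        return False, "blocked by NSG"
    ok, reason = identity_allows(token, expected_audience, now=now)
    if not ok:
        return False, reason
    return True, "allowed: network and identity checks passed"


# Constructed clock and tokens so the example runs deterministically offline
NOW = 1_700_000_000.0
GOOD_APP_TOKEN = {"aud": "api://app-tier", "exp": NOW + 3600,
                  "device_compliant": True, "sign_in_risk": "low"}
GOOD_DATA_TOKEN = {"aud": "api://data-tier", "exp": NOW + 3600,
                   "device_compliant": True, "sign_in_risk": "low"}
RISKY_DATA_TOKEN = dict(GOOD_DATA_TOKEN, sign_in_risk="high")


def demo() -> List[Tuple[str, bool, str]]:
    cases = [
        ("web -> app, good token", "10.0.1.10", "10.0.2.10", 443, GOOD_APP_TOKEN, "api://app-tier"),
        ("web -> data, good token", "10.0.1.10", "10.0.3.10", 1433, GOOD_DATA_TOKEN, "api://data-tier"),
        ("app -> data, no token", "10.0.2.10", "10.0.3.10", 1433, None, "api://data-tier"),
        ("app -> data, risky sign-in", "10.0.2.10", "10.0.3.10", 1433, RISKY_DATA_TOKEN, "api://data-tier"),
        ("app -> data, good token", "10.0.2.10", "10.0.3.10", 1433, GOOD_DATA_TOKEN, "api://data-tier"),
    ]
    return [(name, *authorize(s, d, p, t, aud, now=NOW)) for name, s, d, p, t, aud in cases]


if __name__ == "__main__":
    for name, ok, reason in demo():
        print(f"{name:32s} {'ALLOW' if ok else 'DENY ':5s} {reason}")
```

The NSG table stays as restrictive as it was; the identity layer only adds conditions. Loosening the NSG rules the way the second reply describes would be a separate decision, and the model makes the trade-off visible: every path you open at the network layer is then protected only by what `identity_allows` enforces.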
The hybrid approach makes sense. How do you handle the operational overhead? Seems like identity-based policies require more ongoing management than static NSG rules.