The production vNet is currently a /20. At the moment it is split into two /24 subnets: one for standard production VMs, the other for the DMZ.
A new /28 subnet will be created within the same vNet. This provides 11 usable IP addresses (Microsoft reserves 5 addresses in every Azure subnet for the platform). 11 IPs is more than we require, but the next smaller option only gives 3, which is under our requirement.
Network Security Group
The NSG we use is assigned at the subnet level. I do not tend to apply them directly to the network cards unless we are trying to lock down the VM from what would be the equivalent of Layer 2 devices.
We allow ports 25, 42, 135, 137, 139, 389, 636, 88, 53, 445, 9389, 5722, 464, 123, 138, 67, 1024-5000 and 49152-65535 to the domain controllers specified in the Destination IP range.
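As an added example (not part of the original design note), the following Python script carves the next free /28 out of a /20 that already holds two /24s, applies Azure's five-address reservation to show why a /28 yields 11 hosts and the next size down only 3, and expands the port list above into ARM-style NSG security rules scoped to the domain controller prefix. The vNet and subnet addresses are constructed values, and the rules are assumed to be inbound on the DC subnet's NSG.

```python
import ipaddress

# Azure reserves five addresses per subnet: network, gateway, two DNS, broadcast.
AZURE_RESERVED = 5

# Constructed values: a /20 production vNet holding two existing /24s (prod VMs, DMZ).
VNET = ipaddress.ip_network("10.1.0.0/20")
EXISTING = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.1.1.0/24")]

# Ports allowed towards the domain controllers, as listed in the note.
DC_PORTS = "25,42,135,137,139,389,636,88,53,445,9389,5722,464,123,138,67,1024-5000,49152-65535"


def usable_hosts(prefixlen: int) -> int:
    """Addresses a VM can actually take in an Azure subnet of this size."""
    return max(0, 2 ** (32 - prefixlen) - AZURE_RESERVED)


def next_free_subnet(vnet, existing, prefixlen):
    """First subnet of the requested size that overlaps none of the existing ones."""
    for cand in vnet.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(e) for e in existing):
            return cand
    raise ValueError("vNet has no free space at that prefix length")


def nsg_rules(ports: str, dc_prefixes: list, start_priority: int = 100) -> list:
    """ARM-style securityRules: one Allow rule per port or range, DC prefixes only."""
    rules = []
    for i, port in enumerate(ports.split(",")):
        lo, _, hi = port.partition("-")
        if not (0 <= int(lo) <= 65535 and (not hi or int(lo) <= int(hi) <= 65535)):
            raise ValueError(f"bad port range {port!r}")
        rules.append({
            "name": f"allow-dc-{port.replace('-', '_')}",
            "properties": {
                "priority": start_priority + i,          # NSG priorities run 100-4096
                "direction": "Inbound",                  # assumption: NSG on the DC subnet
                "access": "Allow",
                "protocol": "*",                         # the note does not split TCP/UDP
                "sourceAddressPrefix": "VirtualNetwork",
                "sourcePortRange": "*",
                "destinationAddressPrefixes": dc_prefixes,
                "destinationPortRange": port,
            },
        })
    return rules


if __name__ == "__main__":
    dc_subnet = next_free_subnet(VNET, EXISTING, 28)
    print(dc_subnet, "usable:", usable_hosts(28), "| a /29 would give:", usable_hosts(29))
    for r in nsg_rules(DC_PORTS, [str(dc_subnet)]):
        print(r["properties"]["priority"], r["name"], r["properties"]["destinationPortRange"])
```

The generated list can be dropped into the `securityRules` array of a `Microsoft.Network/networkSecurityGroups` resource; a deny-all rule at a lower priority should follow it if the default rules are not sufficient.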