I'm having some difficulties when creating a VNET/Subnet. I'm also making use of ASE and for that I can only use a Classic VNET.
Azure offers two types of VNET. Depending on how you create it (via Azure Portal, xplat-cli, old portal, powershell) this VNET can be "Classic" (indicated by the "<...>" icon in blue) or "Resource Manager (indicated by the icon "<...>" in green).
As far I can see, it doesn't seems possible to assign a NSG to a Classic VNET. Does it means that I cannot have a NSG over my ASE (because ASE can only be created ontop of Classic VNETs) ? This doesn't seems right..
Assuming you use Powershell, Set-AzureNetworkSecurityGroupToSubnet cmdlet in service management mode will associate a NSG to a subnet.
Update:
PS> Switch-AzureMode AzureServiceManagement
PS> (Get-AzureVNetSite -VNetName "Group vnetnsg vnetnsg").Subnets
Name AddressPrefix ExtensionData
---- ------------- -------------
default 10.0.0.0/24
subnet-1 10.0.1.0/24
PS> New-AzureNetworkSecurityGroup -Name "NsgOnSubnet" -Location "West Europe"
Name Location Label
---- -------- -----
NsgOnSubnet West Europe
PS> Set-AzureNetworkSecurityGroupToSubnet -Name NsgOnSubnet -VirtualNetworkName "Group vnetnsg vnetnsg" -SubnetName "subnet-1"
PS> Get-AzureNetworkSecurityGroupAssociation -VirtualNetworkName "Group vnetnsg vnetnsg" -SubnetName "subnet-1"
Name Location Label
---- -------- -----
NsgOnSubnet West Europe