Here is a quick example of using Network Security Group (NSG) within Microsoft Azure to protect your workload. In terms of design perspective you would setup a Virtual Network and then attach a large address space. This would then be carved into smaller subnets for various workload like Internet facing traffic, middle-tier applications and back-end applications. To control the traffic flow and enable security you can apply multiple NSG’s. The effect would be as per diagram.
Note: Always check https://azure.microsoft.com for up to date information