
Network Security Groups

Network Security Groups (NSGs) filter inbound and outbound traffic for Azure resources. Rules are evaluated by priority — lower numbers are evaluated first. The first matching rule wins.

Key Concepts

  • Inbound rules — control traffic arriving at the resource or subnet
  • Outbound rules — control traffic leaving the resource or subnet
  • Priority — range 100–4096; lower = higher priority
  • Default rules — Azure adds default allow/deny rules at priority 65000–65500 that cannot be deleted, though a custom rule with a lower priority number overrides them
  • Association — NSGs can be associated with a subnet, a NIC, or both

Create an NSG

New-AzNetworkSecurityGroup `
  -ResourceGroupName "rg-network-prod-uks-01" `
  -Name "nsg-app-prod" `
  -Location "uksouth"

Add Inbound Rules

$nsg = Get-AzNetworkSecurityGroup `
  -ResourceGroupName "rg-network-prod-uks-01" `
  -Name "nsg-app-prod"

# Allow HTTPS from anywhere
$nsg | Add-AzNetworkSecurityRuleConfig `
  -Name "Allow-HTTPS-Inbound" `
  -Priority 100 `
  -Direction Inbound `
  -Access Allow `
  -Protocol Tcp `
  -DestinationPortRange 443 `
  -SourceAddressPrefix "*" `
  -SourcePortRange "*" `
  -DestinationAddressPrefix "*"

# Allow SSH from a specific IP only
$nsg | Add-AzNetworkSecurityRuleConfig `
  -Name "Allow-SSH-Office" `
  -Priority 110 `
  -Direction Inbound `
  -Access Allow `
  -Protocol Tcp `
  -DestinationPortRange 22 `
  -SourceAddressPrefix "203.0.113.10" `
  -SourcePortRange "*" `
  -DestinationAddressPrefix "*"

# Deny all other inbound traffic
$nsg | Add-AzNetworkSecurityRuleConfig `
  -Name "Deny-All-Inbound" `
  -Priority 4000 `
  -Direction Inbound `
  -Access Deny `
  -Protocol "*" `
  -DestinationPortRange "*" `
  -SourceAddressPrefix "*" `
  -SourcePortRange "*" `
  -DestinationAddressPrefix "*"

# Save changes
$nsg | Set-AzNetworkSecurityGroup

Add Outbound Rules

$nsg = Get-AzNetworkSecurityGroup `
  -ResourceGroupName "rg-network-prod-uks-01" `
  -Name "nsg-app-prod"

# Block outbound traffic from this NSG to the management subnet
$nsg | Add-AzNetworkSecurityRuleConfig `
  -Name "Deny-Mgmt-Outbound" `
  -Priority 200 `
  -Direction Outbound `
  -Access Deny `
  -Protocol "*" `
  -DestinationPortRange "*" `
  -SourceAddressPrefix "*" `
  -SourcePortRange "*" `
  -DestinationAddressPrefix "10.0.10.0/24"

$nsg | Set-AzNetworkSecurityGroup

Associate an NSG with a Subnet

$nsg  = Get-AzNetworkSecurityGroup -ResourceGroupName "rg-network-prod-uks-01" -Name "nsg-app-prod"
$vnet = Get-AzVirtualNetwork       -ResourceGroupName "rg-network-prod-uks-01" -Name "vnet-prod-uks-01"

Set-AzVirtualNetworkSubnetConfig `
  -VirtualNetwork $vnet `
  -Name "snet-app" `
  -AddressPrefix "10.0.1.0/24" `
  -NetworkSecurityGroup $nsg

# The subnet change is only persisted when the VNet is written back
$vnet | Set-AzVirtualNetwork

Inspect Rules

# List all rules in an NSG
$nsg = Get-AzNetworkSecurityGroup `
  -ResourceGroupName "rg-network-prod-uks-01" `
  -Name "nsg-app-prod"

$nsg.SecurityRules | Format-Table Name, Priority, Direction, Access, Protocol, DestinationPortRange

# Show effective rules applied to a NIC (subnet NSG + NIC NSG + default rules combined)
Get-AzEffectiveNetworkSecurityGroup `
  -ResourceGroupName "rg-vms-prod-uks-01" `
  -NetworkInterfaceName "nic-vm-app-01"

Best Practices

  • Associate NSGs at the subnet level for broad control; use NIC-level NSGs only for exceptions
  • Use priority gaps (100, 200, 300) rather than consecutive numbers to leave room for future rules
  • Avoid Any/* source addresses for management ports (SSH, RDP) — restrict to known IPs or use Azure Bastion
  • Use service tags (e.g. AzureLoadBalancer, VirtualNetwork) instead of hardcoding IP ranges where possible
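As an added example (not part of the original page), a small PowerShell dry-run that applies the lowest-priority-number-first, first-match semantics described under Key Concepts to a constructed copy of the three inbound rules created above, and checks the best-practice point about Any/* sources on management ports. The rule objects, Test-NsgFlow and Find-OpenManagementRule are constructed for this example; service tags are not resolved, and against a live NSG you would feed it (Get-AzNetworkSecurityGroup ...).SecurityRules instead.

```powershell
# Constructed copy of the three inbound rules added above (not fetched from Azure); for a live NSG use
# $rules = (Get-AzNetworkSecurityGroup -ResourceGroupName 'rg-network-prod-uks-01' -Name 'nsg-app-prod').SecurityRules
$rules = @(
    [pscustomobject]@{ Name='Allow-HTTPS-Inbound'; Priority=100;  Direction='Inbound'; Access='Allow'; Protocol='Tcp'; SourceAddressPrefix='*';            DestinationPortRange='443' }
    [pscustomobject]@{ Name='Allow-SSH-Office';    Priority=110;  Direction='Inbound'; Access='Allow'; Protocol='Tcp'; SourceAddressPrefix='203.0.113.10'; DestinationPortRange='22' }
    [pscustomobject]@{ Name='Deny-All-Inbound';    Priority=4000; Direction='Inbound'; Access='Deny';  Protocol='*';   SourceAddressPrefix='*';            DestinationPortRange='*' }
)

$toInt = { param([ipaddress]$Ip) $b = $Ip.GetAddressBytes(); [array]::Reverse($b); [BitConverter]::ToUInt32($b, 0) }  # IPv4 -> host-order uint32
function Test-PrefixMatch([string]$Prefix, [string]$Ip) {
    if ($Prefix -eq '*') { return $true }
    if ($Prefix -notmatch '^\d') { return $false }             # service tags (VirtualNetwork, Internet, ...) are not resolved here
    $net, $bits = $Prefix -split '/'
    if (-not $bits) { return $Prefix -eq $Ip }                 # single host, no CIDR length
    $mask = ([long]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return ((& $toInt $net) -band $mask) -eq ((& $toInt $Ip) -band $mask)
}
function Test-PortMatch([string]$Range, [int]$Port) {
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range -split '-'                               # '443' or '1000-2000'
    if (-not $hi) { $hi = $lo }
    return ($Port -ge [int]$lo) -and ($Port -le [int]$hi)
}

function Test-NsgFlow {
    param([object[]]$Rules, [string]$Direction, [string]$SourceIp, [int]$DestPort, [string]$Protocol = 'Tcp')
    # Azure semantics: only rules for this direction, lowest priority number first, first match decides.
    foreach ($r in ($Rules | Where-Object Direction -eq $Direction | Sort-Object Priority)) {
        $proto = ($r.Protocol -eq '*') -or ($r.Protocol -eq $Protocol)
        $port  = @(@($r.DestinationPortRange) | Where-Object { Test-PortMatch $_ $DestPort }).Count -gt 0
        $src   = @(@($r.SourceAddressPrefix)  | Where-Object { Test-PrefixMatch $_ $SourceIp }).Count -gt 0
        if ($proto -and $port -and $src) { return [pscustomobject]@{ Access = $r.Access; MatchedRule = $r.Name } }
    }
    # Nothing matched: the non-deletable default rules (65000-65500) decide; for inbound that ends in DenyAllInBound.
    return [pscustomobject]@{ Access = 'DefaultRules'; MatchedRule = $null }
}

# Best-practice check: inbound Allow rules that expose SSH/RDP to any source.
function Find-OpenManagementRule([object[]]$Rules) {
    $Rules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        (@($_.SourceAddressPrefix) | Where-Object { $_ -in '*', 'Internet' }) -and
        (@($_.DestinationPortRange) | Where-Object { (Test-PortMatch $_ 22) -or (Test-PortMatch $_ 3389) })
    }
}
Test-NsgFlow -Rules $rules -Direction Inbound -SourceIp '203.0.113.10' -DestPort 22    # SSH from the office IP
Test-NsgFlow -Rules $rules -Direction Inbound -SourceIp '198.51.100.7' -DestPort 22    # SSH from an unknown address
Test-NsgFlow -Rules $rules -Direction Inbound -SourceIp '198.51.100.7' -DestPort 443   # HTTPS from an unknown address
Find-OpenManagementRule $rules                                                       # audit for Any/* management access
```

The first call resolves to Allow-SSH-Office, the second falls through to Deny-All-Inbound and the third to Allow-HTTPS-Inbound; the audit returns nothing because SSH is pinned to a single source, and it would list the rule if the source were changed to "*".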