
Network Security Groups (NSG) in Azure - Commands & Configuration

Introduction
Network Security Groups help control traffic to and from your cloud resources by allowing or blocking network connections. They act like a security guard that decides who can enter or leave your virtual network.
When you want to allow only specific types of traffic to your virtual machines, like web traffic on port 80.
When you need to block unwanted access from the internet to your database servers.
When you want to separate different parts of your application with different security rules.
When you want to monitor and control traffic flow in your cloud network for better security.
When you want to quickly update security rules without changing your virtual machines.
Config File - nsg-template.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2022-05-01",
      "name": "example-nsg",
      "location": "eastus",
      "properties": {
        "securityRules": [
          {
            "name": "AllowHTTP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "80",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 100,
              "direction": "Inbound"
            }
          },
          {
            "name": "DenyAllInbound",
            "properties": {
              "protocol": "*",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Deny",
              "priority": 4096,
              "direction": "Inbound"
            }
          }
        ]
      }
    }
  ]
}

This JSON file is an Azure Resource Manager (ARM) template that creates a Network Security Group named example-nsg in the eastus region.

It has two rules: AllowHTTP lets inbound TCP traffic on port 80 from any source, and DenyAllInbound blocks all other inbound traffic as a fallback.

Each rule has a priority number; lower numbers have higher priority.

Commands
This command creates a new Network Security Group named example-nsg in the example-rg resource group located in eastus region.
Terminal
az network nsg create --resource-group example-rg --name example-nsg --location eastus
Expected Output
{
  "NewNSG": {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/networkSecurityGroups/example-nsg",
    "location": "eastus",
    "name": "example-nsg",
    "resourceGroup": "example-rg",
    "securityRules": [],
    "type": "Microsoft.Network/networkSecurityGroups"
  }
}
--resource-group - Specifies the resource group where the NSG will be created
--name - Sets the name of the Network Security Group
--location - Defines the Azure region for the NSG
This command adds a rule named AllowHTTP to the example-nsg NSG to allow inbound TCP traffic on port 80 from any source.
Terminal
az network nsg rule create --resource-group example-rg --nsg-name example-nsg --name AllowHTTP --protocol Tcp --direction Inbound --priority 100 --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 80 --access Allow
Expected Output
{
  "access": "Allow",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationPortRange": "80",
  "direction": "Inbound",
  "name": "AllowHTTP",
  "priority": 100,
  "protocol": "Tcp",
  "sourceAddressPrefix": "*",
  "sourcePortRange": "*",
  "provisioningState": "Succeeded"
}
--priority - Sets the priority of the rule; lower numbers are higher priority
--direction - Specifies if the rule applies to inbound or outbound traffic
--access - Defines whether to allow or deny the traffic
This command adds a rule named DenyAllInbound to block all other inbound traffic not matched by higher priority rules.
Terminal
az network nsg rule create --resource-group example-rg --nsg-name example-nsg --name DenyAllInbound --protocol '*' --direction Inbound --priority 4096 --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges '*' --access Deny
Expected Output
{
  "access": "Deny",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationPortRange": "*",
  "direction": "Inbound",
  "name": "DenyAllInbound",
  "priority": 4096,
  "protocol": "*",
  "sourceAddressPrefix": "*",
  "sourcePortRange": "*",
  "provisioningState": "Succeeded"
}
--priority - Sets a high priority number to ensure this rule is evaluated after others
--access - Blocks the traffic
This command shows the details of the example-nsg to verify the rules are applied correctly.
Terminal
az network nsg show --resource-group example-rg --name example-nsg
Expected Output
{
  "name": "example-nsg",
  "resourceGroup": "example-rg",
  "securityRules": [
    {
      "name": "AllowHTTP",
      "properties": {
        "access": "Allow",
        "direction": "Inbound",
        "priority": 100,
        "protocol": "Tcp",
        "sourceAddressPrefix": "*",
        "sourcePortRange": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "80"
      }
    },
    {
      "name": "DenyAllInbound",
      "properties": {
        "access": "Deny",
        "direction": "Inbound",
        "priority": 4096,
        "protocol": "*",
        "sourceAddressPrefix": "*",
        "sourcePortRange": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "*"
      }
    }
  ]
}
--resource-group - Specifies the resource group of the NSG
--name - Specifies the NSG name to show details
Key Concept

If you remember nothing else from this pattern, remember: Network Security Groups control who can talk to your cloud resources by setting simple allow or deny rules based on ports, protocols, and directions.

Common Mistakes
Setting the same priority number for multiple rules
Azure requires unique priority numbers; duplicate priorities cause errors or unexpected rule evaluation.
Assign a unique priority number to each rule, with lower numbers evaluated first.
Not specifying the direction of traffic in rules
If you omit the direction, the CLI applies its default (Inbound), so a rule you meant for outbound traffic may not behave as expected and leave that traffic unfiltered.
Always specify --direction as Inbound or Outbound to clearly define the rule's scope.
Forgetting to create a deny rule for unwanted traffic
Without explicit deny rules, some traffic might be allowed by default, exposing resources.
Add a catch-all deny rule with a high priority number to block all traffic not explicitly allowed.
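The rule semantics explained under the template above (lower priority number evaluated first, first match decides) and the three Common Mistakes in this section can both be checked offline. The Python script below is an added example written for this page, not the page's own code and not Azure tooling: it parses the securityRules of an ARM template shaped like nsg-template.json, lints them for duplicate priorities, a missing direction, an out-of-range priority and a missing catch-all deny, then evaluates sample flows against the user rules together with Azure's built-in default inbound rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500, which is why "some traffic might be allowed by default" without an explicit deny). The 10.0.0.0/16 VNet range, the sample flows, and the reduction of the VirtualNetwork and AzureLoadBalancer service tags to fixed prefixes are assumptions of this model; outbound default rules are not modelled.

```python
import ipaddress
import json

# Constructed sample input: the two securityRules from the page's nsg-template.json.
NSG_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "example-nsg",
      "properties": {
        "securityRules": [
          {"name": "AllowHTTP", "properties": {"protocol": "Tcp", "sourcePortRange": "*",
            "destinationPortRange": "80", "sourceAddressPrefix": "*",
            "destinationAddressPrefix": "*", "access": "Allow", "priority": 100,
            "direction": "Inbound"}},
          {"name": "DenyAllInbound", "properties": {"protocol": "*", "sourcePortRange": "*",
            "destinationPortRange": "*", "sourceAddressPrefix": "*",
            "destinationAddressPrefix": "*", "access": "Deny", "priority": 4096,
            "direction": "Inbound"}}
        ]
      }
    }
  ]
}
""")

# Azure's three built-in default inbound rules at their real priorities.
# Only inbound defaults are modelled here.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
     "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationAddressPrefix": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
     "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"},
]

# Assumption: service tags resolved to fixed prefixes for this offline model
# (a constructed 10.0.0.0/16 VNet; 168.63.129.16 is the Azure load-balancer probe address).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


def load_rules(template):
    """Flatten the ARM template's securityRules into one dict per rule."""
    nsg = next(r for r in template["resources"]
               if r["type"] == "Microsoft.Network/networkSecurityGroups")
    return [{"name": r["name"], **r["properties"]} for r in nsg["properties"]["securityRules"]]


def lint_rules(rules):
    """Flag the mistakes listed on the page: duplicate priority, missing direction,
    priority outside the custom-rule range 100-4096, no explicit catch-all inbound deny."""
    problems, seen = [], {}
    for r in rules:
        direction = r.get("direction")
        if direction not in ("Inbound", "Outbound"):
            problems.append(f"{r['name']}: direction missing or invalid")
        if not 100 <= r["priority"] <= 4096:
            problems.append(f"{r['name']}: priority {r['priority']} outside 100-4096")
        key = (direction, r["priority"])
        if key in seen:
            problems.append(f"{r['name']}: duplicate {direction} priority {r['priority']} "
                            f"(also used by {seen[key]})")
        seen[key] = r["name"]
    catch_all = any(r["access"] == "Deny" and r.get("direction") == "Inbound"
                    and all(r[k] == "*" for k in ("protocol", "sourceAddressPrefix",
                                                   "destinationAddressPrefix",
                                                   "destinationPortRange"))
                    for r in rules)
    if not catch_all:
        problems.append("no explicit catch-all inbound Deny rule")
    return problems


def _port_ok(spec, port):
    """Match a scalar port spec: '*', '80', or a range like '1024-65535'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _addr_ok(spec, addr):
    """Match '*', a service tag from SERVICE_TAGS, or a CIDR/host prefix."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in SERVICE_TAGS.get(spec, [spec]))


def evaluate(rules, flow):
    """First-match evaluation in ascending priority order over the user rules plus
    Azure's default inbound rules. Returns (access, name of the matching rule)."""
    candidates = [r for r in rules + DEFAULT_INBOUND_RULES if r["direction"] == flow["direction"]]
    for r in sorted(candidates, key=lambda r: r["priority"]):
        if ((r["protocol"] == "*" or r["protocol"].lower() == flow["protocol"].lower())
                and _port_ok(r["sourcePortRange"], flow["src_port"])
                and _port_ok(r["destinationPortRange"], flow["dst_port"])
                and _addr_ok(r["sourceAddressPrefix"], flow["src"])
                and _addr_ok(r["destinationAddressPrefix"], flow["dst"])):
            return r["access"], r["name"]
    return "Deny", "(no rule matched)"


if __name__ == "__main__":
    rules = load_rules(NSG_TEMPLATE)
    print("lint:", lint_rules(rules) or "ok")
    # Constructed flows: internet client to the web port, and a VNet peer to a database port.
    web = {"direction": "Inbound", "protocol": "Tcp", "src": "203.0.113.5", "src_port": 51000,
           "dst": "10.0.1.4", "dst_port": 80}
    db = dict(web, src="10.0.2.7", dst_port=3306)
    print("web, full rule set:", evaluate(rules, web))
    print("db from VNet, full rule set:", evaluate(rules, db))
    print("db from VNet, catch-all deny removed:", evaluate(rules[:1], db))
```

Running it shows why the page's catch-all matters: with DenyAllInbound at 4096 present, only port 80 gets through; with it removed, a connection from another subnet of the VNet to port 3306 is allowed by the default AllowVnetInBound rule at 65000, because the default DenyAllInBound sits behind it at 65500.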
Summary
Create a Network Security Group to start controlling network traffic.
Add rules with specific priorities to allow or deny traffic on certain ports and protocols.
Verify the NSG and its rules to ensure your security settings are applied correctly.