
NSG rules (inbound, outbound) in Azure - Commands & Configuration

Introduction
Network Security Group (NSG) rules control the flow of network traffic to and from resources in Azure. They help protect your applications by allowing or blocking specific inbound and outbound traffic based on rules.

  • When you want to allow web traffic (HTTP/HTTPS) to your virtual machine from the internet.
  • When you need to block all inbound traffic except from a trusted IP range.
  • When you want to restrict outbound traffic from your VM to only specific ports or addresses.
  • When you want to allow SSH access only from your office IP to your Linux VM.
  • When you want to prevent your VM from accessing the internet except for specific services.
Config File - nsg-rules.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2021-05-01",
      "name": "example-nsg",
      "location": "eastus",
      "properties": {
        "securityRules": [
          {
            "name": "AllowHTTPInbound",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "80",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 100,
              "direction": "Inbound"
            }
          },
          {
            "name": "AllowSSHInbound",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "22",
              "sourceAddressPrefix": "203.0.113.0/24",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 200,
              "direction": "Inbound"
            }
          },
          {
            "name": "DenyAllOutbound",
            "properties": {
              "protocol": "*",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Deny",
              "priority": 300,
              "direction": "Outbound"
            }
          }
        ]
      }
    }
  ]
}

This JSON file defines an Azure Network Security Group named example-nsg in the eastus region.

It has three rules:

  • AllowHTTPInbound: Allows inbound TCP traffic on port 80 from any source.
  • AllowSSHInbound: Allows inbound TCP traffic on port 22 only from the IP range 203.0.113.0/24.
  • DenyAllOutbound: Denies all outbound traffic regardless of protocol or port.

Each rule has a priority number; lower numbers have higher priority.

Commands
Create a new Network Security Group named example-nsg in the example-rg resource group in the eastus region.
Terminal
az network nsg create --resource-group example-rg --name example-nsg --location eastus
Expected Output
{ "NewNSG": { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/networkSecurityGroups/example-nsg", "location": "eastus", "name": "example-nsg", "resourceGroup": "example-rg", "securityRules": [], "type": "Microsoft.Network/networkSecurityGroups" } }
--resource-group - Specifies the resource group where the NSG will be created
--name - Names the NSG
--location - Sets the Azure region for the NSG
Add an inbound rule to allow TCP traffic on port 80 from any source to the NSG.
Terminal
az network nsg rule create --resource-group example-rg --nsg-name example-nsg --name AllowHTTPInbound --priority 100 --direction Inbound --access Allow --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 80
Expected Output
{ "name": "AllowHTTPInbound", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "80" }
--priority - Sets the rule priority; lower numbers are higher priority
--direction - Specifies if the rule applies to inbound or outbound traffic
--access - Allows or denies traffic matching the rule
Add an inbound rule to allow SSH (port 22) only from the IP range 203.0.113.0/24.
Terminal
az network nsg rule create --resource-group example-rg --nsg-name example-nsg --name AllowSSHInbound --priority 200 --direction Inbound --access Allow --protocol Tcp --source-address-prefixes 203.0.113.0/24 --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 22
Expected Output
{ "name": "AllowSSHInbound", "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "22" }
--source-address-prefixes - Limits traffic source to specified IP range
Add an outbound rule to deny all traffic from resources associated with this NSG.
Terminal
az network nsg rule create --resource-group example-rg --nsg-name example-nsg --name DenyAllOutbound --priority 300 --direction Outbound --access Deny --protocol '*' --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges '*'
Expected Output
{ "name": "DenyAllOutbound", "priority": 300, "direction": "Outbound", "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "*" }
--direction - Outbound rules control traffic leaving the resource
--access - Deny blocks matching traffic
View the current rules and settings of the example-nsg to verify the rules were added correctly.
Terminal
az network nsg show --resource-group example-rg --name example-nsg
Expected Output
{ "name": "example-nsg", "resourceGroup": "example-rg", "securityRules": [ { "name": "AllowHTTPInbound", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "80" }, { "name": "AllowSSHInbound", "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "22" }, { "name": "DenyAllOutbound", "priority": 300, "direction": "Outbound", "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "*" } ] }
--resource-group - Specifies the resource group of the NSG
--name - Specifies the NSG name to show
Key Concept

If you remember nothing else from this pattern, remember: NSG rules control who can talk to your resources and where your resources can talk, by allowing or blocking specific traffic directions and ports.

Common Mistakes
Setting the same priority number for multiple rules
Azure requires unique priorities; duplicate priorities cause errors or unexpected rule application.
Assign a unique priority number to each NSG rule, with lower numbers having higher priority.
Using '*' for sourceAddressPrefix when you want to restrict access
Using '*' allows traffic from anywhere, which can expose your resource to unwanted access.
Specify exact IP ranges or service tags to limit traffic sources for better security.
Not verifying NSG rules after creation
Without verification, you might miss misconfigurations that block needed traffic or leave security holes.
Always use 'az network nsg show' or the Azure portal to confirm your rules are correctly applied.
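As an added example (not part of the original page or of the Azure CLI), this Python script replays the three rules from nsg-rules.json offline: evaluate() picks the winning rule for a packet the way an NSG does (lowest priority number first, falling through to Azure's built-in DenyAll rule at priority 65500), and lint() checks for the first two Common Mistakes above. It assumes plain CIDR or '*' prefixes (service tags are not resolved) and only models connection-initiating traffic; a real NSG is stateful, so replies to allowed inbound connections are not affected by DenyAllOutbound. The sample packets in the comments and test are constructed.

```python
import ipaddress
# Constructed input: the three securityRules from the page's nsg-rules.json, flattened.
RULES = [
    {"name": "AllowHTTPInbound", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "80"},
    {"name": "AllowSSHInbound", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "DenyAllOutbound", "priority": 300, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]
MANAGEMENT_PORTS = (22, 3389)  # SSH and RDP: never expose these to source '*'

def _addr_match(prefix, ip):
    # '*' matches all; CIDRs use ipaddress; service tags (VirtualNetwork, Internet) need Azure, so never match here.
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False

def _port_match(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")  # "22" or "8000-8080"
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port):
    """First rule matching in priority order (lowest number wins) -> (name, access); else Azure's 65500 DenyAll."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == direction and r["protocol"] in ("*", protocol)
                and _addr_match(r["sourceAddressPrefix"], src_ip)
                and _addr_match(r["destinationAddressPrefix"], dst_ip)
                and _port_match(r["destinationPortRange"], dst_port)):
            return r["name"], r["access"]
    return f"DenyAll{direction[:-5]}Bound", "Deny"  # e.g. DenyAllInBound for unmatched inbound traffic

def lint(rules):
    """Flag the page's Common Mistakes: a priority reused in one direction, and an Allow from '*' onto SSH/RDP."""
    findings, seen = [], {}
    for r in rules:
        key = (r["direction"], r["priority"])
        if key in seen:
            findings.append(f"priority {r['priority']} reused by {seen[key]} and {r['name']}")
        seen[key] = r["name"]
        if (r["direction"] == "Inbound" and r["access"] == "Allow" and r["sourceAddressPrefix"] == "*"
                and any(_port_match(r["destinationPortRange"], p) for p in MANAGEMENT_PORTS)):
            findings.append(f"{r['name']} opens a management port to any source")
    return findings
```

Run the same lint over the securityRules array returned by 'az network nsg show' to catch a wildcard rule before it reaches a subnet or NIC.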
Summary
Create an NSG to group network security rules for your Azure resources.
Add inbound and outbound rules with specific priorities, directions, protocols, and IP ranges.
Verify the NSG rules to ensure your traffic is allowed or blocked as intended.