learn.microsoft.com
2a02:26f0:480:b90::3544  Public Scan

Submitted URL: https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal#cha...
Effective URL: https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal
Submission: On October 28 via api from US — Scanned from DE


Text Content


CREATE, CHANGE, OR DELETE A NETWORK SECURITY GROUP

 * Article
 * 09/26/2024
 * 24 contributors



IN THIS ARTICLE

    
 1. Prerequisites
    
 2. Work with network security groups
    
 3. Work with security rules
    
 4. Work with application security groups
    
 5. Permissions
    
 6. Related content
    


When you use security rules in network security groups (NSGs), you can filter
the type of network traffic that flows in and out of virtual network subnets and
network interfaces. To learn more about NSGs, see Network security group
overview. Next, complete the Filter network traffic tutorial to gain some
experience with NSGs.


PREREQUISITES

If you don't have an Azure account with an active subscription, create one for
free. Complete one of these tasks before you start the remainder of this
article:

 * Portal users: Sign in to the Azure portal with your Azure account.

 * PowerShell users: Either run the commands in Azure Cloud Shell or run
   PowerShell locally from your computer. Cloud Shell is a free interactive
   shell that you can use to run the steps in this article. It has common Azure
   tools that are preinstalled and configured to use with your account. On the
   Cloud Shell browser tab, find the Select environment dropdown list. Then
   select PowerShell if it isn't already selected.
   
   If you're running PowerShell locally, use Azure PowerShell module version
   1.0.0 or later. Run Get-Module -ListAvailable Az.Network to find the
   installed version. If you need to install or upgrade, see Install Azure
   PowerShell module. Run Connect-AzAccount to sign in to Azure.

 * Azure CLI users: Either run the commands in Cloud Shell or run the Azure CLI
   locally from your computer. Cloud Shell is a free interactive shell that you
   can use to run the steps in this article. It has common Azure tools that are
   preinstalled and configured to use with your account. On the Cloud Shell
   browser tab, find the Select environment dropdown list. Then select Bash if
   it isn't already selected.
   
   If you're running the Azure CLI locally, use Azure CLI version 2.0.28 or
   later. Run az --version to find the installed version. If you need to install
   or upgrade, see Install the Azure CLI. Run az login to sign in to Azure.

Assign the Network Contributor role or a custom role with the appropriate
permissions.


WORK WITH NETWORK SECURITY GROUPS

You can create, view all, view details of, change, and delete an NSG. You can
also associate or dissociate an NSG from a network interface or a subnet.


CREATE A NETWORK SECURITY GROUP

The number of NSGs that you can create for each Azure region and subscription is
limited. To learn more, see Azure subscription and service limits, quotas, and
constraints.

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Network security group.
    Select Network security groups in the search results.

 2. Select + Create.

 3. On the Create network security group page, under the Basics tab, enter or
    select the following values:
    
    Setting                     | Action
    Project details             |
    Subscription                | Select your Azure subscription.
    Resource group              | Select an existing resource group, or create a new one by selecting Create new. This example uses the myResourceGroup resource group.
    Instance details            |
    Network security group name | Enter a name for the NSG that you're creating.
    Region                      | Select the region that you want.
    
    

 4. Select Review + create.

 5. After you see the Validation passed message, select Create.

Use New-AzNetworkSecurityGroup to create an NSG named myNSG in the East US
region. The NSG named myNSG is created in the existing myResourceGroup resource
group.

New-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup -Location eastus


Use az network nsg create to create an NSG named myNSG in the existing
myResourceGroup resource group.

az network nsg create --resource-group myResourceGroup --name myNSG



VIEW ALL NETWORK SECURITY GROUPS

 * Portal
 * PowerShell
 * Azure CLI

In the search box at the top of the portal, enter Network security group. Select
Network security groups in the search results to see the list of NSGs in your
subscription.



Use Get-AzNetworkSecurityGroup to list all the NSGs in your subscription.

Get-AzNetworkSecurityGroup | Format-Table Name, Location, ResourceGroupName, ProvisioningState, ResourceGuid


Use az network nsg list to list all the NSGs in your subscription.

az network nsg list --out table



VIEW DETAILS OF A NETWORK SECURITY GROUP

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Network security group and
    select Network security groups in the search results.

 2. Select the name of your NSG.
    
    * Under Settings, view the Inbound security rules, Outbound security rules,
      Network interfaces, and Subnets to which the NSG is associated.
    * Under Monitoring, enable or disable Diagnostic settings. For more
      information, see Resource logging for a network security group.
    * Under Help, view Effective security rules. For more information, see
      Diagnose a virtual machine (VM) network traffic filter problem.
    
    

To learn more about the common Azure settings that are listed, see the following
articles:

 * Activity log
 * Access control identity and access management (IAM)
 * Tags
 * Locks
 * Automation script

Use Get-AzNetworkSecurityGroup to view the details of an NSG.

Get-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup


To learn more about the common Azure settings that are listed, see the following
articles:

 * Activity log
 * Access control (IAM)
 * Tags
 * Locks

Use az network nsg show to view the details of an NSG.

az network nsg show --resource-group myResourceGroup --name myNSG


To learn more about the common Azure settings that are listed, see the following
articles:

 * Activity log
 * Access control (IAM)
 * Tags
 * Locks


CHANGE A NETWORK SECURITY GROUP

The most common changes to an NSG are:

 * Associate or dissociate a network security group to or from a network
   interface
 * Associate or dissociate a network security group to or from a subnet
 * Create a security rule
 * Delete a security rule


ASSOCIATE OR DISSOCIATE A NETWORK SECURITY GROUP TO OR FROM A NETWORK INTERFACE

For more information about the association and dissociation of an NSG, see
Associate or dissociate a network security group.


ASSOCIATE OR DISSOCIATE A NETWORK SECURITY GROUP TO OR FROM A SUBNET

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Network security group.
    Then select Network security groups in the search results.

 2. Select the name of your NSG, and then select Subnets.
    
    * To associate an NSG to the subnet, select + Associate. Then select your
      virtual network and the subnet to which you want to associate the NSG.
      Select OK.
      
      
    
    * To dissociate an NSG from the subnet, select the three dots next to the
      subnet from which you want to dissociate the NSG, and then select
      Dissociate. Select Yes.
      
      

Use Set-AzVirtualNetworkSubnetConfig to associate or dissociate an NSG to or
from a subnet.

## Place the virtual network configuration into a variable. ##
$virtualNetwork = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup
## Place the network security group configuration into a variable. ##
$networkSecurityGroup = Get-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup
## Update the subnet configuration. ##
Set-AzVirtualNetworkSubnetConfig -Name mySubnet -VirtualNetwork $virtualNetwork -AddressPrefix 10.0.0.0/24 -NetworkSecurityGroup $networkSecurityGroup
## Update the virtual network. ##
Set-AzVirtualNetwork -VirtualNetwork $virtualNetwork


Use az network vnet subnet update to associate or dissociate an NSG to or from a
subnet.

az network vnet subnet update --resource-group myResourceGroup --vnet-name myVNet --name mySubnet --network-security-group myNSG



DELETE A NETWORK SECURITY GROUP

If an NSG is associated to any subnets or network interfaces, it can't be
deleted. Dissociate an NSG from all subnets and network interfaces before you
attempt to delete it.

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Network security group.
    Then select Network security groups in the search results.

 2. Select the NSG that you want to delete.

 3. Select Delete, and then select Yes in the confirmation dialog box.
    
    

Use Remove-AzNetworkSecurityGroup to delete an NSG.

Remove-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup


Use az network nsg delete to delete an NSG.

az network nsg delete --resource-group myResourceGroup --name myNSG



WORK WITH SECURITY RULES

An NSG contains zero or more security rules. You can create, view all, view
details of, change, and delete a security rule.


CREATE A SECURITY RULE

The number of rules per NSG that you can create for each Azure location and
subscription is limited. To learn more, see Azure subscription and service
limits, quotas, and constraints.

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Network security group.
    Then select Network security groups in the search results.

 2. Select the name of the NSG to which you want to add a security rule.

 3. Select Inbound security rules or Outbound security rules.
    
    Several existing rules are listed, including some that you might not have
    added. When you create an NSG, several default security rules are created in
    it. To learn more, see Default security rules. You can't delete default
    security rules, but you can override them with rules that have a higher
    priority.

 4. Select + Add. Select or add values for the following settings, and then
    select Add.
    
    Each setting is listed with its value and details.
    
    Setting: Source
    Value: One of:
     * Any
     * IP Addresses
     * My IP address
     * Service Tag
     * Application security group
    Details: If you select IP Addresses, you must also specify Source IP
    addresses/CIDR ranges.
    
    If you select Service Tag, you must also select a Source service tag.
    
    If you select Application security group, you must also select an existing
    application security group. If you select Application security group for
    both Source and Destination, the network interfaces within both application
    security groups must be in the same virtual network. Learn how to create an
    application security group.
    
    Setting: Source IP addresses/CIDR ranges
    Value: A comma-delimited list of IP addresses and Classless Interdomain
    Routing (CIDR) ranges
    Details: This setting appears if you set Source to IP Addresses. You must
    specify a single value or comma-separated list of multiple values. An
    example of multiple values is 10.0.0.0/16, 192.188.1.1. The number of values
    that you can specify is limited. For more information, see Azure limits.
    
    If the IP address that you specify is assigned to an Azure VM, specify its
    private IP address, not its public IP address. Azure processes security
    rules after it translates the public IP address to a private IP address for
    inbound security rules, but before it translates a private IP address to a
    public IP address for outbound rules. To learn more about IP addresses in
    Azure, see Public IP addresses and Private IP addresses.
    
    Setting: Source service tag
    Value: A service tag from the dropdown list
    Details: This setting appears if you set Source to Service Tag for a
    security rule. A service tag is a predefined identifier for a category of IP
    addresses. To learn more about available service tags, and what each tag
    represents, see Service tags.
    
    Setting: Source application security group
    Value: An existing application security group
    Details: This setting appears if you set Source to Application security
    group. Select an application security group that exists in the same region
    as the network interface. Learn how to create an application security group.
    
    Setting: Source port ranges
    Value: One of:
     * A single port, such as 80
     * A range of ports, such as 1024-65535
     * A comma-separated list of single ports and/or port ranges, such as 80,
       1024-65535
     * An asterisk (*) to allow traffic on any port
    Details: This setting specifies the ports on which the rule allows or denies
    traffic. The number of ports that you can specify is limited. For more
    information, see Azure limits.
    
    Setting: Destination
    Value: One of:
     * Any
     * IP Addresses
     * Service Tag
     * Application security group
    Details: If you select IP Addresses, you must also specify Destination IP
    addresses/CIDR ranges.
    
    If you select Service Tag, you must also select a Destination service tag.
    
    If you select Application security group, you must also select an existing
    application security group. If you select Application security group for
    both Source and Destination, the network interfaces within both application
    security groups must be in the same virtual network. Learn how to create an
    application security group.
    
    Setting: Destination IP addresses/CIDR ranges
    Value: A comma-delimited list of IP addresses and CIDR ranges
    Details: This setting appears if you change Destination to IP Addresses. You
    can specify single or multiple addresses or ranges like you can do with
    Source and Source IP addresses/CIDR ranges. The number that you can specify
    is limited. For more information, see Azure limits.
    
    If the IP address that you specify is assigned to an Azure VM, ensure that
    you specify its private IP, not its public IP address. Azure processes
    security rules after it translates the public IP address to a private IP
    address for inbound security rules, but before Azure translates a private IP
    address to a public IP address for outbound rules. To learn more about IP
    addresses in Azure, see Public IP addresses and Private IP addresses.
    
    Setting: Destination service tag
    Value: A service tag from the dropdown list
    Details: This setting appears if you set Destination to Service Tag for a
    security rule. A service tag is a predefined identifier for a category of IP
    addresses. To learn more about available service tags, and what each tag
    represents, see Service tags.
    
    Setting: Destination application security group
    Value: An existing application security group
    Details: This setting appears if you set Destination to Application security
    group. Select an application security group that exists in the same region
    as the network interface. Learn how to create an application security group.
    
    Setting: Service
    Value: A destination protocol from the dropdown list
    Details: This setting specifies the destination protocol and port range for
    the security rule. You can select a predefined service, like RDP, or select
    Custom and provide the port range in Destination port ranges.
    
    Setting: Destination port ranges
    Value: One of:
     * A single port, such as 80
     * A range of ports, such as 1024-65535
     * A comma-separated list of single ports and/or port ranges, such as 80,
       1024-65535
     * An asterisk (*) to allow traffic on any port
    Details: As with Source port ranges, you can specify single or multiple
    ports and ranges. The number that you can specify is limited. For more
    information, see Azure limits.
    
    Setting: Protocol
    Value: Any, TCP, UDP, or ICMP
    Details: You can restrict the rule to the Transmission Control Protocol
    (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol
    (ICMP). The default is for the rule to apply to all protocols (Any).
    
    Setting: Action
    Value: Allow or Deny
    Details: This setting specifies whether this rule allows or denies access
    for the supplied source and destination configuration.
    
    Setting: Priority
    Value: A value between 100 and 4,096 that's unique for all security rules
    within the NSG
    Details: Azure processes security rules in priority order. The lower the
    number, the higher the priority. We recommend that you leave a gap between
    priority numbers when you create rules, such as 100, 200, and 300. Leaving
    gaps makes it easier to add rules in the future so that you can give them
    higher or lower priority than existing rules.
    
    Setting: Name
    Value: A unique name for the rule within the NSG
    Details: The name can be up to 80 characters. It must begin with a letter or
    number, and it must end with a letter, number, or underscore. The name can
    contain only letters, numbers, underscores, periods, or hyphens.
    
    Setting: Description
    Value: A text description
    Details: You can optionally specify a text description for the security
    rule. The description can't be longer than 140 characters.
    
    

Use Add-AzNetworkSecurityRuleConfig to create an NSG rule.

## Place the network security group configuration into a variable. ##
$networkSecurityGroup = Get-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup
## Create an inbound rule that allows TCP port 3389 (RDP) from any source address. ##
Add-AzNetworkSecurityRuleConfig -Name RDP-rule -NetworkSecurityGroup $networkSecurityGroup `
    -Description "Allow RDP" -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
    -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
## Update the network security group. ##
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $networkSecurityGroup


Use az network nsg rule create to create an NSG rule.

az network nsg rule create --resource-group myResourceGroup --nsg-name myNSG --name RDP-rule --priority 300 \
    --destination-address-prefixes '*' --destination-port-ranges 3389 --protocol Tcp --description "Allow RDP"



VIEW ALL SECURITY RULES

An NSG contains zero or more rules. To learn more about the list of information
when you view the rules, see Security rules.

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Network security group.
    Then select Network security groups in the search results.

 2. Select the name of the NSG for which you want to view the rules.

 3. Select Inbound security rules or Outbound security rules.
    
    The list contains any rules that you created and the default security rules
    of your NSG.
    
    

Use Get-AzNetworkSecurityRuleConfig to view the security rules of an NSG.

## Place the network security group configuration into a variable. ##
$networkSecurityGroup = Get-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup
## List security rules of the network security group in a table. ##
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup | Format-Table Name, Protocol, Access, Priority, Direction, SourcePortRange, DestinationPortRange, SourceAddressPrefix, DestinationAddressPrefix


Use az network nsg rule list to view the security rules of an NSG.

az network nsg rule list --resource-group myResourceGroup --nsg-name myNSG



VIEW THE DETAILS OF A SECURITY RULE

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Network security group.
    Then select Network security groups in the search results.

 2. Select the name of the NSG for which you want to view the rules.

 3. Select Inbound security rules or Outbound security rules.

 4. Select the rule for which you want to view details. For an explanation of
    all settings, see Security rule settings.
    
    Note
    
    This procedure applies only to a custom security rule. It doesn't work if
    you choose a default security rule.
    
    

Use Get-AzNetworkSecurityRuleConfig to view the details of a security rule.

## Place the network security group configuration into a variable. ##
$networkSecurityGroup = Get-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup
## View details of the security rule. ##
Get-AzNetworkSecurityRuleConfig -Name RDP-rule -NetworkSecurityGroup $networkSecurityGroup


Note

This procedure applies only to a custom security rule. It doesn't work if you
choose a default security rule.

Use az network nsg rule show to view the details of a security rule.

az network nsg rule show --resource-group myResourceGroup --nsg-name myNSG --name RDP-rule


Note

This procedure applies only to a custom security rule. It doesn't work if you
choose a default security rule.


CHANGE A SECURITY RULE

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Network security group.
    Then select Network security groups in the search results.

 2. Select the name of the NSG for which you want to view the rules.

 3. Select Inbound security rules or Outbound security rules.

 4. Select the rule that you want to change.

 5. Change the settings as needed, and then select Save. For an explanation of
    all settings, see Security rule settings.
    
    
    
    Note
    
    This procedure applies only to a custom security rule. You aren't allowed to
    change a default security rule.

Use Set-AzNetworkSecurityRuleConfig to update an NSG rule.

## Place the network security group configuration into a variable. ##
$networkSecurityGroup = Get-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup
## Make changes to the security rule. ##
Set-AzNetworkSecurityRuleConfig -Name RDP-rule -NetworkSecurityGroup $networkSecurityGroup `
-Description "Allow RDP" -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
-SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
## Updates the network security group. ##
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $networkSecurityGroup


Note

This procedure applies only to a custom security rule. You aren't allowed to
change a default security rule.

Use az network nsg rule update to update an NSG rule.

az network nsg rule update --resource-group myResourceGroup --nsg-name myNSG --name RDP-rule --priority 200


Note

This procedure applies only to a custom security rule. You aren't allowed to
change a default security rule.


DELETE A SECURITY RULE

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Network security group.
    Then select Network security groups in the search results.

 2. Select the name of the NSG for which you want to view the rules.

 3. Select Inbound security rules or Outbound security rules.

 4. Select the rules that you want to delete.

 5. Select Delete, and then select Yes.
    
    
    
    Note
    
    This procedure applies only to a custom security rule. You aren't allowed to
    delete a default security rule.

Use Remove-AzNetworkSecurityRuleConfig to delete a security rule from an NSG.

## Place the network security group configuration into a variable. ##
$networkSecurityGroup = Get-AzNetworkSecurityGroup -Name myNSG -ResourceGroupName myResourceGroup
## Remove the security rule. ##
Remove-AzNetworkSecurityRuleConfig -Name RDP-rule -NetworkSecurityGroup $networkSecurityGroup
## Updates the network security group. ##
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $networkSecurityGroup


Note

This procedure applies only to a custom security rule. You aren't allowed to
change a default security rule.

Use az network nsg rule delete to delete a security rule from an NSG.

az network nsg rule delete --resource-group myResourceGroup --nsg-name myNSG --name RDP-rule


Note

This procedure applies only to a custom security rule. You aren't allowed to
change a default security rule.


WORK WITH APPLICATION SECURITY GROUPS

An application security group contains zero or more network interfaces. To learn
more, see Application security groups. All network interfaces in an application
security group must exist in the same virtual network. To learn how to add a
network interface to an application security group, see Add a network interface
to an application security group.


CREATE AN APPLICATION SECURITY GROUP

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Application security
    group. Then select Application security groups in the search results.

 2. Select + Create.

 3. On the Create an application security group page, under the Basics tab,
    enter or select the following values:
    
    | Setting         | Action                                                                                                                                     |
    |-----------------|--------------------------------------------------------------------------------------------------------------------------------------------|
    | Project details |                                                                                                                                            |
    | Subscription    | Select your Azure subscription.                                                                                                            |
    | Resource group  | Select an existing resource group, or create a new one by selecting Create new. This example uses the myResourceGroup resource group.      |
    | Instance details |                                                                                                                                           |
    | Name            | Enter a name for the application security group that you're creating.                                                                      |
    | Region          | Select the region in which you want to create the application security group.                                                              |
    
    

 4. Select Review + create.

 5. After you see the Validation passed message, select Create.

Use New-AzApplicationSecurityGroup to create an application security group.

New-AzApplicationSecurityGroup -ResourceGroupName myResourceGroup -Name myASG -Location eastus


Use az network asg create to create an application security group.

az network asg create --resource-group myResourceGroup --name myASG --location eastus



VIEW ALL APPLICATION SECURITY GROUPS

 * Portal
 * PowerShell
 * Azure CLI

In the search box at the top of the portal, enter Application security group.
Then select Application security groups in the search results. A list of your
application security groups appears in the Azure portal.



Use Get-AzApplicationSecurityGroup to list all the application security groups
in your Azure subscription.

Get-AzApplicationSecurityGroup | Format-Table Name, ResourceGroupName, Location


Use az network asg list to list all the application security groups in a
resource group.

az network asg list --resource-group myResourceGroup --out table



VIEW THE DETAILS OF A SPECIFIC APPLICATION SECURITY GROUP

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Application security
    group. Then select Application security groups in the search results.

 2. Select the application security group for which you want to view the
    details.

Use Get-AzApplicationSecurityGroup to view the details of an application
security group.

Get-AzApplicationSecurityGroup -Name myASG


Use az network asg show to view the details of an application security group.

az network asg show --resource-group myResourceGroup --name myASG



CHANGE AN APPLICATION SECURITY GROUP

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Application security
    group. Then select Application security groups in the search results.

 2. Select the application security group that you want to change:
    
    * Select move next to Resource group or Subscription to change the resource
      group or subscription, respectively.
    
    * Select edit next to Tags to add or remove tags. To learn more, see Use
      tags to organize your Azure resources and management hierarchy.
      
      
      
      Note
      
      You can't change the location of an application security group.
    
    * Select Access control (IAM) to assign or remove permissions to the
      application security group.

You can't change an application security group by using PowerShell.

Use az network asg update to update the tags for an application security group.

az network asg update --resource-group myResourceGroup --name myASG --tags Dept=Finance


Note

You can't change the resource group, subscription, or location of an application
security group by using the Azure CLI.


DELETE AN APPLICATION SECURITY GROUP

You can't delete an application security group if it contains any network
interfaces. To remove all network interfaces from the application security
group, either change the network interface settings or delete the network
interfaces. To learn more, see Add or remove from application security groups or
Delete a network interface.

 * Portal
 * PowerShell
 * Azure CLI

 1. In the search box at the top of the portal, enter Application security
    group. Then select Application security groups in the search results.

 2. Select the application security group that you want to delete.

 3. Select Delete, and then select Yes to delete the application security group.
    
    

Use Remove-AzApplicationSecurityGroup to delete an application security group.

Remove-AzApplicationSecurityGroup -ResourceGroupName myResourceGroup -Name myASG


Use az network asg delete to delete an application security group.

az network asg delete --resource-group myResourceGroup --name myASG



PERMISSIONS

To manage NSGs, security rules, and application security groups, your account
must be assigned to the Network Contributor role. You can also use a custom role
with the appropriate permissions assigned, as listed in the following tables.

Note

You might not see the full list of service tags if the Network Contributor role
was assigned at a resource group level. To view the full list, you can assign
this role at a subscription scope instead. If you can only allow the Network
Contributor role for the resource group, you can then also create a custom role
for the permissions Microsoft.Network/locations/serviceTags/read and
Microsoft.Network/locations/serviceTagDetails/read. Assign them at a
subscription scope along with the Network Contributor role at the resource group
scope.


NETWORK SECURITY GROUP

| Action                                              | Name                                             |
|-----------------------------------------------------|--------------------------------------------------|
| Microsoft.Network/networkSecurityGroups/read        | Get an NSG.                                      |
| Microsoft.Network/networkSecurityGroups/write       | Create or update an NSG.                         |
| Microsoft.Network/networkSecurityGroups/delete      | Delete an NSG.                                   |
| Microsoft.Network/networkSecurityGroups/join/action | Associate an NSG to a subnet or network interface. |

Note

To perform write operations on an NSG, the subscription account must have at
least read permissions for the resource group along with
Microsoft.Network/networkSecurityGroups/write permission.


NETWORK SECURITY GROUP RULE

| Action                                                      | Name                     |
|-------------------------------------------------------------|--------------------------|
| Microsoft.Network/networkSecurityGroups/securityRules/read   | Get a rule.              |
| Microsoft.Network/networkSecurityGroups/securityRules/write  | Create or update a rule. |
| Microsoft.Network/networkSecurityGroups/securityRules/delete | Delete a rule.           |


APPLICATION SECURITY GROUP

| Action                                                                     | Name                                                    |
|----------------------------------------------------------------------------|---------------------------------------------------------|
| Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action     | Join an IP configuration to an application security group. |
| Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action | Join a security rule to an application security group.  |
| Microsoft.Network/applicationSecurityGroups/read                           | Get an application security group.                      |
| Microsoft.Network/applicationSecurityGroups/write                          | Create or update an application security group.         |
| Microsoft.Network/applicationSecurityGroups/delete                         | Delete an application security group.                   |


RELATED CONTENT

 * Add or remove a network interface to or from an application security group.
 * Create and assign Azure Policy definitions for virtual networks.




