Managing Network Security Groups (NSGs)

This article provides a practical guide to managing Network Security Groups (NSGs) in Microsoft Azure. An NSG is a fundamental component of Azure network security: it filters network traffic to and from Azure resources in an Azure virtual network, including traffic that arrives from the Internet or from on-premises networks connected to that virtual network.

Creating a Network Security Group

You can create an NSG using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates. Here's a quick guide using the Azure portal:

  1. Navigate to the Azure portal and search for "Network security groups".
  2. Click "Create" to start the NSG creation process.
  3. Select your subscription, resource group, and provide a name for your NSG.
  4. Choose the region where you want to deploy the NSG.
  5. Click "Review + create" and then "Create".
Note: An NSG can be associated with a network interface (NIC) or a subnet. Associating with a subnet applies the rules to all resources within that subnet. If both the subnet and the NIC have an NSG, traffic must be allowed by both: inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG, and outbound traffic by the NIC NSG first and then by the subnet NSG.

Associating an NSG

Once an NSG is created, you need to associate it with either a network interface (NIC) or a subnet.

To associate with a NIC:

  1. Go to the Network Interface resource in the Azure portal.
  2. Under "Settings", select "Network security group".
  3. Click "Edit" and select the desired NSG from the dropdown.
  4. Save the changes.

To associate with a Subnet:

  1. Go to the Virtual Network resource in the Azure portal.
  2. Under "Settings", select "Subnets".
  3. Click on the subnet you want to configure.
  4. In the subnet settings, select the desired NSG from the "Network security group" dropdown.
  5. Save the changes.

Configuring Security Rules

Security rules are the core of an NSG. They define inbound and outbound traffic filtering based on source and destination IP addresses, ports, and protocols. Each rule has a priority, direction (inbound/outbound), source/destination, protocol, and action (allow/deny).

Default Rules

When you create an NSG, it comes with a set of default rules that cannot be deleted, only overridden by custom rules with a lower priority number:

  Inbound: AllowVnetInBound (priority 65000) allows traffic from the virtual network, AllowAzureLoadBalancerInBound (65001) allows Azure load balancer health probes, and DenyAllInBound (65500) denies everything else.
  Outbound: AllowVnetOutBound (65000) allows traffic to the virtual network, AllowInternetOutBound (65001) allows traffic to the Internet, and DenyAllOutBound (65500) denies everything else.

Note that outbound traffic to the Internet is allowed by default, so egress filtering requires an explicit outbound Deny rule with a priority number below 65001.

Creating Custom Rules

Custom rules allow you to define specific traffic filtering policies.

  1. Navigate to your NSG in the Azure portal.
  2. Under "Settings", select "Inbound security rules" or "Outbound security rules".
  3. Click "Add".
  4. Fill in the rule details: source, destination, protocol, port ranges, priority, name, and action.
  5. Click "Add" to save the rule.
Tip: Rules are evaluated in priority order, lowest number first, and evaluation stops at the first rule that matches, so give the rules you want evaluated first the lower numbers. Custom rule priorities range from 100 to 4096; the default rules use 65000 and above, so any custom rule takes precedence over them.

Managing Existing Rules

You can modify, delete, or change the priority of existing security rules. Two rules in the same direction cannot share a priority number. Because evaluation stops at the first match, a broad Allow rule with a low priority number silently shadows any Deny rule with a higher number, including the DenyAllInBound default; whenever you change a rule or its priority, re-check which rule now matches first for the traffic you care about.
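To make the evaluation order concrete, here is an added Python example (not Azure code and not an Azure SDK call) that simulates how a single NSG, or a subnet NSG combined with a NIC NSG, evaluates a packet against the default rules plus a set of custom rules, and shows the check a practitioner would run before saving a rule: does this port end up reachable from the Internet? It serves both the rule-evaluation discussion above and the best-practice point about not exposing management ports. The rule names, the 10.0.0.0/16 VNet range, the addresses and the rule sets are constructed for illustration, and service tags are resolved with a simplified model (VirtualNetwork is the constructed range, Internet is everything outside it, AzureLoadBalancer is the platform probe address 168.63.129.16).

```python
"""Offline simulation of Azure NSG rule evaluation (added example, not Azure code).

Service tags are modelled in a simplified way: VirtualNetwork is the constructed
10.0.0.0/16 range, Internet is any address outside it, and AzureLoadBalancer is
the platform probe address 168.63.129.16.
"""
from dataclasses import dataclass
import ipaddress

VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; the default rules use 65000-65500
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, single IP, "*" or a service tag
    destination: str   # same forms as source
    dest_port: str     # "22", "1000-2000" or "*"


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


# The six rules Azure adds to every NSG. They cannot be deleted, only overridden.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(prefix: str, ip: str) -> bool:
    """Match an address field: wildcard, simplified service tag, or CIDR / single IP."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET_PREFIX
    if prefix == "Internet":
        return addr not in VNET_PREFIX
    if prefix == "AzureLoadBalancer":
        return ip == "168.63.129.16"
    return addr in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("*", pkt.protocol)
            and _addr_matches(rule.source, pkt.src_ip)
            and _addr_matches(rule.destination, pkt.dst_ip)
            and _port_matches(rule.dest_port, pkt.dst_port))


def evaluate(custom_rules, pkt):
    """Evaluate one NSG: lowest priority number first, the first matching rule wins."""
    for rule in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if _rule_matches(rule, pkt):
            return rule.access, rule.name
    raise AssertionError("unreachable: a DenyAll default rule always matches")


def effective_access(subnet_rules, nic_rules, pkt):
    """Subnet and NIC NSGs are both applied; traffic passes only if each one allows it."""
    order = (subnet_rules, nic_rules) if pkt.direction == "Inbound" else (nic_rules, subnet_rules)
    return all(evaluate(rules, pkt)[0] == "Allow" for rules in order)


def exposed_to_internet(rules, port, protocol="Tcp"):
    """Pre-save check: would a connection from an arbitrary public address reach this port?"""
    probe = Packet("Inbound", "203.0.113.10", "10.0.2.4", port, protocol)  # constructed addresses
    return evaluate(rules, probe)[0] == "Allow"


# Constructed rule set: SSH only from a management subnet, explicit Deny for SSH from the Internet.
SUBNET_RULES = [
    Rule("AllowSSHFromMgmt", 200, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "*", "22"),
    Rule("DenyInternetSSH", 300, "Inbound", "Deny", "Tcp", "Internet", "*", "22"),
]
# The same set with a broad Allow at priority 100: it shadows the Deny and the DenyAllInBound default.
SHADOWED_RULES = [Rule("AllowAnyInbound", 100, "Inbound", "Allow", "*", "*", "*", "*")] + SUBNET_RULES

if __name__ == "__main__":
    mgmt_ssh = Packet("Inbound", "10.0.1.5", "10.0.2.4", 22, "Tcp")
    print(evaluate(SUBNET_RULES, mgmt_ssh))                   # ('Allow', 'AllowSSHFromMgmt')
    print(exposed_to_internet(SUBNET_RULES, 22))              # False
    print(exposed_to_internet(SHADOWED_RULES, 22))            # True
    nic_deny = [Rule("DenySSHOnNic", 100, "Inbound", "Deny", "Tcp", "*", "*", "22")]
    print(effective_access(SUBNET_RULES, nic_deny, mgmt_ssh))  # False
```

The SHADOWED_RULES set is the failure mode the previous paragraph warns about: the priority-100 Allow with source "*" matches before the more specific Deny at 300 and before DenyAllInBound, so SSH becomes reachable from the Internet even though a Deny rule for exactly that traffic exists. The effective_access call shows the other direction of the same principle: a NIC-level Deny overrides a subnet-level Allow, because both NSGs must allow the flow.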

Deleting a Network Security Group

Before deleting an NSG, ensure it is not associated with any NICs or subnets: Azure refuses to delete an NSG that is still in use, so the delete fails until every association is removed. You can check associations under "Network interfaces" and "Subnets" in the NSG's Settings menu, or on its overview page. After disassociating, you can delete the NSG from the Azure portal.

Important: Disassociating or deleting an NSG that is actively filtering traffic changes what reaches your resources, not only what leaves them. A subnet or NIC with no NSG at all is not filtered by Azure, so associate the replacement NSG before removing the old one rather than leaving a window with no rules in place, and always verify associations before deletion.

Best Practices for NSG Management

  1. Apply NSGs at the subnet level so every resource in the subnet is covered, and add a NIC-level NSG only where a single VM needs tighter rules; remember that both must allow the traffic.
  2. Never leave a management port such as SSH (22) or RDP (3389) open to the Internet. Restrict the source to known address ranges, and prefer the service tags and application security groups Azure provides over hand-maintained IP lists.
  3. Keep Deny rules explicit and leave gaps between priority numbers (for example, steps of 10 or 100) so later rules can be inserted without renumbering.
  4. Use the "Effective security rules" view on a network interface to confirm the combined result of the subnet and NIC NSGs, and enable NSG flow logs so that allowed and denied flows can be audited after the fact.

For more advanced configurations and detailed information on specific rule parameters, please refer to the official Azure documentation on Network Security Groups.


# Example: Create an NSG using Azure CLI
az network nsg create --resource-group MyResourceGroup --name MyNsg --location eastus

# Example: Associate an NSG with a subnet
az network vnet subnet update --resource-group MyResourceGroup --vnet-name MyVnet --name MySubnet --network-security-group MyNsg

# Example: Add an inbound security rule. Without --source-address-prefixes the source defaults to '*',
# which would expose SSH to the Internet; 10.0.1.0/24 stands in for your management address range.
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNsg --name AllowSSH --protocol Tcp --priority 200 --source-address-prefixes 10.0.1.0/24 --destination-port-ranges 22 --access Allow --direction Inbound

# Example: Verify the combined subnet and NIC rules that actually apply to a network interface
az network nic list-effective-nsg --resource-group MyResourceGroup --name MyNic