Configure Network Security Groups (NSG)
Network Security Groups (NSGs) filter inbound and outbound traffic to and from Azure resources in a virtual network. An NSG is a list of layer 3/4 rules (source, destination, port, protocol) that is applied at a subnet, a network interface, or both. This guide walks you through creating an NSG, defining security rules, and associating the NSG with a subnet or network interface.
Prerequisites
- Azure subscription with the Contributor (or Network Contributor) role on the target resource group.
- A virtual network already deployed.
- Azure CLI 2.0+ or Azure PowerShell (Az module) installed, or use the Azure Portal.
Step 1 – Create an NSG
Using Azure CLI:
az network nsg create \
--resource-group MyResourceGroup \
--name MyNSG \
--location eastus
Using Azure PowerShell:
New-AzNetworkSecurityGroup -ResourceGroupName "MyResourceGroup" `
-Location "EastUS" -Name "MyNSG"
Step 2 – Add Security Rules
Example: Allow SSH (port 22) from a specific source range (here the /24 203.0.113.0/24, a documentation prefix standing in for an office or VPN egress range). Custom rules take priorities 100 to 4096; rules are evaluated in ascending priority order and processing stops at the first match, so a more specific rule must carry a lower number than any broader rule it is meant to override. Every NSG also carries built-in default rules at priority 65000 and above, which allow traffic within the virtual network and from the Azure load balancer and deny all other inbound traffic, so anything you do not explicitly allow is already denied.
az network nsg rule create \
--resource-group MyResourceGroup \
--nsg-name MyNSG \
--name Allow-SSH \
--protocol Tcp \
--direction Inbound \
--priority 1000 \
--source-address-prefixes 203.0.113.0/24 \
--source-port-ranges "*" \
--destination-address-prefixes "*" \
--destination-port-ranges 22 \
--access Allow
PowerShell equivalent:
# Retrieve the NSG created in Step 1 so the new rule can be written back to it.
$nsg = Get-AzNetworkSecurityGroup -Name "MyNSG" -ResourceGroupName "MyResourceGroup"
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-SSH" `
-Description "Allow SSH from office" `
-Access Allow -Protocol Tcp -Direction Inbound `
-Priority 1000 -SourceAddressPrefix "203.0.113.0/24" `
-SourcePortRange "*" -DestinationAddressPrefix "*" `
-DestinationPortRange 22 | `
Set-AzNetworkSecurityGroup
Step 3 – Associate NSG with a Subnet
az network vnet subnet update \
--resource-group MyResourceGroup \
--vnet-name MyVNet \
--name MySubnet \
--network-security-group MyNSG
PowerShell:
# Fetch the VNet and NSG objects, then write the association back with the existing address prefix.
$vnet = Get-AzVirtualNetwork -Name "MyVNet" -ResourceGroupName "MyResourceGroup"
$nsg = Get-AzNetworkSecurityGroup -Name "MyNSG" -ResourceGroupName "MyResourceGroup"
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "MySubnet" -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "MySubnet" `
-AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork
Step 4 – Verify the Configuration
az network nsg show --resource-group MyResourceGroup --name MyNSG
Tip: Use descriptive rule names and fill in the Description field (the `--description` option in the CLI, `-Description` in PowerShell) for every rule so that later audits can tell why a port was opened and for whom.
Common NSG Rule Patterns
Purpose | Priority | Access | Source | Protocol | Port(s) | Direction |
---|---|---|---|---|---|---|
Allow RDP from corporate VPN | 100 | Allow | corporate VPN range | Tcp | 3389 | Inbound |
Deny All Internet Inbound | 4096 | Deny | Internet (service tag) | * | * | Inbound |
Allow HTTP/HTTPS Outbound | 200 | Allow | * | Tcp | 80,443 | Outbound |
Priority 4096 is the lowest precedence a custom rule can have, so the explicit deny sits just ahead of the built-in default rules; it makes the deny visible in the rule list rather than relying on the implicit DenyAllInBound default.