Managing Network Security Group Rules
This guide covers the essential operations for managing Network Security Group (NSG) rules in Azure, ensuring granular control over network traffic to and from your Azure resources.
Understanding NSG Rule Components
Each NSG rule consists of several key components:
- Name: A unique, descriptive name for the rule.
- Priority: An integer between 100 and 4096. Lower numbers indicate higher priority. Rules are processed in priority order.
- Source: Specifies the origin of the traffic. Can be an IP address, CIDR block, service tag, or application security group.
- Source Port Ranges: The port or range of ports for the source traffic.
- Destination: Specifies the destination of the traffic. Similar options to Source.
- Destination Port Ranges: The port or range of ports for the destination traffic.
- Protocol: The protocol of the traffic (TCP, UDP, ICMP, or Any).
- Direction: Whether the rule applies to incoming (Inbound) or outgoing (Outbound) traffic.
- Action: Whether to Allow or Deny the traffic matching the rule.
Creating a New NSG Rule
You can create NSG rules using the Azure portal, Azure CLI, or Azure PowerShell. Here's an example using the Azure CLI that allows SSH (TCP port 22) from one source range (203.0.113.0/24, a documentation range used here as a placeholder) to any destination the NSG is applied to. The resource group and NSG must already exist, and the priority (300) must not be in use by another inbound rule in that NSG:
az network nsg rule create \
--resource-group MyResourceGroup \
--nsg-name MyNsg \
--name AllowSSHInbound \
--priority 300 \
--direction Inbound \
--access Allow \
--protocol Tcp \
--source-address-prefixes "203.0.113.0/24" \
--source-port-ranges "*" \
--destination-address-prefixes "*" \
--destination-port-ranges 22
Modifying an Existing NSG Rule
To modify a rule, you update its properties in place, for instance the priority or the source IP range. Only the properties you pass are changed; the rest keep their current values.
Remember that changing a rule's priority can significantly affect traffic flow, because evaluation stops at the first rule that matches: moving an Allow rule below a broader Deny rule silently blocks the traffic it used to permit. Priorities must also be unique within a direction, so the update below fails if another inbound rule already uses 310.
az network nsg rule update \
--resource-group MyResourceGroup \
--nsg-name MyNsg \
--name AllowSSHInbound \
--priority 310 \
--source-address-prefixes "198.51.100.0/24"
Deleting an NSG Rule
Deleting a rule is straightforward, but understand the impact before proceeding: traffic that the deleted rule matched falls through to the next matching rule, which for inbound traffic from outside the virtual network is usually the default DenyAllInBound rule.
az network nsg rule delete \
--resource-group MyResourceGroup \
--nsg-name MyNsg \
--name AllowSSHInbound
Best Practices for Managing NSG Rules
- Use Descriptive Names: Make it easy to understand the purpose of each rule.
- Organize by Priority: Group related rules and maintain a logical order. Leave gaps between priority numbers (for example, increments of 10 or 100) so that new rules can be inserted later without renumbering existing ones.
- Leverage Service Tags: Use Azure service tags (e.g., VirtualNetwork, AzureLoadBalancer, Internet) instead of specific IP addresses when possible. This simplifies management as Azure updates the IP ranges for these services.
- Implement Least Privilege: Only allow the specific traffic that is necessary. Rely on the default deny for inbound traffic and explicitly allow only the required sources, ports and protocols; avoid Allow rules with a source of "*" or Internet on management ports such as 22 and 3389.
- Regularly Audit Rules: Review your NSG rules periodically to ensure they are still relevant and adhere to your security policies. Remove any outdated or unnecessary rules.
- Use Network Security Groups at Different Scopes: Apply NSGs to subnets and/or network interfaces for layered security.
Important Consideration: Default Rules
Every NSG comes with a set of default rules at priorities 65000 to 65500. These rules cannot be deleted or modified, but because custom rules use lower (higher-precedence) priority numbers, you can override them by creating a custom rule that matches the same traffic. Be aware of these default rules (e.g., AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound for inbound traffic, and AllowVnetOutBound, AllowInternetOutBound, DenyAllOutBound for outbound traffic) as they form the baseline for your network security: inbound traffic from the Internet is denied unless you allow it, while outbound traffic to the Internet is allowed unless you deny it.
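The following Python script is an added example, not part of this guide or of the Azure CLI, that makes the evaluation order described above concrete: it merges a set of custom rules with the six default rules, evaluates sample flows in priority order (first match wins), shows what happens when a rule's priority is moved below a broader Deny rule, and performs the kind of audit the best practices call for by flagging inbound Allow rules that expose management ports to any source. The rule records mirror the field names of `az network nsg rule list` output but are constructed for the demonstration, and the service-tag resolution is a deliberately simplified stand-in for the Azure-managed ranges.

```python
"""Simulate NSG rule evaluation and audit custom rules for over-broad access.

Added example; it is not the guide's code and not Azure's evaluation engine.
Rule records use the field names of `az network nsg rule list -o json`, but
every value below is constructed for the demonstration.
"""
import ipaddress

# Constructed, simplified service-tag resolution (assumption): VirtualNetwork
# is the sample VNet address space and Internet is "not in VirtualNetwork".
# Real tags resolve to Azure-managed IP ranges.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM


def rule(name, priority, direction, access, protocol, src, dst, dport, sport="*"):
    """Build a rule record; comma-separated prefixes/ports become lists."""
    return {"name": name, "priority": priority, "direction": direction,
            "access": access, "protocol": protocol,
            "sourceAddressPrefixes": src.split(","),
            "destinationAddressPrefixes": dst.split(","),
            "sourcePortRanges": sport.split(","),
            "destinationPortRanges": dport.split(",")}


# Azure's built-in default rules (priorities 65000-65500), modelled so the
# simulation has the same baseline as a real NSG. Azure does not let you
# edit or delete them; custom rules with lower numbers take precedence.
DEFAULT_RULES = [
    rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed custom rules for the sample NSG (AllowSSHInbound matches the
# guide's CLI example; the others are invented to show shadowing and audit).
CUSTOM_RULES = [
    rule("AllowSSHInbound", 300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "22"),
    rule("DenySSHInbound", 350, "Inbound", "Deny", "Tcp", "*", "*", "22"),
    rule("AllowRDPFromAnywhere", 400, "Inbound", "Allow", "Tcp", "*", "*", "3389"),
    rule("AllowWebInbound", 500, "Inbound", "Allow", "Tcp", "Internet", "10.0.1.0/24", "80,443"),
]


def prefix_matches(prefix, ip):
    """True if `ip` (an ipaddress object) is inside a CIDR, service tag or '*'."""
    if prefix == "*":
        return True
    if prefix == "Internet":
        return not any(prefix_matches(p, ip) for p in SERVICE_TAGS["VirtualNetwork"])
    if prefix in SERVICE_TAGS:
        return any(prefix_matches(p, ip) for p in SERVICE_TAGS[prefix])
    return ip in ipaddress.ip_network(prefix, strict=False)


def port_matches(spec, port):
    """True if `port` is covered by a port spec: '*', '22' or '1000-2000'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule name) of the first matching rule in priority order.

    Custom and default rules are merged and sorted by priority. Because
    DenyAllInBound / DenyAllOutBound match everything at 65500, a flow
    always hits some rule.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    candidates = sorted((r for r in rules + DEFAULT_RULES if r["direction"] == direction),
                        key=lambda r: r["priority"])
    for r in candidates:
        if (r["protocol"].lower() in ("*", protocol.lower())
                and any(prefix_matches(p, src) for p in r["sourceAddressPrefixes"])
                and any(prefix_matches(p, dst) for p in r["destinationAddressPrefixes"])
                and any(port_matches(p, src_port) for p in r["sourcePortRanges"])
                and any(port_matches(p, dst_port) for p in r["destinationPortRanges"])):
            return r["access"], r["name"]
    raise AssertionError("default rules guarantee a match")


def with_priority(rules, name, priority):
    """Copy of `rules` with one rule's priority changed, mimicking
    `az network nsg rule update --priority`, to show how reordering matters."""
    return [dict(r, priority=priority) if r["name"] == name else r for r in rules]


def audit(rules):
    """Names of inbound Allow rules that expose a management port (or all
    ports) to any source: the least-privilege violations to remove first."""
    findings = []
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        open_source = any(p in ("*", "Internet", "0.0.0.0/0") for p in r["sourceAddressPrefixes"])
        open_port = any(p == "*" or any(port_matches(p, m) for m in MANAGEMENT_PORTS)
                        for p in r["destinationPortRanges"])
        if open_source and open_port:
            findings.append(r["name"])
    return findings


if __name__ == "__main__":
    print(evaluate(CUSTOM_RULES, "Inbound", "Tcp", "203.0.113.5", 40000, "10.0.1.4", 22))
    print(evaluate(CUSTOM_RULES, "Inbound", "Tcp", "10.0.2.9", 40000, "10.0.1.4", 22))
    print(evaluate(with_priority(CUSTOM_RULES, "AllowSSHInbound", 360),
                   "Inbound", "Tcp", "203.0.113.5", 40000, "10.0.1.4", 22))
    print(audit(CUSTOM_RULES))
```

Two results are worth noting. SSH from inside the VNet (10.0.2.9) is denied by DenySSHInbound at 350 even though AllowVnetInBound would have allowed it, because the default rule sits at 65000 and is never reached; and once AllowSSHInbound is moved from 300 to 360 it drops below the broad Deny and the 203.0.113.0/24 range loses access, which is exactly the priority-change hazard the modification section warns about.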
Advanced Scenarios
- Application Security Groups (ASGs): Group VMs with similar network security configurations, simplifying rule creation.
- Azure Firewall Integration: For more complex network security requirements, consider integrating with Azure Firewall.
For more in-depth information, please refer to the official Azure Network Security Group documentation.