Create, change, or delete a network security group

When you use security rules in network security groups (NSGs), you can filter the type of network traffic that flows in and out of virtual network subnets and network interfaces. To learn more about NSGs, see Network security group overview. Next, complete the Filter network traffic tutorial to gain some experience with NSGs.

Prerequisites

If you don't have an Azure account with an active subscription, create a trial account. Complete one of these tasks before starting the remainder of this article:

  • Portal users: Sign in to the Azure portal with your Azure account.

  • PowerShell users: Run PowerShell locally from your computer.

    If you're running PowerShell locally, use Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az.Network to find the installed version. If you need to install or upgrade, see Install Azure PowerShell module. Run Connect-AzAccount -Environment AzureChinaCloud to sign in to Azure.

  • Azure CLI users: Run Azure CLI locally from your computer.

    If you're running the Azure CLI locally, use Azure CLI version 2.0.28 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install the Azure CLI. Run az login to sign in to Azure.

Assign the Network Contributor role or a custom role with the appropriate permissions.

Work with network security groups

You can create, view all, view details of, change, and delete an NSG. You can also associate or dissociate an NSG from a network interface or a subnet.

Create a network security group

The number of NSGs that you can create for each Azure region and subscription is limited. To learn more, see Azure subscription and service limits, quotas, and constraints.

Use New-AzNetworkSecurityGroup to create an NSG named myNSG in the China North 3 region. The NSG named myNSG is created in the existing myResourceGroup resource group.

# Define parameters for the new network security group
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
    Location          = "chinanorth3"   # China North 3; the article signs in to AzureChinaCloud
}

# Create the network security group
New-AzNetworkSecurityGroup @NSGParams

View all network security groups

Use Get-AzNetworkSecurityGroup to list all the NSGs in your subscription.

Get-AzNetworkSecurityGroup | Format-Table Name, Location, ResourceGroupName, ProvisioningState, ResourceGuid

View details of a network security group

Use Get-AzNetworkSecurityGroup to view the details of an NSG.

# Define parameters for the network security group
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}

# Retrieve the network security group
Get-AzNetworkSecurityGroup @NSGParams

To learn more about the common Azure settings that are listed, see the following articles:

Change a network security group

The most common changes to an NSG are:

Associate or dissociate a network security group to or from a network interface

For more information about the association and dissociation of an NSG, see Associate or dissociate a network security group.

Associate or dissociate a network security group to or from a subnet

Use Set-AzVirtualNetworkSubnetConfig to associate or dissociate an NSG to or from a subnet.

# Define parameters for the virtual network and the network security group
$VNetParams = @{
    Name              = "myVNet"
    ResourceGroupName = "myResourceGroup"
}
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}

# Retrieve the network security group to associate with the subnet
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# Define the subnet configuration. To dissociate the NSG instead,
# set NetworkSecurityGroup to $null.
$SubnetParams = @{
    Name                 = "mySubnet"
    AddressPrefix        = "10.0.0.0/24"
    NetworkSecurityGroup = $networkSecurityGroup
}

# Retrieve the virtual network
$virtualNetwork = Get-AzVirtualNetwork @VNetParams

# Update the subnet configuration
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork @SubnetParams

# Update the virtual network
Set-AzVirtualNetwork -VirtualNetwork $virtualNetwork

Delete a network security group

If an NSG is associated to any subnets or network interfaces, it can't be deleted. Dissociate an NSG from all subnets and network interfaces before you attempt to delete it.

Use Remove-AzNetworkSecurityGroup to delete an NSG.

# Define parameters for the network security group to be removed
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}

# Remove the network security group
Remove-AzNetworkSecurityGroup @NSGParams
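The delete fails while any subnet or network interface still references the NSG. The following script, added here as an example and not part of the original article, dissociates the NSG from every subnet and network interface that references it and only then deletes it. It assumes myNSG exists in myResourceGroup and that the signed-in account holds the permissions listed under Permissions.

```powershell
# Added example: tear down an NSG safely by removing its associations first.
$nsg = Get-AzNetworkSecurityGroup -Name "myNSG" -ResourceGroupName "myResourceGroup"

# Subnet references only carry the subnet's resource ID, so parse the owning resource group
# and virtual network out of it:
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<name>
foreach ($subnetId in $nsg.Subnets.Id) {
    $parts  = $subnetId -split '/'
    $vnet   = Get-AzVirtualNetwork -Name $parts[8] -ResourceGroupName $parts[4]
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq $parts[10] }
    # Clearing the property on the subnet object and pushing the whole virtual network
    # leaves the subnet's other settings (route table, service endpoints) untouched.
    $subnet.NetworkSecurityGroup = $null
    Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
    Write-Host "Dissociated $($nsg.Name) from subnet $($parts[10]) in $($parts[8])"
}

# Network interfaces can be fetched directly by resource ID
foreach ($nicId in $nsg.NetworkInterfaces.Id) {
    $nic = Get-AzNetworkInterface -ResourceId $nicId
    $nic.NetworkSecurityGroup = $null
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
    Write-Host "Dissociated $($nsg.Name) from network interface $($nic.Name)"
}

# Re-read the NSG and confirm nothing references it before deleting
$nsg = Get-AzNetworkSecurityGroup -Name $nsg.Name -ResourceGroupName $nsg.ResourceGroupName
if ($nsg.Subnets.Count -eq 0 -and $nsg.NetworkInterfaces.Count -eq 0) {
    Remove-AzNetworkSecurityGroup -Name $nsg.Name -ResourceGroupName $nsg.ResourceGroupName -Force
} else {
    Write-Warning "$($nsg.Name) is still associated with a subnet or network interface; not deleting"
}
```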

Work with security rules

An NSG contains zero or more security rules. You can create, view all, view details of, change, and delete a security rule.

Create a security rule

The number of rules per NSG that you can create for each Azure location and subscription is limited. To learn more, see Azure subscription and service limits, quotas, and constraints.

Use Add-AzNetworkSecurityRuleConfig to create an NSG rule.

# Define parameters for the network security group and security rule
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}
$RuleParams = @{
    Name                 = "RDP-rule"
    Description          = "Allow RDP"
    Access               = "Allow"
    Protocol             = "Tcp"
    Direction            = "Inbound"
    Priority             = 300
    SourceAddressPrefix  = "*"
    SourcePortRange      = "*"
    DestinationAddressPrefix = "*"
    DestinationPortRange = 3389
}

# Retrieve the network security group
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# Add the security rule to the network security group
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup @RuleParams

# Update the network security group
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $networkSecurityGroup

Duplicate security rules

To duplicate existing security rules, you can export the JSON of the existing NSG, extract the securityRules, and include it in your ARM template.

  1. In the search box at the top of the portal, enter Network security group. Then select Network security groups in the search results.

  2. Select the name of the NSG for which you want to duplicate the rules.

  3. In the NSG's Overview page, expand the Essentials section and select the JSON View link on the far right.

  4. In the Resource JSON half-pane, find "properties". Within "properties", find "securityRules". Copy the full object of the security rule or rules you want to duplicate.

  5. In the search box at the top of the portal, enter Deploy a custom template and select it in the search results.

  6. In the Custom deployment page, select Build your own template in the editor.

  7. In the Edit template page, specify the existing NSG where you want to duplicate the rules to through its name and location. Within the "properties" -> "securityRules" of the NSG, paste the copied security rule object or objects.

  8. Select Save. Select the desired subscription, resource group, and region, then select Review + create.


View all security rules

An NSG contains zero or more rules. To learn more about the information shown when you view the rules, see Security rules.

Use Get-AzNetworkSecurityRuleConfig to view the security rules of an NSG.

# Define parameters for the network security group
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}

# Retrieve the network security group
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# List security rules of the network security group in a table
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup | Format-Table Name, Protocol, Access, Priority, Direction, SourcePortRange, DestinationPortRange, SourceAddressPrefix, DestinationAddressPrefix
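When reviewing the list, the rules that matter most are inbound Allow rules whose source is any address, such as the RDP-rule created earlier in this article. The script below is an added example, not part of the original article; it assumes myNSG exists in myResourceGroup and reports those rules in the order Azure evaluates them.

```powershell
# Added example: find inbound Allow rules that accept traffic from any source.
$nsg = Get-AzNetworkSecurityGroup -Name "myNSG" -ResourceGroupName "myResourceGroup"

# Source values that mean "anyone"
$anySource = @('*', 'Internet', '0.0.0.0/0')

# Custom and default rules are evaluated together, lowest priority number first, and the
# first match wins: a custom Allow at 300 takes effect before the default DenyAllInBound at 65500.
$inbound = (@($nsg.SecurityRules) + @($nsg.DefaultSecurityRules)) |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority

$openToAny = @(foreach ($rule in $inbound) {
    # SourceAddressPrefix is a list; a rule matches if any entry is one of the "anyone" values
    $fromAny = $rule.SourceAddressPrefix | Where-Object { $anySource -contains $_ }
    if ($rule.Access -eq 'Allow' -and $fromAny) { $rule }
})

if ($openToAny.Count -gt 0) {
    Write-Warning "$($openToAny.Count) inbound Allow rule(s) in $($nsg.Name) accept traffic from any source:"
    $openToAny | Format-Table Name, Priority, Protocol, DestinationPortRange, SourceAddressPrefix
} else {
    Write-Host "No inbound Allow rules from any source in $($nsg.Name)"
}
```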

View the details of a security rule

Use Get-AzNetworkSecurityRuleConfig to view the details of a security rule.

# Define parameters for the network security group and security rule
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}
$RuleParams = @{
    Name = "RDP-rule"
}

# Retrieve the network security group
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# View details of the security rule
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup @RuleParams

Note

This procedure applies only to a custom security rule. It doesn't work if you choose a default security rule.

Change a security rule

Use Set-AzNetworkSecurityRuleConfig to update an NSG rule.

# Define parameters for the network security group and security rule
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}
$RuleParams = @{
    Name                 = "RDP-rule"
    Description          = "Allow RDP"
    Access               = "Allow"
    Protocol             = "Tcp"
    Direction            = "Inbound"
    Priority             = 200
    SourceAddressPrefix  = "*"
    SourcePortRange      = "*"
    DestinationAddressPrefix = "*"
    DestinationPortRange = 3389
}

# Retrieve the network security group
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# Update the security rule in the network security group
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup @RuleParams

# Update the network security group
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $networkSecurityGroup

Note

This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.

Delete a security rule

Use Remove-AzNetworkSecurityRuleConfig to delete a security rule from an NSG.

# Define parameters for the network security group and security rule
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}
$RuleParams = @{
    Name = "RDP-rule"
}

# Retrieve the network security group
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# Remove the security rule from the network security group
Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup @RuleParams

# Update the network security group
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $networkSecurityGroup

Note

This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.

Work with application security groups

An application security group contains zero or more network interfaces. To learn more, see Application security groups. All network interfaces in an application security group must exist in the same virtual network. To learn how to add a network interface to an application security group, see Add a network interface to an application security group.

Create an application security group

Use New-AzApplicationSecurityGroup to create an application security group.

# Define parameters for the new application security group
$ASGParams = @{
    ResourceGroupName = "myResourceGroup"
    Name              = "myASG"
    Location          = "chinanorth3"   # the article signs in to AzureChinaCloud
}

# Create the application security group
New-AzApplicationSecurityGroup @ASGParams

View all application security groups

Use Get-AzApplicationSecurityGroup to list all the application security groups in your Azure subscription.

Get-AzApplicationSecurityGroup | Format-Table Name, ResourceGroupName, Location

View the details of a specific application security group

Use Get-AzApplicationSecurityGroup to view the details of an application security group.

Get-AzApplicationSecurityGroup -Name myASG

Change an application security group

# Define parameters for the application security group
$ASGParams = @{
    ResourceGroupName = "myResourceGroup"
    Name              = "myASG"
}

# Retrieve the application security group
$applicationSecurityGroup = Get-AzApplicationSecurityGroup @ASGParams

New-AzTag -ResourceId $applicationSecurityGroup.Id -Tag @{ Dept = "Finance" }

Delete an application security group

You can't delete an application security group if it contains any network interfaces. To remove all network interfaces from the application security group, either change the network interface settings or delete the network interfaces. To learn more, see Add or remove from application security groups or Delete a network interface.

Use Remove-AzApplicationSecurityGroup to delete an application security group.

# Define parameters for the application security group to be removed
$ASGParams = @{
    ResourceGroupName = "myResourceGroup"
    Name              = "myASG"
}

# Remove the application security group
Remove-AzApplicationSecurityGroup @ASGParams

Permissions

To manage NSGs, security rules, and application security groups, your account must be assigned to the Network Contributor role. You can also use a custom role with the appropriate permissions assigned, as listed in the following tables.

Note

You might not see the full list of service tags if the Network Contributor role was assigned at a resource group level. To view the full list, you can assign this role at a subscription scope instead. If you can only allow the Network Contributor role for the resource group, you can then also create a custom role for the permissions Microsoft.Network/locations/serviceTags/read and Microsoft.Network/locations/serviceTagDetails/read. Assign them at a subscription scope along with the Network Contributor role at the resource group scope.

Network security group

Action Name
Microsoft.Network/networkSecurityGroups/read Get an NSG.
Microsoft.Network/networkSecurityGroups/write Create or update an NSG.
Microsoft.Network/networkSecurityGroups/delete Delete an NSG.
Microsoft.Network/networkSecurityGroups/join/action Associate an NSG to a subnet or network interface.

Note

To perform write operations on an NSG, the subscription account must have at least read permissions for the resource group along with Microsoft.Network/networkSecurityGroups/write permission.

Network security group rule

Action Name
Microsoft.Network/networkSecurityGroups/securityRules/read Get a rule.
Microsoft.Network/networkSecurityGroups/securityRules/write Create or update a rule.
Microsoft.Network/networkSecurityGroups/securityRules/delete Delete a rule.

Application security group

Action Name
Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action Join an IP configuration to an application security group.
Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action Join a security rule to an application security group.
Microsoft.Network/applicationSecurityGroups/read Get an application security group.
Microsoft.Network/applicationSecurityGroups/write Create or update an application security group.
Microsoft.Network/applicationSecurityGroups/delete Delete an application security group.
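The tables above are enough to build a custom role that grants only NSG and rule management, and the note above describes splitting service tag reads into a separate assignment at subscription scope. The script below is an added example, not part of the original article: it creates both custom roles and assigns them as the note describes. The subscription ID and principal object ID are placeholders, and the role names are assumptions.

```powershell
# Added example: least-privilege custom roles built from the permission tables above.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$scopeSub       = "/subscriptions/$subscriptionId"
$scopeRG        = "$scopeSub/resourceGroups/myResourceGroup"
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder: user or group object ID

function New-NsgCustomRole([string]$Name, [string[]]$Actions, [string]$AssignableScope) {
    # Clone a built-in definition to get a correctly shaped object, then replace its content.
    # Network Contributor has no NotActions or DataActions, so only Actions and scopes change.
    $role = Get-AzRoleDefinition -Name "Network Contributor"
    $role.Id          = $null
    $role.IsCustom    = $true
    $role.Name        = $Name
    $role.Description = "Custom role built from the NSG permission tables"
    $role.Actions.Clear()
    foreach ($action in $Actions) { $role.Actions.Add($action) }
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($AssignableScope)
    New-AzRoleDefinition -Role $role
}

# NSG and rule management; resource group read is required for write operations (see the note above)
$nsgRole = New-NsgCustomRole -Name "NSG Rule Operator" -AssignableScope $scopeSub -Actions @(
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/networkSecurityGroups/securityRules/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete"
)

# Service tag reads only work at subscription scope, so they get their own role
$tagRole = New-NsgCustomRole -Name "Service Tag Reader" -AssignableScope $scopeSub -Actions @(
    "Microsoft.Network/locations/serviceTags/read",
    "Microsoft.Network/locations/serviceTagDetails/read"
)

# New definitions can take a few minutes to propagate before an assignment succeeds
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $nsgRole.Name -Scope $scopeRG
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $tagRole.Name -Scope $scopeSub
```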