Microsoft.Network networkSecurityGroups 2020-08-01

The networkSecurityGroups resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.Network/networkSecurityGroups resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.Network/networkSecurityGroups@2020-08-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    securityRules: [
      {
        id: 'string'
        name: 'string'
        properties: {
          access: 'string'
          description: 'string'
          destinationAddressPrefix: 'string'
          destinationAddressPrefixes: [ 'string' ]
          destinationApplicationSecurityGroups: [
            {
              id: 'string'
              location: 'string'
              properties: {}
              tags: {
                tagName1: 'tagValue1'
                tagName2: 'tagValue2'
              }
            }
          ]
          destinationPortRange: 'string'
          destinationPortRanges: [ 'string' ]
          direction: 'string'
          priority: int
          protocol: 'string'
          sourceAddressPrefix: 'string'
          sourceAddressPrefixes: [ 'string' ]
          sourceApplicationSecurityGroups: [
            {
              id: 'string'
              location: 'string'
              properties: {}
              tags: {
                tagName1: 'tagValue1'
                tagName2: 'tagValue2'
              }
            }
          ]
          sourcePortRange: 'string'
          sourcePortRanges: [ 'string' ]
        }
        type: 'string'
      }
    ]
  }
}

Property values

networkSecurityGroups

Name Description Value
type The resource type

For Bicep, set this value in the resource declaration.
'Microsoft.Network/networkSecurityGroups'
apiVersion The resource api version

For Bicep, set this value in the resource declaration.
'2020-08-01'
name The resource name string (required)
location Resource location. string
tags Resource tags. Dictionary of tag names and values. See Tags in templates
properties Network Security Group resource. NetworkSecurityGroupPropertiesFormat

NetworkSecurityGroupPropertiesFormat

Name Description Value
securityRules A collection of security rules of the network security group. SecurityRule[]

SecurityRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Security rule resource. SecurityRulePropertiesFormat
type The type of the resource. string

SecurityRulePropertiesFormat

Name Description Value
access Whether network traffic is allowed or denied. 'Allow'
'Deny'
description A description for this rule. Restricted to 140 chars. string
destinationAddressPrefix The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. string
destinationAddressPrefixes The destination address prefixes. CIDR or destination IP ranges. string[]
destinationApplicationSecurityGroups The application security group specified as destination. ApplicationSecurityGroup[]
destinationPortRange The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
destinationPortRanges The destination port ranges. string[]
direction The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. 'Inbound'
'Outbound'
priority The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. int
protocol Network protocol this rule applies to. '*'
'Ah'
'Esp'
'Icmp'
'Tcp'
'Udp'
sourceAddressPrefix The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. string
sourceAddressPrefixes The CIDR or source IP ranges. string[]
sourceApplicationSecurityGroups The application security group specified as source. ApplicationSecurityGroup[]
sourcePortRange The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
sourcePortRanges The source port ranges. string[]

ApplicationSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Application security group properties. ApplicationSecurityGroupPropertiesFormat
tags Resource tags. Dictionary of tag names and values. See Tags in templates

ApplicationSecurityGroupPropertiesFormat

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Managed Azure Active Directory Domain Services

Deploy to Azure
This template deploys an Managed Azure Active Directory Domain Service with required VNet and NSG configurations.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
App Gateway with WAF, SSL, IIS and HTTPS redirection

Deploy to Azure
This template deploys an Application Gateway with WAF, end to end SSL and HTTP to HTTPS redirect on the IIS servers.
Application Security Groups

Deploy to Azure
This template shows how to put together the pieces to secure workloads using NSGs with Application Security Groups. It will deploy a Linux VM running NGINX and through the usage of Applicaton Security Groups on Network Security Groups we will allow access to ports 22 and 80 to a VM assigned to Application Security Group called webServersAsg.
Azure Bastion as a Service

Deploy to Azure
This template provisions Azure Bastion in a Virtual Network
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.
Create a Firewall with FirewallPolicy and IpGroups

Deploy to Azure
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup
Create an Azure Firewall with IpGroups

Deploy to Azure
This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also, includes a Linux Jumpbox vm setup
Create an Azure Firewall sandbox with forced tunneling

Deploy to Azure
This template creates an Azure Firewall sandbox (Linux) with one firewall force tunneled through another firewall in a peered VNET
Create a sandbox setup of Azure Firewall with Linux VMs

Deploy to Azure
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges
Create a sandbox setup with Firewall Policy

Deploy to Azure
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges
Create a sandbox setup of Azure Firewall with Zones

Deploy to Azure
This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the ServerSubnet,an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3.
Deploy a Bastion host in a hub Virtual Network

Deploy to Azure
This template creates two vNets with peerings, a Bastion host in the Hub vNet and a Linux VM in the spoke vNet
ExpressRoute circuit with private peering and Azure VNet

Deploy to Azure
This template configure ExpressRoute Microsoft peering, deploy an Azure VNet with Expressroute gateway and link the VNet to the ExpressRoute circuit
Create Azure Front Door in front of Azure API Management

Deploy to Azure
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management.
Front Door Standard/Premium with API Management origin

Deploy to Azure
This template creates a Front Door Premium (Preview) and an API Management instance, and uses an NSG and global API Management policy to validate that traffic has come through the Front Door origin.
Front Door Standard/Premium with Application Gateway origin

Deploy to Azure
This template creates a Front Door Standard/Premium (Preview) and an Application Gateway instance, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
Front Door with Container Instances and Application Gateway

Deploy to Azure
This template creates a Front Door Standard/Premium (Preview) with a container group and Application Gateway.
Create an Azure Firewall with multiple IP public addresses

Deploy to Azure
This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test.
Secured virtual hubs

Deploy to Azure
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.
Create a cross-region load balancer

Deploy to Azure
This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region.
Standard Load Balancer with Backend Pool by IP Addresses

Deploy to Azure
This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document.
Create a load-balancer with a Public IPv6 address

Deploy to Azure
This template creates an Internet-facing load-balancer with a Public IPv6 address, load balancing rules, and two VMs for the backend pool.
Create a standard load-balancer

Deploy to Azure
This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone.
Virtual Network NAT

Deploy to Azure
Deploy a NAT gateway and virtual machine
Apply a NSG to an existing subnet

Deploy to Azure
This template applies a newly created NSG to an existing subnet
Multi tier VNet with NSGs and DMZ

Deploy to Azure
This template deploys a Virtual Network with 3 subnets, 3 Network Security Groups and appropriate security rules to make the FrontEnd subnet a DMZ
Azure Route Server in BGP peering with Quagga

Deploy to Azure
This template deploys a Router Server and Ubuntu VM with Quagga. Two external BGP sessions are established between the Router Server and Quagga. Installation and configuration of Quagga is executed by Azure custom script extension for linux
Create a Network Security Group

Deploy to Azure
This template creates a Network Security Group
Create a Site-to-Site VPN Connection

Deploy to Azure
This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways
Site-to-Site VPN with active-active VPN Gateways with BGP

Deploy to Azure
This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in configuration active-active with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. Template runs as expected in Azure regions with availability zones.
Azure Traffic Manager VM example

Deploy to Azure
This template shows how to create an Azure Traffic Manager profile load-balancing across multiple virtual machines.
Azure Traffic Manager VM example with Availability Zones

Deploy to Azure
This template shows how to create an Azure Traffic Manager profile load-balancing across multiple virtual machines placed in Availability Zones.
User defined routes and Appliance

Deploy to Azure
This template deploys a Virtual Network, VMs in respective subnets and routes to direct traffic to the appliance
201-vnet-2subnets-service-endpoints-storage-integration

Deploy to Azure
Creates 2 new VMs with a NIC each, in two different subnets within the same VNet. Sets service endpoint on one of the subnets and secures storage account to that subnet.
Add an NSG with Redis security rules to an existing subnet

Deploy to Azure
This template allows you to add an NSG with preconfigured Azure Redis Cache security rules to an existing subnet within a VNET. Deploy into the resource group of the existing VNET.