How to open ports to a virtual machine with the Azure portal

You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or VM network interface. You place these filters, which control both inbound and outbound traffic, on a Network Security Group attached to the resource that receives the traffic.

Let's use a common example of web traffic on port 80. Once you have a VM that is configured to serve web requests on the standard TCP port 80 (remember to start the appropriate services and open any OS firewall rules on the VM as well), you:

  1. Create a Network Security Group.
  2. Create an inbound rule allowing traffic with:
    • the destination port range of "80"
    • the source port range of "*" (allowing any source port)
    • a priority value of less 65,500 (to be higher in priority than the default catch-all deny inbound rule)
  3. Associate the Network Security Group with the VM network interface or subnet.

You can create complex network configurations to secure your environment using Network Security Groups and rules. Our example uses only one or two rules that allow HTTP traffic or remote management. For more information, see the following 'More Information' section or What is a Network Security Group?

Quick commands

You can also perform these steps using Azure PowerShell.

First, create your Network Security Group. Select a resource group in the portal, choose Add, then search for and select Network security group:

Add a Network Security Group

Enter a name for your Network Security Group, select or create a resource group, and select a location. Select Create when finished:

Create a Network Security Group

Select your new Network Security Group. Select 'Inbound security rules', then select the Add button to create a rule:

Add an inbound rule

To create a rule that allows traffic:

  • Select the Basic button. By default, the Advanced window provides some additional configuration options, such as to define a specific source IP block or port range.
  • Choose a common Service from the drop-down menu, such as HTTP. You can also select Custom to provide a specific port to use.
  • If desired, change the priority or name. The priority affects the order in which rules are applied - the lower the numerical value, the earlier the rule is applied.
  • When you are ready, select OK to create the rule:

Create an inbound rule

Your final step is to associate your Network Security Group with a subnet or a specific network interface. Let's associate the Network Security Group with a subnet. Select Subnets, then choose Associate:

Associate a Network Security Group with a subnet

Select your virtual network, and then select the appropriate subnet:

Associating a Network Security Group with virtual networking

You have now created a Network Security Group, created an inbound rule that allows traffic on port 80, and associated it with a subnet. Any VMs you connect to that subnet are reachable on port 80.

More information on Network Security Groups

The quick commands here allow you to get up and running with traffic flowing to your VM. Network Security Groups provide many great features and granularity for controlling access to your resources. You can read more about creating a Network Security Group and ACL rules here.

For highly available web applications, you should place your VMs behind an Azure Load Balancer. The load balancer distributes traffic to VMs, with a Network Security Group that provides traffic filtering. For more information, see How to load balance Linux virtual machines in Azure to create a highly available application.

Next steps

In this example, you created a simple rule to allow HTTP traffic. You can find information on creating more detailed environments in the following articles: