Create, change, or delete a network security group
Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. To learn more about network security groups, see Network security group overview. Next, complete the Filter network traffic tutorial to gain some experience with network security groups.
Before you begin
Note
This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
If you don't have one, set up an Azure account with an active subscription. Create an account for free. Complete one of these tasks before starting the remainder of this article:
Portal users: Sign in to the Azure portal with your Azure account.
PowerShell users: Either run the commands in the Azure Cloud Shell, or run PowerShell from your computer. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. In the Azure Cloud Shell browser tab, find the Select environment dropdown list, then pick PowerShell if it isn't already selected.
If you're running PowerShell locally, use Azure PowerShell module version 1.0.0 or later. Run
Get-Module -ListAvailable Az.Network
to find the installed version. If you need to upgrade, see Install Azure PowerShell module. Run
Connect-AzAccount
to create a connection with Azure.
Azure Command-line interface (CLI) users: Either run the commands in the Azure Cloud Shell, or run the CLI from your computer. Use Azure CLI version 2.0.28 or later if you're running the Azure CLI locally. Run
az --version
to find the installed version. If you need to install or upgrade, see Install Azure CLI. Run
az login
to create a connection with Azure.
The account you log in or connect to Azure with must be assigned the Network contributor role, or a custom role that's assigned the appropriate actions listed in Permissions.
Work with network security groups
You can create, view all, view details of, change, and delete a network security group. You can also associate or dissociate a network security group from a network interface or subnet.
Create a network security group
There's a limit to how many network security groups you can create for each Azure location and subscription. To learn more, see Azure subscription and service limits, quotas, and constraints.
On the Azure portal menu or from the Home page, select Create a resource.
Select Networking, then select Network security group.
In the Create network security group page, under the Basics tab, set values for the following settings:
Setting | Action |
---|---|
Subscription | Choose your subscription. |
Resource group | Choose an existing resource group, or select Create new to create a new resource group. |
Name | Enter a unique text string within a resource group. |
Region | Choose the location you want. |
Select Review + create.
After you see the Validation passed message, select Create.
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg create |
PowerShell | New-AzNetworkSecurityGroup |
View all network security groups
Go to the Azure portal to view your network security groups. Search for and select Network security groups. The list of network security groups appears for your subscription.
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg list |
PowerShell | Get-AzNetworkSecurityGroup |
View details of a network security group
Go to the Azure portal to view your network security groups. Search for and select Network security groups.
Select the name of your network security group.
In the menu bar of the network security group, under Settings, you can view the Inbound security rules, Outbound security rules, Network interfaces, and Subnets that the network security group is associated to.
Under Monitoring, you can enable or disable Diagnostic settings. Under Support + troubleshooting, you can view Effective security rules. To learn more, see Diagnostic logging for a network security group and Diagnose a VM network traffic filter problem.
To learn more about the common Azure settings listed, see the following articles:
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg show |
PowerShell | Get-AzNetworkSecurityGroup |
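The portal's Effective security rules view and the Get-AzNetworkSecurityGroup cmdlet above can be turned into a subscription-wide audit. The following script is an added example, not code from the article: it lists every inbound Allow rule in any network security group that exposes a management port to a broad source, then shows the effective rule set for one NIC. The port list, the NIC name and the resource group are assumed values; Connect-AzAccount is assumed to have already run.

```powershell
# Added example (not from the original article). Assumes Connect-AzAccount has run.
$mgmtPorts    = @(22, 3389, 5985, 5986)           # SSH, RDP, WinRM: constructed list for the audit
$broadSources = @('*', 'Internet', '0.0.0.0/0')   # "Any" in the portal is stored as *

# Does a rule's port-range list (e.g. "80", "1024-65535", "*") cover the given port?
function Test-PortMatch {
    param([string[]]$Ranges, [int]$Port)
    foreach ($r in $Ranges) {
        if ($r -eq '*') { return $true }
        if ($r -match '^\d+$' -and [int]$r -eq $Port) { return $true }
        if ($r -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

$findings = foreach ($nsg in Get-AzNetworkSecurityGroup) {
    # Custom rules only; add -DefaultRules to the cmdlet to include the default rules as well
    foreach ($rule in Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        $srcBroad = @($rule.SourceAddressPrefix | Where-Object { $_ -in $broadSources }).Count -gt 0
        if (-not $srcBroad) { continue }
        $exposed = @($mgmtPorts | Where-Object { Test-PortMatch -Ranges $rule.DestinationPortRange -Port $_ })
        if ($exposed.Count -gt 0) {
            [pscustomobject]@{
                ResourceGroup = $nsg.ResourceGroupName
                Nsg           = $nsg.Name
                Rule          = $rule.Name
                Priority      = $rule.Priority            # lower number wins, so a Deny at a higher number does not help
                Source        = ($rule.SourceAddressPrefix -join ',')
                Ports         = ($exposed -join ',')
                Subnets       = $nsg.Subnets.Count        # an NSG attached to nothing is a finding of lower urgency
                Nics          = $nsg.NetworkInterfaces.Count
            }
        }
    }
}
$findings | Sort-Object ResourceGroup, Nsg, Priority | Format-Table -AutoSize

# What one NIC actually gets: custom and default rules from the subnet NSG and the NIC NSG combined,
# the same data the portal shows under Support + troubleshooting > Effective security rules.
# 'nic-web-01' and 'rg-web-example' are assumed names.
(Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'nic-web-01' -ResourceGroupName 'rg-web-example').EffectiveSecurityRules |
    Sort-Object Priority |
    Select-Object Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```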
Change a network security group
Go to the Azure portal to view your network security groups. Search for and select Network security groups.
Select the name of the network security group you want to change.
The most common changes are to add a security rule, remove a rule, and associate or dissociate a network security group to or from a subnet or network interface.
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg update |
PowerShell | Set-AzNetworkSecurityGroup |
Associate or dissociate a network security group to or from a subnet or network interface
To associate a network security group to, or dissociate a network security group from a network interface, see Associate a network security group to, or dissociate a network security group from a network interface. To associate a network security group to, or dissociate a network security group from a subnet, see Change subnet settings.
Delete a network security group
If a network security group is associated to any subnets or network interfaces, it can't be deleted. Dissociate a network security group from all subnets and network interfaces before attempting to delete it.
Go to the Azure portal to view your network security groups. Search for and select Network security groups.
Select the name of the network security group you want to delete.
In the network security group's toolbar, select Delete. Then select Yes in the confirmation dialog box.
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg delete |
PowerShell | Remove-AzNetworkSecurityGroup |
Work with security rules
A network security group contains zero or more security rules. You can create, view all, view details of, change, and delete a security rule.
Create a security rule
There's a limit to how many rules per network security group you can create for each Azure location and subscription. To learn more, see Azure subscription and service limits, quotas, and constraints.
Go to the Azure portal to view your network security groups. Search for and select Network security groups.
Select the name of the network security group you want to add a security rule to.
In the network security group's menu bar, choose Inbound security rules or Outbound security rules.
Several existing rules are listed, including some you may not have added. When you create a network security group, several default security rules are created in it. To learn more, see default security rules. You can't delete default security rules, but you can override them with rules that have a higher priority.
Select Add. Select or add values for the following settings, and then select OK:
Setting | Value | Details |
---|---|---|
Source | One of: Any; IP Addresses; Service Tag (inbound security rule) or VirtualNetwork (outbound security rule); Application security group | If you choose IP Addresses, you must also specify Source IP addresses/CIDR ranges. If you choose Service Tag, you may also pick a Source service tag. If you choose Application security group, you must also pick an existing application security group. If you choose Application security group for both Source and Destination, the network interfaces within both application security groups must be in the same virtual network. |
Source IP addresses/CIDR ranges | A comma-delimited list of IP addresses and Classless Interdomain Routing (CIDR) ranges | This setting appears if you change Source to IP Addresses. You must specify a single value or a comma-separated list of multiple values. An example of multiple values is 10.0.0.0/16, 192.188.1.1. There are limits to the number of values you can specify. For more details, see Azure limits. If the IP address you specify is assigned to an Azure VM, specify its private IP address, not its public IP address. Azure processes security rules after it translates the public IP address to a private IP address for inbound security rules, but before it translates a private IP address to a public IP address for outbound rules. To learn more about public and private IP addresses in Azure, see IP address types. |
Source service tag | A service tag from the dropdown list | This optional setting appears if you set Source to Service Tag for an inbound security rule. A service tag is a predefined identifier for a category of IP addresses. To learn more about available service tags, and what each tag represents, see Service tags. |
Source application security group | An existing application security group | This setting appears if you set Source to Application security group. Select an application security group that exists in the same region as the network interface. Learn how to create an application security group. |
Source port ranges | One of: a single port, such as 80; a range of ports, such as 1024-65535; a comma-separated list of single ports and/or port ranges, such as 80, 1024-65535; an asterisk (*) to allow traffic on any port | This setting specifies the ports on which the rule allows or denies traffic. There are limits to the number of ports you can specify. For more details, see Azure limits. |
Destination | One of: Any; IP Addresses; Service Tag (outbound security rule) or VirtualNetwork (inbound security rule); Application security group | If you choose IP Addresses, then also specify Destination IP addresses/CIDR ranges. If you choose VirtualNetwork, traffic is allowed to all IP addresses within the virtual network's address space. VirtualNetwork is a service tag. If you select Application security group, you must then select an existing application security group. Learn how to create an application security group. |
Destination IP addresses/CIDR ranges | A comma-delimited list of IP addresses and CIDR ranges | This setting appears if you change Destination to IP Addresses. Similar to Source and Source IP addresses/CIDR ranges, you can specify single or multiple addresses or ranges. There are limits to the number you can specify. For more details, see Azure limits. If the IP address you specify is assigned to an Azure VM, ensure that you specify its private IP address, not its public IP address. Azure processes security rules after it translates the public IP address to a private IP address for inbound security rules, but before Azure translates a private IP address to a public IP address for outbound rules. To learn more about public and private IP addresses in Azure, see IP address types. |
Destination service tag | A service tag from the dropdown list | This optional setting appears if you change Destination to Service Tag for an outbound security rule. A service tag is a predefined identifier for a category of IP addresses. To learn more about available service tags, and what each tag represents, see Service tags. |
Destination application security group | An existing application security group | This setting appears if you set Destination to Application security group. Select an application security group that exists in the same region as the network interface. Learn how to create an application security group. |
Destination port ranges | One of: a single port, such as 80; a range of ports, such as 1024-65535; a comma-separated list of single ports and/or port ranges, such as 80, 1024-65535; an asterisk (*) to allow traffic on any port | As with Source port ranges, you can specify single or multiple ports and ranges. There are limits to the number you can specify. For more details, see Azure limits. |
Protocol | Any, TCP, UDP, or ICMP | You may restrict the rule to the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP). The default is for the rule to apply to all protocols. |
Action | Allow or Deny | This setting specifies whether this rule allows or denies access for the supplied source and destination configuration. |
Priority | A value between 100 and 4096 that's unique for all security rules within the network security group | Azure processes security rules in priority order. The lower the number, the higher the priority. We recommend that you leave a gap between priority numbers when you create rules, such as 100, 200, and 300. Leaving gaps makes it easier to add rules in the future, so that you can give them higher or lower priority than existing rules. |
Name | A unique name for the rule within the network security group | The name can be up to 80 characters. It must begin with a letter or number, and it must end with a letter, number, or underscore. The name may contain only letters, numbers, underscores, periods, or hyphens. |
Description | A text description | You may optionally specify a text description for the security rule. The description cannot be longer than 140 characters. |
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg rule create |
PowerShell | New-AzNetworkSecurityRuleConfig |
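The settings above map directly onto New-AzNetworkSecurityRuleConfig parameters. The script below is an added example, not code from the article: it creates a network security group whose rules use gapped priorities, target an application security group instead of addresses, and end in an explicit Deny that overrides the default rules (which sit at priority 65000 and above), then shows the "change" path of inserting a rule into a gap and attaching the group to a subnet. Resource group, location, names, address prefixes and ports are constructed values; Connect-AzAccount is assumed to have already run.

```powershell
# Added example (not from the original article). All names and addresses are constructed.
$rg        = 'rg-web-example'
$loc       = 'eastus'
$adminCidr = '203.0.113.0/24'   # RFC 5737 documentation range, standing in for an admin network

# Application security group: rules refer to "the web servers", not to addresses that change
$webAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'asg-web'

$rules = @(
    # 100: HTTPS from the Internet service tag, only to NICs that are members of asg-web
    New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsInbound' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationApplicationSecurityGroup $webAsg -DestinationPortRange 443
    # 200: SSH only from the admin range. Source addresses of Azure VMs must be private IPs (see table above).
    New-AzNetworkSecurityRuleConfig -Name 'AllowSshFromAdmin' -Priority 200 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $adminCidr -SourcePortRange * `
        -DestinationApplicationSecurityGroup $webAsg -DestinationPortRange 22
    # 300: keep load balancer health probes working, because the Deny below also overrides
    # the default AllowAzureLoadBalancerInBound rule (priority 65001)
    New-AzNetworkSecurityRuleConfig -Name 'AllowAzureLoadBalancerInbound' -Priority 300 -Direction Inbound -Access Allow `
        -Protocol * -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
    # 4000: explicit deny. Default rules can't be deleted, but a lower number wins, so this overrides
    # AllowVnetInBound (65000). Gaps of 100 above leave room to insert rules without renumbering.
    New-AzNetworkSecurityRuleConfig -Name 'DenyAllInbound' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'nsg-web' -SecurityRules $rules

# Changing the group later: add a rule into the gap, then write the whole object back
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-web'
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowHttpInbound' -Priority 150 -Direction Inbound -Access Allow `
    -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationApplicationSecurityGroup $webAsg -DestinationPortRange 80 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Associate with a subnet: update the subnet config on the virtual network object, then save the network.
# 'vnet-web', 'snet-web' and the prefix are assumed values; AddressPrefix is mandatory for this cmdlet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-web'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web' -AddressPrefix '10.0.1.0/24' `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```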
View all security rules
A network security group contains zero or more rules. To learn more about the information listed when viewing rules, see Network security group overview.
Go to the Azure portal to view the rules of a network security group. Search for and select Network security groups.
Select the name of the network security group that you want to view the rules for.
In the network security group's menu bar, choose Inbound security rules or Outbound security rules.
The list contains any rules you've created and the network security group's default security rules.
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg rule list |
PowerShell | Get-AzNetworkSecurityRuleConfig |
View details of a security rule
Go to the Azure portal to view the rules of a network security group. Search for and select Network security groups.
Select the name of the network security group that you want to view the details of a rule for.
In the network security group's menu bar, choose Inbound security rules or Outbound security rules.
Select the rule you want to view details for. For an explanation of all settings, see Security rule settings.
Note
This procedure only applies to a custom security rule. It doesn't work if you choose a default security rule.
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg rule show |
PowerShell | Get-AzNetworkSecurityRuleConfig |
Change a security rule
Complete the steps in View details of a security rule.
Change the settings as needed, and then select Save. For an explanation of all settings, see Security rule settings.
Note
This procedure only applies to a custom security rule. You aren't allowed to change a default security rule.
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg rule update |
PowerShell | Set-AzNetworkSecurityRuleConfig |
Delete a security rule
Complete the steps in View details of a security rule.
Select Delete, and then select Yes.
Note
This procedure only applies to a custom security rule. You aren't allowed to delete a default security rule.
Commands
Tool | Command |
---|---|
Azure CLI | az network nsg rule delete |
PowerShell | Remove-AzNetworkSecurityRuleConfig |
Work with application security groups
An application security group contains zero or more network interfaces. To learn more, see application security groups. All network interfaces in an application security group must exist in the same virtual network. To learn how to add a network interface to an application security group, see Add a network interface to an application security group.
Create an application security group
On the Azure portal menu or from the Home page, select Create a resource.
In the search box, enter Application security group.
In the Application security group page, select Create.
In the Create an application security group page, under the Basics tab, set values for the following settings:
Setting | Action |
---|---|
Subscription | Choose your subscription. |
Resource group | Choose an existing resource group, or select Create new to create a new resource group. |
Name | Enter a unique text string within a resource group. |
Region | Choose the location you want. |
Select Review + create.
Under the Review + create tab, after you see the Validation passed message, select Create.
Commands
Tool | Command |
---|---|
Azure CLI | az network asg create |
PowerShell | New-AzApplicationSecurityGroup |
View all application security groups
Go to the Azure portal to view your application security groups. Search for and select Application security groups. The Azure portal displays a list of your application security groups.
Commands
Tool | Command |
---|---|
Azure CLI | az network asg list |
PowerShell | Get-AzApplicationSecurityGroup |
View details of a specific application security group
Go to the Azure portal to view an application security group. Search for and select Application security groups.
Select the name of the application security group that you want to view the details of.
Commands
Tool | Command |
---|---|
Azure CLI | az network asg show |
PowerShell | Get-AzApplicationSecurityGroup |
Change an application security group
Go to the Azure portal to view an application security group. Search for and select Application security groups.
Select the name of the application security group that you want to change.
Select change next to the setting that you want to modify. For example, you can add or remove Tags, or you can change the Resource group or Subscription.
Note
You can't change the location.
In the menu bar, you can also select Access control (IAM). In the Access control (IAM) page, you can assign or remove permissions to the application security group.
Commands
Tool | Command |
---|---|
Azure CLI | az network asg update |
PowerShell | No PowerShell cmdlet |
Delete an application security group
You can't delete an application security group if it contains any network interfaces. To remove all network interfaces from the application security group, either change the network interface settings or delete the network interfaces. To learn more, see Add to or remove from application security groups or Delete a network interface.
Go to the Azure portal to manage your application security groups. Search for and select Application security groups.
Select the name of the application security group that you want to delete.
Select Delete, and then select Yes to delete the application security group.
Commands
Tool | Command |
---|---|
Azure CLI | az network asg delete |
PowerShell | Remove-AzApplicationSecurityGroup |
Permissions
To do tasks on network security groups, security rules, and application security groups, your account must be assigned to the Network contributor role or to a Custom role that's assigned the appropriate permissions as listed in the following tables:
Network security group
Action | Name |
---|---|
Microsoft.Network/networkSecurityGroups/read | Get network security group |
Microsoft.Network/networkSecurityGroups/write | Create or update network security group |
Microsoft.Network/networkSecurityGroups/delete | Delete network security group |
Microsoft.Network/networkSecurityGroups/join/action | Associate a network security group to a subnet or network interface |
Network security group rule
Action | Name |
---|---|
Microsoft.Network/networkSecurityGroups/securityRules/read | Get rule |
Microsoft.Network/networkSecurityGroups/securityRules/write | Create or update rule |
Microsoft.Network/networkSecurityGroups/securityRules/delete | Delete rule |
Application security group
Action | Name |
---|---|
Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action | Join an IP configuration to an application security group |
Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action | Join a security rule to an application security group |
Microsoft.Network/applicationSecurityGroups/read | Get an application security group |
Microsoft.Network/applicationSecurityGroups/write | Create or update an application security group |
Microsoft.Network/applicationSecurityGroups/delete | Delete an application security group |
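The action names in these tables are what a custom role is built from. The script below is an added example, not code from the article: it defines a least-privilege role that can read network security groups and create, change or delete their rules, but deliberately omits the actions that create, delete or join a network security group. The role name is an assumption; the subscription id is read from the current context.

```powershell
# Added example (not from the original article). Assumes Connect-AzAccount has run.
$subscriptionId = (Get-AzContext).Subscription.Id

# Clone a built-in definition to get a correctly shaped object, then replace its contents
$role = Get-AzRoleDefinition -Name 'Network Contributor'
$role.Id          = $null
$role.Name        = 'NSG Rule Operator (example)'     # assumed name
$role.Description = 'Read network security groups and manage their security rules only.'
$role.IsCustom    = $true
$role.Actions.Clear()
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

# Actions taken from the Permissions tables above, plus resource group read so the portal can browse to the NSG
foreach ($action in @(
    'Microsoft.Resources/subscriptions/resourceGroups/read',
    'Microsoft.Network/networkSecurityGroups/read',
    'Microsoft.Network/networkSecurityGroups/securityRules/read',
    'Microsoft.Network/networkSecurityGroups/securityRules/write',
    'Microsoft.Network/networkSecurityGroups/securityRules/delete',
    # only needed if rules reference application security groups as source or destination
    'Microsoft.Network/applicationSecurityGroups/read',
    'Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action'
)) { $role.Actions.Add($action) }

# Deliberately absent: networkSecurityGroups/write, networkSecurityGroups/delete and
# networkSecurityGroups/join/action. A holder of this role can tune rules but cannot create
# a group, remove one, or attach it to a different subnet or network interface.

New-AzRoleDefinition -Role $role
```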
Next steps
- Create a network or application security group using PowerShell or Azure CLI sample scripts, or Azure Resource Manager templates
- Create and assign Azure Policy definitions for virtual networks