Manage network security groups using the Azure CLI

After you create one or more Network Security Groups (NSGs), you need to be able to retrieve information about your NSGs, add and remove rules, edit existing rules, associate or dissociate NSGs, and delete NSGs. In this article, you will learn how to execute each of these tasks. Before you can manage NSGs, it's important to know how NSGs work.

Note

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers using the Resource Manager deployment model, which Microsoft recommends for most new deployments instead of the classic deployment model.

Sample Scenario

To better illustrate how to manage NSGs, this article uses the scenario below.

VNet scenario

In this scenario you will create an NSG for each subnet in the TestVNet virtual network, as described below:

  • NSG-FrontEnd. The front end NSG will be applied to the FrontEnd subnet, and contain two rules:
    • rdp-rule. This rule will allow RDP traffic to the FrontEnd subnet.
    • web-rule. This rule will allow HTTP traffic to the FrontEnd subnet.
  • NSG-BackEnd. The back end NSG will be applied to the BackEnd subnet, and contain two rules:
    • sql-rule. This rule allows SQL traffic only from the FrontEnd subnet.
    • web-rule. This rule denies all internet bound traffic from the BackEnd subnet.

Together these rules create a DMZ-like layout: the back end subnet accepts SQL connections from the front end subnet and has no access to the Internet, while the front end subnet can reach the Internet and accepts inbound HTTP (and, for administration, RDP) from it. Two caveats: the default AllowVnetInBound rule still permits any other traffic from inside the virtual network to the back end subnet unless you add an explicit deny rule, and exposing RDP to the Internet is acceptable only in a test scenario like this one.

To deploy the scenario described above, follow this link, click Deploy to Azure, replace the default parameter values if necessary, and follow the instructions in the portal. In the sample instructions below, the template was used to deploy a resource group named RG-NSG.

Prerequisite

If you haven't yet, install and configure the latest Azure CLI 2.0 and log in to an Azure account using az login.

View existing NSGs

To view the list of NSGs in a specific resource group, run the az network nsg list command with a -o table output format:

az network nsg list -g RG-NSG -o table

Expected output:

Location    Name          ProvisioningState    ResourceGroup    ResourceGuid
----------  ------------  -------------------  ---------------  ------------------------------------
centralus   NSG-BackEnd   Succeeded            RG-NSG           <guid>
centralus   NSG-FrontEnd  Succeeded            RG-NSG           <guid>

List all rules for an NSG

To view the rules of an NSG named NSG-FrontEnd, including the default rules that every NSG carries, run the az network nsg show command using a JMESPath query filter and the -o table output format:

az network nsg show \
--resource-group RG-NSG \
--name NSG-FrontEnd \
--query '[defaultSecurityRules[],securityRules[]][].{Name:name,Desc:description,Access:access,Direction:direction,DestPortRange:destinationPortRange,DestAddrPrefix:destinationAddressPrefix,SrcPortRange:sourcePortRange,SrcAddrPrefix:sourceAddressPrefix}' \
-o table

Expected output:

Name                           Desc                                                    Access    Direction    DestPortRange    DestAddrPrefix    SrcPortRange    SrcAddrPrefix
-----------------------------  ------------------------------------------------------  --------  -----------  ---------------  ----------------  --------------  -----------------
AllowVnetInBound               Allow inbound traffic from all VMs in VNET              Allow     Inbound      *                VirtualNetwork    *               VirtualNetwork
AllowAzureLoadBalancerInBound  Allow inbound traffic from azure load balancer          Allow     Inbound      *                *                 *               AzureLoadBalancer
DenyAllInBound                 Deny all inbound traffic                                Deny      Inbound      *                *                 *               *
AllowVnetOutBound              Allow outbound traffic from all VMs to all VMs in VNET  Allow     Outbound     *                VirtualNetwork    *               VirtualNetwork
AllowInternetOutBound          Allow outbound traffic from all VMs to Internet         Allow     Outbound     *                Internet          *               *
DenyAllOutBound                Deny all outbound traffic                               Deny      Outbound     *                *                 *               *
rdp-rule                                                                               Allow     Inbound      3389             *                 *               Internet
web-rule                                                                               Allow     Inbound      80               *                 *               Internet

Note

You can also use az network nsg rule list to list only the custom rules from an NSG.
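The listing above shows the six default rules that sit behind every custom rule, but not how Azure picks one. As an added illustration (not code from this article or from Azure), the following Python script models that decision: rules are evaluated in ascending priority, the first match wins, and the default rules at priority 65000 and above catch everything else. It runs the article's NSG-BackEnd rules against constructed sample flows. The address plan (192.168.0.0/16 for the VNet, 192.168.1.0/24 for FrontEnd), the SQL port 1433, the custom rule priorities 100 and 110, and the simplified service-tag resolution are assumptions.

```python
"""Model of NSG rule evaluation (added example, not Azure code).

Rules are tried in ascending priority; the first match decides; the six default
rules (priority 65000 and up, as in the article's listing) sit behind every
custom rule.  Prefixes, priorities and the SQL port below are assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan; the article only names the subnets.
VNET_PREFIXES = ["192.168.0.0/16"]
FRONTEND = "192.168.1.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    src: str         # CIDR, "*", or a service tag
    src_port: str    # "*", "443", or "1000-2000"
    dst: str
    dst_port: str


def addr_matches(prefix: str, ip: str) -> bool:
    """Resolve '*', CIDRs and the service tags seen in the article's listing.
    Simplification: 'Internet' is treated as anything outside the VNet."""
    if prefix == "*":
        return True
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in ipaddress.ip_network(p) for p in VNET_PREFIXES)
    if prefix == "VirtualNetwork":
        return in_vnet
    if prefix == "Internet":
        return not in_vnet
    if prefix == "AzureLoadBalancer":
        return ip == "168.63.129.16"   # Azure's health-probe source address
    return addr in ipaddress.ip_network(prefix)


def port_matches(rng: str, port: int) -> bool:
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")
    return int(lo) <= port <= int(hi or lo)


DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# NSG-BackEnd as the article describes it (priorities and port are assumptions).
NSG_BACKEND = [
    Rule("sql-rule", 100, "Inbound", "Allow", "Tcp", FRONTEND, "*", "*", "1433"),
    Rule("web-rule", 110, "Outbound", "Deny", "*", "*", "*", "Internet", "*"),
]


def evaluate(rules, direction, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule name) of the first rule that matches the flow."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda rule: rule.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != proto.lower():
            continue
        if (addr_matches(r.src, src_ip) and port_matches(r.src_port, src_port)
                and addr_matches(r.dst, dst_ip) and port_matches(r.dst_port, dst_port)):
            return r.access, r.name
    raise RuntimeError("unreachable: the DenyAll* default rules match every flow")


if __name__ == "__main__":
    flows = [  # constructed sample flows evaluated against NSG-BackEnd
        ("Inbound", "Tcp", "192.168.1.6", 51000, "192.168.2.4", 1433),   # FrontEnd -> SQL
        ("Inbound", "Tcp", "203.0.113.7", 51000, "192.168.2.4", 1433),   # Internet -> SQL
        ("Inbound", "Tcp", "192.168.1.6", 51000, "192.168.2.4", 22),     # FrontEnd -> SSH
        ("Outbound", "Tcp", "192.168.2.4", 51000, "203.0.113.7", 443),   # BackEnd -> Internet
        ("Outbound", "Tcp", "192.168.2.4", 51000, "192.168.1.6", 80),    # BackEnd -> FrontEnd
    ]
    for f in flows:
        print(f"{f[0]:8} {f[2]}:{f[3]} -> {f[4]}:{f[5]}  {evaluate(NSG_BACKEND, *f)}")
```

The third flow is the one worth noticing: SSH from the front end to the back end is allowed, not by sql-rule but by the default AllowVnetInBound rule, which is why a "SQL only" back end needs an explicit deny rule at a priority below 65000.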

View NSG associations

To view which resources the NSG-FrontEnd NSG is associated with, run the az network nsg show command:

az network nsg show -g RG-NSG -n NSG-FrontEnd --query '[subnets,networkInterfaces]'

Look for the networkInterfaces and subnets properties, as shown in the following example output:

[
  [
    {
      "addressPrefix": null,
      "etag": null,
      "id": "/subscriptions/<guid>/resourceGroups/RG-NSG/providers/Microsoft.Network/virtualNetworks/TestVNET/subnets/FrontEnd",
      "ipConfigurations": null,
      "name": null,
      "networkSecurityGroup": null,
      "provisioningState": null,
      "resourceGroup": "RG-NSG",
      "resourceNavigationLinks": null,
      "routeTable": null
    }
  ],
  null
]

In the previous example, the first element (subnets) shows that the NSG is associated with a subnet named FrontEnd, and the second element (networkInterfaces) is null, so the NSG is not associated with any network interfaces (NICs).

Add a rule

To add a rule allowing inbound TCP traffic to port 443 from any source to the NSG-FrontEnd NSG, enter the following command. The priority must be unique among the NSG's rules in the same direction; lower numbers are evaluated first, and the first matching rule decides, so choose a value that no existing rule uses:

az network nsg rule create  \
--resource-group RG-NSG \
--nsg-name NSG-FrontEnd  \
--name allow-https \
--description "Allow access to port 443 for HTTPS" \
--access Allow \
--protocol Tcp  \
--direction Inbound \
--priority 102 \
--source-address-prefix "*"  \
--source-port-range "*"  \
--destination-address-prefix "*" \
--destination-port-range "443"

Expected output:

{
  "access": "Allow",
  "description": "Allow access to port 443 for HTTPS",
  "destinationAddressPrefix": "*",
  "destinationPortRange": "443",
  "direction": "Inbound",
  "etag": "W/\"<guid>\"",
  "id": "/subscriptions/<guid>/resourceGroups/RG-NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/allow-https",
  "name": "allow-https",
  "priority": 102,
  "protocol": "Tcp",
  "provisioningState": "Succeeded",
  "resourceGroup": "RG-NSG",
  "sourceAddressPrefix": "*",
  "sourcePortRange": "*"
}

Change a rule

To change the rule created previously so that it allows inbound traffic from the Internet only, run the az network nsg rule update command. The Internet service tag matches address space outside the virtual network, whereas "*" also matches sources inside it:

az network nsg rule update \
--resource-group RG-NSG \
--nsg-name NSG-FrontEnd \
--name allow-https \
--source-address-prefix Internet

Expected output:

{
"access": "Allow",
"description": "Allow access to port 443 for HTTPS",
"destinationAddressPrefix": "*",
"destinationPortRange": "443",
"direction": "Inbound",
"etag": "W/\"<guid>\"",
"id": "/subscriptions/<guid>/resourceGroups/RG-NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/allow-https",
"name": "allow-https",
"priority": 102,
"protocol": "Tcp",
"provisioningState": "Succeeded",
"resourceGroup": "RG-NSG",
"sourceAddressPrefix": "Internet",
"sourcePortRange": "*"
}
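Before running az network nsg rule create or update, a practitioner usually wants to know whether the resulting rule set exposes anything it shouldn't. The following Python script is an added example (not code from this article or from Azure) that audits the JSON printed by az network nsg rule list for inbound Allow rules reachable from "*" or the Internet tag, flags management ports and any-port rules, points out the "*" versus Internet distinction from the section above, and suggests the next unused priority for a new rule. The sample rule set is constructed to mirror NSG-FrontEnd (priorities 100 and 101 for rdp-rule and web-rule are assumptions, as is the extra debug-any rule added to be caught).

```python
"""Audit an NSG's custom rules for inbound exposure (added example, not Azure code).

Feed it the JSON from:
    az network nsg rule list -g RG-NSG --nsg-name NSG-FrontEnd -o json | python3 audit.py
The rule shape mirrors the article's 'az network nsg rule create' output."""
import json
import sys

MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
PUBLIC_SOURCES = {"*", "Internet"}    # '*' is the wider of the two: it also matches VirtualNetwork


def dest_ports(rule):
    """Expand destinationPortRange (or the list form destinationPortRanges); None means '*'."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    if "*" in ranges:
        return None
    ports = set()
    for r in ranges:
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit_rules(rules):
    """Return (rule name, message) pairs for Allow/Inbound rules reachable from public sources."""
    findings = []
    for r in rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        sources = set(r.get("sourceAddressPrefixes") or [r.get("sourceAddressPrefix", "*")])
        public = sorted(sources & PUBLIC_SOURCES)
        if not public:
            continue
        ports = dest_ports(r)
        if ports is None:
            findings.append((r["name"], f"allows every destination port from {'/'.join(public)}"))
            continue
        for p in sorted(ports & set(MGMT_PORTS)):
            findings.append((r["name"], f"exposes {MGMT_PORTS[p]} (tcp/{p}) to {'/'.join(public)}"))
        if "*" in sources:
            findings.append((r["name"], "source '*' also matches VirtualNetwork; "
                                        "use the Internet tag if only public clients are intended"))
    return findings


def next_free_priority(rules, direction, start=100):
    """Lowest unused priority for a direction (custom rules start at 100, must be unique per direction)."""
    used = {r["priority"] for r in rules if r["direction"] == direction}
    p = start
    while p in used:
        p += 1
    return p


# Constructed sample: the article's NSG-FrontEnd rules plus one deliberately bad rule.
SAMPLE_RULES = [
    {"name": "rdp-rule", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "web-rule", "priority": 101, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "80"},
    {"name": "allow-https", "priority": 102, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "sourcePortRange": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "debug-any", "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "*", "sourcePortRange": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    rules = SAMPLE_RULES if sys.stdin.isatty() else json.load(sys.stdin)
    for name, msg in audit_rules(rules):
        print(f"{name}: {msg}")
    print("next free Inbound priority:", next_free_priority(rules, "Inbound"))
```

On the sample set the audit reports rdp-rule (RDP open to the Internet), allow-https (source "*" rather than Internet, exactly what the update above fixes) and debug-any; web-rule on port 80 from the Internet is expected for a web front end and is not flagged.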

Delete a rule

To delete the rule created above, run the following command. Inbound traffic to port 443 then falls through to the default DenyAllInBound rule:

az network nsg rule delete \
--resource-group RG-NSG \
--nsg-name NSG-FrontEnd \
--name allow-https

Associate an NSG to a NIC

To associate the NSG-FrontEnd NSG with the TestNICWeb1 NIC, use the az network nic update command. TestNICWeb1 sits in the FrontEnd subnet, which already has NSG-FrontEnd applied; when NSGs are applied at both the subnet and the NIC, traffic must be allowed by both:

az network nic update \
--resource-group RG-NSG \
--name TestNICWeb1 \
--network-security-group NSG-FrontEnd    

Expected output:

{
  "dnsSettings": {
    "appliedDnsServers": [],
    "dnsServers": [],
    "internalDnsNameLabel": null,
    "internalDomainNameSuffix": "k0wkaguidnqrh0ud.gx.internal.cloudapp.net",
    "internalFqdn": null
  },
  "enableAcceleratedNetworking": false,
  "enableIpForwarding": false,
  "etag": "W/\"<guid>\"",
  "id": "/subscriptions/<guid>/resourceGroups/RG-NSG/providers/Microsoft.Network/networkInterfaces/TestNICWeb1",
  "ipConfigurations": [
    {
      "applicationGatewayBackendAddressPools": null,
      "etag": "W/\"<guid>\"",
      "id": "/subscriptions/<guid>/resourceGroups/RG-NSG/providers/Microsoft.Network/networkInterfaces/TestNICWeb1/ipConfigurations/ipconfig1",
      "loadBalancerBackendAddressPools": null,
      "loadBalancerInboundNatRules": null,
      "name": "ipconfig1",
      "primary": true,
      "privateIpAddress": "192.168.1.6",
      "privateIpAddressVersion": "IPv4",
      "privateIpAllocationMethod": "Static",
      "provisioningState": "Succeeded",
      "publicIpAddress": null,
      "resourceGroup": "RG-NSG",
      "subnet": {
        "addressPrefix": null,
        "etag": null,
        "id": "/subscriptions/<guid>/resourceGroups/RG-NSG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontEnd",
        "ipConfigurations": null,
        "name": null,
        "networkSecurityGroup": null,
        "provisioningState": null,
        "resourceGroup": "RG-NSG",
        "resourceNavigationLinks": null,
        "routeTable": null
      }
    }
  ],
  "location": "centralus",
  "macAddress": "00-0D-3A-91-A9-60",
  "name": "TestNICWeb1",
  "networkSecurityGroup": {
    "defaultSecurityRules": null,
    "etag": null,
    "id": "/subscriptions/<guid>/resourceGroups/RG-NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd",
    "location": null,
    "name": null,
    "networkInterfaces": null,
    "provisioningState": null,
    "resourceGroup": "RG-NSG",
    "resourceGuid": null,
    "securityRules": null,
    "subnets": null,
    "tags": null,
    "type": null
  },
  "primary": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "RG-NSG",
  "resourceGuid": "<guid>",
  "tags": {},
  "type": "Microsoft.Network/networkInterfaces",
  "virtualMachine": null
}

Dissociate an NSG from a NIC

To dissociate the NSG-FrontEnd NSG from the TestNICWeb1 NIC, run the az network nic update command again, but set the --network-security-group argument to an empty string (""):

az network nic update --resource-group RG-NSG --name TestNICWeb1 --network-security-group ""

In the output, the networkSecurityGroup key is set to null.

Dissociate an NSG from a subnet

To dissociate the NSG-FrontEnd NSG from the FrontEnd subnet, run the az network vnet subnet update command with the --network-security-group argument set to an empty string (""):

az network vnet subnet update \
--resource-group RG-NSG \
--vnet-name TestVNet \
--name FrontEnd \
--network-security-group ""

In the output, the networkSecurityGroup key is set to null.

Associate an NSG to a subnet

To associate the NSG-FrontEnd NSG to the FrontEnd subnet again, run the following command:

az network vnet subnet update \
--resource-group RG-NSG \
--vnet-name TestVNet \
--name FrontEnd \
--network-security-group NSG-FrontEnd

In the output, the networkSecurityGroup key has a value similar to the following:

"networkSecurityGroup": {
    "defaultSecurityRules": null,
    "etag": null,
    "id": "/subscriptions/<guid>/resourceGroups/RG-NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd",
    "location": null,
    "name": null,
    "networkInterfaces": null,
    "provisioningState": null,
    "resourceGroup": "RG-NSG",
    "resourceGuid": null,
    "securityRules": null,
    "subnets": null,
    "tags": null,
    "type": null
  }

Delete an NSG

You can only delete an NSG if it's not associated with any resource; the delete call fails while a NIC or subnet still references it. To delete an NSG, complete the following steps:

  1. To check the resources associated with an NSG, run az network nsg show as shown in View NSG associations.
  2. If the NSG is associated with any NICs, run az network nic update as shown in Dissociate an NSG from a NIC for each NIC.
  3. If the NSG is associated with any subnet, run az network vnet subnet update as shown in Dissociate an NSG from a subnet for each subnet.
  4. To delete the NSG, run the following command:

    az network nsg delete --resource-group RG-NSG --name NSG-FrontEnd
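
The steps above are easy to get wrong by hand when an NSG is referenced by several NICs, possibly in other resource groups. As an added example (not code from this article or from Azure), the following Python script reads the two-element JSON that az network nsg show --query '[subnets,networkInterfaces]' prints, parses each referencing resource's ARM ID to recover its resource group and name, and emits the dissociation commands followed by the delete. By default it only prints the plan; pass --apply to execute it. The sample input is constructed from the article's own output (one subnet, no NICs) with a zeroed subscription ID.

```python
"""Plan (and optionally run) the dissociations that must precede 'az network nsg delete'.
Added example, not Azure code.  Input is the JSON printed by
    az network nsg show -g RG-NSG -n NSG-FrontEnd --query '[subnets,networkInterfaces]'
i.e. a two-element list: [subnets or null, networkInterfaces or null]."""
import json
import shlex
import subprocess
import sys


def arm_id_parts(resource_id: str) -> dict:
    """Split an ARM resource ID into its key/value path segments, keys lower-cased
    (ARM treats them case-insensitively).  For the subnet ID in the article this gives
    {'subscriptions': ..., 'resourcegroups': 'RG-NSG', 'providers': 'Microsoft.Network',
     'virtualnetworks': 'TestVNET', 'subnets': 'FrontEnd'}."""
    segments = resource_id.strip("/").split("/")
    if len(segments) % 2:
        raise ValueError(f"malformed resource ID: {resource_id}")
    return {k.lower(): v for k, v in zip(segments[::2], segments[1::2])}


def plan_nsg_delete(show_output, resource_group: str, nsg_name: str):
    """Return the az commands (as argv lists) to detach every NIC and subnet, then delete the NSG.
    Names and resource groups come from the referencing resources' own IDs, because a NIC
    may live in a different resource group than the NSG."""
    subnets, nics = show_output
    cmds = []
    for nic in nics or []:
        p = arm_id_parts(nic["id"])
        cmds.append(["az", "network", "nic", "update",
                     "--resource-group", p["resourcegroups"], "--name", p["networkinterfaces"],
                     "--network-security-group", ""])
    for subnet in subnets or []:
        p = arm_id_parts(subnet["id"])
        cmds.append(["az", "network", "vnet", "subnet", "update",
                     "--resource-group", p["resourcegroups"], "--vnet-name", p["virtualnetworks"],
                     "--name", p["subnets"], "--network-security-group", ""])
    cmds.append(["az", "network", "nsg", "delete", "--resource-group", resource_group, "--name", nsg_name])
    return cmds


def run_plan(cmds, dry_run=True):
    """Print each command; execute it only when dry_run is False (stops at the first failure)."""
    for cmd in cmds:
        print(shlex.join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


# Constructed sample mirroring the article's output: one subnet, no NICs.
SAMPLE_SHOW = [
    [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-NSG"
            "/providers/Microsoft.Network/virtualNetworks/TestVNET/subnets/FrontEnd",
      "resourceGroup": "RG-NSG"}],
    None,
]

if __name__ == "__main__":
    show = SAMPLE_SHOW if sys.stdin.isatty() else json.load(sys.stdin)
    run_plan(plan_nsg_delete(show, "RG-NSG", "NSG-FrontEnd"), dry_run="--apply" not in sys.argv)
```

Because subprocess.run is given an argv list rather than a shell string, resource names taken from the JSON are never shell-interpreted, and check=True stops the run at the first failed dissociation instead of attempting a delete that would fail anyway.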
    

Next steps

  • Enable logging for NSGs.