Manage network security groups using PowerShell

After you create one or more Network Security Groups (NSGs), you need to be able to retrieve information about your NSGs, add and remove rules, edit existing rules, associate or dissociate NSGs, and delete NSGs. In this article, you will learn how to execute each of these tasks. Before you can manage NSGs, it's important to know how NSGs work.

Note

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers using the Resource Manager deployment model, which Microsoft recommends for most new deployments instead of the classic deployment model.

Sample Scenario

To better illustrate how to manage NSGs, this article uses the scenario below.

(Figure: VNet scenario)

In this scenario you will create an NSG for each subnet in the TestVNet virtual network, as described below:

  • NSG-FrontEnd. The front end NSG will be applied to the FrontEnd subnet, and contain two rules:
    • rdp-rule. This rule will allow RDP traffic to the FrontEnd subnet.
    • web-rule. This rule will allow HTTP traffic to the FrontEnd subnet.
  • NSG-BackEnd. The back end NSG will be applied to the BackEnd subnet, and contain two rules:
    • sql-rule. This rule allows SQL traffic only from the FrontEnd subnet.
    • web-rule. This rule denies all internet bound traffic from the BackEnd subnet.

The combination of these rules creates a DMZ-like scenario: the back end subnet can only receive incoming SQL traffic from the front end subnet and has no access to the Internet, while the front end subnet can communicate with the Internet and receives only incoming HTTP requests.

To deploy the scenario described above, follow this link, click Deploy to Azure, replace the default parameter values if necessary, and follow the instructions in the portal. In the sample instructions below, the template was used to deploy a resource group named RG-NSG.

Prerequisite: Install the Azure PowerShell module

To perform the steps in this article, you need to install and configure the Azure PowerShell module. Be sure to complete all of the instructions. After the installation is finished, sign in to Azure and select your subscription.

Note

You need an Azure account to complete these steps. If you don't have an Azure account, you can sign up for a free trial.

Retrieve Information

You can view your existing NSGs, retrieve rules for an existing NSG, and find out what resources an NSG is associated to.

View existing NSGs

To view all existing NSGs in a subscription, run the Get-AzureRmNetworkSecurityGroup cmdlet.

Expected result:

Name                 : NSG-BackEnd
ResourceGroupName    : RG-NSG
Location             : westus
Id                   : /subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/
                       Microsoft.Network/networkSecurityGroups/NSG-BackEnd
Etag                 : W/"[Id]"
ResourceGuid         : [Id]
ProvisioningState    : Succeeded
Tags                 :                            
SecurityRules        : [...]
DefaultSecurityRules : [...]
NetworkInterfaces    : [...]
Subnets              : [...]

Name                 : NSG-FrontEnd
ResourceGroupName    : RG-NSG
Location             : eastus
Id                   : /subscriptions/[Subscription Id]/resourceGroups/NRP-RG/providers/
                       Microsoft.Network/networkSecurityGroups/NSG-FrontEnd
Etag                 : W/"[Id]"
ResourceGuid         : [Id]
ProvisioningState    : Succeeded
Tags                 : 
SecurityRules        : [...]
DefaultSecurityRules : [...]
NetworkInterfaces    : [...]
Subnets              : [...]

Name                 : WEB1
ResourceGroupName    : RG101
Location             : eastus2
Id                   : /subscriptions/[Subscription Id]/resourceGroups/RG101/providers/M
                       icrosoft.Network/networkSecurityGroups/WEB1
Etag                 : W/"[Id]"
ResourceGuid         : [Id]
ProvisioningState    : Succeeded
Tags                 : 
SecurityRules        : [...]
DefaultSecurityRules : [...]
NetworkInterfaces    : [...]
Subnets              : [...]

To view the list of NSGs in a specific resource group, run the Get-AzureRmNetworkSecurityGroup cmdlet with the -ResourceGroupName parameter, for example Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG.

Expected output:

Name                 : NSG-BackEnd
ResourceGroupName    : RG-NSG
Location             : westus
Id                   : /subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/
                       Microsoft.Network/networkSecurityGroups/NSG-BackEnd
Etag                 : W/"[Id]"
ResourceGuid         : [Id]
ProvisioningState    : Succeeded
Tags                 :                            
SecurityRules        : [...]
DefaultSecurityRules : [...]
NetworkInterfaces    : [...]
Subnets              : [...]

Name                 : NSG-FrontEnd
ResourceGroupName    : RG-NSG
Location             : eastus
Id                   : /subscriptions/[Subscription Id]/resourceGroups/NRP-RG/providers/
                       Microsoft.Network/networkSecurityGroups/NSG-FrontEnd
Etag                 : W/"[Id]"
ResourceGuid         : [Id]
ProvisioningState    : Succeeded
Tags                 : 
SecurityRules        : [...]
DefaultSecurityRules : [...]
NetworkInterfaces    : [...]
Subnets              : [...]

List all rules for an NSG

To view the rules of an NSG named NSG-FrontEnd, enter the following command:

Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd | Select SecurityRules -ExpandProperty SecurityRules

Expected output:

Name                     : rdp-rule
Id                       : /subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/
                           Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/rdp-rule
Etag                     : W/"[Id]"
ProvisioningState        : Succeeded
Description              : Allow RDP
Protocol                 : Tcp
SourcePortRange          : *
DestinationPortRange     : 3389
SourceAddressPrefix      : Internet
DestinationAddressPrefix : *
Access                   : Allow
Priority                 : 100
Direction                : Inbound

Name                     : web-rule
Id                       : /subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/
                           Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/web-rule
Etag                     : W/"[Id]"
ProvisioningState        : Succeeded
Description              : Allow HTTP
Protocol                 : Tcp
SourcePortRange          : *
DestinationPortRange     : 80
SourceAddressPrefix      : Internet
DestinationAddressPrefix : *
Access                   : Allow
Priority                 : 101
Direction                : Inbound

Note

You can also use Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name "NSG-FrontEnd" | Select DefaultSecurityRules -ExpandProperty DefaultSecurityRules to list the default rules from the NSG-FrontEnd NSG.
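The rule listing above is also the raw material for a routine review. The following added example (not part of the original article) walks every custom rule of the NSGs in a resource group, or the whole subscription, and reports inbound Allow rules that expose common management ports to any source. It assumes a signed-in AzureRM session and the SecurityRules properties shown above; the port and prefix lists are policy choices, not values from the article.

```powershell
# Added example: report inbound Allow rules open to any source on management ports.
# Assumes Login-AzureRmAccount has already been run and AzureRM.Network is loaded.

# Policy inputs (constructed for this example; adjust to your own standards).
$ManagementPorts   = @('22', '3389', '1433', '5985', '5986')
$AnySourcePrefixes = @('*', 'Internet', '0.0.0.0/0')

function Test-PortRangeContains {
    param([string]$Range, [string]$Port)
    # A port range is '*', a single port, or 'low-high'.
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ([int]$Port -ge [int]$Matches[1] -and [int]$Port -le [int]$Matches[2])
    }
    return ($Range -eq $Port)
}

function Find-ExposedManagementRules {
    param([string]$ResourceGroupName)   # omit to scan every NSG in the subscription
    $nsgs = if ($ResourceGroupName) {
        Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzureRmNetworkSecurityGroup
    }
    foreach ($nsg in $nsgs) {
        # Only custom rules are inspected; DefaultSecurityRules already deny inbound Internet traffic.
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            # Prefix and port properties may be a string or a list depending on module version.
            $openSource = @($rule.SourceAddressPrefix) | Where-Object { $AnySourcePrefixes -contains $_ }
            if (-not $openSource) { continue }
            $exposed = foreach ($range in @($rule.DestinationPortRange)) {
                $ManagementPorts | Where-Object { Test-PortRangeContains $range $_ }
            }
            if ($exposed) {
                [PSCustomObject]@{
                    ResourceGroup = $nsg.ResourceGroupName
                    NSG           = $nsg.Name
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    Source        = ($openSource -join ',')
                    DestPorts     = (@($rule.DestinationPortRange) -join ',')
                    ExposedPorts  = (($exposed | Select-Object -Unique) -join ',')
                }
            }
        }
    }
}

# In the sample scenario this reports NSG-FrontEnd/rdp-rule (port 3389 allowed from Internet).
Find-ExposedManagementRules -ResourceGroupName 'RG-NSG' | Format-Table -AutoSize
```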

View NSGs associations

To view what resources the NSG-FrontEnd NSG is associated with, run the following command:

Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd

Look for the NetworkInterfaces and Subnets properties as shown below:

NetworkInterfaces    : []
Subnets              : [
                         {
                           "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/RG-NSG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontEnd",
                           "IpConfigurations": []
                         }
                       ]

In the previous example, the NSG is not associated to any network interfaces (NICs); it is associated to a subnet named FrontEnd.

Manage rules

You can add rules to an existing NSG, edit existing rules, and remove rules.

Add a rule

To add a rule allowing inbound traffic to port 443 from any machine to the NSG-FrontEnd NSG, complete the following steps:

  1. Run the following command to retrieve the existing NSG and store it in a variable:

    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd
    
  2. Run the following command to add a rule to the NSG:

    Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name https-rule `
    -Description "Allow HTTPS" `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 102 `
    -SourceAddressPrefix * `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 443
    
  3. To save the changes made to the NSG, run the following command:

    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
    

    Expected output showing only the security rules:

     Name                 : NSG-FrontEnd
     ...
     SecurityRules        : [
                              {
                                "Name": "rdp-rule",
                                ...
                              },
                              {
                                "Name": "web-rule",
                                ...
                              },
                              {
                                "Name": "https-rule",
                                "Etag": "W/\"[Id]\"",
                                "Id": "/subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/https-rule",
                                "Description": "Allow HTTPS",
                                "Protocol": "Tcp",
                                "SourcePortRange": "*",
                                "DestinationPortRange": "443",
                                "SourceAddressPrefix": "*",
                                "DestinationAddressPrefix": "*",
                                "Access": "Allow",
                                "Priority": 102,
                                "Direction": "Inbound",
                                "ProvisioningState": "Succeeded"
                              }
                            ]
    

Change a rule

To change the rule created above to allow inbound traffic from the Internet only, follow the steps below.

  1. Run the following command to retrieve the existing NSG and store it in a variable:

    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd
    
  2. Run the following command with the new rule settings:

    Set-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name https-rule `
    -Description "Allow HTTPS" `
    -Access Allow `
    -Protocol Tcp `
    -Direction Inbound `
    -Priority 102 `
    -SourceAddressPrefix Internet `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 443
    
  3. To save the changes made to the NSG, run the following command:

    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
    

    Expected output showing only the security rules:

     Name                 : NSG-FrontEnd
     ...
     SecurityRules        : [
                              {
                                "Name": "rdp-rule",
                                ...
                              },
                              {
                                "Name": "web-rule",
                                ...
                              },
                              {
                                "Name": "https-rule",
                                "Etag": "W/\"[Id]\"",
                                "Id": "/subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/https-rule",
                                "Description": "Allow HTTPS",
                                "Protocol": "Tcp",
                                "SourcePortRange": "*",
                                "DestinationPortRange": "443",
                                "SourceAddressPrefix": "Internet",
                                "DestinationAddressPrefix": "*",
                                "Access": "Allow",
                                "Priority": 102,
                                "Direction": "Inbound",
                                "ProvisioningState": "Succeeded"
                              }
                            ]
    
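The add and change procedures above differ only in the cmdlet used (Add- versus Set-AzureRmNetworkSecurityRuleConfig), and both fail at Set-AzureRmNetworkSecurityGroup if the priority is already used by another rule in the same direction. The following added function (not part of the original article) combines the two steps so the rule is created or updated as needed, with the priority checked first. It assumes a signed-in AzureRM session; the function name and parameters are this example's own.

```powershell
# Added example: create a rule if it is missing, otherwise update it in place,
# refusing a priority already taken by a different rule in the same direction.
# Assumes Login-AzureRmAccount has been run and AzureRM.Network is loaded.

function Set-NsgRule {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$NsgName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Priority,
        [Parameter(Mandatory)][string]$DestinationPortRange,
        [string]$SourceAddressPrefix = 'Internet',          # deliberately not '*'
        [string]$Description = 'Managed by Set-NsgRule',
        [ValidateSet('Tcp','Udp','*')][string]$Protocol = 'Tcp',
        [ValidateSet('Allow','Deny')][string]$Access = 'Allow',
        [ValidateSet('Inbound','Outbound')][string]$Direction = 'Inbound'
    )
    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName

    # Priorities must be unique per direction within an NSG.
    $clash = $nsg.SecurityRules | Where-Object {
        $_.Direction -eq $Direction -and $_.Priority -eq $Priority -and $_.Name -ne $Name
    }
    if ($clash) {
        throw "Priority $Priority ($Direction) is already used by rule '$($clash.Name)' in $NsgName"
    }

    $ruleArgs = @{
        NetworkSecurityGroup     = $nsg
        Name                     = $Name
        Description              = $Description
        Access                   = $Access
        Protocol                 = $Protocol
        Direction                = $Direction
        Priority                 = $Priority
        SourceAddressPrefix      = $SourceAddressPrefix
        SourcePortRange          = '*'
        DestinationAddressPrefix = '*'
        DestinationPortRange     = $DestinationPortRange
    }
    $existing = $nsg.SecurityRules | Where-Object { $_.Name -eq $Name }
    if ($existing) {
        $nsg = Set-AzureRmNetworkSecurityRuleConfig @ruleArgs   # change the existing rule
    } else {
        $nsg = Add-AzureRmNetworkSecurityRuleConfig @ruleArgs   # append a new rule
    }
    # Nothing reaches Azure until the modified NSG object is written back.
    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
}

# First call adds https-rule as in the article; the second only narrows its source to Internet.
Set-NsgRule -ResourceGroupName RG-NSG -NsgName NSG-FrontEnd -Name https-rule -Priority 102 `
    -DestinationPortRange 443 -SourceAddressPrefix '*' -Description 'Allow HTTPS'
Set-NsgRule -ResourceGroupName RG-NSG -NsgName NSG-FrontEnd -Name https-rule -Priority 102 `
    -DestinationPortRange 443 -SourceAddressPrefix Internet -Description 'Allow HTTPS'
```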

Delete a rule

  1. Run the following command to retrieve the existing NSG and store it in a variable:

    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd
    
  2. Run the following command to remove the rule from the NSG:

    Remove-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name https-rule
    
  3. Save the changes made to the NSG, by running the following command:

    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
    

    Expected output showing only the security rules; notice that https-rule is no longer listed:

     Name                 : NSG-FrontEnd
     ...
     SecurityRules        : [
                              {
                                "Name": "rdp-rule",
                                ...
                              },
                              {
                                "Name": "web-rule",
                                ...
                              }
                            ]
    

Manage associations

You can associate an NSG to subnets and NICs. You can also dissociate an NSG from any resource it's associated to.

Associate an NSG to a NIC

To associate the NSG-FrontEnd NSG to the TestNICWeb1 NIC, complete the following steps:

  1. Run the following command to retrieve the existing NSG and store it in a variable:

    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd
    
  2. Run the following command to retrieve the existing NIC and store it in a variable:

    $nic = Get-AzureRmNetworkInterface -ResourceGroupName RG-NSG -Name TestNICWeb1
    
  3. Set the NetworkSecurityGroup property of the NIC variable to the value of the NSG variable, by entering the following command:

    $nic.NetworkSecurityGroup = $nsg
    
  4. To save the changes made to the NIC, run the following command:

    Set-AzureRmNetworkInterface -NetworkInterface $nic
    

    Expected output showing only the NetworkSecurityGroup property:

     NetworkSecurityGroup : {
                              "SecurityRules": [],
                              "DefaultSecurityRules": [],
                              "NetworkInterfaces": [],
                              "Subnets": [],
                              "Id": "/subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd"
                            }
    

Dissociate an NSG from a NIC

To dissociate the NSG-FrontEnd NSG from the TestNICWeb1 NIC, complete the following steps:

  1. Run the following command to retrieve the existing NIC and store it in a variable:

    $nic = Get-AzureRmNetworkInterface -ResourceGroupName RG-NSG -Name TestNICWeb1
    
  2. Set the NetworkSecurityGroup property of the NIC variable to $null by running the following command:

    $nic.NetworkSecurityGroup = $null
    
  3. To save the changes made to the NIC, run the following command:

    Set-AzureRmNetworkInterface -NetworkInterface $nic
    

    Expected output showing only the NetworkSecurityGroup property:

     NetworkSecurityGroup : null
    

Dissociate an NSG from a subnet

To dissociate the NSG-FrontEnd NSG from the FrontEnd subnet, complete the following steps:

  1. Run the following command to retrieve the existing VNet and store it in a variable:

    $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName RG-NSG -Name TestVNet
    
  2. Run the following command to retrieve the FrontEnd subnet and store it in a variable:

    $subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FrontEnd
    
  3. Set the NetworkSecurityGroup property of the subnet variable to $null by entering the following command:

    $subnet.NetworkSecurityGroup = $null
    
  4. To save the changes made to the subnet, run the following command:

    Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
    

    Expected output showing only the properties of the FrontEnd subnet. Notice there isn't a property for NetworkSecurityGroup:

         ...
         Subnets           : [
                               {
                                 "Name": "FrontEnd",
                                 "Etag": "W/\"[Id]\"",
                                 "Id": "/subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontEnd",
                                 "AddressPrefix": "192.168.1.0/24",
                                 "IpConfigurations": [
                                   {
                                     "Id": "/subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/Microsoft.Network/networkInterfaces/TestNICWeb2/ipConfigurations/ipconfig1"
                                   },
                                   {
                                     "Id": "/subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/Microsoft.Network/networkInterfaces/TestNICWeb1/ipConfigurations/ipconfig1"
                                   }
                                 ],
                                 "ProvisioningState": "Succeeded"
                               },
                                 ...
                             ]
    

Associate an NSG to a subnet

To associate the NSG-FrontEnd NSG to the FrontEnd subnet again, complete the following steps:

  1. Run the following command to retrieve the existing VNet and store it in a variable:

    $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName RG-NSG -Name TestVNet
    
  2. Run the following command to retrieve the FrontEnd subnet and store it in a variable:

    $subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FrontEnd
    
  3. Run the following command to retrieve the existing NSG and store it in a variable:

    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd
    
  4. Set the NetworkSecurityGroup property of the subnet variable to the value of the NSG variable by running the following command:

    $subnet.NetworkSecurityGroup = $nsg
    
  5. To save the changes made to the subnet, run the following command:

    Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
    

    Expected output showing only the NetworkSecurityGroup property of the FrontEnd subnet:

     ...
     "NetworkSecurityGroup": {
                               "SecurityRules": [],
                               "DefaultSecurityRules": [],
                               "NetworkInterfaces": [],
                               "Subnets": [],
                               "Id": "/subscriptions/[Subscription Id]/resourceGroups/RG-NSG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd"
                             }
     ...
    

Delete an NSG

You can only delete an NSG if it's not associated to any resource. To delete an NSG, follow the steps below.

  1. To check the resources associated to an NSG, run Get-AzureRmNetworkSecurityGroup and inspect the NetworkInterfaces and Subnets properties, as shown in View NSGs associations.
  2. If the NSG is associated to any NICs, clear the NetworkSecurityGroup property and run Set-AzureRmNetworkInterface, as shown in Dissociate an NSG from a NIC, for each NIC.
  3. If the NSG is associated to any subnet, clear the NetworkSecurityGroup property and run Set-AzureRmVirtualNetwork, as shown in Dissociate an NSG from a subnet, for each subnet.
  4. To delete the NSG, run the following command:

    Remove-AzureRmNetworkSecurityGroup -ResourceGroupName RG-NSG -Name NSG-FrontEnd -Force
    

    Note

    The -Force parameter ensures you don't need to confirm the deletion.
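The four deletion steps above, together with the two dissociation procedures, can be driven from the NSG's own NetworkInterfaces and Subnets properties. The following added function (not part of the original article) does that: it parses each referenced resource Id, dissociates the NSG using the same cmdlets the article uses, re-reads the NSG to confirm nothing is still attached, and only then deletes it. It assumes a signed-in AzureRM session and the Id format shown in the article's output; the function name is this example's own.

```powershell
# Added example: dissociate an NSG from every NIC and subnet, then delete it.
# Assumes Login-AzureRmAccount has been run and AzureRM.Network is loaded.
# Resources left without an NSG have no filtering at all; attach a replacement
# first if the workloads behind them still need one.

function Remove-NsgSafely {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $Name

    # Ids have the form
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/<type>/<name>[/subnets/<subnet>]
    # so after splitting on '/', index 4 is the resource group and index 8 the resource name.
    foreach ($ref in $nsg.NetworkInterfaces) {
        $parts = $ref.Id -split '/'
        $nicRg = $parts[4]; $nicName = $parts[8]
        $nic = Get-AzureRmNetworkInterface -ResourceGroupName $nicRg -Name $nicName
        $nic.NetworkSecurityGroup = $null
        Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
        Write-Verbose "Dissociated $Name from NIC $nicRg/$nicName"
    }
    foreach ($ref in $nsg.Subnets) {
        $parts = $ref.Id -split '/'
        $vnetRg = $parts[4]; $vnetName = $parts[8]; $subnetName = $parts[10]
        $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
        # The subnet config object is a reference into $vnet.Subnets, so writing the VNet saves the change.
        $subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
        $subnet.NetworkSecurityGroup = $null
        Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null
        Write-Verbose "Dissociated $Name from subnet $vnetName/$subnetName"
    }

    # Re-read the NSG and refuse to delete if anything is still attached.
    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $Name
    if ($nsg.NetworkInterfaces.Count -gt 0 -or $nsg.Subnets.Count -gt 0) {
        throw "NSG $Name still has associations; not deleting"
    }
    Remove-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $Name -Force
}

# Matches the article's scenario: NSG-FrontEnd in RG-NSG.
Remove-NsgSafely -ResourceGroupName RG-NSG -Name NSG-FrontEnd -Verbose
```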

Next steps