You can use an NSG to control traffic to one or more virtual machines (VMs), role instances, network adapters (NICs), or subnets in your virtual network. An NSG contains access control rules that allow or deny traffic based on traffic direction, protocol, source address and port, and destination address and port. The rules of an NSG can be changed at any time, and changes are applied to all associated instances.
For more information about NSGs, visit what is an NSG.
Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Azure Resource Manager and classic. Make sure you understand deployment models and tools before you work with any Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article.
This article covers the Resource Manager deployment model. You can also create NSGs in the classic deployment model.
To better illustrate how to create NSGs, this document will use the scenario below.
In this scenario you will create an NSG for each subnet in the TestVNet virtual network, as described below:
- NSG-FrontEnd. The front end NSG will be applied to the FrontEnd subnet, and contain two rules:
- rdp-rule. This rule will allow RDP traffic to the FrontEnd subnet.
- web-rule. This rule will allow HTTP traffic to the FrontEnd subnet.
- NSG-BackEnd. The back end NSG will be applied to the BackEnd subnet, and contain two rules:
- sql-rule. This rule allows SQL traffic only from the FrontEnd subnet.
- web-rule. This rule denies all internet bound traffic from the BackEnd subnet.
The combination of these rules create a DMZ-like scenario, where the back end subnet can only receive incoming traffic for SQL from the front end subnet, and has no access to the Internet, while the front end subnet can communicate with the Internet, and receive incoming HTTP requests only.
The sample PowerShell commands below expect a simple environment already created based on the scenario above. If you want to run the commands as they are displayed in this document, first build the test environment by deploying this template, click Deploy to Azure, replace the default parameter values if necessary, and follow the instructions in the portal. The steps below use RG-NSG as the name of the resource group the template was deployed to.
Create the NSG-FrontEnd NSG
To create the NSG-FrontEnd NSG as shown in the scenario above, follow the steps below.
- From a browser, navigate to http://portal.azure.com and, if necessary, sign in with your Azure account.
Click Browse > > Network Security Groups.
In the Network security groups blade, click Add.
In the Create network security group blade, create an NSG named NSG-FrontEnd in the RG-NSG resource group, and then click Create.
Create rules in an existing NSG
To create rules in an existing NSG from the Azure portal, follow the steps below.
- Click Browse > > Network security groups.
In the list of NSGs, click NSG-FrontEnd > Inbound security rules
In the list of Inbound security rules, click Add.
In the Add inbound security rule blade, create a rule named web-rule with priority of 200 allowing access via TCP to port 80 to any VM from any source, and then click OK. Notice that most of these settings are default values already.
After a few seconds you will see the new rule in the NSG.
- Repeat steps to 6 to create an inbound rule named rdp-rule with a priority of 250 allowing access via TCP to port 3389 to any VM from any source.
Associate the NSG to the FrontEnd subnet
- Click Browse > > Resource groups > RG-NSG.
In the RG-NSG blade, click ... > TestVNet.
In the Settings blade, click Subnets > FrontEnd > Network security group > NSG-FrontEnd.
In the FrontEnd blade, click Save.
Create the NSG-BackEnd NSG
To create the NSG-BackEnd NSG and associate it to the BackEnd subnet, follow the steps below.
- Repeat the steps in Create the NSG-FrontEnd NSG to create an NSG named NSG-BackEnd
Repeat the steps in Create rules in an existing NSG to create the inbound rules in the table below.
Inbound rule Outbound rule
- Repeat the steps in Associate the NSG to the FrontEnd subnet to associate the NSG-Backend NSG to the BackEnd subnet.