Create a network security group using the Azure portal
You can use an NSG to control traffic to one or more virtual machines (VMs), role instances, network adapters (NICs), or subnets in your virtual network. An NSG contains access control rules that allow or deny traffic based on traffic direction, protocol, source address and port, and destination address and port. The rules of an NSG can be changed at any time, and changes are applied to all associated instances.
For more information about NSGs, visit what is an NSG.
Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Azure Resource Manager and classic. Make sure you understand deployment models and tools before you work with any Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article.
This article covers the Resource Manager deployment model. You can also create NSGs in the classic deployment model.
To better illustrate how to create NSGs, this document uses the following scenario:
In this scenario, you create an NSG for each subnet in the TestVNet virtual network, as follows:
- NSG-FrontEnd. The front-end NSG is applied to the FrontEnd subnet, and contains two rules:
- rdp-rule. Allows RDP traffic to the FrontEnd subnet.
- web-rule. Allows HTTP traffic to the FrontEnd subnet.
- NSG-BackEnd. The back-end NSG is applied to the BackEnd subnet, and contains two rules:
- sql-rule. Allows SQL traffic only from the FrontEnd subnet.
- web-rule. Denies all internet bound traffic from the BackEnd subnet.
The combination of these rules create a DMZ-like scenario, where the back-end subnet can only receive incoming traffic for SQL from the front-end subnet, and has no access to the Internet, while the front-end subnet can communicate with the Internet, and receive incoming HTTP requests only.
Create the NSG-FrontEnd NSG
To create the NSG-FrontEnd NSG as shown in the scenario, complete the following steps:
- From a browser, navigate to https://portal.azure.com and, if necessary, sign in with your Azure account.
Select + Create a resource > > Network Security Groups.
Under Network security groups, select Add.
Under Create network security group, create an NSG named NSG-FrontEnd in the RG-NSG resource group, and then select Create.
Create rules in an existing NSG
To create rules in an existing NSG from the Azure portal, complete the following steps:
- Select All Services, then search for Network security groups. When Network security groups appear, select it.
In the list of NSGs, select NSG-FrontEnd > Inbound security rules
In the list of Inbound security rules, select Add.
Under Add inbound security rule, create a rule named web-rule with priority of 200 allowing access via TCP to port 80 to any VM from any source, and then select OK. Notice that most of these settings are default values already.
After a few seconds, you see the new rule in the NSG.
- Repeat steps to 6 to create an inbound rule named rdp-rule with a priority of 250 allowing access via TCP to port 3389 to any VM from any source.
Associate the NSG to the FrontEnd subnet
- Select All services >, enter Resource groups, select Resource groups when it appears, then select RG-NSG.
Under RG-NSG, select ... > TestVNet.
Under Settings, select Subnets > FrontEnd > Network security group > NSG-FrontEnd.
In the FrontEnd blade, select Save.
Create the NSG-BackEnd NSG
To create the NSG-BackEnd NSG and associate it to the BackEnd subnet, complete the following steps:
- To create an NSG named NSG-BackEnd, repeat the steps in Create the NSG-FrontEnd NSG.
To create the inbound rules in the table that follows, repeat the steps in Create rules in an existing NSG.
Inbound rule Outbound rule
- To associate the NSG-Backend NSG to the BackEnd subnet, repeat the steps in Associate the NSG to the FrontEnd subnet.