Create network security groups using an Azure Resource Manager template

You can use an NSG to control traffic to one or more virtual machines (VMs), role instances, network adapters (NICs), or subnets in your virtual network. An NSG contains access control rules that allow or deny traffic based on traffic direction, protocol, source address and port, and destination address and port. The rules of an NSG can be changed at any time, and changes are applied to all associated instances.

For more information about NSGs, visit what is an NSG.


Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Azure Resource Manager and classic. Make sure you understand deployment models and tools before you work with any Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article.

This article covers the Resource Manager deployment model. You can also create NSGs in the classic deployment model.


To better illustrate how to create NSGs, this document will use the scenario below.

VNet scenario

In this scenario you will create an NSG for each subnet in the TestVNet virtual network, as described below:

  • NSG-FrontEnd. The front end NSG will be applied to the FrontEnd subnet, and contain two rules:
    • rdp-rule. This rule will allow RDP traffic to the FrontEnd subnet.
    • web-rule. This rule will allow HTTP traffic to the FrontEnd subnet.
  • NSG-BackEnd. The back end NSG will be applied to the BackEnd subnet, and contain two rules:
    • sql-rule. This rule allows SQL traffic only from the FrontEnd subnet.
    • web-rule. This rule denies all internet bound traffic from the BackEnd subnet.

The combination of these rules creates a DMZ-like scenario, where the back-end subnet can only receive incoming traffic for SQL from the front-end subnet and has no access to the Internet, while the front-end subnet can communicate with the Internet and receive incoming HTTP requests only.

NSG resources in a template file

You can view and download the sample template.

The following section shows the definition of the front-end NSG, based on the scenario.

{
  "apiVersion": "2017-03-01",
  "type": "Microsoft.Network/networkSecurityGroups",
  "name": "[parameters('frontEndNSGName')]",
  "location": "[resourceGroup().location]",
  "tags": {
    "displayName": "NSG - Front End"
  },
  "properties": {
    "securityRules": [
      {
        "name": "rdp-rule",
        "properties": {
          "description": "Allow RDP",
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "destinationPortRange": "3389",
          "sourceAddressPrefix": "Internet",
          "destinationAddressPrefix": "*",
          "access": "Allow",
          "priority": 100,
          "direction": "Inbound"
        }
      },
      {
        "name": "web-rule",
        "properties": {
          "description": "Allow WEB",
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "destinationPortRange": "80",
          "sourceAddressPrefix": "Internet",
          "destinationAddressPrefix": "*",
          "access": "Allow",
          "priority": 101,
          "direction": "Inbound"
        }
      }
    ]
  }
}
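
The rdp-rule above opens port 3389 to the Internet service tag, which is the kind of rule worth catching when a template is reviewed before deployment. The following added example (not part of the sample template or of any Azure tooling) scans a template's NSG resources for inbound Allow rules that expose a management port to any source; the embedded template is constructed from the front-end NSG above with literal names, and the list of management ports is an assumption.

```python
import json

# Constructed sample: the front-end NSG from this article, with the
# template expressions replaced by literal values so it parses stand-alone.
TEMPLATE = json.loads("""
{"resources": [{
  "type": "Microsoft.Network/networkSecurityGroups",
  "name": "NSG-FrontEnd",
  "properties": {"securityRules": [
    {"name": "rdp-rule", "properties": {"protocol": "Tcp",
      "sourcePortRange": "*", "destinationPortRange": "3389",
      "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*",
      "access": "Allow", "priority": 100, "direction": "Inbound"}},
    {"name": "web-rule", "properties": {"protocol": "Tcp",
      "sourcePortRange": "*", "destinationPortRange": "80",
      "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*",
      "access": "Allow", "priority": 101, "direction": "Inbound"}}]}}]}
""")

MGMT_PORTS = {22: "SSH", 3389: "RDP"}        # assumption: ports to review
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}  # source values meaning "anyone"

def covers(port_range, port):
    """True if an NSG port value ("*", "80" or "1000-2000") includes port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def exposed_management_rules(template):
    """Return (nsg, rule, service) for inbound Allow rules open to any source."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule["properties"]
            if (p["direction"].lower() != "inbound" or p["access"].lower() != "allow"
                    or p["sourceAddressPrefix"].lower() not in ANY_SOURCE):
                continue
            for port, service in sorted(MGMT_PORTS.items()):
                if covers(p["destinationPortRange"], port):
                    findings.append((res["name"], rule["name"], service))
    return findings

if __name__ == "__main__":
    for nsg, rule, service in exposed_management_rules(TEMPLATE):
        print(f"{nsg}/{rule}: {service} is reachable from any Internet address")
```

Restricting sourceAddressPrefix on rdp-rule to a known administrative address range clears the finding while leaving web-rule untouched.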

To associate the NSG to the front-end subnet, you have to change the subnet definition in the template, and use the reference id for the NSG.

"subnets": [
  {
    "name": "[parameters('frontEndSubnetName')]",
    "properties": {
      "addressPrefix": "[parameters('frontEndSubnetPrefix')]",
      "networkSecurityGroup": {
        "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('frontEndNSGName'))]"
      }
    }
  }
]

Notice that the template does the same for the back-end NSG and the back-end subnet.

Deploy the ARM template by using click to deploy

The sample template available in the public repository uses a parameter file containing the default values used to generate the scenario described above. To deploy this template using click to deploy, follow this link, click Deploy to Azure, replace the default parameter values if necessary, and follow the instructions in the portal.

Deploy the ARM template by using PowerShell

To deploy the ARM template you downloaded by using PowerShell, follow the steps below.

  1. If you have never used Azure PowerShell, follow the instructions in the How to Install and Configure Azure PowerShell to install and configure it.
  2. Run the New-AzureRmResourceGroup cmdlet to create a resource group using the template.

    New-AzureRmResourceGroup -Name TestRG -Location westus `
    -TemplateFile '' `
    -TemplateParameterFile ''

    Expected output:

     ResourceGroupName : TestRG
     Location          : westus
     ProvisioningState : Succeeded
     Tags              :
     Permissions       :
                         Actions  NotActions
                         =======  ==========
     Resources         :
                         Name                Type                                     Location
                         ==================  =======================================  ========
                         sqlAvSet            Microsoft.Compute/availabilitySets       westus  
                         webAvSet            Microsoft.Compute/availabilitySets       westus  
                         SQL1                Microsoft.Compute/virtualMachines        westus  
                         SQL2                Microsoft.Compute/virtualMachines        westus  
                         Web1                Microsoft.Compute/virtualMachines        westus  
                         Web2                Microsoft.Compute/virtualMachines        westus  
                         TestNICSQL1         Microsoft.Network/networkInterfaces      westus  
                         TestNICSQL2         Microsoft.Network/networkInterfaces      westus  
                         TestNICWeb1         Microsoft.Network/networkInterfaces      westus  
                         TestNICWeb2         Microsoft.Network/networkInterfaces      westus  
                         NSG-BackEnd         Microsoft.Network/networkSecurityGroups  westus  
                         NSG-FrontEnd        Microsoft.Network/networkSecurityGroups  westus  
                         TestPIPSQL1         Microsoft.Network/publicIPAddresses      westus  
                         TestPIPSQL2         Microsoft.Network/publicIPAddresses      westus  
                         TestPIPWeb1         Microsoft.Network/publicIPAddresses      westus  
                         TestPIPWeb2         Microsoft.Network/publicIPAddresses      westus  
                         TestVNet            Microsoft.Network/virtualNetworks        westus  
                         testvnetstorageprm  Microsoft.Storage/storageAccounts        westus  
                         testvnetstoragestd  Microsoft.Storage/storageAccounts        westus  
     ResourceId        : /subscriptions/[Subscription Id]/resourceGroups/TestRG

Deploy the ARM template by using the Azure CLI

To deploy the ARM template by using the Azure CLI, follow the steps below.

  1. If you have never used Azure CLI, see Install and Configure the Azure CLI and follow the instructions up to the point where you select your Azure account and subscription.
  2. Run the azure config mode command to switch to Resource Manager mode, as shown below.

    azure config mode arm

    The following is the expected output for the command:

     info:    New mode is arm
  3. Run the azure group create command to deploy the new VNet by using the template and parameter files you downloaded and modified above. The list shown after the output explains the parameters used.

    azure group create -n TestRG -l westus -f '' -e ''

    Expected output:

     info:    Executing command group create
     info:    Getting resource group TestRG
     info:    Creating resource group TestRG
     info:    Created resource group TestRG
     info:    Initializing template configurations and parameters
     info:    Creating a deployment
     info:    Created template deployment "azuredeploy"
     data:    Id:                  /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG
     data:    Name:                TestRG
     data:    Location:            westus
     data:    Provisioning State:  Succeeded
     data:    Tags: null
     info:    group create command OK
    • -n (or --name). Name of the resource group to be created.
    • -l (or --location). Azure region where the resource group will be created.
    • -f (or --template-file). Path to your ARM template file.
    • -e (or --parameters-file). Path to your ARM parameters file.