Create a network security group (classic) using PowerShell

You can use an NSG to control traffic to one or more virtual machines (VMs), role instances, network adapters (NICs), or subnets in your virtual network. An NSG contains access control rules that allow or deny traffic based on traffic direction, protocol, source address and port, and destination address and port. The rules of an NSG can be changed at any time, and changes are applied to all associated instances.

For more information about NSGs, see What is an NSG?

Important

Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Azure Resource Manager and classic. Make sure you understand deployment models and tools before you work with any Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article.

This article covers the classic deployment model. You can also create NSGs in the Resource Manager deployment model.

Scenario

To better illustrate how to create NSGs, this document uses the following scenario:

(Figure: VNet scenario, showing TestVNet with its FrontEnd and BackEnd subnets)

In this scenario, you create an NSG for each subnet in the TestVNet virtual network, as follows:

  • NSG-FrontEnd. The front-end NSG is applied to the FrontEnd subnet, and contains two rules:
    • rdp-rule. Allows RDP traffic to the FrontEnd subnet.
    • web-rule. Allows HTTP traffic to the FrontEnd subnet.
  • NSG-BackEnd. The back-end NSG is applied to the BackEnd subnet, and contains two rules:
    • sql-rule. Allows SQL traffic only from the FrontEnd subnet.
    • web-rule. Denies all Internet-bound traffic from the BackEnd subnet.

The combination of these rules creates a DMZ-like scenario: the back-end subnet can only receive incoming SQL traffic from the front-end subnet and has no access to the Internet, while the front-end subnet can communicate with the Internet and receive incoming HTTP requests only.

The sample PowerShell commands below expect a simple environment already created based on the scenario above. If you want to run the commands as they are displayed in this document, first build the test environment by creating a VNet.

Create an NSG for the front-end subnet

  1. If you have never used Azure PowerShell, see How to Install and Configure Azure PowerShell.

  2. Create a network security group named NSG-FrontEnd:

    New-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" -Location uswest `
      -Label "Front end subnet NSG"
    
  3. Create a security rule allowing access from the internet to port 3389:

    Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" `
      | Set-AzureNetworkSecurityRule -Name rdp-rule `
      -Action Allow -Protocol TCP -Type Inbound -Priority 100 `
      -SourceAddressPrefix Internet  -SourcePortRange '*' `
      -DestinationAddressPrefix '*' -DestinationPortRange '3389'
    
  4. Create a security rule allowing access from the internet to port 80:

    Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" `
      | Set-AzureNetworkSecurityRule -Name web-rule `
      -Action Allow -Protocol TCP -Type Inbound -Priority 200 `
      -SourceAddressPrefix Internet  -SourcePortRange '*' `
      -DestinationAddressPrefix '*' -DestinationPortRange '80'
    

Create an NSG for the back-end subnet

  1. Create a network security group named NSG-BackEnd:

    New-AzureNetworkSecurityGroup -Name "NSG-BackEnd" -Location uswest `
      -Label "Back end subnet NSG"
    
  2. Create a security rule allowing access from the front-end subnet to port 1433 (default port used by SQL Server):

    Get-AzureNetworkSecurityGroup -Name "NSG-BackEnd" `
      | Set-AzureNetworkSecurityRule -Name sql-rule `
      -Action Allow -Protocol TCP -Type Inbound -Priority 100 `
      -SourceAddressPrefix 192.168.1.0/24  -SourcePortRange '*' `
      -DestinationAddressPrefix '*' -DestinationPortRange '1433'
    
  3. Create a security rule blocking access from the subnet to the internet:

    Get-AzureNetworkSecurityGroup -Name "NSG-BackEnd" `
      | Set-AzureNetworkSecurityRule -Name block-internet `
      -Action Deny -Protocol '*' -Type Outbound -Priority 200 `
      -SourceAddressPrefix '*'  -SourcePortRange '*' `
      -DestinationAddressPrefix Internet -DestinationPortRange '*'
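
The steps above create the two NSGs and their rules but do not show the remaining step the scenario depends on: attaching each NSG to its subnet. The following script is an added example, not part of the original article, that builds the whole scenario end to end and then lists the resulting rules so you can verify them. It assumes the classic Azure PowerShell module is loaded with a subscription selected, that TestVNet already exists with subnets named FrontEnd (192.168.1.0/24) and BackEnd as in the scenario, and that `Set-AzureNetworkSecurityGroupToSubnet` is used for the association. The `$adminPrefix` value is a placeholder (an RFC 5737 documentation range) standing in for the address range your administrators actually connect from; it narrows the RDP rule to that range instead of the whole Internet, which goes beyond the article's rdp-rule.

```powershell
# Added example (not from the original article): build the scenario end to end.
# Assumes TestVNet exists with FrontEnd (192.168.1.0/24) and BackEnd subnets.
$location    = "uswest"           # location value used by the article's commands
$vnetName    = "TestVNet"
$frontSubnet = "FrontEnd"
$backSubnet  = "BackEnd"
$frontPrefix = "192.168.1.0/24"   # FrontEnd address range from the article

# Placeholder: replace with the address range your administrators connect from.
# The article's rdp-rule admits RDP from the entire Internet; restricting the
# source keeps the management port reachable only from known addresses.
$adminPrefix = "203.0.113.0/24"   # RFC 5737 documentation range, placeholder only

# --- Front-end NSG: RDP from the admin range, HTTP from the Internet -------
New-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" -Location $location `
    -Label "Front end subnet NSG" | Out-Null

Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" `
    | Set-AzureNetworkSecurityRule -Name rdp-rule `
      -Action Allow -Protocol TCP -Type Inbound -Priority 100 `
      -SourceAddressPrefix $adminPrefix -SourcePortRange '*' `
      -DestinationAddressPrefix '*' -DestinationPortRange '3389' | Out-Null

Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" `
    | Set-AzureNetworkSecurityRule -Name web-rule `
      -Action Allow -Protocol TCP -Type Inbound -Priority 200 `
      -SourceAddressPrefix Internet -SourcePortRange '*' `
      -DestinationAddressPrefix '*' -DestinationPortRange '80' | Out-Null

# --- Back-end NSG: SQL only from the front-end subnet, no Internet egress ---
New-AzureNetworkSecurityGroup -Name "NSG-BackEnd" -Location $location `
    -Label "Back end subnet NSG" | Out-Null

Get-AzureNetworkSecurityGroup -Name "NSG-BackEnd" `
    | Set-AzureNetworkSecurityRule -Name sql-rule `
      -Action Allow -Protocol TCP -Type Inbound -Priority 100 `
      -SourceAddressPrefix $frontPrefix -SourcePortRange '*' `
      -DestinationAddressPrefix '*' -DestinationPortRange '1433' | Out-Null

# Priority 200 beats the built-in "allow Internet outbound" default rule,
# which sits at priority 65001, so back-end instances lose Internet egress.
Get-AzureNetworkSecurityGroup -Name "NSG-BackEnd" `
    | Set-AzureNetworkSecurityRule -Name block-internet `
      -Action Deny -Protocol '*' -Type Outbound -Priority 200 `
      -SourceAddressPrefix '*' -SourcePortRange '*' `
      -DestinationAddressPrefix Internet -DestinationPortRange '*' | Out-Null

# --- Attach each NSG to its subnet; rules take effect only once associated --
Set-AzureNetworkSecurityGroupToSubnet -Name "NSG-FrontEnd" `
    -VirtualNetworkName $vnetName -SubnetName $frontSubnet
Set-AzureNetworkSecurityGroupToSubnet -Name "NSG-BackEnd" `
    -VirtualNetworkName $vnetName -SubnetName $backSubnet

# --- Verify: list every rule, including the platform defaults, by priority --
# Assumption: the detailed NSG object exposes its rules in a Rules property.
foreach ($nsgName in "NSG-FrontEnd", "NSG-BackEnd") {
    Write-Host "Rules for $nsgName"
    (Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed).Rules `
        | Sort-Object Type, Priority `
        | Format-Table Name, Type, Priority, Action, Protocol, `
            SourceAddressPrefix, DestinationPortRange -AutoSize
}
```

Reading the verification output alongside the default rules explains why the scenario works: a classic NSG always carries default rules that allow traffic within the VNet (priority 65000), allow Internet-bound outbound traffic (65001) and deny everything else inbound and outbound (65500). Lower numbers win, so the front-end subnet accepts only the RDP and HTTP flows you allowed explicitly (everything else hits the 65500 inbound deny), and the back-end subnet's Deny at 200 overrides the 65001 Internet allow. If a rule appears to have no effect, check the association step first: an NSG that is not attached to a subnet or instance filters nothing.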