Create network security groups using the Azure CLI 1.0

CLI versions to complete the task

You can complete the task using one of the following CLI versions:

  • Azure CLI 1.0 - our CLI for the classic and resource management deployment models (this article)
  • Azure CLI 2.0 - our next-generation CLI for the resource management deployment model

You can use an NSG to control traffic to one or more virtual machines (VMs), role instances, network adapters (NICs), or subnets in your virtual network. An NSG contains access control rules that allow or deny traffic based on traffic direction, protocol, source address and port, and destination address and port. The rules of an NSG can be changed at any time, and changes are applied to all associated instances.

For more information about NSGs, visit what is an NSG.

Important

Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Azure Resource Manager and classic. Make sure you understand deployment models and tools before you work with any Azure resource. You can view the documentation for different tools by clicking the tabs at the top of this article.

This article covers the Resource Manager deployment model. You can also create NSGs in the classic deployment model.

Scenario

To better illustrate how to create NSGs, this document will use the scenario below.

VNet scenario

In this scenario you will create an NSG for each subnet in the TestVNet virtual network, as described below:

  • NSG-FrontEnd. The front end NSG will be applied to the FrontEnd subnet, and contain two rules:
    • rdp-rule. This rule will allow RDP traffic to the FrontEnd subnet.
    • web-rule. This rule will allow HTTP traffic to the FrontEnd subnet.
  • NSG-BackEnd. The back end NSG will be applied to the BackEnd subnet, and contain two rules:
    • sql-rule. This rule allows SQL traffic only from the FrontEnd subnet.
    • web-rule. This rule denies all internet bound traffic from the BackEnd subnet.

The combination of these rules creates a DMZ-like scenario, where the back end subnet can only receive incoming traffic for SQL from the front end subnet and has no access to the Internet, while the front end subnet can communicate with the Internet and receive incoming HTTP requests only.

The sample Azure CLI commands below expect a simple environment already created based on the scenario above.

How to create the NSG for the front end subnet

To create an NSG named NSG-FrontEnd based on the scenario above, follow the steps below.

  1. If you have never used Azure CLI, see Install and Configure the Azure CLI and follow the instructions up to the point where you select your Azure account and subscription.
  2. Run the azure config mode command to switch to Resource Manager mode, as shown below.

     azure config mode arm
    

    Expected output:

     info:    New mode is arm
    
  3. Run the azure network nsg create command to create an NSG.

     azure network nsg create -g TestRG -l westus -n NSG-FrontEnd
    

    Expected output:

     info:    Executing command network nsg create
     info:    Looking up the network security group "NSG-FrontEnd"
     info:    Creating a network security group "NSG-FrontEnd"
     info:    Looking up the network security group "NSG-FrontEnd"
     data:    Id                              : /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd
     data:    Name                            : NSG-FrontEnd
     data:    Type                            : Microsoft.Network/networkSecurityGroups
     data:    Location                        : westus
     data:    Provisioning state              : Succeeded
     data:    Security group rules:
     data:    Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
     data:    -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
     data:    AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000   
     data:    AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001   
     data:    DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500   
     data:    AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000   
     data:    AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001   
     data:    DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500   
     info:    network nsg create command OK
    

    Parameters:

    • -g (or --resource-group). Name of the resource group where the NSG will be created. For our scenario, TestRG.
    • -l (or --location). Azure region where the new NSG will be created. For our scenario, westus.
    • -n (or --name). Name for the new NSG. For our scenario, NSG-FrontEnd.
  4. Run the azure network nsg rule create command to create a rule that allows access to port 3389 (RDP) from the Internet.

     azure network nsg rule create -g TestRG -a NSG-FrontEnd -n rdp-rule -c Allow -p Tcp -r Inbound -y 100 -f Internet -o * -e * -u 3389
    

    Expected output:

     info:    Executing command network nsg rule create
     warn:    Using default direction: Inbound
     info:    Looking up the network security rule "rdp-rule"
     info:    Creating a network security rule "rdp-rule"
     info:    Looking up the network security group "NSG-FrontEnd"
     data:    Id                              : /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/rdp-rule
     data:    Name                            : rdp-rule
     data:    Type                            : Microsoft.Network/networkSecurityGroups/securityRules
     data:    Provisioning state              : Succeeded
     data:    Source IP                       : Internet
     data:    Source Port                     : *
     data:    Destination IP                  : *
     data:    Destination Port                : 3389
     data:    Protocol                        : Tcp
     data:    Direction                       : Inbound
     data:    Access                          : Allow
     data:    Priority                        : 100
     info:    network nsg rule create command OK
    

    Parameters:

    • -a (or --nsg-name). Name of the NSG in which the rule will be created. For our scenario, NSG-FrontEnd.
    • -n (or --name). Name for the new rule. For our scenario, rdp-rule.
    • -c (or --access). Access level for the rule (Deny or Allow).
    • -p (or --protocol). Protocol (Tcp, Udp, or *) for the rule.
    • -r (or --direction). Direction of connection (Inbound or Outbound).
    • -y (or --priority). Priority for the rule.
    • -f (or --source-address-prefix). Source address prefix in CIDR or using default tags.
    • -o (or --source-port-range). Source port, or port range.
    • -e (or --destination-address-prefix). Destination address prefix in CIDR or using default tags.
    • -u (or --destination-port-range). Destination port, or port range.
  5. Run the azure network nsg rule create command to create a rule that allows access to port 80 (HTTP) from the Internet.

     azure network nsg rule create -g TestRG -a NSG-FrontEnd -n web-rule -c Allow -p Tcp -r Inbound -y 200 -f Internet -o * -e * -u 80
    

    Expected output:

     info:    Executing command network nsg rule create
     info:    Looking up the network security rule "web-rule"
     info:    Creating a network security rule "web-rule"
     info:    Looking up the network security group "NSG-FrontEnd"
     data:    Id                              : /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/web-rule
     data:    Name                            : web-rule
     data:    Type                            : Microsoft.Network/networkSecurityGroups/securityRules
     data:    Provisioning state              : Succeeded
     data:    Source IP                       : Internet
     data:    Source Port                     : *
     data:    Destination IP                  : *
     data:    Destination Port                : 80
     data:    Protocol                        : Tcp
     data:    Direction                       : Inbound
     data:    Access                          : Allow
     data:    Priority                        : 200
     info:    network nsg rule create command OK
    
  6. Run the azure network vnet subnet set command to link the NSG to the front end subnet.

     azure network vnet subnet set -g TestRG -e TestVNet -n FrontEnd -o NSG-FrontEnd
    

    Expected output:

     info:    Executing command network vnet subnet set
     info:    Looking up the subnet "FrontEnd"
     info:    Looking up the network security group "NSG-FrontEnd"
     info:    Setting subnet "FrontEnd"
     info:    Looking up the subnet "FrontEnd"
     data:    Id                              : /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontEnd
     data:    Type                            : Microsoft.Network/virtualNetworks/subnets
     data:    ProvisioningState               : Succeeded
     data:    Name                            : FrontEnd
     data:    Address prefix                  : 192.168.1.0/24
     data:    Network security group          : [object Object]
     data:    IP configurations:
     data:      /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNICWeb2/ipConfigurations/ipconfig1
     data:      /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNICWeb1/ipConfigurations/ipconfig1
     data:    
     info:    network vnet subnet set command OK
    

How to create the NSG for the back end subnet

To create an NSG named NSG-BackEnd based on the scenario above, follow the steps below.

  1. Run the azure network nsg create command to create an NSG.

     azure network nsg create -g TestRG -l westus -n NSG-BackEnd
    

    Expected output:

     info:    Executing command network nsg create
     info:    Looking up the network security group "NSG-BackEnd"
     info:    Creating a network security group "NSG-BackEnd"
     info:    Looking up the network security group "NSG-BackEnd"
     data:    Id                              : /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-BackEnd
     data:    Name                            : NSG-BackEnd
     data:    Type                            : Microsoft.Network/networkSecurityGroups
     data:    Location                        : westus
     data:    Provisioning state              : Succeeded
     data:    Security group rules:
     data:    Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
     data:    -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
     data:    AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000   
     data:    AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001   
     data:    DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500   
     data:    AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000   
     data:    AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001   
     data:    DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500   
     info:    network nsg create command OK
    
  2. Run the azure network nsg rule create command to create a rule that allows access to port 1433 (SQL) from the front end subnet.

     azure network nsg rule create -g TestRG -a NSG-BackEnd -n sql-rule -c Allow -p Tcp -r Inbound -y 100 -f 192.168.1.0/24 -o * -e * -u 1433
    

    Expected output:

     info:    Executing command network nsg rule create
     info:    Looking up the network security rule "sql-rule"
     info:    Creating a network security rule "sql-rule"
     info:    Looking up the network security group "NSG-BackEnd"
     data:    Id                              : /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-BackEnd/securityRules/sql-rule
     data:    Name                            : sql-rule
     data:    Type                            : Microsoft.Network/networkSecurityGroups/securityRules
     data:    Provisioning state              : Succeeded
     data:    Source IP                       : 192.168.1.0/24
     data:    Source Port                     : *
     data:    Destination IP                  : *
     data:    Destination Port                : 1433
     data:    Protocol                        : Tcp
     data:    Direction                       : Inbound
     data:    Access                          : Allow
     data:    Priority                        : 100
     info:    network nsg rule create command OK
    
  3. Run the azure network nsg rule create command to create a rule that denies access to the Internet from the back end subnet.

     azure network nsg rule create -g TestRG -a NSG-BackEnd -n web-rule -c Deny -p * -r Outbound -y 200 -f * -o * -e Internet -u *
    

    Expected output:

     info:    Executing command network nsg rule create
     info:    Looking up the network security rule "web-rule"
     info:    Creating a network security rule "web-rule"
     info:    Looking up the network security group "NSG-BackEnd"
     data:    Id                              : /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-BackEnd/securityRules/web-rule
     data:    Name                            : web-rule
     data:    Type                            : Microsoft.Network/networkSecurityGroups/securityRules
     data:    Provisioning state              : Succeeded
     data:    Source IP                       : *
     data:    Source Port                     : *
     data:    Destination IP                  : Internet
     data:    Destination Port                : *
     data:    Protocol                        : *
     data:    Direction                       : Outbound
     data:    Access                          : Deny
     data:    Priority                        : 200
     info:    network nsg rule create command OK
    
  4. Run the azure network vnet subnet set command to link the NSG to the back end subnet.

     azure network vnet subnet set -g TestRG -e TestVNet -n BackEnd -o NSG-BackEnd
    

    Expected output:

     info:    Executing command network vnet subnet set
     info:    Looking up the subnet "BackEnd"
     info:    Looking up the network security group "NSG-BackEnd"
     info:    Setting subnet "BackEnd"
     info:    Looking up the subnet "BackEnd"
     data:    Id                              : /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/BackEnd
     data:    Type                            : Microsoft.Network/virtualNetworks/subnets
     data:    ProvisioningState               : Succeeded
     data:    Name                            : BackEnd
     data:    Address prefix                  : 192.168.2.0/24
     data:    Network security group          : [object Object]
     data:    IP configurations:
     data:      /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNICSQL1/ipConfigurations/ipconfig1
     data:      /subscriptions/628dad04-b5d1-4f10-b3a4-dc61d88cf97c/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNICSQL2/ipConfigurations/ipconfig1
     data:    
     info:    network vnet subnet set command OK
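As an added example (not part of the original article or of the Azure CLI), the following Python models how the rules created in both sections above are evaluated together with the six default rules shown in the CLI output: rules are tried in ascending priority number and the first match decides. It assumes the TestVNet address prefixes from the output (192.168.1.0/24 and 192.168.2.0/24), simplifies the Internet tag to mean any address outside the VNet, and uses 198.51.100.7 as a constructed external address.

```python
import ipaddress
from collections import namedtuple
# Rule fields mirror the columns of the CLI output on this page.
Rule = namedtuple("Rule", "name src sport dst dport proto direction access priority")
# Constructed to match the page's TestVNet: FrontEnd 192.168.1.0/24, BackEnd 192.168.2.0/24.
VNET = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")]

def match_prefix(prefix, ip):
    # Simplified service tags: Internet is everything outside the VNet; the
    # AzureLoadBalancer probe source is treated as never matching.
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET)
    tags = {"*": True, "VirtualNetwork": in_vnet, "Internet": not in_vnet, "AzureLoadBalancer": False}
    if prefix in tags:
        return tags[prefix]
    return addr in ipaddress.ip_network(prefix)  # plain CIDR, e.g. 192.168.1.0/24

def match_port(port_range, port):
    # Accepts "*", a single port ("1433") or a range ("1000-2000").
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, proto, src, sport, dst, dport):
    # Lowest priority number wins: the first matching rule decides and evaluation stops.
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.proto in ("*", proto)
                and match_prefix(r.src, src) and match_prefix(r.dst, dst)
                and match_port(r.sport, sport) and match_port(r.dport, dport)):
            return r.access, r.name
    return "Deny", "(no rule matched)"  # unreachable while the DenyAll* defaults are present

# The six default rules every new NSG carries, as listed in the page's output.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Inbound", "Allow", 65000),
    Rule("AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "*", "*", "Inbound", "Allow", 65001),
    Rule("DenyAllInBound", "*", "*", "*", "*", "*", "Inbound", "Deny", 65500),
    Rule("AllowVnetOutBound", "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Outbound", "Allow", 65000),
    Rule("AllowInternetOutBound", "*", "*", "Internet", "*", "*", "Outbound", "Allow", 65001),
    Rule("DenyAllOutBound", "*", "*", "*", "*", "*", "Outbound", "Deny", 65500),
]
# The custom rules created by the azure network nsg rule create commands on this page.
NSG_FRONTEND = DEFAULT_RULES + [
    Rule("rdp-rule", "Internet", "*", "*", "3389", "Tcp", "Inbound", "Allow", 100),
    Rule("web-rule", "Internet", "*", "*", "80", "Tcp", "Inbound", "Allow", 200)]
NSG_BACKEND = DEFAULT_RULES + [
    Rule("sql-rule", "192.168.1.0/24", "*", "*", "1433", "Tcp", "Inbound", "Allow", 100),
    Rule("web-rule", "*", "*", "Internet", "*", "*", "Outbound", "Deny", 200)]
```

Evaluating the back end's outbound web-rule at priority 200 shows it overriding AllowInternetOutBound at 65001, while an inbound TCP port 22 connection from 192.168.1.4 to the BackEnd subnet is still allowed by the default AllowVnetInBound rule: the sql-rule limits what the Internet can reach, not what other VNet hosts can reach.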