az network nsg rule

Manage network security group rules.

Commands

az network nsg rule create Create a network security group rule.
az network nsg rule delete Delete a network security group rule.
az network nsg rule list List all rules in a network security group.
az network nsg rule show Get the details of a network security group rule.
az network nsg rule update Update a network security group rule.

az network nsg rule create

Edit

Create a network security group rule.

az network nsg rule create --name
                           --nsg-name
                           --priority
                           --resource-group
                           [--access {Allow, Deny}]
                           [--description]
                           [--destination-address-prefixes]
                           [--destination-asgs]
                           [--destination-port-ranges]
                           [--direction {Inbound, Outbound}]
                           [--protocol {*, Ah, Esp, Icmp, Tcp, Udp}]
                           [--source-address-prefixes]
                           [--source-asgs]
                           [--source-port-ranges]
                           [--subscription]

Examples

Create a basic "Allow" NSG rule with the highest priority.

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 100

Create a "Deny" rule over TCP for a specific IP address range with the lowest priority.

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 4096 \
    --source-address-prefixes 208.130.28/24 --source-port-ranges 80 \
    --destination-address-prefixes '*' --destination-port-ranges 80 8080 --access Deny \
    --protocol Tcp --description "Deny from specific IP address ranges on 80 and 8080."

Create a security rule using service tags. For more details visit https://aka.ms/servicetags

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRuleWithTags \
    --priority 400 --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage \
    --destination-port-ranges * --direction Outbound --access Allow --protocol Tcp --description "Allow VirtualNetwork to Storage."

Create a security rule using application security groups. https://aka.ms/applicationsecuritygroups

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRuleWithAsg \
    --priority 500 --source-address-prefixes Internet --destination-port-ranges 80 8080 \
    --destination-asgs Web --access Allow --protocol Tcp --description "Allow Internet to Web ASG on ports 80,8080."

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--priority

Rule priority, between 100 (highest priority) and 4096 (lowest priority). Must be unique for each rule in the collection.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access
accepted values: Allow, Deny
default value: Allow
--description

Rule description.

--destination-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--destination-asgs

Space-separated list of application security group names or IDs. Limited by backend server, temporarily this argument only supports one application security group name or ID.

--destination-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

default value: 80
--direction
accepted values: Inbound, Outbound
default value: Inbound
--protocol

Network protocol this rule applies to.

accepted values: *, Ah, Esp, Icmp, Tcp, Udp
--source-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--source-asgs

Space-separated list of application security group names or IDs. Limited by backend server, temporarily this argument only supports one application security group name or ID.

--source-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network nsg rule delete

Edit

Delete a network security group rule.

az network nsg rule delete [--ids]
                           [--name]
                           [--nsg-name]
                           [--resource-group]
                           [--subscription]

Examples

Delete a network security group rule.

az network nsg rule delete -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule

Optional Parameters

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network nsg rule list

Edit

List all rules in a network security group.

az network nsg rule list --nsg-name
                         --resource-group
                         [--include-default]
                         [--subscription]

Examples

List all rules in a network security group.

az network nsg rule list -g MyResourceGroup --nsg-name MyNsg

Required Parameters

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--include-default

Include default security rules in the output.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network nsg rule show

Edit

Get the details of a network security group rule.

az network nsg rule show [--ids]
                         [--name]
                         [--nsg-name]
                         [--resource-group]
                         [--subscription]

Examples

Get the details of a network security group rule.

az network nsg rule show -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule

Optional Parameters

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network nsg rule update

Edit

Update a network security group rule.

az network nsg rule update [--access {Allow, Deny}]
                           [--add]
                           [--description]
                           [--destination-address-prefixes]
                           [--destination-asgs]
                           [--destination-port-ranges]
                           [--direction {Inbound, Outbound}]
                           [--force-string]
                           [--ids]
                           [--name]
                           [--nsg-name]
                           [--priority]
                           [--protocol {*, Ah, Esp, Icmp, Tcp, Udp}]
                           [--remove]
                           [--resource-group]
                           [--set]
                           [--source-address-prefixes]
                           [--source-asgs]
                           [--source-port-ranges]
                           [--subscription]

Examples

Update an NSG rule with a new wildcard destination address prefix.

az network nsg rule update -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --destination-address-prefix '*'

Update a network security group rule. (autogenerated)

az network nsg rule update --name MyNsgRule --nsg-name MyNsg --resource-group MyResourceGroup --source-address-prefixes 208.130.28/24

Optional Parameters

--access
accepted values: Allow, Deny
--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--description

Rule description.

--destination-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--destination-asgs

Space-separated list of application security group names or IDs. Limited by backend server, temporarily this argument only supports one application security group name or ID.

--destination-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

--direction
accepted values: Inbound, Outbound
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--priority

Rule priority, between 100 (highest priority) and 4096 (lowest priority). Must be unique for each rule in the collection.

--protocol

Network protocol this rule applies to.

accepted values: *, Ah, Esp, Icmp, Tcp, Udp
--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=.

--source-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--source-asgs

Space-separated list of application security group names or IDs. Limited by backend server, temporarily this argument only supports one application security group name or ID.

--source-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.