az network nsg rule

Manage network security group rules.

Commands

az network nsg rule create Create a network security group rule.
az network nsg rule delete Delete a network security group rule.
az network nsg rule list List all rules in a network security group.
az network nsg rule show Get the details of a network security group rule.
az network nsg rule update Update a network security group rule.

az network nsg rule create

Edit

Create a network security group rule.

az network nsg rule create --name
                           --nsg-name
                           --priority
                           --resource-group
                           [--access {Allow, Deny}]
                           [--description]
                           [--destination-address-prefixes]
                           [--destination-asgs]
                           [--destination-port-ranges]
                           [--direction {Inbound, Outbound}]
                           [--protocol {*, Tcp, Udp}]
                           [--source-address-prefixes]
                           [--source-asgs]
                           [--source-port-ranges]

Examples

Create a basic "Allow" NSG rule with the highest priority.

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 100

Create a "Deny" rule over TCP for a specific IP address range with the lowest priority.

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 4096 \
                            --source-address-prefixes 208.130.28/24 --source-port-ranges 80 \
                            --destination-address-prefixes '*' --destination-port-ranges 80 8080 --access Deny \
                            --protocol Tcp --description "Deny from specific IP address ranges on 80 and 8080."

Create a security rule using service tags. For more details visit https://aka.ms/servicetags

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRuleWithTags \
                            --priority 400 --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage \
                            --destination-port-ranges * --direction Outbound --access Allow --protocol Tcp --description "Allow VirtualNetwork to Storage."

Create a security rule using application security groups. https://aka.ms/applicationsecuritygroups

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRuleWithAsg \
                            --priority 500 --source-address-prefixes Internet --destination-port-ranges 80 8080 \
                            --destination-asgs Web --access Allow --protocol Tcp --description "Allow Internet to Web ASG on ports 80,8080."

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--priority

Rule priority, between 100 (highest priority) and 4096 (lowest priority). Must be unique for each rule in the collection.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access
accepted values: Allow, Deny
default value: Allow
--description

Rule description.

--destination-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--destination-asgs

Space-separated list of application security group names or IDs.

--destination-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

default value: 80
--direction
accepted values: Inbound, Outbound
default value: Inbound
--protocol

Network protocol this rule applies to.

accepted values: *, Tcp, Udp
--source-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--source-asgs

Space-separated list of application security group names or IDs.

--source-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

az network nsg rule delete

Edit

Delete a network security group rule.

az network nsg rule delete --name
                           --nsg-name
                           --resource-group

Examples

Delete a network security group rule.

az network nsg rule delete -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az network nsg rule list

Edit

List all rules in a network security group.

az network nsg rule list --nsg-name
                         --resource-group

Examples

List all rules in a network security group.

az network nsg rule list -g MyResourceGroup --nsg-name MyNsg

Required Parameters

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az network nsg rule show

Edit

Get the details of a network security group rule.

az network nsg rule show --name
                         --nsg-name
                         --resource-group

Examples

Get the details of a network security group rule.

az network nsg rule show -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az network nsg rule update

Edit

Update a network security group rule.

az network nsg rule update --name
                           --nsg-name
                           --resource-group
                           [--access {Allow, Deny}]
                           [--add]
                           [--description]
                           [--destination-address-prefixes]
                           [--destination-asgs]
                           [--destination-port-ranges]
                           [--direction {Inbound, Outbound}]
                           [--priority]
                           [--protocol {*, Tcp, Udp}]
                           [--remove]
                           [--set]
                           [--source-address-prefixes]
                           [--source-asgs]
                           [--source-port-ranges]

Examples

Update an NSG rule with a new wildcard destination address prefix.

az network nsg rule update -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --destination-address-prefix '*'

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access
accepted values: Allow, Deny
--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--description

Rule description.

--destination-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--destination-asgs

Space-separated list of application security group names or IDs.

--destination-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

--direction
accepted values: Inbound, Outbound
--priority

Rule priority, between 100 (highest priority) and 4096 (lowest priority). Must be unique for each rule in the collection.

--protocol

Network protocol this rule applies to.

accepted values: *, Tcp, Udp
--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=.

--source-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--source-asgs

Space-separated list of application security group names or IDs.

--source-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.