az network nsg rule

Manage network security group rules.

Commands

az network nsg rule create    Create a network security group rule.
az network nsg rule delete    Delete a network security group rule.
az network nsg rule list      List all rules in a network security group.
az network nsg rule show      Get the details for a network security group rule.
az network nsg rule update    Update a network security group rule.

az network nsg rule create

Create a network security group rule.

az network nsg rule create --name
--nsg-name
--priority
--resource-group
[--access {Allow, Deny}]
[--description]
[--destination-address-prefixes]
[--destination-asgs]
[--destination-port-ranges]
[--direction {Inbound, Outbound}]
[--protocol {*, Tcp, Udp}]
[--source-address-prefixes]
[--source-asgs]
[--source-port-ranges]

Examples

Create a basic "Allow" NSG rule with the highest priority.

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 100

Create a "Deny" rule over TCP for a specific IP address range with the lowest priority.

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 4096 \
                                --source-address-prefixes 208.130.28.0/24 --source-port-ranges 80 \
                                --destination-address-prefixes '*' --destination-port-ranges 80 8080 --access Deny \
                                --protocol Tcp --description "Deny from specific IP address ranges on 80 and 8080."

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--priority

Rule priority, between 100 (highest priority) and 4096 (lowest priority). Must be unique for each rule in the collection.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access

accepted values: Allow, Deny
default value: Allow

--description

Rule description.

--destination-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--destination-asgs

Space-separated list of application security group names or IDs.

--destination-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

default value: 80

--direction

accepted values: Inbound, Outbound
default value: Inbound

--protocol

Network protocol this rule applies to.

accepted values: *, Tcp, Udp

--source-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--source-asgs

Space-separated list of application security group names or IDs.

--source-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

az network nsg rule delete

Delete a network security group rule.

az network nsg rule delete --name
--nsg-name
--resource-group

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az network nsg rule list

List all rules in a network security group.

az network nsg rule list --nsg-name
--resource-group

Required Parameters

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az network nsg rule show

Get the details for a network security group rule.

az network nsg rule show --name
--nsg-name
--resource-group

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az network nsg rule update

Update a network security group rule.

az network nsg rule update --name
--nsg-name
--resource-group
[--access {Allow, Deny}]
[--add]
[--description]
[--destination-address-prefixes]
[--destination-asgs]
[--destination-port-ranges]
[--direction {Inbound, Outbound}]
[--priority]
[--protocol {*, Tcp, Udp}]
[--remove]
[--set]
[--source-address-prefixes]
[--source-asgs]
[--source-port-ranges]

Examples

Update an NSG rule with a new wildcard destination address prefix.

az network nsg rule update -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --destination-address-prefixes '*'

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access

accepted values: Allow, Deny

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--description

Rule description.

--destination-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--destination-asgs

Space-separated list of application security group names or IDs.

--destination-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

--direction

accepted values: Inbound, Outbound

--priority

Rule priority, between 100 (highest priority) and 4096 (lowest priority). Must be unique for each rule in the collection.

--protocol

Network protocol this rule applies to.

accepted values: *, Tcp, Udp

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--source-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs.

--source-asgs

Space-separated list of application security group names or IDs.

--source-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.