About
A network security group (NSG) is a collection of firewall rules that can be applied to the network interface of one or several machines.
Management
Create
Network Security Group
az network nsg create \
--resource-group myResourceGroup \
--location eastus \
--name myNetworkSecurityGroup
Get
From a NIC
az vm nic show --vm-name vmName --nic nicId --resource-group resourceGroupName --query networkSecurityGroup.id
"/subscriptions/a3c34725-da6a-41ac-87fa-b96d44d/resourceGroups/resourceGroupName/providers/Microsoft.Network/networkSecurityGroups/nameNSG"
Show
az network nsg show --ids "idNsg"
Rule
Show
az network nsg rule show --ids "idNSG" --name default-allow-ssh
{
"access": "Allow",
"description": null,
"destinationAddressPrefix": "*",
"destinationAddressPrefixes": [],
"destinationApplicationSecurityGroups": null,
"destinationPortRange": "22",
"destinationPortRanges": [],
"direction": "Inbound",
"etag": "W/\"c6cbff72-56bc-49-baaa-383eef04a8e7\"",
"id": "/subscriptions/a3c25-da6a-41ac-87fa-090f6b96d44d/resourceGroups/resourceGroup/providers/Microsoft.Network/networkSecurityGroups/nameNSG/securityRules/default-allow-ssh",
"name": "default-allow-ssh",
"priority": 1000,
"protocol": "Tcp",
"provisioningState": "Succeeded",
"resourceGroup": "resourceGroup",
"sourceAddressPrefix": "*",
"sourceAddressPrefixes": [],
"sourceApplicationSecurityGroups": null,
"sourcePortRange": "*",
"sourcePortRanges": [],
"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}
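The rule JSON above is what an exposure audit works from. The following added example (not part of the original page) parses the `securityRules` array in the shape returned by `az network nsg show`, orders the rules by priority as the NSG engine does, and reports inbound Allow rules that are reachable from any source on watched ports; the sample NSG document, the rule names other than `default-allow-ssh` and the port list are constructed for the example.

```python
import json

# Constructed sample in the shape of `az network nsg show --ids "idNsg"`,
# trimmed to the fields the audit needs (real output has many more).
SAMPLE_NSG_JSON = """{"name": "nameNSG", "securityRules": [
 {"name": "default-allow-ssh", "access": "Allow", "direction": "Inbound", "priority": 1000,
  "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": "22", "destinationPortRanges": []},
 {"name": "allow-oracle", "access": "Allow", "direction": "Inbound", "priority": 1001,
  "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/24", "sourceAddressPrefixes": [],
  "destinationPortRange": "1521", "destinationPortRanges": []},
 {"name": "allow-rdp-any", "access": "Allow", "direction": "Inbound", "priority": 1100,
  "protocol": "*", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
  "destinationPortRange": "3389", "destinationPortRanges": []},
 {"name": "deny-rdp", "access": "Deny", "direction": "Inbound", "priority": 900,
  "protocol": "*", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": "3389", "destinationPortRanges": []}
]}"""

ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}   # prefixes meaning "anyone"
WATCH_PORTS = {22, 3389, 1521}                # constructed list of sensitive ports

def _ports(rule):
    """Expand destinationPortRange(s) ('22', '1000-2000', '*') to a set of ints."""
    ranges = rule["destinationPortRanges"] or [rule["destinationPortRange"]]
    out = set()
    for r in ranges:
        if r == "*":
            return set(range(1, 65536))
        lo, _, hi = r.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def exposed_rules(nsg_json, watch_ports=WATCH_PORTS):
    """Names of Inbound Allow rules open to any source on watched ports.
    Lowest priority number wins: an any-source Deny shadows later Allows."""
    rules = sorted(json.loads(nsg_json)["securityRules"], key=lambda r: r["priority"])
    denied, hits = set(), []
    for r in rules:
        if r["direction"] != "Inbound":
            continue
        sources = set(r["sourceAddressPrefixes"] or [r["sourceAddressPrefix"]])
        ports = _ports(r) & set(watch_ports)
        if r["access"] == "Deny" and sources & ANY_SOURCE:
            denied |= ports                       # these ports are now shadowed
        elif r["access"] == "Allow" and sources & ANY_SOURCE and ports - denied:
            hits.append(r["name"])                # reachable from anywhere
    return hits
```

Feed it the real output of `az network nsg show` to audit a live NSG; `allow-oracle` is not reported because its source is restricted to one subnet, and `allow-rdp-any` is shadowed by the lower-numbered Deny.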
Update
az network nsg rule update
List Rules
- List name and direction
az network nsg show --ids "Id" --output tsv --query "securityRules[*].[name,direction]"
default-allow-ssh
Create Firewall Rule
Example with the Azure CLI, allowing inbound TCP traffic to the Oracle listener on port 1521 (the listener port is the destination port of the connection). Without --source-address-prefixes the rule defaults to any source (*); restrict it to the client subnet where possible.
az network nsg rule create \
--resource-group myResourceGroup \
--nsg-name myVmNSG \
--name allow-oracle \
--protocol tcp \
--priority 1001 \
--destination-port-range 1521
Apply
One VM
Associate the Network Security Group with one VM's network interface (NIC). For all VMs in a subnet, see below.
az network nic update \
--resource-group myResourceGroup \
--name myNic \
--network-security-group myNetworkSecurityGroup
All VMs in a Subnet
Associate your Network Security Group with a virtual network subnet (i.e. all machines in this subnet).
az network vnet subnet update \
--resource-group myResourceGroup \
--vnet-name myVnet \
--name mySubnet \
--network-security-group myNetworkSecurityGroup