Azure - Network security group (NSG) - Firewall

1 - About

A network security group (NSG) is a collection of firewall rules that can be applied to the network interface of one or several machines, or to a whole subnet.

3 - Management

3.1 - Create

Network Security Group

az network nsg create \
    --resource-group myResourceGroup \
    --location eastus \
    --name myNetworkSecurityGroup

3.2 - Get

From a nic

az vm nic show --vm-name vmName --nic nicName --resource-group resourceGroupName --query networkSecurityGroup.id --output tsv


3.3 - Show

az network nsg show --ids "idNsg"

3.4 - Rule

3.4.1 - Show

az network nsg rule show --ids "idNSG" --name default-allow-ssh

{
  "access": "Allow",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": "22",
  "destinationPortRanges": [],
  "direction": "Inbound",
  "etag": "W/\"c6cbff72-56bc-49-baaa-383eef04a8e7\"",
  "id": "/subscriptions/a3c25-da6a-41ac-87fa-090f6b96d44d/resourceGroups/resourceGroup/providers/Microsoft.Network/networkSecurityGroups/nameNSG/securityRules/default-allow-ssh",
  "name": "default-allow-ssh",
  "priority": 1000,
  "protocol": "Tcp",
  "provisioningState": "Succeeded",
  "resourceGroup": "resourceGroup",
  "sourceAddressPrefix": "*",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

3.4.2 - Update

az network nsg rule update

3.4.3 - List Rules

  • List name and direction

az network nsg show --ids "idNSG" --output tsv --query "securityRules[*].[name,direction]"
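Once the rules are exported as JSON (for instance with `--query securityRules --output json`), a quick audit is to flag every inbound Allow rule that is reachable from any source, such as the default-allow-ssh rule shown above. The script below is an added example, not part of the original page; the rule list it walks is constructed inline in the same shape the CLI returns, and the rule names other than default-allow-ssh are hypothetical.

```python
import json

# Constructed sample in the shape of `az network nsg show --query securityRules -o json`:
# the page's default-allow-ssh rule plus two hypothetical rules (one restricted to a
# bastion subnet, one mixing the "Internet" service tag with a private range).
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-ssh", "priority": 1000, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp",
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "allow-ssh-from-bastion", "priority": 900, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp",
   "sourceAddressPrefix": "10.0.1.0/24", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "allow-web-any", "priority": 1100, "direction": "Inbound",
   "access": "Allow", "protocol": "*",
   "sourceAddressPrefix": null, "sourceAddressPrefixes": ["Internet", "10.0.0.0/8"],
   "destinationPortRange": null, "destinationPortRanges": ["80", "443"]}
]
"""

# Source values that mean "anyone on the Internet" in an NSG rule.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}


def _prefixes(rule, single, plural):
    # Azure populates either the singular field or the plural list; merge both.
    values = [rule.get(single)] + list(rule.get(plural) or [])
    return [v for v in values if v]


def find_open_inbound_rules(rules):
    """Return (name, priority, destination ports) for inbound Allow rules open to any source."""
    findings = []
    # Sort by priority (lowest number is evaluated first) so the report reads like the NSG.
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        sources = _prefixes(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(s.lower() in ANY_SOURCE for s in sources):
            ports = _prefixes(rule, "destinationPortRange", "destinationPortRanges")
            findings.append((rule["name"], rule["priority"], ports))
    return findings


def audit(rules_json):
    """Parse the CLI JSON and return the open inbound rules."""
    return find_open_inbound_rules(json.loads(rules_json))


if __name__ == "__main__":
    for name, priority, ports in audit(SAMPLE_RULES_JSON):
        print(f"{priority:>5}  {name}: open to any source on ports {', '.join(ports)}")
```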


3.4.4 - Create Firewall Rule

Example with the Azure CLI: allow inbound TCP traffic to the Oracle listener port (1521). The port to open is the destination port; the source port of an incoming connection is ephemeral and should stay at the default `*`. Without --source-address-prefixes the rule accepts traffic from any source, so restrict it to the client range that actually needs access.

az network nsg rule create \
    --resource-group myResourceGroup \
    --nsg-name myVmNSG \
    --name allow-oracle \
    --direction Inbound \
    --access Allow \
    --protocol Tcp \
    --priority 1001 \
    --source-address-prefixes 10.0.0.0/24 \
    --destination-port-ranges 1521

3.5 - Apply

3.5.1 - One VM

Associate the Network Security Group with one VM's network interface (NIC). For all VMs in a subnet, see below.

az network nic update \
    --resource-group myResourceGroup \
    --name myNic \
    --network-security-group myNetworkSecurityGroup

3.5.2 - All VMs in a subnet

Associate your Network Security Group with a virtual network subnet (i.e. all machines in this subnet):

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVnet \
    --name mySubnet \
    --network-security-group myNetworkSecurityGroup

