Azure - Network security group (NSG) - Firewall


About

A network security group (NSG) is a collection of firewall rules that can be applied to the network interface of one or several machines.

Management

Create

Network Security Group

az network nsg create \
    --resource-group myResourceGroup \
    --location eastus \
    --name myNetworkSecurityGroup

Get

From a nic

az vm nic show --vm-name vmName --nic nicId --resource-group resourceGroupName --query networkSecurityGroup.id
"/subscriptions/a3c34725-da6a-41ac-87fa-b96d44d/resourceGroups/resourceGroupName/providers/Microsoft.Network/networkSecurityGroups/nameNSG"

Show

az network nsg show --ids "idNsg"

Rule

Show

az network nsg rule show --ids "idNSG" --name default-allow-ssh
{
  "access": "Allow",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": "22",
  "destinationPortRanges": [],
  "direction": "Inbound",
  "etag": "W/\"c6cbff72-56bc-49-baaa-383eef04a8e7\"",
  "id": "/subscriptions/a3c25-da6a-41ac-87fa-090f6b96d44d/resourceGroups/resourceGroup/providers/Microsoft.Network/networkSecurityGroups/nameNSG/securityRules/default-allow-ssh",
  "name": "default-allow-ssh",
  "priority": 1000,
  "protocol": "Tcp",
  "provisioningState": "Succeeded",
  "resourceGroup": "resourceGroup",
  "sourceAddressPrefix": "*",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

Update

az network nsg rule update

List Rules

  • List name and direction
az network nsg show --ids "Id" --output tsv --query "securityRules[*].[name,direction]"
default-allow-ssh
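
The rule listing above can be audited for inbound Allow rules that expose a management or database port to any source, as default-allow-ssh does. The following is an added example, not part of the original page: the sample JSON is constructed in the shape `az network nsg show` returns, and the watched port list and function names are assumptions.

```python
import json

# Constructed sample in the shape `az network nsg show` returns (not real data).
SAMPLE_NSG = json.loads("""
{"name": "nameNSG", "securityRules": [
  {"name": "default-allow-ssh", "access": "Allow", "direction": "Inbound", "priority": 1000,
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "allow-oracle", "access": "Allow", "direction": "Inbound", "priority": 1001,
   "sourceAddressPrefix": null, "sourceAddressPrefixes": ["10.0.0.0/24"],
   "destinationPortRange": "1521", "destinationPortRanges": []},
  {"name": "allow-range", "access": "Allow", "direction": "Inbound", "priority": 1002,
   "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
   "destinationPortRange": null, "destinationPortRanges": ["80", "1500-1600"]}
]}
""")

ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # wildcard, full IPv4 range, Internet service tag
WATCHED_PORTS = {22: "ssh", 1521: "oracle", 3389: "rdp"}  # assumption: adjust to your estate

def _values(rule, single, plural):
    """Merge the singular and plural form of a rule field into one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers(port_range, port):
    """True if an NSG port expression ('*', '22', '1500-1600') includes port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def open_to_any(nsg):
    """Return (rule name, port, priority) for inbound Allow rules open to any source."""
    findings = []
    for rule in nsg.get("securityRules", []):
        if rule["access"] != "Allow" or rule["direction"] != "Inbound":
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(s.lower() in ANY_SOURCE for s in sources):
            continue
        ranges = _values(rule, "destinationPortRange", "destinationPortRanges")
        for port in sorted(WATCHED_PORTS):
            if any(_covers(r, port) for r in ranges):
                findings.append((rule["name"], port, rule["priority"]))
    return findings

if __name__ == "__main__":
    for name, port, prio in open_to_any(SAMPLE_NSG):
        print(f"{name}: {WATCHED_PORTS[port]}/{port} open to any source (priority {prio})")
```

A match is a candidate for review rather than a verdict: NSG rules are evaluated in priority order, lowest number first, so a Deny rule with a lower priority number can still block the traffic.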

Create Firewall Rule

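Example with the Azure CLI.

# 1521 is the port the Oracle listener accepts connections on, so it is the
# destination port; the source port is left at its default (any).
az network nsg rule create \
    --resource-group myResourceGroup \
    --nsg-name myVmNSG \
    --name allow-oracle \
    --protocol tcp \
    --priority 1001 \
    --destination-port-range 1521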

Apply

One VM

Associate the Network Security Group with one VM's network interface (NIC). For all VMs in a subnet, see below.

az network nic update \
    --resource-group myResourceGroup \
    --name myNic \
    --network-security-group myNetworkSecurityGroup

All VMs in a Subnet

Associate your Network Security Group with a virtual network subnet (i.e. all machines in this subnet).

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVnet \
    --name mySubnet \
    --network-security-group myNetworkSecurityGroup
