In this post, I'll walk you through how to list and create Azure network security groups (NSGs) with PowerShell. In the next post, I will dive deeper and cover advanced NSG features such as augmented security rules, service tags, and application security rules.

Network Security Groups (NSGs) in Azure filter network traffic to and from resources in a virtual network. An NSG consists of a set of inbound and outbound rules; each rule allows or denies traffic based on source, destination, port, and protocol, and the rules are evaluated in priority order. You configure these rules and then associate the NSG with subnets or network interfaces. In the Resource Manager model a VM is protected through its NIC or its subnet; the NSG is not attached to the VM object itself.

Each subnet or network interface can have only one associated NSG at a time, while a single NSG can be associated with many resources. That's why it is important to place VMs and other services in appropriate subnets before attaching NSGs. Note also that an NSG can only be associated with resources in the same region as the NSG; the resources may, however, live in a different resource group than the NSG.

The following Azure limits apply for NSGs per region per subscription.

Azure NSG limits

Network Security Group configuration in Azure

Listing NSGs and rules

The following command lists all NSGs in the current subscription:

Get-AzureRmNetworkSecurityGroup | Select Name, Location, ResourceGroupName
Listing Network Security Groups

We can use the following command to list all rules in a specific NSG in detail:

Get-AzureRmNetworkSecurityGroup -Name OnurNSG -ResourceGroupName 4SYSOPS | select -ExpandProperty SecurityRules
Listing security rules in an NSG
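Listing rules one NSG at a time is fine for a handful of resources, but the check a practitioner usually wants is across the whole subscription: which inbound Allow rules expose management ports to the internet? The following script is an added example, not code from the original post. It assumes the AzureRm module and an existing login session (Login-AzureRmAccount); the list of "risky" ports is an assumption you should adjust to your environment.

```powershell
# Added example (not from the original post): flag inbound Allow rules that
# expose management ports to the whole internet, across all NSGs in the
# current subscription. Requires the AzureRm module and a logged-in session.
# The port list is an assumption for the example.
$RiskyPorts = 22, 3389, 5985, 5986   # SSH, RDP, WinRM (HTTP/HTTPS)

# Does a single Azure port-range string ("*", "3389", "3000-4000") cover $Port?
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

$Findings = foreach ($nsg in Get-AzureRmNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }

        # Newer AzureRm versions store prefixes and ports as lists (augmented
        # rules); @() makes the same code work with the older single-string form.
        $sources = @($rule.SourceAddressPrefix)
        $fromInternet = ($sources -contains '*') -or ($sources -contains 'Internet') -or ($sources -contains '0.0.0.0/0')
        if (-not $fromInternet) { continue }

        $hits = foreach ($p in $RiskyPorts) {
            foreach ($r in @($rule.DestinationPortRange)) {
                if (Test-PortInRange -Range $r -Port $p) { $p }
            }
        }
        if ($hits) {
            [pscustomobject]@{
                NSG           = $nsg.Name
                ResourceGroup = $nsg.ResourceGroupName
                Rule          = $rule.Name
                Priority      = $rule.Priority
                Source        = ($sources -join ',')
                ExposedPorts  = ((@($hits) | Sort-Object -Unique) -join ',')
            }
        }
    }
}

$Findings | Sort-Object NSG, Priority | Format-Table -AutoSize
```

The script evaluates each rule in isolation; it does not simulate priority ordering, so a flagged rule may be shadowed by a higher-priority Deny. Treat the output as a list of rules to review, not as proof of exposure, and remember that an NSG with no subnet or NIC association filters nothing at all.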

If we'd like to find the NSG to which a specific subnet is associated, we can use the following commands:

$VNet=Get-AzureRmVirtualNetwork -Name "OnurTestVNET" -ResourceGroupName 4SYSOPS
$VNet | select -ExpandProperty Subnets | select name, @{label="NSG_ID";expression={$_.NetworkSecurityGroup.id}} | fl
Listing a subnet NSG association

The reverse lookup, listing the subnets and network interfaces associated with a specific NSG, works the same way: the NSG object returned by Get-AzureRmNetworkSecurityGroup exposes them in its Subnets and NetworkInterfaces collections, each entry carrying the resource ID of the associated subnet or NIC:

Listing subnets and interfaces associated with an NSG
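The following script is an added example (not the original post's code) that performs this reverse lookup and turns the raw resource IDs into readable names, then cross-checks from the NIC side. The NSG name, resource group, and ID layout it parses are assumptions; the ID format is the standard ARM path, but verify the output against the portal if your resources use a different provider hierarchy.

```powershell
# Added example (not part of the original post): list every subnet and NIC
# that references a given NSG. Names are assumptions; adjust to your environment.
$nsg = Get-AzureRmNetworkSecurityGroup -Name TestNSG -ResourceGroupName 4SYSOPS

# The NSG object carries back-references as resource IDs only. A subnet ID looks like
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
# and a NIC ID ends in .../networkInterfaces/<nic>, so the names can be read off the path.
function ConvertFrom-ResourceId {
    param([string]$Id)
    $parts = $Id -split '/'
    [pscustomobject]@{
        ResourceGroup = $parts[4]
        Name          = $parts[-1]
        Parent        = if ($parts[-2] -eq 'subnets') { $parts[-3] } else { $null }
    }
}

Write-Host "Subnets using $($nsg.Name):"
foreach ($s in $nsg.Subnets) {
    $r = ConvertFrom-ResourceId $s.Id
    "  {0}/{1} (resource group {2})" -f $r.Parent, $r.Name, $r.ResourceGroup
}

Write-Host "Network interfaces using $($nsg.Name):"
foreach ($n in $nsg.NetworkInterfaces) {
    $r = ConvertFrom-ResourceId $n.Id
    "  {0} (resource group {1})" -f $r.Name, $r.ResourceGroup
}

# Cross-check from the NIC side. Enumerating NICs directly also tells you which VM
# each one belongs to, which the NSG's back-reference list does not.
Get-AzureRmNetworkInterface |
    Where-Object { $_.NetworkSecurityGroup -and $_.NetworkSecurityGroup.Id -eq $nsg.Id } |
    Select-Object Name, ResourceGroupName,
        @{ n = 'VM'; e = { if ($_.VirtualMachine) { ($_.VirtualMachine.Id -split '/')[-1] } } }
```

If both lists come back empty, the NSG is not enforcing anything, which is worth flagging during a review just as much as an over-permissive rule.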

Default rules

Creating a new NSG automatically creates the following default rules for inbound and outbound access. You cannot delete or edit them, but because they sit at the lowest priorities (65000 and above), any rule you add with a higher priority (a lower number) takes precedence over them.

Default rules of an NSG

We can list default security rules using the following command:

Get-AzureRmNetworkSecurityGroup -Name TestNSG -ResourceGroupName 4SYSOPS | select -ExpandProperty DefaultSecurityRules | select name,description
Listing default security rules

Creating and modifying NSGs

To create a new NSG, you can use the following command:

New-AzureRmNetworkSecurityGroup -Name TestNSG3 -ResourceGroupName 4SYSOPS -Location NorthEurope
Creating a new NSG

This command creates an NSG that contains only the default rules, so we need to add our own. The following example adds a rule that allows HTTPS access from the internet. Note that the source port range must be *: clients connect from random ephemeral ports, so a rule that only matched source port 443 would block practically every real client.

$nsg=Get-AzureRmNetworkSecurityGroup -Name TestNSG -ResourceGroupName 4SYSOPS
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name Allow_HTTPS -Description "Allow port 443 for secure webserver access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443 | Set-AzureRmNetworkSecurityGroup

Add-AzureRmNetworkSecurityRuleConfig only changes the in-memory copy of the NSG; piping the result to Set-AzureRmNetworkSecurityGroup writes the updated rule set back to Azure.

Modifying an NSG

NSGs are stateful. Once a flow is allowed in one direction, the return traffic for that flow is allowed automatically, so you do not need a matching rule in the opposite direction. For example, if you want a VM to talk to an external IP address over port 443, an outbound rule to that address on port 443 is sufficient; the responses are permitted because the VM initiated the connection.

The converse also holds: if the external side initiates the connection, you need an explicit inbound rule that allows it, and the VM's replies are then covered by the same flow.
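Adding rules one pipeline at a time, as above, means one API round trip per rule and no check that the set is consistent before it is applied. The following script is an added example, not code from the original post: it declares the whole rule set up front, rejects duplicate priorities locally, replaces rules of the same name instead of failing on them, and writes everything back in a single Set-AzureRmNetworkSecurityGroup call. The NSG name, resource group, and the 10.10.0.0/24 management range are assumptions.

```powershell
# Added example (not from the original post): define a whole rule set once,
# validate it, then apply it in a single update.
# Names (TestNSG, 4SYSOPS) and the address ranges are assumptions.
$nsg = Get-AzureRmNetworkSecurityGroup -Name TestNSG -ResourceGroupName 4SYSOPS

# One hashtable per rule. The keys match Add-AzureRmNetworkSecurityRuleConfig
# parameters, so each hashtable can be splatted straight into the cmdlet.
$Rules = @(
    @{ Name = 'Allow_HTTPS_In';    Direction = 'Inbound';  Access = 'Allow'; Priority = 100;  Protocol = 'Tcp'
       SourceAddressPrefix = 'Internet';     SourcePortRange = '*'; DestinationAddressPrefix = '*';        DestinationPortRange = '443' }
    @{ Name = 'Allow_RDP_Mgmt';    Direction = 'Inbound';  Access = 'Allow'; Priority = 110;  Protocol = 'Tcp'
       SourceAddressPrefix = '10.10.0.0/24'; SourcePortRange = '*'; DestinationAddressPrefix = '*';        DestinationPortRange = '3389' }
    # Explicit deny below the allows, so a rule someone adds later at a lower
    # priority cannot silently widen what the internet can reach.
    @{ Name = 'Deny_Internet_In';  Direction = 'Inbound';  Access = 'Deny';  Priority = 4000; Protocol = '*'
       SourceAddressPrefix = 'Internet';     SourcePortRange = '*'; DestinationAddressPrefix = '*';        DestinationPortRange = '*' }
    # Egress: the default AllowInternetOutBound rule permits everything, so
    # restricting outbound traffic needs an explicit allow plus an explicit deny.
    @{ Name = 'Allow_HTTPS_Out';   Direction = 'Outbound'; Access = 'Allow'; Priority = 100;  Protocol = 'Tcp'
       SourceAddressPrefix = '*';            SourcePortRange = '*'; DestinationAddressPrefix = 'Internet'; DestinationPortRange = '443' }
    @{ Name = 'Deny_Internet_Out'; Direction = 'Outbound'; Access = 'Deny';  Priority = 4000; Protocol = '*'
       SourceAddressPrefix = '*';            SourcePortRange = '*'; DestinationAddressPrefix = 'Internet'; DestinationPortRange = '*' }
)

# Priorities must be unique per direction (100-4096). Catch collisions locally
# instead of letting Set-AzureRmNetworkSecurityGroup reject the whole update.
$dupes = $Rules | Group-Object { "$($_.Direction):$($_.Priority)" } | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate direction/priority pairs: $($dupes.Name -join '; ')" }

foreach ($r in $Rules) {
    # Re-running the script should converge: replace a same-named rule rather than fail on it.
    if ($nsg.SecurityRules | Where-Object Name -eq $r.Name) {
        $nsg = Remove-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $r.Name
    }
    $nsg = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg @r
}

# One round trip applies the complete rule set.
$nsg = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg
$nsg.SecurityRules |
    Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, Protocol, DestinationPortRange -AutoSize
```

The outbound deny is deliberately aggressive: it also blocks traffic to Azure services that are reached over public IP addresses (Windows Update, storage, KMS activation and so on), so test it on a non-production NSG first and add the allows your workload needs before rolling it out.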

We can also remove a rule in an NSG with the following command:

$nsg=Get-AzureRmNetworkSecurityGroup -Name TestNSG -ResourceGroupName 4SYSOPS
$nsg | Remove-AzureRmNetworkSecurityRuleConfig -Name Allow_HTTPS | Set-AzureRmNetworkSecurityGroup

To remove an NSG, we can use this command:

Remove-AzureRmNetworkSecurityGroup -ResourceGroupName 4SYSOPS -Name TestNSG3
Removing an NSG

Associating NSGs to resources

Once we've configured NSGs with the desired rule sets, we can associate them with subnets or network interface cards (NICs). Either level works, and both can be used at once; when a NIC and the subnet it sits in each carry an NSG, traffic has to be allowed by both NSGs to get through.

Use the following commands to associate an existing NSG to a specified subnet:

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName 4SYSOPS -Name OnurTestVNet
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name WebServer_Subnet
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName 4SYSOPS -Name TestNSG2
$subnet.NetworkSecurityGroup = $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

To disassociate an NSG from a subnet, use the following:

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName 4SYSOPS -Name OnurTestVNet
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name WebServer_Subnet
$subnet.NetworkSecurityGroup = $null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

You can use the following to associate an existing NSG to a NIC:

$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName 4SYSOPS -Name TestNSG2
$nic = Get-AzureRmNetworkInterface -ResourceGroupName 4SYSOPS -Name TestNIC
$nic.NetworkSecurityGroup = $nsg
Set-AzureRmNetworkInterface -NetworkInterface $nic

To disassociate an NSG from a NIC, use:


$nic = Get-AzureRmNetworkInterface -ResourceGroupName 4SYSOPS -Name TestNIC
$nic.NetworkSecurityGroup = $null
Set-AzureRmNetworkInterface -NetworkInterface $nic

Conclusion

We've seen how to manage NSGs and perform common tasks using PowerShell. In my next post, I will look at advanced NSG features such as augmented security rules, service tags, and application security rules.

4 Comments
  1. Arjun Bahree 5 years ago

    NSGs in Azure cannot be attached to Azure RM VMs, but only to NICs and subnets under the new Azure RM model. They can only be attached to Azure Classic VMs, which are not supported under the new ARM model.

  2. Baki Onur Okutucu (Author) 5 years ago

    Thanks for pointing that out, Arjun.

    Yeah, that’s correct, in the ARM model VMs cannot be associated directly to NSGs. On the other hand, a preview feature named Application Security Group (ASG) enables us to group NICs already attached to VMs in order to create computer groups such as WebServerVMs, DBServerVMs etc. This way, we can indirectly specify group of VMs in NSG rules as a source or a destination.

  3. akshay 3 years ago

    How to check NSG associations in PowerShell?

  4. David 2 months ago

    How would you add multiple inbound and outbound rules to an NSG in one PowerShell Script?

© 4sysops 2006 - 2022