Network Security Groups (NSGs) in Azure filter network traffic to and from resources in a virtual network. An NSG is a set of inbound and outbound rules, each of which allows or denies traffic by source, destination, protocol, and port. You configure the rules and then associate the NSG with subnets or network interfaces (NICs).
Each subnet or NIC can have only one NSG associated with it at a time, while one NSG can be associated with many subnets and NICs. In the Resource Manager model an NSG is not attached to a VM directly: a VM is protected through the NSG on its NIC, the NSG on its subnet, or both. When both exist, the subnet NSG is evaluated first for inbound traffic (the NIC NSG first for outbound), and a packet must be allowed by both. That is why it is important to place VMs and other services in appropriate subnets before attaching NSGs. Note also that an NSG can only be associated with resources in the same region as the NSG, although the resources may live in a different resource group from the NSG.
The following Azure limits apply for NSGs per region per subscription.
Listing NSGs and rules
The following command lists the existing NSGs in the current subscription. The examples in this post use the AzureRm module; the same cmdlets exist in the newer Az module with the AzureRm prefix replaced by Az (for example, Get-AzNetworkSecurityGroup).
Get-AzureRmNetworkSecurityGroup | Select Name, Location, ResourceGroupName
We can use the following command to list all rules in a specific NSG in detail:
Get-AzureRmNetworkSecurityGroup -Name OnurNSG -ResourceGroupName 4SYSOPS | select -ExpandProperty SecurityRules
If we'd like to find the NSG to which a specific subnet is associated, we can use the following commands:
$VNet = Get-AzureRmVirtualNetwork -Name "OnurTestVNET" -ResourceGroupName 4SYSOPS
$VNet | select -ExpandProperty Subnets | select name, @{label="NSG_ID";expression={$_.NetworkSecurityGroup.id}} | fl
The reverse lookup, the subnets and network interfaces associated with a given NSG, works the same way through the Subnets and NetworkInterfaces properties of the NSG object. Both hold only resource IDs, so the names have to be read out of the ID strings.
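The following function is an added example, not code from the original article: it lists every subnet and NIC associated with an NSG and resolves each NIC to the VM it belongs to. The NSG name "TestNSG" and resource group "4SYSOPS" are taken from the article's own examples and are assumptions; with the Az module replace the AzureRm prefix with Az.

```powershell
# Added example: list the subnets and NICs an NSG is associated with, and the VM behind each NIC.
# The NSG object stores only resource IDs, so names are parsed out of the ID strings.
# Assumed names: NSG "TestNSG" in resource group "4SYSOPS".
function Get-NsgAssociation {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroupName
    )
    $nsg = Get-AzureRmNetworkSecurityGroup -Name $Name -ResourceGroupName $ResourceGroupName

    # Subnet IDs end in .../virtualNetworks/<vnet>/subnets/<subnet>
    foreach ($s in $nsg.Subnets) {
        if ($s.Id -match '/virtualNetworks/([^/]+)/subnets/([^/]+)$') {
            [pscustomobject]@{
                Type = 'Subnet'
                Name = "$($Matches[1])/$($Matches[2])"
                Vm   = $null
                Id   = $s.Id
            }
        }
    }

    # NIC IDs look like .../resourceGroups/<rg>/providers/Microsoft.Network/networkInterfaces/<nic>
    foreach ($n in $nsg.NetworkInterfaces) {
        if ($n.Id -match '/resourceGroups/([^/]+)/.*/networkInterfaces/([^/]+)$') {
            $nic = Get-AzureRmNetworkInterface -ResourceGroupName $Matches[1] -Name $Matches[2]
            # A NIC that is not attached to a VM has no VirtualMachine reference.
            $vmName = if ($nic.VirtualMachine) { ($nic.VirtualMachine.Id -split '/')[-1] } else { '(unattached)' }
            [pscustomobject]@{
                Type = 'NIC'
                Name = $nic.Name
                Vm   = $vmName
                Id   = $n.Id
            }
        }
    }
}

Get-NsgAssociation -Name TestNSG -ResourceGroupName 4SYSOPS | Format-Table Type, Name, Vm
```

Because a VM can be covered by an NSG on its NIC and another on its subnet, run this against both NSGs when you are trying to work out which rule set actually applies to a given machine.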
Default rules
Creating a new NSG automatically creates six default rules that you cannot delete, only override with rules of a lower priority number. Inbound: AllowVnetInBound (priority 65000), AllowAzureLoadBalancerInBound (65001), and DenyAllInBound (65500). Outbound: AllowVnetOutBound (65000), AllowInternetOutBound (65001), and DenyAllOutBound (65500). The practical consequence is that a fresh NSG allows all outbound traffic to the Internet and all traffic within the virtual network, and denies everything else inbound.
We can list default security rules using the following command:
Get-AzureRmNetworkSecurityGroup -Name TestNSG -ResourceGroupName 4SYSOPS | select -ExpandProperty DefaultSecurityRules | select name,description
Creating and modifying NSGs
To create a new NSG, you can use the following command:
New-AzureRmNetworkSecurityGroup -Name TestNSG3 -ResourceGroupName 4SYSOPS -Location NorthEurope
This command only creates an NSG containing the default rules, so the next step is to add our own rules. The following example adds a rule that allows HTTPS access from the Internet. Note the source port range of *: the client side of an HTTPS connection uses an ephemeral port, so a rule that restricts the source port to 443 would match almost no real traffic. Only the destination port is 443.
$nsg = Get-AzureRmNetworkSecurityGroup -Name TestNSG -ResourceGroupName 4SYSOPS
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name Allow_HTTPS -Description "Allow port 443 for secure webserver access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443 | Set-AzureRmNetworkSecurityGroup
Add-AzureRmNetworkSecurityRuleConfig only changes the in-memory copy of the NSG object. Nothing reaches Azure until Set-AzureRmNetworkSecurityGroup writes the object back, which is when Azure also rejects duplicate priorities within the same direction.
NSG rules are stateful. After creating an outbound rule that allows a VM to reach an IP address on a port, you do not need a matching inbound rule for the replies. For example, to let a VM talk to an external IP address over port 443, an outbound rule to that address on port 443 is sufficient.
The return traffic is allowed because the VM initiated the connection, not the external host. Only when the external host initiates the connection do you need an explicit inbound rule allowing the traffic to the VM.
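The script below is an added example, not from the original article. It defines several inbound and outbound rules declaratively, adds them all to the in-memory NSG object, and commits them with a single Set-AzureRmNetworkSecurityGroup call. The NSG "TestNSG" and resource group "4SYSOPS" come from the article; the admin network 203.0.113.0/24 and the external host 198.51.100.10 are assumed addresses from the documentation ranges. The outbound rule illustrates the stateful behaviour described above: no inbound rule is needed for the replies.

```powershell
# Added example: add several inbound and outbound rules in one script and commit once.
# Assumed: NSG "TestNSG" in resource group "4SYSOPS"; 203.0.113.0/24 and 198.51.100.10
# are placeholder addresses (RFC 5737 documentation ranges).
$nsg = Get-AzureRmNetworkSecurityGroup -Name TestNSG -ResourceGroupName 4SYSOPS

$rules = @(
    @{ Name='Allow_HTTPS_In';   Direction='Inbound';  Priority=110; Access='Allow'; Protocol='Tcp'
       Source='Internet';       SourcePort='*'; Destination='*';             DestPort='443'
       Description='HTTPS from the Internet; source port is * because clients use ephemeral ports' }
    @{ Name='Allow_RDP_Admin';  Direction='Inbound';  Priority=120; Access='Allow'; Protocol='Tcp'
       Source='203.0.113.0/24'; SourcePort='*'; Destination='*';             DestPort='3389'
       Description='RDP only from the admin network (assumed CIDR)' }
    @{ Name='Deny_RDP_Other';   Direction='Inbound';  Priority=130; Access='Deny';  Protocol='Tcp'
       Source='*';              SourcePort='*'; Destination='*';             DestPort='3389'
       Description='Explicit deny so a broad Allow rule added later with a higher number cannot reopen RDP' }
    @{ Name='Allow_Update_Out'; Direction='Outbound'; Priority=100; Access='Allow'; Protocol='Tcp'
       Source='*';              SourcePort='*'; Destination='198.51.100.10'; DestPort='443'
       Description='VM-initiated HTTPS to one external host; replies are allowed by state, no inbound rule needed' }
)

foreach ($r in $rules) {
    # Each call only modifies the local object; the rule is not yet in Azure.
    $nsg = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name $r.Name -Description $r.Description -Direction $r.Direction `
        -Priority $r.Priority -Access $r.Access -Protocol $r.Protocol `
        -SourceAddressPrefix $r.Source -SourcePortRange $r.SourcePort `
        -DestinationAddressPrefix $r.Destination -DestinationPortRange $r.DestPort
}

# One round trip writes all rules; Azure validates priorities and prefixes at this point.
$nsg = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Rules are evaluated per direction in ascending priority; the first match wins.
$nsg.SecurityRules | Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

Rules are evaluated in ascending priority order and the first match wins, so Allow_RDP_Admin (120) is tested before Deny_RDP_Other (130). The explicit deny is not strictly required because DenyAllInBound (65500) exists anyway, but it protects against someone later adding an allow-everything rule at, say, 1000.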
We can also remove a rule in an NSG with the following command:
$nsg = Get-AzureRmNetworkSecurityGroup -Name TestNSG -ResourceGroupName 4SYSOPS
$nsg | Remove-AzureRmNetworkSecurityRuleConfig -Name Allow_HTTPS | Set-AzureRmNetworkSecurityGroup
To remove an NSG, we can use this command:
Remove-AzureRmNetworkSecurityGroup -ResourceGroupName 4SYSOPS -Name TestNSG3
Associating NSGs to resources
Once we've configured NSGs with the desired rule sets, we can associate them with the appropriate resources: subnets or network interface cards (NICs). A VM is covered through the NSG on its NIC, on its subnet, or both.
Use the following commands to associate an existing NSG to a specified subnet:
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName 4SYSOPS -Name OnurTestVNet
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name WebServer_Subnet
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName 4SYSOPS -Name TestNSG2
$subnet.NetworkSecurityGroup = $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
To disassociate an NSG from a subnet, use the following:
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName 4SYSOPS -Name OnurTestVNet
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name WebServer_Subnet
$subnet.NetworkSecurityGroup = $null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
You can use the following to associate an existing NSG to an NIC:
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName 4SYSOPS -Name TestNSG2
$nic = Get-AzureRmNetworkInterface -ResourceGroupName 4SYSOPS -Name TestNIC
$nic.NetworkSecurityGroup = $nsg
Set-AzureRmNetworkInterface -NetworkInterface $nic
To disassociate an NSG from a NIC, use:
$nic = Get-AzureRmNetworkInterface -ResourceGroupName 4SYSOPS -Name TestNIC
$nic.NetworkSecurityGroup = $null
Set-AzureRmNetworkInterface -NetworkInterface $nic
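After disassociating NSGs it is worth checking what is left unprotected. The function below is an added example, not from the original article: it reports, for every NIC in a resource group, the NSG on the NIC and the NSG on its subnet. A NIC with neither has no filtering at all, because the default rules only exist inside an NSG. The resource group "4SYSOPS" is assumed from the article's examples; with the Az module replace the AzureRm prefix with Az.

```powershell
# Added example: audit NSG coverage for every NIC in a resource group.
# A NIC with no NSG at either the NIC or the subnet level is completely unfiltered.
# Assumed resource group name: "4SYSOPS".
function Get-NicNsgCoverage {
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    $vnetCache = @{}   # read each VNet once instead of once per NIC

    foreach ($nic in Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName) {
        $nicNsgId = $nic.NetworkSecurityGroup.Id

        # The primary IP configuration carries the subnet ID:
        # .../resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
        $subnetId    = $nic.IpConfigurations[0].Subnet.Id
        $subnetNsgId = $null
        if ($subnetId -match '/resourceGroups/([^/]+)/.*/virtualNetworks/([^/]+)/subnets/([^/]+)$') {
            $rg, $vnetName, $subnetName = $Matches[1], $Matches[2], $Matches[3]
            $key = "$rg/$vnetName"
            if (-not $vnetCache.ContainsKey($key)) {
                $vnetCache[$key] = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name $vnetName
            }
            $subnet      = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnetCache[$key] -Name $subnetName
            $subnetNsgId = $subnet.NetworkSecurityGroup.Id
        }

        $vmName    = if ($nic.VirtualMachine) { ($nic.VirtualMachine.Id -split '/')[-1] } else { '(unattached)' }
        $nicNsg    = if ($nicNsgId)    { ($nicNsgId    -split '/')[-1] } else { $null }
        $subnetNsg = if ($subnetNsgId) { ($subnetNsgId -split '/')[-1] } else { $null }

        [pscustomobject]@{
            Nic       = $nic.Name
            Vm        = $vmName
            NicNsg    = $nicNsg
            SubnetNsg = $subnetNsg
            Protected = [bool]($nicNsgId -or $subnetNsgId)
        }
    }
}

# Show only the NICs that have no NSG anywhere; these are the ones to fix first.
Get-NicNsgCoverage -ResourceGroupName 4SYSOPS | Where-Object { -not $_.Protected } | Format-Table
```

Where a NIC shows both a NicNsg and a SubnetNsg, remember that traffic has to be allowed by both rule sets; an allow rule in one of them is not enough on its own.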
Conclusion
We've seen how to manage NSGs and perform common tasks using PowerShell. In my next post, I will look at advanced NSG features such as augmented security rules, service tags, and application security groups.
NSGs in Azure cannot be attached to Azure RM VMs, but only to NICs and subnets under the new Azure RM model. They can only be attached to Azure Classic VMs, which are not supported under the new ARM model.
Thanks for pointing out that Arjun.
Yeah, that's correct, in the ARM model VMs cannot be associated directly with NSGs. On the other hand, a preview feature named Application Security Group (ASG) enables us to group NICs already attached to VMs in order to create computer groups such as WebServerVMs, DBServerVMs etc. This way, we can indirectly specify a group of VMs in NSG rules as a source or a destination.
How do you check an NSG's associations in PowerShell?
How would you add multiple inbound and outbound rules to an NSG in one PowerShell Script?