In this post, I'll walk you through how to list and create Azure network security groups (NSGs) with PowerShell. In the next post, I will dive deeper and cover advanced NSG features such as augmented security rules, service tags, and application security rules.

Baki Onur Okutucu

Onur is a subject matter expert for Office 365, Azure, and PowerShell technologies. He is the founder of Clouderz Ltd, a cloud consultancy based in London. For ten years in a row, Microsoft has recognized him as a Most Valuable Professional. You can follow Onur on Twitter: @BakiOnur.

Network Security Groups (NSGs) in Azure filter network traffic to and from resources in an Azure virtual network. An NSG is a set of inbound and outbound security rules; each rule allows or denies traffic matched by source, destination, port, and protocol, and carries a priority. Azure evaluates the rules of a direction from the lowest priority number upward and stops at the first match, so a more specific rule only takes effect if its number is lower than that of any broader rule. You configure these rules as needed and then associate the NSG with subnets or network interfaces.

Each subnet or network interface can have only one NSG associated with it at a time, while you can associate one NSG with many subnets and interfaces. In the Resource Manager model you cannot attach an NSG to a VM directly; you attach it to the VM's network interface or to the subnet that contains it (only classic VMs support a direct association). When both a subnet and a NIC in it have an NSG, inbound traffic must be allowed by the subnet NSG first and then by the NIC NSG, and outbound traffic is evaluated in the reverse order; a flow that either NSG denies is dropped. That's why it is important to place VMs and other services in appropriate subnets before attaching NSGs. It is also important to note that you can only associate an NSG with resources in the same region as the NSG, but the resources may sit in a different resource group from the NSG.

The following Azure limits apply for NSGs per region per subscription.

Azure NSG limits


Network Security Group configuration in Azure


Listing NSGs and rules

Get-AzureRmNetworkSecurityGroup, run without parameters, lists the existing NSGs in the subscription:

Listing Network Security Groups


We can use Get-AzureRmNetworkSecurityRuleConfig with the -NetworkSecurityGroup parameter to list all custom rules in a specific NSG in detail (the same rules are also available in the SecurityRules property of the NSG object):

Listing security rules in an NSG


If we'd like to find the NSG a specific subnet is associated with, we get the subnet configuration from its virtual network with Get-AzureRmVirtualNetworkSubnetConfig and read its NetworkSecurityGroup property, which is empty when no NSG is attached:

Listing a Subnet NSG association


The reverse lookup is just as simple: the Subnets and NetworkInterfaces properties of an NSG object hold the resource IDs of the subnets and network interfaces associated with it:

Listing subnets and interfaces associated with an NSG

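To make the listing tasks above concrete, here is an added example (my own code, not from the original post) that inventories every NSG in the subscription, prints its custom rules and the subnets and NICs attached to it, looks up the NSG of one subnet, and warns about inbound Allow rules that are reachable from the Internet on all ports or on common administrative ports. It assumes the AzureRM module, an existing Login-AzureRmAccount session, and the placeholder names vnet-prod, snet-web, and rg-network.

```powershell
# Added example; not part of the original post. Requires the AzureRM module and a
# session established with Login-AzureRmAccount. Resource names are assumed.

# Ports that should never be open to the Internet on a production NSG
# (exact port numbers only; ranges such as 3000-4000 are not expanded)
$adminPorts = @('22', '3389', '5985', '5986', '1433', '3306')

function Get-ShortId([string]$Id) { $Id.Split('/')[-1] }   # last segment of a resource ID

foreach ($nsg in Get-AzureRmNetworkSecurityGroup) {          # no parameters = whole subscription
    "`n=== $($nsg.Name)  [$($nsg.ResourceGroupName), $($nsg.Location)] ==="

    # Custom rules only; the built-in ones are in $nsg.DefaultSecurityRules
    Get-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
        Sort-Object Direction, Priority |
        Format-Table Name, Direction, Priority, Access, Protocol,
            @{ n = 'Src';     e = { $_.SourceAddressPrefix      -join ',' } },
            @{ n = 'SrcPort'; e = { $_.SourcePortRange          -join ',' } },
            @{ n = 'Dst';     e = { $_.DestinationAddressPrefix -join ',' } },
            @{ n = 'DstPort'; e = { $_.DestinationPortRange     -join ',' } } -AutoSize |
        Out-Host

    # What the NSG protects; both properties only carry resource IDs
    'Subnets: ' + (($nsg.Subnets           | ForEach-Object { Get-ShortId $_.Id }) -join ', ')
    'NICs:    ' + (($nsg.NetworkInterfaces | ForEach-Object { Get-ShortId $_.Id }) -join ', ')

    # Audit: inbound Allow rules whose source is effectively "anyone"
    $exposed = $nsg.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and (
            $_.SourceAddressPrefix -contains '*' -or
            $_.SourceAddressPrefix -contains 'Internet' -or
            $_.SourceAddressPrefix -contains '0.0.0.0/0')
    }
    foreach ($rule in $exposed) {
        $ports = @($rule.DestinationPortRange)
        $hit   = ($ports -contains '*') -or [bool]($adminPorts | Where-Object { $ports -contains $_ })
        if ($hit) {
            Write-Warning "$($nsg.Name)/$($rule.Name) (priority $($rule.Priority)): Internet -> port(s) $($ports -join ',')"
        }
    }
}

# Which NSG does one subnet carry? PSSubnet.NetworkSecurityGroup is $null when none.
$vnet   = Get-AzureRmVirtualNetwork -Name 'vnet-prod' -ResourceGroupName 'rg-network'   # assumed names
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web'
if ($subnet.NetworkSecurityGroup) {
    'snet-web -> ' + (Get-ShortId $subnet.NetworkSecurityGroup.Id)
} else {
    'snet-web has no NSG: only NIC-level NSGs, if any, filter traffic to it'
}
```

The audit treats the service tag Internet, the wildcard, and 0.0.0.0/0 as equivalent because each of them matches any public source; a rule that allows one of those to port * or to a management port is the first thing to fix before anything else in the NSG is reviewed.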

Default rules

Creating a new NSG automatically creates the following default rules for inbound and outbound access. You cannot delete them, but you can override them with your own rules, which always have a lower priority number (100 to 4096) and are therefore evaluated first:

    Inbound:  AllowVNetInBound (priority 65000), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500)
    Outbound: AllowVnetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500)

The practical consequence is that a fresh NSG blocks all inbound traffic from outside the virtual network but allows all outbound traffic, including to the Internet; restricting what a VM may talk to requires an explicit outbound Deny rule.

Default rules of an NSG


We can list the default security rules with Get-AzureRmNetworkSecurityRuleConfig and its -DefaultRules switch (they are also exposed in the DefaultSecurityRules property of the NSG object):

Listing default security rules

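The following added example (my own code, not from the original post) lists the default rules of an NSG and then merges them with the custom rules in evaluation order, so you can see which rule actually decides a given inbound flow. It assumes the AzureRM module, a logged-in session, and an existing NSG named nsg-web in resource group rg-network; both names are placeholders, and Test-NsgInbound is a hypothetical helper written for this example.

```powershell
# Added example; not part of the original post. Assumes the AzureRM module, a
# session from Login-AzureRmAccount, and an NSG 'nsg-web' in 'rg-network' (assumed).

$nsg = Get-AzureRmNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName 'rg-network'

# Default rules only (priorities 65000-65500; present in every NSG, cannot be deleted)
Get-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -DefaultRules |
    Format-Table Name, Direction, Priority, Access, Protocol,
        SourceAddressPrefix, DestinationAddressPrefix -AutoSize | Out-Host

# Effective rule set: custom (100-4096) and default rules together, in the order
# Azure walks them. Lowest number first, first match wins.
$effective = @($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) | Sort-Object Direction, Priority
$effective | Format-Table Name, Direction, Priority, Access -AutoSize | Out-Host

function Test-NsgInbound {
    # Hypothetical helper: returns the first inbound rule that matches a TCP flow
    # from the given source tag/prefix to the given destination port. It understands
    # the '*' wildcard and exact tag/prefix and single-port matches only; it is a
    # reading aid for priority order, not a replacement for Azure's own evaluation.
    param([array]$Rules, [string]$Source, [string]$Port)
    foreach ($r in ($Rules | Where-Object Direction -eq 'Inbound' | Sort-Object Priority)) {
        $srcOk  = ($r.SourceAddressPrefix   -contains '*') -or ($r.SourceAddressPrefix   -contains $Source)
        $portOk = ($r.DestinationPortRange  -contains '*') -or ($r.DestinationPortRange  -contains $Port)
        $protOk = ($r.Protocol -eq '*') -or ($r.Protocol -eq 'Tcp')
        if ($srcOk -and $portOk -and $protOk) {
            return "$($r.Access) by $($r.Name) (priority $($r.Priority))"
        }
    }
    'no match'   # unreachable in practice: DenyAllInBound (65500) matches every flow
}

# With only the defaults present, both of these end at DenyAllInBound; a custom
# Allow for 443 at priority 100 would change the first answer but not the second.
Test-NsgInbound -Rules $effective -Source 'Internet' -Port '443'
Test-NsgInbound -Rules $effective -Source 'Internet' -Port '3389'
```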

Creating and modifying NSGs

To create a new NSG, use New-AzureRmNetworkSecurityGroup with a name, resource group, and location:

Creating a new NSG


This command creates an NSG that contains only the default rules, so we still need to add our own. The following example adds a rule that allows HTTPS (TCP port 443) from the Internet.

Note that Add-AzureRmNetworkSecurityRuleConfig only changes the NSG object in your PowerShell session; nothing is written to Azure until you run Set-AzureRmNetworkSecurityGroup, which uploads the complete rule set of the modified NSG.

Modifying an NSG


NSGs are stateful: once a rule allows the first packet of a connection, the return traffic of that flow is allowed automatically, so you never need a matching rule in the opposite direction. For example, if you want a VM to communicate with an external IP address over TCP port 443, a single outbound rule to that address on port 443 is sufficient.

You don't need a separate inbound rule to let the external host respond, because the VM initiates the connection, not the external host. The reverse also holds: if the external host initiates the connection, you must create an explicit inbound rule, and the VM's replies are then allowed without an outbound rule. What stateful tracking does not do is open other ports or directions; a host the VM talks to on port 443 still cannot start its own connection back to the VM unless an inbound rule permits it.

We can also remove a rule from an NSG with Remove-AzureRmNetworkSecurityRuleConfig; as with adding rules, the change only reaches Azure when you run Set-AzureRmNetworkSecurityGroup afterwards:

To remove an NSG, use Remove-AzureRmNetworkSecurityGroup. The call fails while any subnet or network interface is still associated with the NSG, so disassociate it first:

Removing an NSG

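The whole create, modify, and remove cycle from this section, as one added example (my own code, not from the original post). It builds an NSG with an inbound HTTPS rule, adds an outbound rule to a single external address to show the stateful case discussed above, adds and then removes an explicit RDP deny, and finally deletes the NSG only if nothing references it. It assumes the AzureRM module and a logged-in session; the names nsg-web, rg-network, and westeurope and the address 203.0.113.10 (from the TEST-NET-3 documentation range) are placeholders.

```powershell
# Added example; not part of the original post. Assumes the AzureRM module and a
# session from Login-AzureRmAccount. All names and the address are assumed.

$rg  = 'rg-network'
$loc = 'westeurope'

# Rules are built as local objects first ...
$httpsIn = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-HTTPS-In' `
    -Description 'HTTPS from the Internet to the web tier' `
    -Direction Inbound -Priority 100 -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443

# ... and handed to New-AzureRmNetworkSecurityGroup; the default rules are added for you
$nsg = New-AzureRmNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg `
    -Location $loc -SecurityRules $httpsIn

# Outbound to one partner API over TCP 443 (203.0.113.10 is a documentation address).
# NSGs are stateful, so the replies to this VM-initiated flow need no inbound rule.
$nsg = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-PartnerAPI-Out' `
    -Direction Outbound -Priority 200 -Access Allow -Protocol Tcp `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix 203.0.113.10/32 -DestinationPortRange 443

# Explicit low-numbered Deny for RDP: a broad Allow added later with a higher
# number (e.g. 500) cannot expose port 3389, because 110 is evaluated first.
$nsg = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Deny-RDP-In' `
    -Direction Inbound -Priority 110 -Access Deny -Protocol Tcp `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

# Nothing since New-AzureRmNetworkSecurityGroup touched Azure; this call writes the rule set
$nsg = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Remove one rule and commit again
$nsg = Remove-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Deny-RDP-In'
$nsg = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Delete the NSG. Azure refuses while any subnet or NIC still references it,
# so check the association lists first instead of catching the error.
$nsg = Get-AzureRmNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg
if ($nsg.Subnets.Count -eq 0 -and $nsg.NetworkInterfaces.Count -eq 0) {
    Remove-AzureRmNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg -Force
} else {
    Write-Warning 'nsg-web is still associated with a subnet or NIC; disassociate it before deleting'
}
```

Keeping the two Set-AzureRmNetworkSecurityGroup calls visible is deliberate: a script that adds rules and exits without that call leaves Azure unchanged, which is a common reason for "the rule is there in my script but not in the portal".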

Associating NSGs to resources

Once we've configured NSGs with the desired rule sets, we can move on to associate them with the appropriate resources: subnets or network interface cards (NICs). In the Resource Manager model this is also how you protect VMs, since a VM is filtered by the NSGs on its NIC and on its subnet.

To associate an existing NSG with a specified subnet, pass the NSG to Set-AzureRmVirtualNetworkSubnetConfig with the -NetworkSecurityGroup parameter and then write the virtual network back with Set-AzureRmVirtualNetwork:

To disassociate an NSG from a subnet, clear the NetworkSecurityGroup reference of the subnet configuration and update the virtual network again:

To associate an existing NSG with a NIC, set the NetworkSecurityGroup property of the interface object to the NSG and apply it with Set-AzureRmNetworkInterface:

To disassociate an NSG from a NIC, set that property to $null and apply the interface object again:
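Both associations and their removal, as one added example (my own code, not from the original post). It attaches an NSG to a subnet and to a NIC, verifies the link from both sides, and detaches it again. It assumes the AzureRM module, a logged-in session, and these placeholder names: NSG nsg-web and virtual network vnet-prod with subnet snet-web in resource group rg-network, and NIC vm-web01-nic in resource group rg-compute (a different resource group from the NSG, which is allowed; a different region is not).

```powershell
# Added example; not part of the original post. Assumes the AzureRM module and a
# session from Login-AzureRmAccount. All resource names are assumed.

$nsg  = Get-AzureRmNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName 'rg-network'
$vnet = Get-AzureRmVirtualNetwork       -Name 'vnet-prod' -ResourceGroupName 'rg-network'
$snet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web'

# --- Subnet: edit the subnet config inside the local VNet object, then write the VNet back.
#     -AddressPrefix is mandatory, so the existing prefix is passed through unchanged.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web' `
    -AddressPrefix $snet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

# --- NIC: set the NetworkSecurityGroup property and write the NIC back
$nic = Get-AzureRmNetworkInterface -Name 'vm-web01-nic' -ResourceGroupName 'rg-compute'
$nic.NetworkSecurityGroup = $nsg
$nic = Set-AzureRmNetworkInterface -NetworkInterface $nic

# --- Verify from the NSG side (resource IDs only) ...
$nsg = Get-AzureRmNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName 'rg-network'
'NSG subnets: ' + (($nsg.Subnets           | ForEach-Object { $_.Id.Split('/')[-1] }) -join ', ')
'NSG NICs:    ' + (($nsg.NetworkInterfaces | ForEach-Object { $_.Id.Split('/')[-1] }) -join ', ')
# ... and from the resource side
'Subnet NSG:  ' + (Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web').NetworkSecurityGroup.Id
'NIC NSG:     ' + $nic.NetworkSecurityGroup.Id

# --- Detach: clear the reference on the child object and write the parent back.
#     The subnet config returned here is the live entry in $vnet.Subnets, so
#     assigning $null to it and saving the VNet removes the association.
$snet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web'
$snet.NetworkSecurityGroup = $null
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

$nic.NetworkSecurityGroup = $null
$nic = Set-AzureRmNetworkInterface -NetworkInterface $nic
```

When a NIC and its subnet both carry an NSG, remember that an inbound flow must pass both rule sets; attaching a permissive NSG to a NIC does not bypass a stricter one on the subnet, and vice versa.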

Conclusion

We've seen how to manage NSGs and perform common tasks using PowerShell. In my next post, I will look at advanced NSG features such as augmented security rules, service tags, and application security rules.


2 Comments
  1. Arjun Bahree 11 months ago

    NSGs in Azure cannot be attached to Azure RM VMs, but only with NICs and Subnets under the new Azure RM model. They can be only attached to Azure Classic VMs, which is not supported under the new ARM model.

  2. Author
    Baki Onur Okutucu 11 months ago

    Thanks for pointing that out, Arjun.

    Yeah, that's correct; in the ARM model VMs cannot be associated directly with NSGs. On the other hand, a preview feature named Application Security Group (ASG) enables us to group NICs already attached to VMs in order to create computer groups such as WebServerVMs, DBServerVMs, etc. This way, we can indirectly specify groups of VMs in NSG rules as a source or a destination.

© 4sysops 2006 - 2018