How to manage Network Security Groups (NSG) in Azure

Share this:

Microsoft Azure allows the administrator to control the traffic in subnets using the Network Security Group (NSG) feature. In this Tutorial we are going over the basics and we will be creating, associating and adding rules to the NSG component.


For any new VM created in a subnet we will have by default these following network rules:

  • Traffic among subnets is allowed (no restrictions)
  • The VM will have RDP (using a random port) and PowerShell as shown in the image below
  • All VMs can access the Internet


A NSG can be applied to a subnet, or even a VM, however for this Tutorial we are going to apply to a subnet. Let’s use the following network scenario in our Tutorial were we have a subnet called AP-DMZ and we are going to deploy a few ADFS Proxy servers on that subnet.


You may be wondering, what is the difference between endpoint ACLs and NSGs, so the answer is simple the endpoint ACLs are applied only to the inbound traffic using the Public IP. Using NSG we can control inbound and outbound traffic.

How to create a NSG…

The first step is to connect to Windows Azure using PowerShell, if you don’t remember how to do this, please check this Tutorial out:

All NSG management is done through Powershell at this point, so from now on all the configuration will be done using PoweShell.

In order to create a NSG we just need to specify a name, datacenter location, and a label. The following cmdlet can be used:

New-AzureNetworkSecurityGroup –Name <nome-do-NSG> –Location <Local-do-Azure-Datacenter> –Label “ADFS Proxy DMZ NSG”


Associating a subnet…

In order to list all NSGs, we can run Get-AzureNetworkSecurityGroup and we can use piple “|” to associate the NSG to a specific subnet.

In the example below we are associating our subnet AP-DMZ to the new NSG that we have just created:

Get-AzureNetworkSecurityGroup –Name <NSG-Nome> | Set-AzureNetworkSecurityGroupToSubnet –VirtualNetworkName <Azure-NetworkName> –SubnetName <Subnet-Nome>


After associating a default NSG to a subnet all the existent endpoint will not work anymore, if you need to enable RDP or PowerShell they must be enabled at the NSG level using rules.

Creating a NSG rule…

Every NSG rule has a priority and they are applied from lower numbers to higher numbers. A rule is formed of several items (9 in total), such as: name, type, priority, souce ip address, source port range, destination ip range, destination port range, protocol, and access.

Using the following cmdlet we will allow 443 incoming traffic in our NSG:

Get-AzureNetworkSecurityGroup –Name AZNA-NSG-DMZ | Set-AzureNetworkSecurityRule –Name IN-Internet-HTTPS -Type Inbound –Priority 100 –Action Allow –SourceAddressPrefix “INTERNET” –SourcePortRange * -DestinationAddressPrefix “” –DestinationPortRange 443 –Protocol TCP

Another example is listed below, in this one we are allowing RDP traffic from Windows Azure/On-premises network to our AP-DMZ subnet:

Get-AzureNetworkSecurityGroup –Name AZNA-NSG-DMZ | Set-AzureNetworkSecurityRule –Name IN-LAN-RDP-Type Inbound –Priority 120 –Action Allow –SourceAddressPrefix “VIRTUAL_NETWORK” –SourcePortRange * -DestinationAddressPrefix “” –DestinationPortRange 3389 –Protocol TCP

How to check the existent rules…

After creating all your rules you may have to maintain and document them. Using the following cmdlet we will have in a single glance all the rules in place for either inbound or outbound traffic.

Get-AzureNetworkSecurityGroup -Name “AZNA-NSG-DMZ” –Detailed


NSGs are a great resource to create DMZ and protect subnets in general when using Microsoft Azure.

Written by Anderson Patricio

Anderson Patricio is a Canadian Exchange Server MVP and MCSM (Solutions Master) and he contributes to the Microsoft Community with articles, tutorials, blog posts, forums and book reviews. He is a regular contributor at, and (Portuguese).