How to Configure Azure Network Security Group (NSG) Rules in Azure Portal?

What is Azure Network Security Group?

Azure Network Security Groups (NSGs) are a feature of Azure Virtual Networks (VNets) that allow administrators to control inbound and outbound network traffic to and from Azure resources. NSGs are a key component of Azure's network security strategy and can be used to help secure your workloads and applications running in Azure.

NSGs are used to define access control lists (ACLs) that can be applied to one or more virtual machines or subnets within a VNet. They can be used to secure traffic within a VNet or between VNets and the internet. They can also be used in conjunction with Azure Firewall, a managed firewall service that provides additional security capabilities such as application-level rules and threat intelligence. They work alongside Azure Virtual Network (VNet) Peering, which allows you to connect two or more Azure VNets together, and Azure ExpressRoute, which allows you to connect your on-premises infrastructure to Azure via a dedicated, private connection.

Create an NSG in Azure

Step 1: Log in to the Azure Portal (https://portal.azure.com/)

Step 2: In the Azure global search bar, type "Network security group" and select it from the results.

Step 3: Click on "Create" to create a new Network security group (NSG).

In the "Basics" tab, enter the following information:

  • Subscription: Select the subscription you want to use.
  • Resource group: Select an existing resource group or create a new one.
  • Name: Enter a name for the NSG.
  • Location: Select the region where you want the NSG to be created.

Step 4: Click on the "Review + create" button to review your settings.

Step 5: Click on the "Create" button to begin creating the NSG.

Once the NSG is created, you can add security rules to it by following the steps under "Configure NSG Rules" below.

Configure NSG Rules

Step 1: Go to the "Network security groups" page in the Azure Portal

Step 2: Click on the NSG you just created.

Step 3: In the "Overview" tab, click on the "Add inbound rule" or "Add outbound rule" button.

Step 4: In the "Add inbound security rule" or "Add outbound security rule" pane, configure the settings for the rule:
  • Name: Enter a name for the rule.
  • Priority: Enter a priority number for the rule. Lower numbers have higher priority.
  • Protocol: Select the protocol for the rule (TCP, UDP, or Any).
  • Source: Select the source IP address or address range for the rule.
  • Destination: Select the destination IP address or address range for the rule.
  • Destination port: Select the destination port or port range for the rule.
  • Action: Select the action to take when the rule is matched (Allow or Deny).

Step 5: Click on the "Add" button to create the rule.

Note: You can repeat steps 3-5 to add more rules to the NSG.

Check out some examples here:

Add an inbound network security group rule with destination port 3389 to allow RDP access.

  • Name: AllowRDPInbound
  • Port: 3389
  • Protocol: TCP
  • Source: Virtual Network
  • Destination: Virtual Network
  • Action: Allow
  • Priority: 100

Add an inbound network security group rule with destination port 22 to allow SSH access:

  • Name: AllowSSHInbound
  • Port: 22
  • Protocol: TCP
  • Source: Virtual Network
  • Destination: Virtual Network
  • Action: Allow
  • Priority: 200

Add an inbound network security group rule with destination port 443 to allow HTTPS access:

  • Name: AllowPort443Inbound
  • Port: 443
  • Protocol: TCP
  • Source: Virtual Network
  • Destination: Virtual Network
  • Action: Allow
  • Priority: 300

Add an inbound network security group rule with destination port 80 to allow HTTP access:

  • Name: AllowPort80Inbound
  • Port: 80
  • Protocol: TCP
  • Source: Virtual Network
  • Destination: Virtual Network
  • Action: Allow
  • Priority: 400

Add an inbound network security group rule to allow Azure Monitor access:

  • Name: AllowAzureMonitorInbound
  • Port: *
  • Protocol: *
  • Source: AzureMonitor
  • Destination: Virtual Network
  • Action: Allow
  • Priority: 500

Deny all Inbound Access:

  • Name: DenyAllInBound
  • Port: *
  • Protocol: *
  • Source: *
  • Destination: *
  • Action: Deny
  • Priority: 600

You can add many more inbound or outbound network security group rules to control and restrict access to your services.
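To make the rule fields from Step 4 concrete, here is an added Python model (not code from the article, and not Azure's own evaluation engine) that loads the six example rules above, appends the three inbound default rules every NSG carries (AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound), and evaluates a few constructed flows in priority order: the rule with the lowest priority number that matches decides, and nothing after it is consulted. It goes slightly beyond the article by also flagging rules that can never match because a catch-all rule sits in front of them. The prefixes behind the VirtualNetwork, AzureMonitor and AzureLoadBalancer service tags are placeholders invented for the example; Azure resolves the real ones itself.

```python
"""Simplified, offline model of inbound NSG rule evaluation.

Added example: not code from the article and not Azure's engine. It only shows
how the fields from Step 4 (priority, protocol, source, destination, destination
port, action) combine: rules are tried in ascending priority and the first match
decides; nothing with a higher priority number is consulted afterwards.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first (custom rules use 100-4096)
    protocol: str      # "TCP", "UDP", "ICMP" or "*"
    source: str        # CIDR, service tag or "*"
    destination: str   # CIDR, service tag or "*"
    dest_port: str     # "22", "8000-8080" or "*"
    action: str        # "Allow" or "Deny"


# Constructed stand-ins for service tags (an assumption for this example only;
# Azure resolves the real prefixes behind each tag itself).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],         # assumed VNet address space
    "AzureMonitor": ["192.0.2.0/24"],          # documentation range, NOT the real tag
    "AzureLoadBalancer": ["198.51.100.1/32"],  # documentation range, NOT the real tag
}

# The six example rules from the article, as inbound rules.
CUSTOM_RULES = [
    Rule("AllowRDPInbound", 100, "TCP", "VirtualNetwork", "VirtualNetwork", "3389", "Allow"),
    Rule("AllowSSHInbound", 200, "TCP", "VirtualNetwork", "VirtualNetwork", "22", "Allow"),
    Rule("AllowPort443Inbound", 300, "TCP", "VirtualNetwork", "VirtualNetwork", "443", "Allow"),
    Rule("AllowPort80Inbound", 400, "TCP", "VirtualNetwork", "VirtualNetwork", "80", "Allow"),
    Rule("AllowAzureMonitorInbound", 500, "*", "AzureMonitor", "VirtualNetwork", "*", "Allow"),
    Rule("DenyAllInBound", 600, "*", "*", "*", "*", "Deny"),
]

# Inbound default rules present in every NSG; they cannot be deleted, only
# overridden by a custom rule with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "*", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

ALL_RULES = CUSTOM_RULES + DEFAULT_RULES


def _address_matches(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])  # a tag expands to prefixes; else spec is a CIDR
    return any(ip_address(addr) in ip_network(p, strict=False) for p in prefixes)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def evaluate(rules: List[Rule], protocol: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol.upper())
                and _address_matches(rule.source, src)
                and _address_matches(rule.destination, dst)
                and _port_matches(rule.dest_port, dport)):
            return rule.action, rule.name
    return "Deny", "<implicit>"  # never reached while the default rules are present


def unreachable_rules(rules: List[Rule]) -> List[Tuple[int, str]]:
    """List (priority, name) of every rule that sits behind a catch-all rule.

    A rule matching any protocol, source, destination and port ends evaluation
    for all traffic, so rules with a higher priority number can never match.
    This is a quick review check, not a full overlap analysis.
    """
    ordered = sorted(rules, key=lambda r: r.priority)
    for i, rule in enumerate(ordered):
        if (rule.protocol, rule.source, rule.destination, rule.dest_port) == ("*", "*", "*", "*"):
            return [(r.priority, r.name) for r in ordered[i + 1:]]
    return []


if __name__ == "__main__":
    # Constructed sample flows (protocol, source, destination, destination port).
    flows = [("TCP", "10.0.1.5", "10.0.2.7", 22),     # SSH from inside the VNet
             ("TCP", "203.0.113.9", "10.0.2.7", 22),  # SSH from the internet
             ("TCP", "10.0.1.5", "10.0.2.7", 8080),   # unlisted port inside the VNet
             ("UDP", "192.0.2.44", "10.0.2.7", 514)]  # traffic from the AzureMonitor tag
    for flow in flows:
        print(flow, "->", evaluate(ALL_RULES, *flow))
    print("unreachable:", unreachable_rules(ALL_RULES))
```

Running it shows two things worth knowing before you save the rule set: the custom DenyAllInBound at priority 600 blocks the internet-sourced SSH attempt, which is the intended effect, but it also shadows the default AllowVnetInBound at 65000, so traffic inside the VNet on any port other than 3389, 22, 443 and 80 is now denied as well. The `unreachable_rules` check lists the three default rules for exactly that reason; if you need other intra-VNet ports, add explicit Allow rules with a priority number below 600.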

Associate an NSG with a Subnet in Azure:

Step 1: Log in to the Azure Portal >> Navigate to Network security groups >> Select your target NSG

Step 2: After selecting the NSG >> From the page menu, select Subnets >> Click on Associate.

That's it, you are done associating an NSG with a subnet in the Azure Portal.