Azure Fundamentals · Lesson

Network Security Groups and Application Security Groups

Filter inbound and outbound traffic with NSG rules, and group VMs logically with Application Security Groups to simplify rule management.

What Is a Network Security Group?

A Network Security Group (NSG) acts as a virtual firewall for Azure resources. It contains a list of security rules that allow or deny inbound and outbound network traffic based on source IP, destination IP, port number, and protocol. NSGs can be associated with subnets (affecting all resources in the subnet) or with individual network interfaces (affecting a single VM). When both a subnet NSG and a NIC NSG exist, Azure evaluates both — for inbound traffic, the subnet NSG is applied first; for outbound, the NIC NSG is applied first.

# Create an NSG
az network nsg create \
  --resource-group myRG \
  --name myNSG

NSG Rule Structure

Each NSG rule has the following properties:

  - Priority — a number between 100 and 4096; lower numbers are evaluated first.
  - Source/Destination — an IP address, CIDR range, service tag, or application security group.
  - Source/Destination Port — specific port numbers or ranges (e.g., 80, 443, 3389, or 1024-65535).
  - Protocol — TCP, UDP, ICMP, or Any.
  - Action — Allow or Deny.

Rules are evaluated in priority order; the first matching rule wins. If no rule matches, the default rules apply: deny all inbound and allow all outbound traffic.

# Allow HTTPS inbound from the internet
az network nsg rule create \
  --resource-group myRG \
  --nsg-name myNSG \
  --name AllowHTTPS \
  --priority 110 \
  --direction Inbound \
  --source-address-prefixes Internet \
  --destination-port-ranges 443 \
  --protocol Tcp \
  --access Allow
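
The evaluation order described above (lowest priority number first, first match wins, subnet NSG then NIC NSG for inbound traffic), as an added example that is not part of the original lesson and is not Azure's own code. It is a simplified Python model: the rule names and addresses are constructed, source matching handles only IPv4 CIDR ranges and `*` (no service tags or application security groups), and only the final deny-all inbound default is modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # IPv4 CIDR range or "*" (service tags are not modelled)
    port: str       # "443", "1024-65535" or "*"
    protocol: str   # "Tcp", "Udp", "Icmp" or "*"
    access: str     # "Allow" or "Deny"

# Simplification: only the final deny-all inbound default is modelled.
DEFAULT_INBOUND = Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny")

def matches(rule, src_ip, port, protocol):
    net = ipaddress.ip_network("0.0.0.0/0" if rule.source == "*" else rule.source)
    if ipaddress.ip_address(src_ip) not in net or rule.protocol not in ("*", protocol):
        return False
    if rule.port == "*":
        return True
    low, _, high = rule.port.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(nsg, src_ip, port, protocol):
    """Return the first matching rule in priority order, else the default."""
    for rule in sorted(nsg, key=lambda r: r.priority):
        if matches(rule, src_ip, port, protocol):
            return rule
    return DEFAULT_INBOUND

def inbound_allowed(subnet_nsg, nic_nsg, src_ip, port, protocol):
    """Inbound: subnet NSG first, then NIC NSG; every NSG present must allow."""
    for nsg in (subnet_nsg, nic_nsg):
        if nsg is not None and evaluate(nsg, src_ip, port, protocol).access != "Allow":
            return False
    return True

# Constructed sample rules (documentation address ranges).
SUBNET_NSG = [
    Rule("DenyBlockedRange", 200, "203.0.113.0/24", "*", "*", "Deny"),
    Rule("AllowHTTPS", 110, "*", "443", "Tcp", "Allow"),
]
NIC_NSG = [Rule("AllowRDPFromAdmin", 100, "198.51.100.0/24", "3389", "Tcp", "Allow")]

if __name__ == "__main__":
    print(evaluate(SUBNET_NSG, "203.0.113.7", 443, "Tcp").name)
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, "192.0.2.1", 443, "Tcp"))
```

In the sample data, the Allow at priority 110 wins over the Deny at priority 200 for port 443, and HTTPS is still blocked once the NIC NSG is attached because that NSG has no rule for port 443.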
