Network Security Groups (NSGs) control inbound and outbound network traffic to resources inside an Azure Virtual Network (VNet). An NSG contains ordered security rules that explicitly allow or deny traffic based on source, destination, protocol, and port.

Where you can associate an NSG

  • Subnet — applies rules to all resources within the subnet.
  • Network interface (NIC) — applies rules to a single virtual machine or NIC.
An NSG can be associated with multiple subnets and NICs so the same policy can be reused across resources. When an NSG is applied at both the subnet and NIC level, traffic must be allowed by both NSGs to traverse to the VM.

How NSG rules are evaluated

Rules are evaluated in order of their numeric priority (lower number = higher precedence). Azure also enforces built-in system rules that provide default behavior; these cannot be deleted but can be effectively overridden by higher-precedence custom rules.
Resource association   Effect
Subnet                 Controls traffic for all resources in that subnet (applies to traffic entering/exiting the subnet).
NIC                    Controls traffic for the specific VM's network interface (applies after subnet rules).

Common rule properties

Property      Description                                                         Example
priority      Numeric order for evaluation; lower numbers take precedence.        100, 200
name          Unique identifier for the rule within the NSG.                      Allow-SSH-From-AdminNet
protocol      TCP, UDP, or * (Any).                                               TCP
port(s)       Single port or range.                                               22, 3389, 80-443
source        CIDR IP range, service tag, or Application Security Group (ASG).    203.0.113.0/24, Internet, VirtualNetwork
destination   CIDR, service tag, or ASG.                                          10.0.1.0/24, ApplicationGateway
action        Allow or Deny.                                                      Allow
[Figure: slide "NSG Rules" showing tables of inbound and outbound NSG rules with columns Priority, Name, Port, Protocol, Source, Destination and Action (Allow/Deny); example entries include an RDP_Inbound rule for port 3389 and the default Allow/Deny rules for VirtualNetwork, AzureLoadBalancer and Internet.]

Default system rules

Azure NSGs include built-in rules that provide baseline connectivity. These default rules cannot be removed and have fixed priorities:
  • AllowVNet (service tag: VirtualNetwork) — permits traffic inside the VNet.
  • AllowAzureLoadBalancer (service tag: AzureLoadBalancer) — permits load balancer health probes.
  • AllowInternet (outbound) and DenyAll (both directions) — AllowInternetOutBound permits outbound internet access; DenyAllInBound and DenyAllOutBound deny any traffic not matched by a higher-precedence rule.
Custom rules should be created with numeric priorities in the range 100–4096 that Azure allows for custom rules. To override a default rule, create a custom rule with a lower numeric priority (higher precedence), and place more specific rules ahead of broader ones so they are matched first. Prefer service tags and Application Security Groups over hard-coded IP addresses for flexible, maintainable rules.
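To make the evaluation order concrete, here is an added Python model (not Azure's code and not from the original page) of how one NSG picks the first match by ascending priority, how the built-in rules catch whatever is left, and how subnet and NIC NSGs are combined. The VNet range 10.0.0.0/16 is an assumption, and service tags are approximated by small prefix lists.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Added example modelling NSG evaluation; not Azure's code. Service tags are stood in
# for by small hypothetical prefix lists (the real tags are maintained by Microsoft).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # assumed VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure's health-probe source address
}
# priority: lower number wins; port is the destination port ("22", "80-443" or "*").
Rule = namedtuple("Rule", "priority name direction protocol source destination port access")
# Built-in rules: fixed priorities, cannot be deleted, beaten by any lower number.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Inbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "*", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "Inbound", "*", "*", "*", "*", "Deny"),
    Rule(65000, "AllowVnetOutBound", "Outbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowInternetOutBound", "Outbound", "*", "*", "Internet", "*", "Allow"),
    Rule(65500, "DenyAllOutBound", "Outbound", "*", "*", "*", "*", "Deny"),
]

def addr_matches(addr, spec):
    if spec == "*":
        return True
    if spec == "Internet":  # simplified: any address outside the VNet
        return not addr_matches(addr, "VirtualNetwork")
    return any(ip_address(addr) in ip_network(p) for p in SERVICE_TAGS.get(spec, [spec]))

def port_matches(port, spec):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(custom_rules, direction, protocol, src, dst, dport):
    """One NSG: the first matching rule in ascending priority order decides."""
    for r in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and addr_matches(src, r.source) and addr_matches(dst, r.destination)
                and port_matches(dport, r.port)):
            return r.access, r.name
    raise RuntimeError("unreachable: a DenyAll default always matches")

def effective_access(subnet_rules, nic_rules, *flow):
    """Subnet NSG and NIC NSG must both allow a flow for it to reach the VM."""
    access, name = evaluate(subnet_rules, *flow)
    if access == "Deny":
        return "Deny", "subnet:" + name
    access, name = evaluate(nic_rules, *flow)
    return access, "nic:" + name
```

A useful case to try: an SSH allow rule on the subnet NSG alone still yields a Deny, because the NIC NSG's DenyAllInBound default has nothing overriding it.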

Service tags and Application Security Groups (ASGs)

Use service tags (e.g., VirtualNetwork, Internet, AzureLoadBalancer) and ASGs to simplify rule management:
  • Service tags represent a group of IP address prefixes for Azure services and are maintained by Microsoft.
  • ASGs group NICs or VMs by application role, allowing you to create rules that refer to the group instead of individual IPs.
These features reduce rule churn and improve readability of NSG rule sets.

Common use cases

  • Open a management port from a known IP range (e.g., RDP TCP 3389 or SSH TCP 22).
  • Restrict web tier access to only a load balancer or an application gateway.
  • Allow only specific application-to-application traffic using ASGs for micro-segmentation.

Example: create an NSG and add a rule

Azure CLI
# Create an NSG
az network nsg create \
  --resource-group MyResourceGroup \
  --name MyNSG

# Add an inbound rule to allow SSH from a specific IP range
az network nsg rule create \
  --resource-group MyResourceGroup \
  --nsg-name MyNSG \
  --name Allow-SSH-Admin \
  --priority 100 \
  --source-address-prefixes 203.0.113.0/24 \
  --destination-port-ranges 22 \
  --access Allow \
  --protocol Tcp \
  --direction Inbound
PowerShell
# Create NSG (-Location is required by New-AzNetworkSecurityGroup; "eastus" is a placeholder region)
New-AzNetworkSecurityGroup -ResourceGroupName "MyResourceGroup" -Name "MyNSG" -Location "eastus"

# Add a rule
$rule = New-AzNetworkSecurityRuleConfig -Name "Allow-SSH-Admin" `
  -Description "Allow SSH from admin network" -Access Allow -Protocol Tcp `
  -Direction Inbound -Priority 100 -SourceAddressPrefix "203.0.113.0/24" `
  -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 22

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName "MyResourceGroup" -Name "MyNSG"
$nsg.SecurityRules.Add($rule)
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
Be careful when adding restrictive rules, especially for management ports: a misconfigured NSG rule can lock you out of your virtual machines. Test new rules on a low-risk host first, or add a temporary allow rule for your own IP address before applying the change broadly.

Best practices

  • Use least privilege: only open required ports and limit source ranges.
  • Prefer service tags and ASGs over static IPs.
  • Use clear, consistent naming conventions that include intent and scope (e.g., Allow-HTTP-From-ALB).
  • Keep rule sets minimal and remove obsolete rules.
  • Monitor and log traffic (Network Watcher, NSG flow logs) to validate rules and detect anomalies.
With these concepts and examples, you can design NSG rule sets that meet both security and operational needs while remaining manageable and easy to audit.