Last updated: May 2026

Network Security Groups (NSG)

A Network Security Group (NSG) is Azure's virtual firewall — a set of rules that filter network traffic to and from Azure resources. NSGs are one of the most fundamental and frequently tested topics in AZ-104. Every production resource should have an NSG, and understanding how rules interact, how priority works, and how to troubleshoot connectivity issues with NSGs is essential for real-world Azure.

What you'll learn What NSGs are and how they work · Inbound and outbound rules · Rule properties — priority, protocol, ports, source/destination · Default rules that exist in every NSG · Applying NSGs to subnets and NICs · Traffic evaluation order · Application Security Groups (ASG) · Effective security rules · Creating NSGs via CLI

What is an NSG?

An NSG is a list of security rules that allow or deny inbound and outbound network traffic. Rules are evaluated in priority order. The first matching rule wins — processing stops at that rule.

Note (NSG is Stateful): NSGs are stateful — if you allow inbound traffic on a port, the return traffic (outbound response) is automatically allowed. You don't need to create both inbound and outbound rules for a single connection.

Rule Properties

Every NSG rule has these properties:

| Property         | Description                                          | Examples                                |
|------------------|------------------------------------------------------|-----------------------------------------|
| Priority         | 100–4096. Lower = higher priority. First match wins. | 100, 200, 300...                        |
| Name             | Descriptive rule name                                | Allow-HTTP, Deny-SSH                    |
| Protocol         | TCP, UDP, ICMP, or Any (*)                           | TCP                                     |
| Source           | IP, CIDR, Service Tag, or ASG                        | 10.0.1.0/24, Internet, VirtualNetwork   |
| Source Port      | Port or range (usually * for inbound)                | *, 1024-65535                           |
| Destination      | IP, CIDR, Service Tag, or ASG                        | 10.0.2.0/24, VirtualNetwork             |
| Destination Port | Port or range                                        | 80, 443, 3389, 22, 80-443               |
| Action           | Allow or Deny                                        | Allow, Deny                             |

Service Tags

Service Tags are named groups of IP address prefixes managed by Microsoft. They simplify rules by representing groups of Azure services without requiring you to know specific IP ranges:

| Service Tag       | Represents                               |
|-------------------|------------------------------------------|
| Internet          | Public internet                          |
| VirtualNetwork    | VNet address space + connected networks  |
| AzureLoadBalancer | Azure Load Balancer health probe IPs     |
| Storage           | Azure Storage service IPs                |
| Sql               | Azure SQL Database IPs                   |
| AzureMonitor      | Azure Monitor service IPs                |

Default Rules

Every NSG has three default inbound rules and three default outbound rules that cannot be deleted — they can only be overridden by custom rules with a higher priority (lower number):

Default Inbound Rules

| Priority | Name                           | Source            | Destination    | Action |
|----------|--------------------------------|-------------------|----------------|--------|
| 65000    | AllowVnetInBound               | VirtualNetwork    | VirtualNetwork | Allow  |
| 65001    | AllowAzureLoadBalancerInBound  | AzureLoadBalancer | Any            | Allow  |
| 65500    | DenyAllInBound                 | Any               | Any            | Deny   |

Default Outbound Rules

| Priority | Name                     | Source         | Destination    | Action |
|----------|--------------------------|----------------|----------------|--------|
| 65000    | AllowVnetOutBound        | VirtualNetwork | VirtualNetwork | Allow  |
| 65001    | AllowInternetOutBound    | Any            | Internet       | Allow  |
| 65500    | DenyAllOutBound          | Any            | Any            | Deny   |

Key Insight: By default, all inbound traffic from the internet is blocked (DenyAllInBound at 65500). All outbound traffic to the internet is allowed (AllowInternetOutBound at 65001). All VNet-to-VNet traffic is allowed in both directions. This is why you need to add rules to allow inbound HTTP/SSH/RDP.

Applying NSGs

NSGs can be applied at two levels:

Subnet Level

Applies to all traffic entering/leaving the subnet. All resources in the subnet are subject to the rules. Best for applying consistent policies to a tier (e.g., all web servers).

NIC Level

Applies to traffic for a specific VM's network interface. Allows per-VM rules in addition to subnet-level rules.

Note (Both Subnet and NIC NSGs): If both a subnet NSG and a NIC NSG exist, traffic must pass BOTH. For inbound: subnet NSG first, then NIC NSG. For outbound: NIC NSG first, then subnet NSG. Both must allow the traffic.

Traffic Evaluation

For inbound traffic to a VM:

  1. Traffic hits the subnet NSG first
  2. Rules evaluated in priority order (lowest number first)
  3. First matching rule is applied — processing stops
  4. If allowed, traffic proceeds to the NIC NSG
  5. NIC NSG rules evaluated in same way
  6. If allowed by both, traffic reaches the VM
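The evaluation order above, together with the subnet-then-NIC rule from the note, modelled as a small simulator. This is an added example, not code from the original page or from Azure itself: the VNet address space 10.0.0.0/16 is assumed, the Internet and VirtualNetwork tags are simplified to "outside" and "inside" that space, and only two of the three default inbound rules are modelled (no load balancer probe traffic is considered).

```python
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # assumed VNet address space for this example

@dataclass
class Rule:
    priority: int   # 100-4096 for custom rules; lower number is evaluated first
    name: str
    source: str     # CIDR, "VirtualNetwork", "Internet" or "*"
    dest_port: str  # single port, "lo-hi" range or "*"
    protocol: str   # "TCP", "UDP", "ICMP" or "*"
    access: str     # "Allow" or "Deny"

# Two of the default inbound rules every NSG carries (AllowAzureLoadBalancerInBound
# is left out because no load balancer probe traffic is modelled here).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]

def src_matches(rule_src, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":
        return ip in VNET
    if rule_src == "Internet":          # simplification: Internet = outside the VNet
        return ip not in VNET
    return ip in ipaddress.ip_network(rule_src, strict=False)

def port_matches(rule_port, port):
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, port, proto):
    """First matching rule in priority order decides; processing stops there."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda x: x.priority):
        if (src_matches(r.source, src_ip) and port_matches(r.dest_port, port)
                and r.protocol in ("*", proto)):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")

def inbound_allowed(subnet_rules, nic_rules, src_ip, port, proto="TCP"):
    """Inbound: the subnet NSG is checked first, then the NIC NSG; both must allow."""
    return all(evaluate(rules, src_ip, port, proto)[0] == "Allow"
               for rules in (subnet_rules, nic_rules))
```

Passing an empty list as `nic_rules` models a NIC NSG that contains only the default rules, which is the situation in practice question Q3 below.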

Application Security Groups (ASG)

ASGs let you group VMs logically and use those groups in NSG rules instead of IP addresses. This makes rules readable and maintainable — especially as your infrastructure grows.

Azure CLI: Create ASGs and use them in NSG rules
# Create ASGs
az network asg create --name WebServers --resource-group myRG --location centralindia
az network asg create --name AppServers --resource-group myRG --location centralindia
az network asg create --name DbServers  --resource-group myRG --location centralindia

# Associate VM NIC with ASG
az network nic ip-config update \
  --resource-group myRG \
  --nic-name vm-web-nic \
  --name ipconfig1 \
  --application-security-groups WebServers

# Create NSG rule using ASGs
az network nsg rule create \
  --resource-group myRG \
  --nsg-name myNSG \
  --name Allow-Web-to-App \
  --priority 200 \
  --source-asgs WebServers \
  --destination-asgs AppServers \
  --destination-port-ranges 8080 \
  --protocol TCP \
  --access Allow

Effective Security Rules

When troubleshooting connectivity, check the Effective Security Rules for a NIC — it shows the combined result of both the subnet NSG and NIC NSG, making it easy to see exactly what is allowed and denied.

In the Azure Portal: VM → Networking → Network Interface → Effective security rules

Creating and Managing NSGs

Azure CLI: Create an NSG with common rules
# Create NSG
az network nsg create \
  --resource-group myRG \
  --name web-nsg \
  --location centralindia

# Allow HTTP inbound
az network nsg rule create \
  --resource-group myRG \
  --nsg-name web-nsg \
  --name Allow-HTTP \
  --priority 100 \
  --source-address-prefixes Internet \
  --destination-port-ranges 80 \
  --protocol TCP \
  --access Allow

# Allow HTTPS inbound
az network nsg rule create \
  --resource-group myRG \
  --nsg-name web-nsg \
  --name Allow-HTTPS \
  --priority 110 \
  --source-address-prefixes Internet \
  --destination-port-ranges 443 \
  --protocol TCP \
  --access Allow

# Attach NSG to subnet
az network vnet subnet update \
  --resource-group myRG \
  --vnet-name myVNet \
  --name web-subnet \
  --network-security-group web-nsg

Common NSG Rule Examples

| Use Case                     | Direction | Port    | Protocol | Source                    |
|------------------------------|-----------|---------|----------|---------------------------|
| Allow web traffic            | Inbound   | 80, 443 | TCP      | Internet                  |
| Allow SSH (Linux VMs)        | Inbound   | 22      | TCP      | Your IP or Bastion subnet |
| Allow RDP (Windows VMs)      | Inbound   | 3389    | TCP      | Your IP or Bastion subnet |
| Allow app tier from web tier | Inbound   | 8080    | TCP      | Web subnet CIDR           |
| Allow SQL from app tier      | Inbound   | 1433    | TCP      | App subnet CIDR           |
| Deny all other inbound       | Inbound   | *       | *        | Any                       |

AZ-104 Exam Tip: Know the three default inbound rules (VNet allow, LB allow, deny all) and default outbound rules (VNet allow, Internet allow, deny all). Know that lower priority number = higher precedence. Know that NSGs are stateful. Know that both subnet and NIC NSGs must allow traffic for it to reach a VM.
Practice Questions

AZ-104 style questions.
Q1. An NSG has two inbound rules: Priority 100 — Allow TCP port 80 from Internet, and Priority 200 — Deny TCP port 80 from Internet. What happens to HTTP traffic?
  A. HTTP traffic is allowed — Priority 100 Allow rule matches first
  B. HTTP traffic is denied — the Deny rule overrides the Allow rule
  C. HTTP traffic is dropped — conflicting rules cancel each other out
  D. HTTP traffic is blocked until the conflict is manually resolved

Q2. By default (without custom rules), can a VM in Azure access the internet (outbound)?
  A. Yes — the default AllowInternetOutBound rule allows all outbound internet traffic
  B. No — all outbound traffic is denied by default
  C. Only if a custom Allow rule is created for port 443
  D. Only if the VM has a public IP address

Q3. A VM has both a subnet NSG and a NIC NSG. The subnet NSG allows inbound port 80, but the NIC NSG has no rule for port 80 (only the default deny-all). Can HTTP traffic reach the VM?
  A. Yes — the subnet NSG allow rule is sufficient
  B. No — traffic must pass both NSGs; the NIC NSG denies it
  C. Yes — Azure merges the rules from both NSGs automatically
  D. Yes — NIC NSG rules take precedence over subnet NSG rules

Q4. What is the purpose of Application Security Groups (ASG)?
  A. To encrypt traffic between application tiers
  B. To group VMs logically so they can be used as source/destination in NSG rules instead of IP addresses
  C. To automatically scale VMs based on traffic patterns
  D. To load balance traffic between VMs in the same tier

Q5. What is the priority range for custom NSG rules?
  A. 100 to 4096
  B. 1 to 100
  C. 1000 to 65000
  D. Any number — no limit
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.