Network Security Groups In Azure Networking


Network Security Group (NSG) is just a group of Access Control List (ACL) rules that allow or deny network traffic to your VM instances in a Virtual Network. NSGs can be associated with the following.

  1. Virtual Machines - the rules get applied only to the Virtual Machine to which it is associated.
  2. Subnets - In this case, the rules get applied to all the Virtual Machines associated with the Subnet.

When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet. In addition, traffic to an individual VM can be restricted further by associating an NSG, directly to that VM.

In this article, we will learn how to create an NSG group and the default Inbound and Outbound rules which get created by default, when you create an NSG.

Let’s get started using Azure Management Portal.

Click on Network Security Group in the menu, as shown below.

You will be taken to the Network Security Group blade where you see all the existing NSGs. As shown in the below screen, click on “Add” button.

You will be taken to the following blade.

Provide a meaningful name for the NSG. In your production scenarios with different environments and multiple servers, you might have to create multiple NSGs. Please be cautious in naming the NSGs. Select the Subscription, Resource Group, and Location, based on your requirements.

Now, clicking on “Create” button will create the NSG, as shown in the below screenshot.

Given below is the NSG’s Overview blade which provides the basic details of NSG that we have just created.

Let’s review the default Inbound Security and Outbound Security rules getting created automatically. Though the above screen shows that the count of both type of rules is Zero (0), there are three Inbound and three outbound default rules that get created when you create a Network Security Group.

Click on Inbound security rules or Outbound security rules box to navigate to the respective Rules Blade, as shown below.

Default Inbound Rules

Below is the table that provides details about the default rules.

Rule Name Description
AllowVnetInBound Allow Inbound traffic coming from any VM to any VM within the VNet
AllowAzureLoadBalancerInBound Allow traffic from the default Load Balancer to any VM within the VNet
DenyAllInBound Deny traffic from any external Source to any of the VMs

Default Outbound Rules

Rule Name Description
AllowVnetOutBound Allow Outbound traffic going from any VM to any VM within VNet
AllowInternerOutBound Allow Outbound traffic going to internet from any VM
DenyAllOutBound Deny traffic from any Internal VM to any other system outside VNet

Please note that you cannot delete these default rules.


You have learned the following.

  1. What is a Network Security Group
  2. Where can we use Network Security Group
  3. Default Inbound and Outbound Rules that get created when you create a Network Security Group.

You can read the original article here.