Create an Azure Network Security Group using ARM PowerShell

Posted on June 2, 2016 by Russell Smith in Microsoft Azure with


In today’s Ask the Admin, I’ll show you how to create a Network Security Group in Azure using PowerShell.

A year ago I wrote a primer on creating Network Security Groups (NSGs) using PowerShell, which you can read on Petri here. NSGs differ from endpoint-based ACLs in that they can be applied to more than one VM by associating them with NICs or subnets. They also survive the lifecycle of VMs and are typically used to fence off Azure subnets from one another without needing to specify endpoint-based network ACLs for each VM in the subnet.

Microsoft’s new portal for Azure has been made generally available since I wrote the original article, and along with it a new deployment model called Azure Resource Manager (ARM). For a better understanding of ARM, see “What are Microsoft Azure Resource Groups?” on the Petri IT Knowledgebase.

And starting in Azure PowerShell 1.0, ARM has its own distinct cmdlets, which I’ll use in this demo to create a NSG. If you haven’t yet installed Azure PowerShell 1.0 or higher, read “Install Azure PowerShell 1.0 Preview” on Petri.

Before running the code below, you’ll need to have a Resource Group, virtual network (VNET) and subnet. If you don’t already have these resources deployed in your Azure subscription, see “Provision a domain using a Microsoft Azure Resource Manager template” on Petri, where I show you how to deploy a VM running Active Directory, including a Resource Group, VNET and subnet.

Create a Network Security Group

Let’s get started. Open Windows PowerShell ISE, and log in to your Microsoft account using the Login-AzureRmAccount cmdlet. Then run the rest of the code shown below to select an Azure subscription, Resource Group (RG), and to define a variable with a name for the new NSG.

By default, new NSG groups come with a set of default rules to allow inbound and outbound traffic from other VMs and load balancers in the same VNET. Any additional rules must be added manually.


In this example, I’ll add a rule, using the New-AzureRmNetworkSecurityRuleConfig cmdlet, to allow inbound RDP traffic on port 3389. Once the rule is configured, then I’ll create the new NSG using the New-AzureRmNetworkSecurityGroup cmdlet.

To view the NSG rule configuration, you can use the Get-AzureRmNetworkSecurityGroup cmdlet as shown here to display the default and custom security rules:

Azure Network Security Group (NSG) default rules (Image Credit: Russell Smith)

Azure Network Security Group (NSG) default rules (Image Credit: Russell Smith)

Finally, we need to associate the NSG with a subnet. The Get-AzureRmVirtualNetwork cmdlet is used to retrieve network information so that you can choose which subnet to associate with the NSG. It’s worth noting that the -NetworkSecurityGroup parameter of the Set-AzureRmVirtualNetworkSubnetConfig cmdlet must be a PowerShell object, and not a string.

Associating a NSG with an Azure subnet (Image Credit: Russell Smith)

Associating a NSG with an Azure subnet (Image Credit: Russell Smith)


In this article, I showed you how to create a new Network Security Group and add a custom security rule using ARM PowerShell cmdlets.



Tagged with , , ,

Register for this Webinar