Network Security Groups can be applied to a VM or to a subnet, and in some cases to both. In certain cases (e.g. turning a VM into a DMZ host), it may be better to attach an individual Network Security Group to the VM, with precise rules controlling the traffic to that VM, rather than relying only on the subnet-level group.

I already use Endpoint ACLs on my VM endpoints, can I also use Network Security Groups?

  • No. You can use either Endpoint ACLs or Network Security Groups on a VM, not both. Remove the endpoint ACLs from the VM's endpoints first, then associate the VM with a Network Security Group.

I have multiple NICs in my VM, will the Network Security Group rules apply to traffic on all the NICs?

  • No. The Network Security Group rules apply only to traffic on the primary NIC. The capability to associate a Network Security Group directly with a NIC is planned for a future release.

I created a Network Security Group, what are my next steps?

After you have created a Network Security group, look at the default rules by running the command:

  • Get-AzureNetworkSecurityGroup -Name "MyVNetSG" -Detailed

This shows you the default rules. As a next step, associate the Network Security Group with a VM or subnet, then add rules to control the network traffic on that entity. Rule changes take effect within a few minutes (usually within seconds), so verify the effective rules before relying on them.

I have defined an RDP endpoint for my VM and I am using a Network Security Group. Do I need an access control rule to connect to the RDP port from the Internet?

  • Yes. The default rules in a Network Security Group do not allow access to any port from the Internet (only traffic from the virtual network and the Azure load balancer is allowed inbound), so you have to create a specific inbound rule that allows RDP traffic.
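The following script ties the FAQ answers above together (removing endpoint ACLs, inspecting default rules, adding an RDP rule, associating the group with a VM or subnet). It is an added example written for this page, not code from the original post, and uses the classic (ASM) Azure PowerShell cmdlets that the `Get-AzureNetworkSecurityGroup` command above belongs to. The NSG name "MyVNetSG", cloud service "MyService", VM "MyVM", VNet "MyVNet", subnet "FrontEnd", the endpoint name "RDP" and the admin network 203.0.113.0/24 are assumptions for illustration, as are the property names used in the verification step.

```powershell
# Added example (not from the original post): classic (ASM) Azure PowerShell.
# All names and addresses below are assumptions for illustration.
$nsgName   = 'MyVNetSG'
$location  = 'West US'
$service   = 'MyService'
$vmName    = 'MyVM'
$vnetName  = 'MyVNet'
$subnet    = 'FrontEnd'
$adminCidr = '203.0.113.0/24'   # documentation range standing in for the admin network

# 1. Create the NSG and look at its default rules: VNet and Azure load balancer
#    traffic is allowed inbound, everything else from the Internet is denied.
New-AzureNetworkSecurityGroup -Name $nsgName -Location $location -Label 'Front-end NSG' | Out-Null
Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed |
    Select-Object -ExpandProperty Rules |
    Format-Table Name, Type, Priority, Action, SourceAddressPrefix, DestinationPortRange -AutoSize

# 2. Endpoint ACLs and NSGs cannot coexist on a VM: drop the ACL on the RDP endpoint first.
Get-AzureVM -ServiceName $service -Name $vmName |
    Remove-AzureAclConfig -EndpointName 'RDP' |
    Update-AzureVM

# 3. The default rules block RDP from the Internet, so add an explicit inbound allow.
#    Scope the source to the admin network instead of the broad 'INTERNET' tag;
#    a lower priority number is evaluated first, so 100 beats the 65xxx defaults.
Get-AzureNetworkSecurityGroup -Name $nsgName |
    Set-AzureNetworkSecurityRule -Name 'Allow-RDP-Admin' -Type Inbound -Priority 100 -Action Allow `
        -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '3389' -Protocol TCP | Out-Null

# 4a. Associate the NSG with the VM (rules apply to the primary NIC only) ...
Get-AzureVM -ServiceName $service -Name $vmName |
    Set-AzureNetworkSecurityGroupAssociation -NetworkSecurityGroupName $nsgName |
    Update-AzureVM

# 4b. ... or with a subnet, so every VM placed in that subnet is covered.
Get-AzureNetworkSecurityGroup -Name $nsgName |
    Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnetName -SubnetName $subnet

# 5. Verify: the new rule should appear ahead of the default deny, and the subnet
#    should report the association. Rules take effect within minutes, usually seconds.
Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed |
    Select-Object -ExpandProperty Rules |
    Where-Object { $_.Name -eq 'Allow-RDP-Admin' -or $_.Priority -ge 65000 } |
    Format-Table Name, Priority, Action -AutoSize
Get-AzureNetworkSecurityGroupForSubnet -VirtualNetworkName $vnetName -SubnetName $subnet
```

If the VM must be reachable from anywhere, replace `$adminCidr` with the `INTERNET` tag, but prefer a narrow source range: an RDP port open to the whole Internet is the setting most often found behind brute-force compromises of cloud VMs.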

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Posted by Anuj Varma on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.