articles/virtual-network/network-security-groups-overview.md
Lines changed: 8 additions & 8 deletions
@@ -6,7 +6,7 @@ services: virtual-network
author: asudbring
ms.service: azure-virtual-network
ms.topic: concept-article
-
ms.date: 07/09/2025
+
ms.date: 07/15/2025
ms.author: allensu
ms.reviewer: kumud
ms.custom: FY23 content-maintenance
@@ -28,15 +28,15 @@ A network security group contains network security rules as desired, within Azur
|---------|---------|
|Name | A unique name within the network security group. The name can be up to 80 characters long. It must begin with a word character, and it must end with a word character or with `_`. The name can contain word characters, `.`, `-`, or `\_`. |
|Priority | A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities aren't processed.</br> **Azure default security rules are given the lowest priority (highest number) to ensure your custom rules are always processed first.**|
-
|Source or destination | You can specify Any, an individual IP address, a CIDR block (for example, 10.0.0.0/24), a [service tag](#service-tags), or an [application security group](#application-security-groups). To specify a particular Azure resource, use the private IP address assigned to the resource. For inbound traffic, network security groups process traffic after Azure translates public IP addresses to private IP addresses. For outbound traffic, network security groups process traffic before translating private IP addresses to public IP addresses.</br> Enter a range, service tag, or application security group to reduce the number of security rules needed. Augmented security rules allow specifying multiple individual IP addresses and ranges in a single rule. However, you can't specify multiple service tags or application groups in a single rule. Augmented security rules are only available in network security groups created through the Resource Manager deployment model. In the classic deployment model, multiple IP addresses and ranges can't be specified in a single rule.</br> As an example, if the source is subnet 10.0.1.0/24 (where VM1 is located) and the destination is subnet 10.0.2.0/24 (where VM2 is located), the network security group filters traffic for VM2. This behavior occurs because the NSG is associated with VM2's network interface.|
+
|Source or destination | You can specify Any, an individual IP address, a CIDR block (for example, 10.0.0.0/24), a [service tag](#service-tags), or an [application security group](#application-security-groups). To specify a particular Azure resource, use the private IP address assigned to the resource. For inbound traffic, network security groups process traffic after Azure translates public IP addresses to private IP addresses. For outbound traffic, network security groups process traffic before translating private IP addresses to public IP addresses.</br> Enter a range, service tag, or application security group to reduce the number of security rules needed. Augmented security rules allow specifying multiple individual IP addresses and ranges in a single rule. However, you can't specify multiple service tags or application groups in a single rule. Augmented security rules are only available in network security groups created through the Resource Manager deployment model. In the classic deployment model, multiple IP addresses and ranges can't be specified in a single rule.</br> For example, if the source is subnet 10.0.1.0/24 (where VM1 is located) and the destination is subnet 10.0.2.0/24 (where VM2 is located), the network security group filters traffic for VM2. This behavior occurs because the NSG is associated with VM2's network interface.|
|Protocol | TCP, UDP, ICMP, ESP, AH, or Any. The ESP and AH protocols aren't currently available via the Azure portal but can be used via ARM templates. |
|Direction | Whether the rule applies to inbound or outbound traffic. |
|Port range | You can specify an individual port or ranges of ports. For example, you could specify 80 or 10000-10005; or for a mix of individual ports and ranges, you can separate them with commas, such as 80, 10000-10005. Specifying ranges and comma separation empowers you to create fewer security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You can't specify multiple ports or port ranges in the same security rule in network security groups created through the classic deployment model. |
|Action | Allow or deny your specified traffic. |
-
Security rules are evaluated and applied based on the five-tuple information of source, source port, destination, destination port, and protocol. You can't create two security rules with the same priority and direction, as this can introduce a conflict in how the system processes traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true, where if inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.
+
Security rules are evaluated and applied based on the five-tuple information of source, source port, destination, destination port, and protocol. You can't create two security rules with the same priority and direction. Two security rules with the same priority and direction can introduce a conflict in how the system processes traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.
-
When you remove a security rule that allowed a connection, existing connections remain uninterrupted. Network security group rules only affect new connections. New or updated rules in a network security group apply exclusively to new connections, leaving existing connections unaffected by the changes. For example, if you have an active SSH session to a virtual machine and then remove the security rule allowing that SSH traffic, your current SSH session will remain connected and functional. However, if you try to establish a new SSH connection after the security rule removal, that new connection attempt will be blocked.
+
When you remove a security rule that allowed a connection, existing connections remain uninterrupted. Network security group rules only affect new connections. New or updated rules in a network security group apply exclusively to new connections, leaving existing connections unaffected by the changes. For example, if you have an active SSH session to a virtual machine and then remove the security rule allowing that SSH traffic, your current SSH session remains connected and functional. However, if you try to establish a new SSH connection after the security rule removal, that new connection attempt will be blocked.
There are limits to the number of security rules you can create in a network security group and other properties of the network security group. For details, see [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#azure-resource-manager-virtual-networking-limits).
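Review bot: the "+" line that changes "your current SSH session will remain connected" to "remains connected" leaves the next clause as "that new connection attempt will be blocked"; finish the tense change with "is blocked" so the two sentences in that paragraph read consistently. In the same hunk, "The opposite is true. If inbound traffic is allowed over a port, ..." is choppy; "The reverse also applies: if inbound traffic is allowed over a port, ..." keeps the intent of splitting the original run-on without the abrupt fragment. Unchanged context worth a follow-up in the same table: the Name row lists the allowed characters as `.`, `-`, or `\_`, and inside backticks the backslash renders literally, so it should be `_`, matching the earlier mention in the same cell.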
@@ -106,15 +106,15 @@ Application security groups enable you to configure network security as a natura
Security admin rules are global network security rules that enforce security policies onto virtual networks. Security admin rules originate from Azure Virtual Network Manager, a management service that enables network administrators to group, configure, deploy, and manage virtual networks globally across subscriptions.
-
Security admin rules always have a higher priority than network security group rules and thus are evaluated first. "Allow" security admin rules will continue for evaluation by matching network security group rules. "Always allow" and "Deny" security admin rules, however, terminate traffic evaluation after the security admin rule is processed. "Always allow" security admin rules send traffic directly to the resource, bypassing potentially conflicting network security group rules. "Deny" security admin rules block the traffic without delivering it to the destination, enforcing baseline security policy without risk of network security group conflict, misconfiguration, or introduction of security gaps. These security admin rule action types can be useful for enforcing traffic delivery and preventing conflicting or unintended behavior by downstream network security group rules.
+
Security admin rules always have a higher priority than network security group rules and thus are evaluated first. "Allow" security admin rules continue for evaluation by matching network security group rules. "Always allow" and "Deny" security admin rules, however, terminate traffic evaluation after the security admin rule is processed. "Always allow" security admin rules send traffic directly to the resource, bypassing potentially conflicting network security group rules. "Deny" security admin rules block the traffic without delivering it to the destination. These rules enforce baseline security policy without risk of network security group conflict, misconfiguration, or introduction of security gaps. These security admin rule action types can be useful for enforcing traffic delivery and preventing conflicting or unintended behavior by downstream network security group rules.
-
This behavior is important to understand, as traffic matching security admin rules of "Always allow" or "Deny" action types will not reach network security group rules for further evaluation. To learn more, see [Security admin rules](../virtual-network-manager/concept-security-admins.md).
+
This behavior is important to understand, as traffic matching security admin rules of "Always allow" or "Deny" action types don't reach network security group rules for further evaluation. To learn more, see [Security admin rules](../virtual-network-manager/concept-security-admins.md).
Flow timeout settings determine how long a flow record remains active before expiring. You can configure this setting using the Azure portal or through the command line. For more details, see [NSG flow logs overview](../network-watcher/nsg-flow-logs-overview.md?tabs=Americas#non-default-inbound-tcp-rules).
+
Flow timeout settings determine how long a flow record remains active before expiring. You can configure this setting using the Azure portal or through the command line. For more information, see [NSG flow logs overview](../network-watcher/nsg-flow-logs-overview.md?tabs=Americas#non-default-inbound-tcp-rules).
## Azure platform considerations
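Review bot: the "+" line "traffic matching security admin rules of "Always allow" or "Deny" action types don't reach network security group rules" has a subject-verb mismatch; the subject is "traffic", so it should read "doesn't reach". Two lines up, splitting off "These rules enforce baseline security policy without risk of network security group conflict, ..." into its own sentence detaches that claim from the "Deny" rules it qualified in the "-" line and now reads as if it covers "Always allow" rules too; "Deny rules enforce baseline security policy ..." keeps the original scope. Also, the flow-timeout sentence links to nsg-flow-logs-overview.md at the anchor #non-default-inbound-tcp-rules, which does not obviously describe flow timeout settings; worth confirming the target resolves to the intended section before merging.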
@@ -154,4 +154,4 @@ Flow timeout settings determine how long a flow record remains active before exp
* If you're having communication problems and need to troubleshoot network security groups, see [Diagnose a virtual machine network traffic filter problem](diagnose-network-traffic-filter-problem.md).
-
* Learn how to enable [virtual network flow logs](../network-watcher/vnet-flow-logs-overview.md) to analyze network traffic flowing through a virtual network that may match an associated network security group.
+
* Learn how to enable [virtual network flow logs](../network-watcher/vnet-flow-logs-overview.md) to analyze network traffic flowing through a virtual network that might match an associated network security group.