Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Azure / Azure Stack – IaaS VM ARM Network Security Group

An important feature in the new Azure Resource Manager API for Virtual Machine Services are the Network Security Groups. But why are they so important?

At the end of June Microsoft announced the general availability for the Azure Virtual Machine services in Azure Resource Manager and with this announcement the new Azure VM services will become more popular.

-> http://azure.microsoft.com/en-us/updates/general-availability-azure-virtual-machine-services-in-azure-resource-manager/

Let us call the current VM services in Azure v1 and the new VM services v2. If you deploy a VM with a public IP via ARM you will discover an essential difference between v1 and v2. A v1 VM is running under a Cloud Service and has endpoints defined. Without an endpoint a v1 VM is not accessible through the public IP. A v2 VM does not run under a Cloud Service and has no endpoints, so the v2 VM is directly accessible through the public IP interface. The only instance that allows incoming traffic is the Windows Firewall of the VM itself. Here comes the Network Security Group into play.

The Network Security Group is a more flexible solution to define inbound and outbound rules for the network traffic. You can assign Network Security Groups to a specific NIC that is assigned to a VM or you can assign NSGs to a Virtual Network Subnet.

If you have not defined a NSG in your ARM JSON template I strongly recommend to create a NSG afterwards through the Azure PowerShell cmdlets and define a RDP inbound rule for accessing the VM. Afterwards you attach the NSG to the NIC of the VM to add the extra boundary.


New-AzureNetworkSecurityGroup -Name “Azure-Stack-NSG” -ResourceGroupName $ResourceGroupName -Location $Location

Set-AzureNetworkSecurityRuleConfig -Name “Azure-Stack-RDP” -NetworkSecurityGroup $NSG -Description “RDP Access” -Protocol “Tcp” -SourcePortRange “*” -SourceAddressPrefix “Internet” -DestinationPortRange “3389” –DestinationAddressPrefix “” -Access “Allow” -Priority 4096 -Direction “Inbound”

Set-AzureNetworkSecurityGroup -NetworkSecurityGroup $NSG

As you can see it is very easy to create the NSG afterwards. The final step is, as I said, to attach the NSG to the NIC. You can do that through the NSG settings or through the NIC settings via the Azure Preview Portal.


Last step to apply the NSG settings to the NIC of the VM is a reboot of the VM itself.

For a comparison between the v1 VM capabilities and the v2 VM capabilities have a look at the following Azure documentation.

-> https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-azurerm-versus-azuresm/

WordPress Cookie Notice by Real Cookie Banner