Cannot create Inbound Security Rule in NSG

Question

Cannot create Inbound Security Rule in NSG

IT 110 0

I cannot add an inbound security rule to allow RDP in my Network security group. It's a simple rule from any source to any destination for RDP's TCP port 3389. I've tried multiple times. The error is:

"Failed to update security rule 'AllowRDP'. Error: There was an error processing your request. Try again in a few moments." I have tried for a couple days at different times of day. I even started over creating a new server VM first.

When I try to create the rule using Azure CLI instead of the portal, it can't find the resource group. But the group definitely exists in the portal. I checked to make sure the right subscription ID was being used.

Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator

2025-10-13T07:21:08.16+00:00
Hi IT 110,

Welcome to Microsoft Q&A and Thanks for sharing the details of the issue. Based on the error you're encountering when trying to create the inbound NSG rule for RDP, here are some common causes and suggestions to help troubleshoot and fix the problem:

1.Check NSG Configuration:

Ensure that the source, destination, and port settings match what's needed for RDP (TCP port 3389). You could set the source to Any, or if you have specific IP addresses, you can list those.

2.Verify Subscription and Resource Group:

Double-check that you are working in the correct Azure subscription and the relevant resource group in the Azure portal before creating the rule. You mentioned having issues with Azure CLI detecting the resource group, so make sure that your CLI is configured to the right subscription using the command:

az account set --subscription "Your Subscription Name"

3.Diagnostic Insights:

Use Azure Network Watcher to check the connectivity and ensure that there are no other rules blocking your traffic.

4.Network Security Group Limits:

Remember, NSGs have limits on the number of rules you can create. Ensure you haven't hit these limits. You can check Azure limits for specifics.

5.Use Azure Bastion:

If the issue continues, consider using Azure Bastion for RDP access. It connects directly to your VMs over TLS without needing to expose them through inbound rules.

6.Recreate the NSG:

As a last resort, if the NSG seems corrupted, you can delete it and create a new one but be careful as this can disrupt traffic.

Additional Resources to refer for more info:

Configuring and Troubleshooting NSG Rules

Diagnose Network Security Rules

Network Security Groups Overview

If the problem persists after trying these steps, here are some follow-up questions to help narrow down the issue:

What specific Azure region is your NSG and VM located in?

Are there any existing rules in the NSG that could potentially conflict with the RDP rule?

Can you confirm that the NSG is indeed associated with the correct VM?

Are you receiving any specific error codes when trying to perform these actions through the Azure CLI?

What exact steps are you following to create the NSG rule, either via the portal or CLI?

Looking forward to your reply and happy to assist further!

Thanks,

Harish.
IT 110 0 Reputation points

2025-10-13T17:10:01.4133333+00:00
Note that I have created Entra DS using the normal default process. I then added Server2019 as a VM using normal, default settings. But I cannot remote into the Server2019 VM, since TCP port 3389 for RDP is blocked by the NSG.

I've tried steps 1-4. I'm using Azure for Free right now. It does not let me use Bastion or to delete the existing network security group. Here are answers to the follow-up questions:

Both are in the East US region.

Just the default rules - no conflicts.

Subnet is properly associated.

Error: Operation returned an invalid status 'Bad request" but everything looks right.

Using Azure portal. Going to resource group and then select the aadds-nsg. Under Settings, select Inbound security rules. Click +Add. Choose Any for Source, Source port ranges *, Destination any, Service RDP, Action Allow, Priority 311, name Allow RDP, click Add.
Resulting error: Failed to create security rule Failed to create security rule 'AllowRDP'. Error: There was an error processing your request. Try again in a few moments.
Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator

2025-10-14T09:37:32.6333333+00:00

Hi IT 110,

Thanks for the detailed update, that really helps clarify the situation.

From what you've described, you're using Azure Entra Domain Services (Entra DS) and encountering errors when trying to create an inbound RDP rule on the aadds-nsg.

The aadds-nsg is automatically created and managed by Azure when Entra DS is deployed. This NSG is locked down and cannot be modified manually, not even for adding inbound RDP rules. That’s the reason you’re seeing the vague “Bad request” error both in the portal and CLI.

This is expected behavior by design, to ensure the security of the managed domain.

To allow RDP access to your Server 2019 VM, you’ll need to:

Create a new Virtual Network (VNet) manually — outside of the Entra DS deployment.

Create a custom NSG with your own rules (including RDP inbound).

Deploy a new Server2019 VM into this new VNet.

Add the NSG to the VM's subnet or network interface (NIC).

If needed, peer this VNet with the Entra DS VNet so the new VM can still communicate with the domain controllers.

This approach gives you full control over NSG rules while still allowing domain join functionality if needed.

Since you're on the Free tier, you might have limitations around advanced features like Azure Bastion, but creating a new VNet + NSG is fully supported and should resolve the issue.

Please do let me know if you have any questions on this.

Thanks,

Harish
Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator

2025-10-16T01:58:59.49+00:00

Hi IT 110,

Good day, i hope you are doing great!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.

1 answer

Your answer

IT 110 0 Reputation points

2025-10-13T17:10:01.4133333+00:00

Note that I have created Entra DS using the normal default process. I then added Server2019 as a VM using normal, default settings. But I cannot remote into the Server2019 VM, since TCP port 3389 for RDP is blocked by the NSG.

I've tried steps 1-4. I'm using Azure for Free right now. It does not let me use Bastion or to delete the existing network security group. Here are answers to the follow-up questions:

Both are in the East US region.

Just the default rules - no conflicts.

Subnet is properly associated.

Error: Operation returned an invalid status 'Bad request" but everything looks right.

Using Azure portal. Going to resource group and then select the aadds-nsg. Under Settings, select Inbound security rules. Click +Add. Choose Any for Source, Source port ranges *, Destination any, Service RDP, Action Allow, Priority 311, name Allow RDP, click Add.
Resulting error: Failed to create security rule Failed to create security rule 'AllowRDP'. Error: There was an error processing your request. Try again in a few moments.
Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator

2025-10-14T09:37:32.6333333+00:00

Hi IT 110,

Thanks for the detailed update, that really helps clarify the situation.

From what you've described, you're using Azure Entra Domain Services (Entra DS) and encountering errors when trying to create an inbound RDP rule on the aadds-nsg.

The aadds-nsg is automatically created and managed by Azure when Entra DS is deployed. This NSG is locked down and cannot be modified manually, not even for adding inbound RDP rules. That’s the reason you’re seeing the vague “Bad request” error both in the portal and CLI.

This is expected behavior by design, to ensure the security of the managed domain.

To allow RDP access to your Server 2019 VM, you’ll need to:

Create a new Virtual Network (VNet) manually — outside of the Entra DS deployment.

Create a custom NSG with your own rules (including RDP inbound).

Deploy a new Server2019 VM into this new VNet.

Add the NSG to the VM's subnet or network interface (NIC).

If needed, peer this VNet with the Entra DS VNet so the new VM can still communicate with the domain controllers.

This approach gives you full control over NSG rules while still allowing domain join functionality if needed.

Since you're on the Free tier, you might have limitations around advanced features like Azure Bastion, but creating a new VNet + NSG is fully supported and should resolve the issue.

Please do let me know if you have any questions on this.

Thanks,

Harish
Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator

2025-10-16T01:58:59.49+00:00

Hi IT 110,

Good day, i hope you are doing great!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.

Answer 1

Hi IT 110,

Good day, i hope you are doing great!
Welcome to Microsoft Q&A and Thanks for engaging in this discussion and providing detailed follow-up. Let’s summarize this thread with the key findings, root cause, and the steps to resolve your issue regarding creating an inbound RDP rule in your Network Security Group (NSG).

Summary of the Issue:

As You mentioned that you:

Created Azure Entra Domain Services (Entra DS) using default settings.

Deployed a Windows Server 2019 VM in the same environment.

Tried adding an inbound RDP rule (TCP port 3389) to allow remote desktop access.

Encountered the following error, both via Portal and CLI:

“Failed to create security rule 'AllowRDP'. Error: There was an error processing your request. Try again in a few moments.” Azure CLI: “Operation returned an invalid status 'Bad Request'.”

You also confirmed:

Both VM and NSG are in East US region.

Only default rules exist; no apparent conflicts.

Subnet is properly associated.

You are currently using the Azure Free tier, which limits Bastion usage and certain actions like deleting managed NSGs.

Root Cause:

The aadds-nsg (Network Security Group created with Azure Entra Domain Services) is automatically managed and locked by Azure. This NSG is provided as part of the managed domain deployment to secure domain resources, and it cannot be modified manually—including adding custom inbound rules like RDP.

This design prevents accidental exposure of the domain controllers or weakening of domain-level security. Hence, the “Bad request” error occurs when you attempt to modify it through the portal or CLI.

For reference:

Network security for Azure Entra Domain Services

Network Security Groups overview

Recommended Solution:

To enable RDP access to your custom Server 2019 VM, you’ll need to deploy it outside the managed Entra DS VNet:

Create a new Virtual Network (VNet) separately from the Entra DS VNet.

Create a new NSG within that VNet and configure your inbound RDP rule (TCP 3389) as needed.

Deploy the new VM within this custom VNet and associate the NSG with either the subnet or VM NIC.

If you still need the VM to communicate with Entra DS for authentication or joining the domain, peer the two VNets (your custom VNet ↔ Entra DS-managed VNet).

This ensures secure, domain-aware communication while retaining full control of NSG rules.

If you prefer not to expose RDP on port 3389, another option (once your subscription allows) is to use Azure Bastion for TLS-based VM access.

Additional References:

Manage network security groups

Diagnose network traffic filtering problems

Azure subscription service limits including NSG rules

This behavior is by design, and creating your own VNet/NSG combination is the correct and supported approach. Feel free to reply if you have any further questions or need guidance on VNets and peering setup.

If the information resolved your issue, kindly consider accepting the answer — it will help others who might be facing similar challenges.

Thanks,

Harish

Share via

Cannot create Inbound Security Rule in NSG

1 answer

Your answer