Introduction to NSG Diagnostics in Azure Network Watcher

The Network Security Group (NSG) Diagnostics is an Azure Network Watcher tool that helps you understand which network traffic is allowed or denied in your Azure Virtual Network along with detailed information for debugging. It can help you in understanding if your NSG rules are configured correctly.


To use NSG Diagnostics, Network Watcher must be enabled in your subscription. See Create an Azure Network Watcher instance to enable.


  • Your resources in Azure are connected via virtual networks (VNets) and subnets. The security of these VNets and subnets can be managed using network security groups (NSGs).
  • An NSG contains a list of security rules that allow or deny network traffic to resources it's connected to. An NSG can be associated to a virtual network subnet or individual network interface (NIC) attached to a virtual machine (VM).
  • All traffic flows in your network are evaluated using the rules in the applicable NSG.
  • Rules are evaluated based on priority number from lowest to highest.

How does NSG Diagnostics work?

For a given flow, after you provide details like source and destination, the NSG Diagnostics tool runs a simulation of the flow and returns whether the flow would be allowed or denied with detailed information about the security rule allowing or denying the flow.

Next steps

Use NSG Diagnostics using REST API, PowerShell, and Azure CLI.