Microsoft.Network networkSecurityGroups
Bicep resource definition
The networkSecurityGroups resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Remarks
For guidance on creating network security groups, see Create virtual network resources by using Bicep.
Resource format
To create a Microsoft.Network/networkSecurityGroups resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    flushConnection: bool
    securityRules: [
      {
        id: 'string'
        name: 'string'
        properties: {
          access: 'string'
          description: 'string'
          destinationAddressPrefix: 'string'
          destinationAddressPrefixes: [
            'string'
          ]
          destinationApplicationSecurityGroups: [
            {
              id: 'string'
              location: 'string'
              properties: {}
              tags: {}
            }
          ]
          destinationPortRange: 'string'
          destinationPortRanges: [
            'string'
          ]
          direction: 'string'
          priority: int
          protocol: 'string'
          sourceAddressPrefix: 'string'
          sourceAddressPrefixes: [
            'string'
          ]
          sourceApplicationSecurityGroups: [
            {
              id: 'string'
              location: 'string'
              properties: {}
              tags: {}
            }
          ]
          sourcePortRange: 'string'
          sourcePortRanges: [
            'string'
          ]
        }
        type: 'string'
      }
    ]
  }
}
```
Property values
networkSecurityGroups
Name | Description | Value |
---|---|---|
name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
location | Resource location. | string |
tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
properties | Properties of the network security group. | NetworkSecurityGroupPropertiesFormat |
NetworkSecurityGroupPropertiesFormat
Name | Description | Value |
---|---|---|
flushConnection | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updated. Initial enablement will trigger re-evaluation. | bool |
securityRules | A collection of security rules of the network security group. | SecurityRule[] |
SecurityRule
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Properties of the security rule. | SecurityRulePropertiesFormat |
type | The type of the resource. | string |
SecurityRulePropertiesFormat
Name | Description | Value |
---|---|---|
access | The network traffic is allowed or denied. | 'Allow' 'Deny' (required) |
description | A description for this rule. Restricted to 140 chars. | string |
destinationAddressPrefix | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. | string |
destinationAddressPrefixes | The destination address prefixes. CIDR or destination IP ranges. | string[] |
destinationApplicationSecurityGroups | The application security group specified as destination. | ApplicationSecurityGroup[] |
destinationPortRange | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string |
destinationPortRanges | The destination port ranges. | string[] |
direction | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | 'Inbound' 'Outbound' (required) |
priority | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | int (required) |
protocol | Network protocol this rule applies to. | '*' 'Ah' 'Esp' 'Icmp' 'Tcp' 'Udp' (required) |
sourceAddressPrefix | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. | string |
sourceAddressPrefixes | The CIDR or source IP ranges. | string[] |
sourceApplicationSecurityGroups | The application security group specified as source. | ApplicationSecurityGroup[] |
sourcePortRange | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string |
sourcePortRanges | The source port ranges. | string[] |
ApplicationSecurityGroup
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
location | Resource location. | string |
properties | Properties of the application security group. | ApplicationSecurityGroupPropertiesFormat |
tags | Resource tags. | object |
ApplicationSecurityGroupPropertiesFormat
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Managed Azure Active Directory Domain Services | This template deploys a Managed Azure Active Directory Domain Service with required VNet and NSG configurations. |
AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault. |
App Gateway with WAF, SSL, IIS and HTTPS redirection | This template deploys an Application Gateway with WAF, end-to-end SSL and HTTP to HTTPS redirect on the IIS servers. |
Create an IPv6 Application Gateway | This template creates an application gateway with an IPv6 frontend in a dual-stack virtual network. |
Application Security Groups | This template shows how to put together the pieces to secure workloads using NSGs with Application Security Groups. It deploys a Linux VM running NGINX and, through the use of Application Security Groups on Network Security Groups, allows access to ports 22 and 80 on a VM assigned to the Application Security Group called webServersAsg. |
Azure Bastion as a Service with NSG | This template provisions Azure Bastion in a Virtual Network. |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
Create sandbox of Azure Firewall, client VM, and server VM | This template creates a virtual network with 2 subnets (server subnet and AzureFirewall subnet), a server VM, a client VM, a public IP address for each VM, and a route table to send traffic between VMs through the firewall. |
Create a Firewall, FirewallPolicy with Explicit Proxy | This template creates an Azure Firewall, FirewallPolicy with Explicit Proxy and Network Rules with IpGroups. Also includes a Linux jumpbox VM setup. |
Create a Firewall with FirewallPolicy and IpGroups | This template creates an Azure Firewall with FirewallPolicy referencing Network Rules with IpGroups. Also includes a Linux jumpbox VM setup. |
Create an Azure Firewall with IpGroups | This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also includes a Linux jumpbox VM setup. |
Create an Azure Firewall sandbox with forced tunneling | This template creates an Azure Firewall sandbox (Linux) with one firewall force tunneled through another firewall in a peered VNET. |
Create a sandbox setup of Azure Firewall with Linux VMs | This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges. |
Create a sandbox setup with Firewall Policy | This template creates a virtual network with 3 subnets (server subnet, jumpbox subnet and AzureFirewall subnet), a jumpbox VM with public IP, a server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges. |
Create a sandbox setup of Azure Firewall with Zones | This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, a server VM, UDR route to point to Azure Firewall for the ServerSubnet, an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3. |
ExpressRoute circuit with private peering and Azure VNet | This template configures ExpressRoute Microsoft peering, deploys an Azure VNet with an ExpressRoute gateway, and links the VNet to the ExpressRoute circuit. |
Create Azure Front Door in front of Azure API Management | This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management. |
Create an Azure Firewall with multiple IP public addresses | This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test. |
Secured virtual hubs | This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet. |
Create a cross-region load balancer | This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region. |
Standard Load Balancer with Backend Pool by IP Addresses | This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document. |
Create a load-balancer with a Public IPv6 address | This template creates an Internet-facing load-balancer with a Public IPv6 address, load balancing rules, and two VMs for the backend pool. |
Create a standard load-balancer | This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone. |
Virtual Network NAT with VM | Deploy a NAT gateway and virtual machine. |
Apply a NSG to an existing subnet | This template applies a newly created NSG to an existing subnet. |
Network Security Group with diagnostic logs | This template creates a Network Security Group with diagnostic logs and a resource lock. |
Multi tier VNet with NSGs and DMZ | This template deploys a Virtual Network with 3 subnets, 3 Network Security Groups and appropriate security rules to make the FrontEnd subnet a DMZ. |
Azure Route Server in BGP peering with Quagga | This template deploys a Route Server and Ubuntu VM with Quagga. Two external BGP sessions are established between the Route Server and Quagga. Installation and configuration of Quagga is executed by the Azure custom script extension for Linux. |
Create a Network Security Group | This template creates a Network Security Group. |
Create a Site-to-Site VPN Connection with VM | This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways. |
Site-to-Site VPN with active-active VPN Gateways with BGP | This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in configuration active-active with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. Template runs as expected in Azure regions with availability zones. |
Azure Traffic Manager VM example | This template shows how to create an Azure Traffic Manager profile load-balancing across multiple virtual machines. |
Azure Traffic Manager VM example with Availability Zones | This template shows how to create an Azure Traffic Manager profile load-balancing across multiple virtual machines placed in Availability Zones. |
User defined routes and Appliance | This template deploys a Virtual Network, VMs in respective subnets and routes to direct traffic to the appliance. |
201-vnet-2subnets-service-endpoints-storage-integration | Creates 2 new VMs with a NIC each, in two different subnets within the same VNet. Sets service endpoint on one of the subnets and secures storage account to that subnet. |
Add an NSG with Redis security rules to an existing subnet | This template allows you to add an NSG with preconfigured Azure Redis Cache security rules to an existing subnet within a VNET. Deploy into the resource group of the existing VNET. |
ARM template resource definition
The networkSecurityGroups resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Remarks
For guidance on creating network security groups, see Create virtual network resources by using Bicep.
Resource format
To create a Microsoft.Network/networkSecurityGroups resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2023-11-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "properties": {
    "flushConnection": "bool",
    "securityRules": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "access": "string",
          "description": "string",
          "destinationAddressPrefix": "string",
          "destinationAddressPrefixes": [ "string" ],
          "destinationApplicationSecurityGroups": [
            {
              "id": "string",
              "location": "string",
              "properties": {},
              "tags": {}
            }
          ],
          "destinationPortRange": "string",
          "destinationPortRanges": [ "string" ],
          "direction": "string",
          "priority": "int",
          "protocol": "string",
          "sourceAddressPrefix": "string",
          "sourceAddressPrefixes": [ "string" ],
          "sourceApplicationSecurityGroups": [
            {
              "id": "string",
              "location": "string",
              "properties": {},
              "tags": {}
            }
          ],
          "sourcePortRange": "string",
          "sourcePortRanges": [ "string" ]
        },
        "type": "string"
      }
    ]
  }
}
```
Property values
networkSecurityGroups
Name | Description | Value |
---|---|---|
type | The resource type | 'Microsoft.Network/networkSecurityGroups' |
apiVersion | The resource api version | '2023-11-01' |
name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
location | Resource location. | string |
tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
properties | Properties of the network security group. | NetworkSecurityGroupPropertiesFormat |
NetworkSecurityGroupPropertiesFormat
Name | Description | Value |
---|---|---|
flushConnection | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updated. Initial enablement will trigger re-evaluation. | bool |
securityRules | A collection of security rules of the network security group. | SecurityRule[] |
SecurityRule
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Properties of the security rule. | SecurityRulePropertiesFormat |
type | The type of the resource. | string |
SecurityRulePropertiesFormat
Name | Description | Value |
---|---|---|
access | The network traffic is allowed or denied. | 'Allow' 'Deny' (required) |
description | A description for this rule. Restricted to 140 chars. | string |
destinationAddressPrefix | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. | string |
destinationAddressPrefixes | The destination address prefixes. CIDR or destination IP ranges. | string[] |
destinationApplicationSecurityGroups | The application security group specified as destination. | ApplicationSecurityGroup[] |
destinationPortRange | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string |
destinationPortRanges | The destination port ranges. | string[] |
direction | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | 'Inbound' 'Outbound' (required) |
priority | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | int (required) |
protocol | Network protocol this rule applies to. | '*' 'Ah' 'Esp' 'Icmp' 'Tcp' 'Udp' (required) |
sourceAddressPrefix | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. | string |
sourceAddressPrefixes | The CIDR or source IP ranges. | string[] |
sourceApplicationSecurityGroups | The application security group specified as source. | ApplicationSecurityGroup[] |
sourcePortRange | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string |
sourcePortRanges | The source port ranges. | string[] |
ApplicationSecurityGroup
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
location | Resource location. | string |
properties | Properties of the application security group. | ApplicationSecurityGroupPropertiesFormat |
tags | Resource tags. | object |
ApplicationSecurityGroupPropertiesFormat
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
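As an added example (not part of the original reference and not Microsoft tooling), the following Python linter checks an ARM-style networkSecurityGroups resource against the constraints listed in the property tables above: the resource name pattern, the enum values, the 100-4096 priority range, the 140-character description limit and the port-range syntax. It also flags inbound Allow rules that pair a source of '*' or 'Internet' with destination port '*'. The function names, finding codes and sample resource are assumptions made for illustration; duplicate priorities are checked per direction, because Azure evaluates inbound and outbound rules separately.

```python
import re

# Constraints copied from the property tables on this page.
NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9_.-]{0,78}[A-Za-z0-9_])?")
ENUMS = {
    "access": {"Allow", "Deny"},
    "direction": {"Inbound", "Outbound"},
    "protocol": {"*", "Ah", "Esp", "Icmp", "Tcp", "Udp"},
}
ANY_SOURCE = {"*", "Internet"}  # prefixes that match traffic from anywhere


def valid_port(value):
    """Accept '*', a single port, or 'low-high', all within 0-65535."""
    if value == "*":
        return True
    parts = str(value).split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(0 <= n <= 65535 for n in nums) and nums[0] <= nums[-1]


def merged(props, single, plural):
    """Combine the singular and plural form of a prefix or port property."""
    values = list(props.get(plural) or [])
    if props.get(single) is not None:
        values.append(props[single])
    return values


def lint_nsg(resource):
    """Return (rule_name, finding_code) pairs for one NSG resource (hypothetical codes)."""
    findings = []
    if resource.get("type") != NSG_TYPE:
        findings.append(("<nsg>", "wrong-type"))
    if not NAME_RE.fullmatch(resource.get("name", "")):
        findings.append(("<nsg>", "bad-name"))

    seen = set()  # (direction, priority) pairs already used
    for rule in resource.get("properties", {}).get("securityRules", []):
        name, p = rule.get("name", "<unnamed>"), rule.get("properties", {})

        for field, allowed in ENUMS.items():  # required enum properties
            if p.get(field) not in allowed:
                findings.append((name, f"bad-{field}"))

        prio = p.get("priority")
        if not isinstance(prio, int) or isinstance(prio, bool) or not 100 <= prio <= 4096:
            findings.append((name, "bad-priority"))
        elif (p.get("direction"), prio) in seen:
            findings.append((name, "duplicate-priority"))
        else:
            seen.add((p.get("direction"), prio))

        if len(p.get("description", "")) > 140:
            findings.append((name, "description-too-long"))

        dst_ports = merged(p, "destinationPortRange", "destinationPortRanges")
        src_ports = merged(p, "sourcePortRange", "sourcePortRanges")
        if not all(valid_port(v) for v in dst_ports + src_ports):
            findings.append((name, "bad-port"))

        # Exposure check: inbound Allow from any source to every port.
        sources = merged(p, "sourceAddressPrefix", "sourceAddressPrefixes")
        if (p.get("direction") == "Inbound" and p.get("access") == "Allow"
                and ANY_SOURCE & set(sources) and "*" in dst_ports):
            findings.append((name, "open-to-any-source"))
    return findings


def _rule(name, **props):
    return {"name": name, "properties": props}


# Constructed sample resource (not from the page or any real deployment).
SAMPLE_NSG = {
    "type": NSG_TYPE,
    "apiVersion": "2023-11-01",
    "name": "web-nsg",
    "properties": {"securityRules": [
        _rule("allow-https", access="Allow", direction="Inbound", priority=100, protocol="Tcp",
              sourceAddressPrefix="Internet", sourcePortRange="*", destinationPortRange="443"),
        _rule("allow-all-in", access="Allow", direction="Inbound", priority=4097, protocol="*",
              sourceAddressPrefix="*", sourcePortRange="*", destinationPortRange="*"),
        _rule("deny-rdp", access="Deny", direction="Inbound", priority=100, protocol="Tcp",
              sourceAddressPrefix="*", sourcePortRange="*", destinationPortRange="3389"),
        _rule("allow-dns-out", access="Allow", direction="Outbound", priority=100, protocol="Udp",
              sourceAddressPrefix="VirtualNetwork", sourcePortRange="*", destinationPortRange="53"),
        _rule("bad-range", access="Allow", direction="Inbound", priority=200, protocol="Tcp",
              sourceAddressPrefixes=["10.0.0.0/24"], destinationPortRanges=["80-70000"]),
    ]},
}

if __name__ == "__main__":
    for rule_name, code in lint_nsg(SAMPLE_NSG):
        print(f"{rule_name}: {code}")
```

Run it in CI against the `resources` entries of a compiled template so that out-of-range or overly broad rules are caught before deployment.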
Terraform (AzAPI provider) resource definition
The networkSecurityGroups resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/networkSecurityGroups resource, add the following Terraform to your template.
```hcl
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/networkSecurityGroups@2023-11-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      flushConnection = bool
      securityRules = [
        {
          id = "string"
          name = "string"
          properties = {
            access = "string"
            description = "string"
            destinationAddressPrefix = "string"
            destinationAddressPrefixes = [
              "string"
            ]
            destinationApplicationSecurityGroups = [
              {
                id = "string"
                location = "string"
                properties = {}
                tags = {}
              }
            ]
            destinationPortRange = "string"
            destinationPortRanges = [
              "string"
            ]
            direction = "string"
            priority = int
            protocol = "string"
            sourceAddressPrefix = "string"
            sourceAddressPrefixes = [
              "string"
            ]
            sourceApplicationSecurityGroups = [
              {
                id = "string"
                location = "string"
                properties = {}
                tags = {}
              }
            ]
            sourcePortRange = "string"
            sourcePortRanges = [
              "string"
            ]
          }
          type = "string"
        }
      ]
    }
  })
}
```
Property values
networkSecurityGroups
Name | Description | Value |
---|---|---|
type | The resource type | "Microsoft.Network/networkSecurityGroups@2023-11-01" |
name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
location | Resource location. | string |
parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
tags | Resource tags. | Dictionary of tag names and values. |
properties | Properties of the network security group. | NetworkSecurityGroupPropertiesFormat |
NetworkSecurityGroupPropertiesFormat
Name | Description | Value |
---|---|---|
flushConnection | When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updated. Initial enablement will trigger re-evaluation. | bool |
securityRules | A collection of security rules of the network security group. | SecurityRule[] |
SecurityRule
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Properties of the security rule. | SecurityRulePropertiesFormat |
type | The type of the resource. | string |
SecurityRulePropertiesFormat
Name | Description | Value |
---|---|---|
access | The network traffic is allowed or denied. | "Allow" "Deny" (required) |
description | A description for this rule. Restricted to 140 chars. | string |
destinationAddressPrefix | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. | string |
destinationAddressPrefixes | The destination address prefixes. CIDR or destination IP ranges. | string[] |
destinationApplicationSecurityGroups | The application security group specified as destination. | ApplicationSecurityGroup[] |
destinationPortRange | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string |
destinationPortRanges | The destination port ranges. | string[] |
direction | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | "Inbound" "Outbound" (required) |
priority | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | int (required) |
protocol | Network protocol this rule applies to. | "*" "Ah" "Esp" "Icmp" "Tcp" "Udp" (required) |
sourceAddressPrefix | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. | string |
sourceAddressPrefixes | The CIDR or source IP ranges. | string[] |
sourceApplicationSecurityGroups | The application security group specified as source. | ApplicationSecurityGroup[] |
sourcePortRange | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string |
sourcePortRanges | The source port ranges. | string[] |
ApplicationSecurityGroup
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
location | Resource location. | string |
properties | Properties of the application security group. | ApplicationSecurityGroupPropertiesFormat |
tags | Resource tags. | object |
ApplicationSecurityGroupPropertiesFormat
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.