Microsoft.Network networkSecurityGroups

Bicep resource definition

The networkSecurityGroups resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on creating network security groups, see Create virtual network resources by using Bicep.

Resource format

To create a Microsoft.Network/networkSecurityGroups resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    flushConnection: bool
    securityRules: [
      {
        id: 'string'
        name: 'string'
        properties: {
          access: 'string'
          description: 'string'
          destinationAddressPrefix: 'string'
          destinationAddressPrefixes: [
            'string'
          ]
          destinationApplicationSecurityGroups: [
            {
              id: 'string'
              location: 'string'
              properties: {}
              tags: {}
            }
          ]
          destinationPortRange: 'string'
          destinationPortRanges: [
            'string'
          ]
          direction: 'string'
          priority: int
          protocol: 'string'
          sourceAddressPrefix: 'string'
          sourceAddressPrefixes: [
            'string'
          ]
          sourceApplicationSecurityGroups: [
            {
              id: 'string'
              location: 'string'
              properties: {}
              tags: {}
            }
          ]
          sourcePortRange: 'string'
          sourcePortRanges: [
            'string'
          ]
        }
        type: 'string'
      }
    ]
  }
}

Property values

networkSecurityGroups

Name Description Value
name The resource name string (required)

Character limit: 1-80

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End alphanumeric or underscore.
location Resource location. string
tags Resource tags. Dictionary of tag names and values. See Tags in templates
properties Properties of the network security group. NetworkSecurityGroupPropertiesFormat

NetworkSecurityGroupPropertiesFormat

Name Description Value
flushConnection When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. bool
securityRules A collection of security rules of the network security group. SecurityRule[]

SecurityRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the security rule. SecurityRulePropertiesFormat
type The type of the resource. string

SecurityRulePropertiesFormat

Name Description Value
access The network traffic is allowed or denied. 'Allow'
'Deny' (required)
description A description for this rule. Restricted to 140 chars. string
destinationAddressPrefix The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. string
destinationAddressPrefixes The destination address prefixes. CIDR or destination IP ranges. string[]
destinationApplicationSecurityGroups The application security group specified as destination. ApplicationSecurityGroup[]
destinationPortRange The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
destinationPortRanges The destination port ranges. string[]
direction The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. 'Inbound'
'Outbound' (required)
priority The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. int (required)
protocol Network protocol this rule applies to. '*'
'Ah'
'Esp'
'Icmp'
'Tcp'
'Udp' (required)
sourceAddressPrefix The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. string
sourceAddressPrefixes The CIDR or source IP ranges. string[]
sourceApplicationSecurityGroups The application security group specified as source. ApplicationSecurityGroup[]
sourcePortRange The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
sourcePortRanges The source port ranges. string[]

ApplicationSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the application security group. ApplicationSecurityGroupPropertiesFormat
tags Resource tags. object

ApplicationSecurityGroupPropertiesFormat

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Managed Azure Active Directory Domain Services

Deploy to Azure
This template deploys an Managed Azure Active Directory Domain Service with required VNet and NSG configurations.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
App Gateway with WAF, SSL, IIS and HTTPS redirection

Deploy to Azure
This template deploys an Application Gateway with WAF, end to end SSL and HTTP to HTTPS redirect on the IIS servers.
Create an IPv6 Application Gateway

Deploy to Azure
This template creates an application gateway with an IPv6 frontend in a dual-stack virtual network.
Application Security Groups

Deploy to Azure
This template shows how to put together the pieces to secure workloads using NSGs with Application Security Groups. It will deploy a Linux VM running NGINX and through the usage of Applicaton Security Groups on Network Security Groups we will allow access to ports 22 and 80 to a VM assigned to Application Security Group called webServersAsg.
Azure Bastion as a Service with NSG

Deploy to Azure
This template provisions Azure Bastion in a Virtual Network
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.
Create sandbox of Azure Firewall, client VM, and server VM

Deploy to Azure
This template creates a virtual network with 2 subnets (server subnet and AzureFirewall subnet), A server VM, a client VM, a public IP address for each VM, and a route table to send traffic between VMs through the firewall.
Create a Firewall, FirewallPolicy with Explicit Proxy

Deploy to Azure
This template creates an Azure Firewall, FirewalllPolicy with Explicit Proxy and Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup
Create a Firewall with FirewallPolicy and IpGroups

Deploy to Azure
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup
Create an Azure Firewall with IpGroups

Deploy to Azure
This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also, includes a Linux Jumpbox vm setup
Create an Azure Firewall sandbox with forced tunneling

Deploy to Azure
This template creates an Azure Firewall sandbox (Linux) with one firewall force tunneled through another firewall in a peered VNET
Create a sandbox setup of Azure Firewall with Linux VMs

Deploy to Azure
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges
Create a sandbox setup with Firewall Policy

Deploy to Azure
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges
Create a sandbox setup of Azure Firewall with Zones

Deploy to Azure
This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the ServerSubnet,an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3.
ExpressRoute circuit with private peering and Azure VNet

Deploy to Azure
This template configure ExpressRoute Microsoft peering, deploy an Azure VNet with Expressroute gateway and link the VNet to the ExpressRoute circuit
Create Azure Front Door in front of Azure API Management

Deploy to Azure
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management.
Create an Azure Firewall with multiple IP public addresses

Deploy to Azure
This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test.
Secured virtual hubs

Deploy to Azure
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.
Create a cross-region load balancer

Deploy to Azure
This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region.
Standard Load Balancer with Backend Pool by IP Addresses

Deploy to Azure
This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document.
Create a load-balancer with a Public IPv6 address

Deploy to Azure
This template creates an Internet-facing load-balancer with a Public IPv6 address, load balancing rules, and two VMs for the backend pool.
Create a standard load-balancer

Deploy to Azure
This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone.
Virtual Network NAT with VM

Deploy to Azure
Deploy a NAT gateway and virtual machine
Apply a NSG to an existing subnet

Deploy to Azure
This template applies a newly created NSG to an existing subnet
Network Security Group with diagnostic logs

Deploy to Azure
This template creates a Network Security Group with diagnostic logs and a resource lock
Multi tier VNet with NSGs and DMZ

Deploy to Azure
This template deploys a Virtual Network with 3 subnets, 3 Network Security Groups and appropriate security rules to make the FrontEnd subnet a DMZ
Azure Route Server in BGP peering with Quagga

Deploy to Azure
This template deploys a Router Server and Ubuntu VM with Quagga. Two external BGP sessions are established between the Router Server and Quagga. Installation and configuration of Quagga is executed by Azure custom script extension for linux
Create a Network Security Group

Deploy to Azure
This template creates a Network Security Group
Create a Site-to-Site VPN Connection with VM

Deploy to Azure
This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways
Site-to-Site VPN with active-active VPN Gateways with BGP

Deploy to Azure
This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in configuration active-active with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. Template runs as expected in Azure regions with availability zones.
Azure Traffic Manager VM example

Deploy to Azure
This template shows how to create an Azure Traffic Manager profile load-balancing across multiple virtual machines.
Azure Traffic Manager VM example with Availability Zones

Deploy to Azure
This template shows how to create an Azure Traffic Manager profile load-balancing across multiple virtual machines placed in Availability Zones.
User defined routes and Appliance

Deploy to Azure
This template deploys a Virtual Network, VMs in respective subnets and routes to direct traffic to the appliance
201-vnet-2subnets-service-endpoints-storage-integration

Deploy to Azure
Creates 2 new VMs with a NIC each, in two different subnets within the same VNet. Sets service endpoint on one of the subnets and secures storage account to that subnet.
Add an NSG with Redis security rules to an existing subnet

Deploy to Azure
This template allows you to add an NSG with preconfigured Azure Redis Cache security rules to an existing subnet within a VNET. Deploy into the resource group of the existing VNET.

ARM template resource definition

The networkSecurityGroups resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on creating network security groups, see Create virtual network resources by using Bicep.

Resource format

To create a Microsoft.Network/networkSecurityGroups resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2023-11-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "properties": {
    "flushConnection": "bool",
    "securityRules": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "access": "string",
          "description": "string",
          "destinationAddressPrefix": "string",
          "destinationAddressPrefixes": [ "string" ],
          "destinationApplicationSecurityGroups": [
            {
              "id": "string",
              "location": "string",
              "properties": {},
              "tags": {}
            }
          ],
          "destinationPortRange": "string",
          "destinationPortRanges": [ "string" ],
          "direction": "string",
          "priority": "int",
          "protocol": "string",
          "sourceAddressPrefix": "string",
          "sourceAddressPrefixes": [ "string" ],
          "sourceApplicationSecurityGroups": [
            {
              "id": "string",
              "location": "string",
              "properties": {},
              "tags": {}
            }
          ],
          "sourcePortRange": "string",
          "sourcePortRanges": [ "string" ]
        },
        "type": "string"
      }
    ]
  }
}

Property values

networkSecurityGroups

Name Description Value
type The resource type 'Microsoft.Network/networkSecurityGroups'
apiVersion The resource api version '2023-11-01'
name The resource name string (required)

Character limit: 1-80

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End alphanumeric or underscore.
location Resource location. string
tags Resource tags. Dictionary of tag names and values. See Tags in templates
properties Properties of the network security group. NetworkSecurityGroupPropertiesFormat

NetworkSecurityGroupPropertiesFormat

Name Description Value
flushConnection When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. bool
securityRules A collection of security rules of the network security group. SecurityRule[]

SecurityRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the security rule. SecurityRulePropertiesFormat
type The type of the resource. string

SecurityRulePropertiesFormat

Name Description Value
access The network traffic is allowed or denied. 'Allow'
'Deny' (required)
description A description for this rule. Restricted to 140 chars. string
destinationAddressPrefix The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. string
destinationAddressPrefixes The destination address prefixes. CIDR or destination IP ranges. string[]
destinationApplicationSecurityGroups The application security group specified as destination. ApplicationSecurityGroup[]
destinationPortRange The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
destinationPortRanges The destination port ranges. string[]
direction The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. 'Inbound'
'Outbound' (required)
priority The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. int (required)
protocol Network protocol this rule applies to. '*'
'Ah'
'Esp'
'Icmp'
'Tcp'
'Udp' (required)
sourceAddressPrefix The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. string
sourceAddressPrefixes The CIDR or source IP ranges. string[]
sourceApplicationSecurityGroups The application security group specified as source. ApplicationSecurityGroup[]
sourcePortRange The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
sourcePortRanges The source port ranges. string[]

ApplicationSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the application security group. ApplicationSecurityGroupPropertiesFormat
tags Resource tags. object

ApplicationSecurityGroupPropertiesFormat

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Managed Azure Active Directory Domain Services

Deploy to Azure
This template deploys an Managed Azure Active Directory Domain Service with required VNet and NSG configurations.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
App Gateway with WAF, SSL, IIS and HTTPS redirection

Deploy to Azure
This template deploys an Application Gateway with WAF, end to end SSL and HTTP to HTTPS redirect on the IIS servers.
Create an IPv6 Application Gateway

Deploy to Azure
This template creates an application gateway with an IPv6 frontend in a dual-stack virtual network.
Application Security Groups

Deploy to Azure
This template shows how to put together the pieces to secure workloads using NSGs with Application Security Groups. It will deploy a Linux VM running NGINX and through the usage of Applicaton Security Groups on Network Security Groups we will allow access to ports 22 and 80 to a VM assigned to Application Security Group called webServersAsg.
Azure Bastion as a Service with NSG

Deploy to Azure
This template provisions Azure Bastion in a Virtual Network
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.
Create sandbox of Azure Firewall, client VM, and server VM

Deploy to Azure
This template creates a virtual network with 2 subnets (server subnet and AzureFirewall subnet), A server VM, a client VM, a public IP address for each VM, and a route table to send traffic between VMs through the firewall.
Create a Firewall, FirewallPolicy with Explicit Proxy

Deploy to Azure
This template creates an Azure Firewall, FirewalllPolicy with Explicit Proxy and Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup
Create a Firewall with FirewallPolicy and IpGroups

Deploy to Azure
This template creates an Azure Firewall with FirewalllPolicy referencing Network Rules with IpGroups. Also, includes a Linux Jumpbox vm setup
Create an Azure Firewall with IpGroups

Deploy to Azure
This template creates an Azure Firewall with Application and Network Rules referring to IP Groups. Also, includes a Linux Jumpbox vm setup
Create an Azure Firewall sandbox with forced tunneling

Deploy to Azure
This template creates an Azure Firewall sandbox (Linux) with one firewall force tunneled through another firewall in a peered VNET
Create a sandbox setup of Azure Firewall with Linux VMs

Deploy to Azure
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses, 1 sample application rule, 1 sample network rule and default private ranges
Create a sandbox setup with Firewall Policy

Deploy to Azure
This template creates a virtual network with 3 subnets (server subnet, jumpbox subet and AzureFirewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the Server Subnet and an Azure Firewall with 1 or more Public IP addresses. Also creates a Firewall policy with 1 sample application rule, 1 sample network rule and default private ranges
Create a sandbox setup of Azure Firewall with Zones

Deploy to Azure
This template creates a virtual network with three subnets (server subnet, jumpbox subnet, and Azure Firewall subnet), a jumpbox VM with public IP, A server VM, UDR route to point to Azure Firewall for the ServerSubnet,an Azure Firewall with one or more Public IP addresses, one sample application rule, and one sample network rule and Azure Firewall in Availability Zones 1, 2, and 3.
ExpressRoute circuit with private peering and Azure VNet

Deploy to Azure
This template configure ExpressRoute Microsoft peering, deploy an Azure VNet with Expressroute gateway and link the VNet to the ExpressRoute circuit
Create Azure Front Door in front of Azure API Management

Deploy to Azure
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management.
Create an Azure Firewall with multiple IP public addresses

Deploy to Azure
This template creates an Azure Firewall with two public IP addresses and two Windows Server 2019 servers to test.
Secured virtual hubs

Deploy to Azure
This template creates a secured virtual hub using Azure Firewall to secure your cloud network traffic destined to the Internet.
Create a cross-region load balancer

Deploy to Azure
This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region.
Standard Load Balancer with Backend Pool by IP Addresses

Deploy to Azure
This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document.
Create a load-balancer with a Public IPv6 address

Deploy to Azure
This template creates an Internet-facing load-balancer with a Public IPv6 address, load balancing rules, and two VMs for the backend pool.
Create a standard load-balancer

Deploy to Azure
This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone.
Virtual Network NAT with VM

Deploy to Azure
Deploy a NAT gateway and virtual machine
Apply a NSG to an existing subnet

Deploy to Azure
This template applies a newly created NSG to an existing subnet
Network Security Group with diagnostic logs

Deploy to Azure
This template creates a Network Security Group with diagnostic logs and a resource lock
Multi tier VNet with NSGs and DMZ

Deploy to Azure
This template deploys a Virtual Network with 3 subnets, 3 Network Security Groups and appropriate security rules to make the FrontEnd subnet a DMZ
Azure Route Server in BGP peering with Quagga

Deploy to Azure
This template deploys a Router Server and Ubuntu VM with Quagga. Two external BGP sessions are established between the Router Server and Quagga. Installation and configuration of Quagga is executed by Azure custom script extension for linux
Create a Network Security Group

Deploy to Azure
This template creates a Network Security Group
Create a Site-to-Site VPN Connection with VM

Deploy to Azure
This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways
Site-to-Site VPN with active-active VPN Gateways with BGP

Deploy to Azure
This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in configuration active-active with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. Template runs as expected in Azure regions with availability zones.
Azure Traffic Manager VM example

Deploy to Azure
This template shows how to create an Azure Traffic Manager profile load-balancing across multiple virtual machines.
Azure Traffic Manager VM example with Availability Zones

Deploy to Azure
This template shows how to create an Azure Traffic Manager profile load-balancing across multiple virtual machines placed in Availability Zones.
User defined routes and Appliance

Deploy to Azure
This template deploys a Virtual Network, VMs in respective subnets and routes to direct traffic to the appliance
201-vnet-2subnets-service-endpoints-storage-integration

Deploy to Azure
Creates 2 new VMs with a NIC each, in two different subnets within the same VNet. Sets service endpoint on one of the subnets and secures storage account to that subnet.
Add an NSG with Redis security rules to an existing subnet

Deploy to Azure
This template allows you to add an NSG with preconfigured Azure Redis Cache security rules to an existing subnet within a VNET. Deploy into the resource group of the existing VNET.

Terraform (AzAPI provider) resource definition

The networkSecurityGroups resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/networkSecurityGroups resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/networkSecurityGroups@2023-11-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      flushConnection = bool
      securityRules = [
        {
          id = "string"
          name = "string"
          properties = {
            access = "string"
            description = "string"
            destinationAddressPrefix = "string"
            destinationAddressPrefixes = [
              "string"
            ]
            destinationApplicationSecurityGroups = [
              {
                id = "string"
                location = "string"
                properties = {}
                tags = {}
              }
            ]
            destinationPortRange = "string"
            destinationPortRanges = [
              "string"
            ]
            direction = "string"
            priority = int
            protocol = "string"
            sourceAddressPrefix = "string"
            sourceAddressPrefixes = [
              "string"
            ]
            sourceApplicationSecurityGroups = [
              {
                id = "string"
                location = "string"
                properties = {}
                tags = {}
              }
            ]
            sourcePortRange = "string"
            sourcePortRanges = [
              "string"
            ]
          }
          type = "string"
        }
      ]
    }
  })
}

Property values

networkSecurityGroups

Name Description Value
type The resource type "Microsoft.Network/networkSecurityGroups@2023-11-01"
name The resource name string (required)

Character limit: 1-80

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End alphanumeric or underscore.
location Resource location. string
parent_id To deploy to a resource group, use the ID of that resource group. string (required)
tags Resource tags. Dictionary of tag names and values.
properties Properties of the network security group. NetworkSecurityGroupPropertiesFormat

NetworkSecurityGroupPropertiesFormat

Name Description Value
flushConnection When enabled, flows created from Network Security Group connections will be re-evaluated when rules are updates. Initial enablement will trigger re-evaluation. bool
securityRules A collection of security rules of the network security group. SecurityRule[]

SecurityRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the security rule. SecurityRulePropertiesFormat
type The type of the resource. string

SecurityRulePropertiesFormat

Name Description Value
access The network traffic is allowed or denied. "Allow"
"Deny" (required)
description A description for this rule. Restricted to 140 chars. string
destinationAddressPrefix The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. string
destinationAddressPrefixes The destination address prefixes. CIDR or destination IP ranges. string[]
destinationApplicationSecurityGroups The application security group specified as destination. ApplicationSecurityGroup[]
destinationPortRange The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
destinationPortRanges The destination port ranges. string[]
direction The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. "Inbound"
"Outbound" (required)
priority The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. int (required)
protocol Network protocol this rule applies to. "*"
"Ah"
"Esp"
"Icmp"
"Tcp"
"Udp" (required)
sourceAddressPrefix The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. string
sourceAddressPrefixes The CIDR or source IP ranges. string[]
sourceApplicationSecurityGroups The application security group specified as source. ApplicationSecurityGroup[]
sourcePortRange The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. string
sourcePortRanges The source port ranges. string[]

ApplicationSecurityGroup

Name Description Value
id Resource ID. string
location Resource location. string
properties Properties of the application security group. ApplicationSecurityGroupPropertiesFormat
tags Resource tags. object

ApplicationSecurityGroupPropertiesFormat

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.