How to open ports to a virtual machine with the Azure portal

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets

You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or a VM network interface. You place these filters, which control both inbound and outbound traffic, on a network security group attached to the resource that receives the traffic.

The example in this article demonstrates how to create a network filter that uses the standard TCP port 80 (it's assumed you've already started the appropriate services and opened any OS firewall rules on the VM).

After you've created a VM that's configured to serve web requests on the standard TCP port 80, you can:

  1. Create a network security group.

  2. Create an inbound security rule allowing traffic and assign values to the following settings:

    • Destination port ranges: 80

    • Source port ranges: * (allows any source port)

    • Priority value: Enter a value that is less than 65,500 and higher in priority than the default catch-all deny inbound rule.

  3. Associate the network security group with the VM network interface or subnet.

Although this example uses a simple rule to allow HTTP traffic, you can also use network security groups and rules to create more complex network configurations.

Sign in to Azure

Sign in to the Azure portal at

Create a network security group

  1. Search for and select the resource group for the VM, choose Add, then search for and select Network security group.

  2. Select Create.

    The Create network security group window opens.

    Create a network security group.

  3. Enter a name for your network security group.

  4. Select or create a resource group, then select a location.

  5. Select Create to create the network security group.

Create an inbound security rule

  1. Select your new network security group.

  2. Select Inbound security rules from the left menu, then select Add.

    Add an inbound security rule.

  3. You can limit the Source and Source port ranges as needed or leave the default of Any.

  4. You can limit the Destination as needed or leave the default of Any.

  5. Choose a common Service from the drop-down menu, such as HTTP. You can also select Custom if you want to provide a specific port to use.

  6. Optionally, change the Priority or Name. The priority affects the order in which rules are applied: the lower the numerical value, the earlier the rule is applied.

  7. Select Add to create the rule.

Associate your network security group with a subnet

Your final step is to associate your network security group with a subnet or a specific network interface. For this example, we'll associate the network security group with a subnet.

  1. Select Subnets from the left menu, then select Associate.

  2. Select your virtual network, and then select the appropriate subnet.

    Associating a network security group with virtual networking

  3. When you are done, select OK.

Additional information

You can also perform the steps in this article by using Azure PowerShell.

The commands described in this article allow you to quickly get traffic flowing to your VM. Network security groups provide many great features and granularity for controlling access to your resources. For more information, see Filter network traffic with a network security group.

For highly available web applications, consider placing your VMs behind an Azure load balancer. The load balancer distributes traffic to VMs, with a network security group that provides traffic filtering. For more information, see Load balance Windows virtual machines in Azure to create a highly available application.

Next steps

In this article, you created a network security group, created an inbound rule that allows HTTP traffic on port 80, and then associated that rule with a subnet.

You can find information on creating more detailed environments in the following articles: