az network nsg rule

Manage network security group rules.

Commands

Name	Description	Type	Status
az network nsg rule create	Create a network security group rule.	Core	GA
az network nsg rule delete	Delete a network security group rule.	Core	GA
az network nsg rule list	List all rules in a network security group.	Core	GA
az network nsg rule show	Get the details of a network security group rule.	Core	GA
az network nsg rule update	Update a network security group rule.	Core	GA
az network nsg rule wait	Place the CLI in a waiting state until a condition is met.	Core	GA

az network nsg rule create

Create a network security group rule.

Azure CLI

az network nsg rule create --name
                           --nsg-name
                           --priority
                           --resource-group
                           [--access {Allow, Deny}]
                           [--description]
                           [--destination-address-prefix]
                           [--destination-port-range]
                           [--direction {Inbound, Outbound}]
                           [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                           [--protocol {*, Tcp, Udp}]
                           [--source-address-prefix]
                           [--source-port-range]

Examples

Create a basic "Allow" NSG rule with the highest priority.

Azure CLI

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 100

Create a "Deny" rule over TCP for a specific IP address range with the lowest priority.

Azure CLI

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 4096 --source-address-prefixes 208.130.28.0/24 --source-port-ranges 80 --destination-address-prefixes '*' --destination-port-ranges 80 8080 --access Deny --protocol Tcp --description "Deny from specific IP address ranges on 80 and 8080."

Create a security rule using service tags (https://aka.ms/servicetags).

Azure CLI

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRuleWithTags --priority 400 --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage --destination-port-ranges '*' --direction Outbound --access Allow --protocol Tcp --description "Allow VirtualNetwork to Storage."

Create a security rule using application security groups (https://aka.ms/applicationsecuritygroups).

Azure CLI

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRuleWithAsg --priority 500 --source-address-prefixes Internet --destination-port-ranges 80 8080 --destination-asgs Web --access Allow --protocol Tcp --description "Allow Internet to Web ASG on ports 80,8080."

Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--priority

Priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--access

Network traffic is allowed or denied.

Accepted values: Allow, Deny

Default value: Allow

--description

Description for this rule. Restricted to 140 chars.

--destination-address-prefix

The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.

Default value: *

--destination-port-range

The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.

Default value: 80

--direction

Direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic.

Accepted values: Inbound, Outbound

Default value: Inbound

--no-wait

Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--protocol

Network protocol this rule applies to.

Accepted values: *, Tcp, Udp

Default value: *

--source-address-prefix

The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.

Default value: *

--source-port-range

The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.

Default value: 80

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network nsg rule delete

Delete a network security group rule.

Azure CLI

az network nsg rule delete [--ids]
                           [--name]
                           [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                           [--nsg-name]
                           [--resource-group]
                           [--subscription]

Examples

Delete a network security group rule.

Azure CLI

az network nsg rule delete -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the network security group rule.

--no-wait

Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network nsg rule list

List all rules in a network security group.

Azure CLI

az network nsg rule list [--ids]
                         [--include-default]
                         [--nsg-name]
                         [--resource-group]
                         [--subscription]

Examples

List all rules in a network security group.

Azure CLI

az network nsg rule list -g MyResourceGroup --nsg-name MyNsg

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--include-default

Include default security rules in the output.

Default value: False

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network nsg rule show

Get the details of a network security group rule.

Azure CLI

az network nsg rule show [--ids]
                         [--name]
                         [--nsg-name]
                         [--resource-group]
                         [--subscription]

Examples

Get the details of a network security group rule.

Azure CLI

az network nsg rule show -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network nsg rule update

Update a network security group rule.

Azure CLI

az network nsg rule update [--access {Allow, Deny}]
                           [--add]
                           [--description]
                           [--destination-address-prefix]
                           [--destination-port-range]
                           [--direction {Inbound, Outbound}]
                           [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                           [--ids]
                           [--name]
                           [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                           [--nsg-name]
                           [--priority]
                           [--protocol {*, Tcp, Udp}]
                           [--remove]
                           [--resource-group]
                           [--set]
                           [--source-address-prefix]
                           [--source-port-range]
                           [--subscription]

Examples

Update an NSG rule with a new wildcard destination address prefix.

Azure CLI

az network nsg rule update -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --destination-address-prefix '*'

Update a network security group rule.

Azure CLI

az network nsg rule update --name MyNsgRule --nsg-name MyNsg --resource-group MyResourceGroup --source-address-prefixes 208.130.28/24

Optional Parameters

--access

Network traffic is allowed or denied.

Accepted values: Allow, Deny

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--description

Description for this rule. Restricted to 140 chars.

--destination-address-prefix

The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.

--destination-port-range

The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.

--direction

Direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic.

Accepted values: Inbound, Outbound

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the network security group rule.

--no-wait

Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--nsg-name

Name of the network security group.

--priority

Priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.

--protocol

Network protocol this rule applies to.

Accepted values: *, Tcp, Udp

--remove

Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--source-address-prefix

The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.

--source-port-range

The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az network nsg rule wait

Place the CLI in a waiting state until a condition is met.

Azure CLI

az network nsg rule wait [--created]
                         [--custom]
                         [--deleted]
                         [--exists]
                         [--ids]
                         [--interval]
                         [--name]
                         [--nsg-name]
                         [--resource-group]
                         [--subscription]
                         [--timeout]
                         [--updated]

Optional Parameters

--created

Wait until created with 'provisioningState' at 'Succeeded'.

Default value: False

--custom

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].

--deleted

Wait until deleted.

Default value: False

--exists

Wait until the resource exists.

Default value: False

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--interval

Polling interval in seconds.

Default value: 30

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--timeout

Maximum wait in seconds.

Default value: 3600

--updated

Wait until updated with provisioningState at 'Succeeded'.

Default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.