Network Interfaces - List Effective Network Security Groups

Service:

Virtual Networks

API Version:

2023-09-01

Gets all network security groups applied to a network interface.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{networkInterfaceName}/effectiveNetworkSecurityGroups?api-version=2023-09-01

URI Parameters

Name	In	Required	Type	Description
networkInterfaceName	path	True	string	The name of the network interface.
resourceGroupName	path	True	string	The name of the resource group.
subscriptionId	path	True	string	The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
api-version	query	True	string	Client API version.

Responses

Name	Type	Description
200 OK	EffectiveNetworkSecurityGroupListResult	Request successful. The operation returns a list of NetworkSecurityGroup resources.
202 Accepted		Accepted and the operation will complete asynchronously.
Other Status Codes	CloudError	Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

List network interface effective network security groups

Sample Request

HTTP

POST https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkInterfaces/nic1/effectiveNetworkSecurityGroups?api-version=2023-09-01

Python

from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-network
# USAGE
    python network_interface_effective_nsg_list.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = NetworkManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="subid",
    )

    response = client.network_interfaces.begin_list_effective_network_security_groups(
        resource_group_name="rg1",
        network_interface_name="nic1",
    ).result()
    print(response)


# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/NetworkInterfaceEffectiveNSGList.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Go

package armnetwork_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/d4205894880b989ede35d62d97c8e901ed14fb5a/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/NetworkInterfaceEffectiveNSGList.json
func ExampleInterfacesClient_BeginListEffectiveNetworkSecurityGroups() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	poller, err := clientFactory.NewInterfacesClient().BeginListEffectiveNetworkSecurityGroups(ctx, "rg1", "nic1", nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	res, err := poller.PollUntilDone(ctx, nil)
	if err != nil {
		log.Fatalf("failed to pull the result: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.EffectiveNetworkSecurityGroupListResult = armnetwork.EffectiveNetworkSecurityGroupListResult{
	// 	Value: []*armnetwork.EffectiveNetworkSecurityGroup{
	// 		{
	// 			Association: &armnetwork.EffectiveNetworkSecurityGroupAssociation{
	// 				NetworkInterface: &armnetwork.SubResource{
	// 					ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkInterfaces/nic1"),
	// 				},
	// 				NetworkManager: &armnetwork.SubResource{
	// 					ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkManagers/nm1"),
	// 				},
	// 				Subnet: &armnetwork.SubResource{
	// 					ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/rg1-vnet/subnets/default"),
	// 				},
	// 			},
	// 			EffectiveSecurityRules: []*armnetwork.EffectiveNetworkSecurityRule{
	// 				{
	// 					Name: to.Ptr("securityRules/rule1"),
	// 					Access: to.Ptr(armnetwork.SecurityRuleAccessAllow),
	// 					DestinationAddressPrefix: to.Ptr("0.0.0.0/32"),
	// 					DestinationPortRange: to.Ptr("6579-6579"),
	// 					Direction: to.Ptr(armnetwork.SecurityRuleDirectionInbound),
	// 					Priority: to.Ptr[int32](234),
	// 					SourceAddressPrefix: to.Ptr("0.0.0.0/32"),
	// 					SourcePortRange: to.Ptr("456-456"),
	// 					Protocol: to.Ptr(armnetwork.EffectiveSecurityRuleProtocolTCP),
	// 				},
	// 				{
	// 					Name: to.Ptr("securityRules/default-allow-rdp"),
	// 					Access: to.Ptr(armnetwork.SecurityRuleAccessAllow),
	// 					DestinationAddressPrefix: to.Ptr("0.0.0.0/0"),
	// 					DestinationPortRange: to.Ptr("3389-3389"),
	// 					Direction: to.Ptr(armnetwork.SecurityRuleDirectionInbound),
	// 					Priority: to.Ptr[int32](1000),
	// 					SourceAddressPrefix: to.Ptr("1.1.1.1/32"),
	// 					SourcePortRange: to.Ptr("0-65535"),
	// 					Protocol: to.Ptr(armnetwork.EffectiveSecurityRuleProtocolTCP),
	// 				},
	// 				{
	// 					Name: to.Ptr("defaultSecurityRules/AllowInternetOutBound"),
	// 					Access: to.Ptr(armnetwork.SecurityRuleAccessAllow),
	// 					DestinationAddressPrefix: to.Ptr("Internet"),
	// 					DestinationPortRange: to.Ptr("0-65535"),
	// 					Direction: to.Ptr(armnetwork.SecurityRuleDirectionOutbound),
	// 					ExpandedDestinationAddressPrefix: []*string{
	// 						to.Ptr("32.0.0.0/3"),
	// 						to.Ptr("4.0.0.0/6"),
	// 						to.Ptr("2.0.0.0/7"),
	// 						to.Ptr("1.0.0.0/8")},
	// 						Priority: to.Ptr[int32](65001),
	// 						SourceAddressPrefix: to.Ptr("0.0.0.0/0"),
	// 						SourcePortRange: to.Ptr("0-65535"),
	// 						Protocol: to.Ptr(armnetwork.EffectiveSecurityRuleProtocolAll),
	// 				}},
	// 				NetworkSecurityGroup: &armnetwork.SubResource{
	// 					ID: to.Ptr("/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/test-nsg"),
	// 				},
	// 		}},
	// 	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

JavaScript

const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Gets all network security groups applied to a network interface.
 *
 * @summary Gets all network security groups applied to a network interface.
 * x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/NetworkInterfaceEffectiveNSGList.json
 */
async function listNetworkInterfaceEffectiveNetworkSecurityGroups() {
  const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
  const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
  const networkInterfaceName = "nic1";
  const credential = new DefaultAzureCredential();
  const client = new NetworkManagementClient(credential, subscriptionId);
  const result = await client.networkInterfaces.beginListEffectiveNetworkSecurityGroupsAndWait(
    resourceGroupName,
    networkInterfaceName,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

dotnet

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;

// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/NetworkInterfaceEffectiveNSGList.json
// this example is just showing the usage of "NetworkInterfaces_ListEffectiveNetworkSecurityGroups" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this NetworkInterfaceResource created on azure
// for more information of creating NetworkInterfaceResource, please refer to the document of NetworkInterfaceResource
string subscriptionId = "subid";
string resourceGroupName = "rg1";
string networkInterfaceName = "nic1";
ResourceIdentifier networkInterfaceResourceId = NetworkInterfaceResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, networkInterfaceName);
NetworkInterfaceResource networkInterface = client.GetNetworkInterfaceResource(networkInterfaceResourceId);

// invoke the operation
ArmOperation<EffectiveNetworkSecurityGroupListResult> lro = await networkInterface.GetEffectiveNetworkSecurityGroupsAsync(WaitUntil.Completed);
EffectiveNetworkSecurityGroupListResult result = lro.Value;

Console.WriteLine($"Succeeded: {result}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:

200

{
  "value": [
    {
      "networkSecurityGroup": {
        "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/test-nsg"
      },
      "association": {
        "networkManager": {
          "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkManagers/nm1"
        },
        "subnet": {
          "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/rg1-vnet/subnets/default"
        },
        "networkInterface": {
          "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkInterfaces/nic1"
        }
      },
      "effectiveSecurityRules": [
        {
          "name": "securityRules/rule1",
          "protocol": "Tcp",
          "sourcePortRange": "456-456",
          "destinationPortRange": "6579-6579",
          "sourceAddressPrefix": "0.0.0.0/32",
          "destinationAddressPrefix": "0.0.0.0/32",
          "access": "Allow",
          "priority": 234,
          "direction": "Inbound"
        },
        {
          "name": "securityRules/default-allow-rdp",
          "protocol": "Tcp",
          "sourcePortRange": "0-65535",
          "destinationPortRange": "3389-3389",
          "sourceAddressPrefix": "1.1.1.1/32",
          "destinationAddressPrefix": "0.0.0.0/0",
          "access": "Allow",
          "priority": 1000,
          "direction": "Inbound"
        },
        {
          "name": "defaultSecurityRules/AllowInternetOutBound",
          "protocol": "All",
          "sourcePortRange": "0-65535",
          "destinationPortRange": "0-65535",
          "sourceAddressPrefix": "0.0.0.0/0",
          "destinationAddressPrefix": "Internet",
          "expandedDestinationAddressPrefix": [
            "32.0.0.0/3",
            "4.0.0.0/6",
            "2.0.0.0/7",
            "1.0.0.0/8"
          ],
          "access": "Allow",
          "priority": 65001,
          "direction": "Outbound"
        }
      ]
    }
  ]
}

Status code:

202

Location: https://management.azure.com//subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/test-nsg/operationResults/00000000-0000-0000-0000-000000000000?api-version=2023-09-01

Definitions

Name	Description
CloudError	An error response from the service.
CloudErrorBody	An error response from the service.
EffectiveNetworkSecurityGroup	Effective network security group.
EffectiveNetworkSecurityGroupAssociation	The effective network security group association.
EffectiveNetworkSecurityGroupListResult	Response for list effective network security groups API service call.
EffectiveNetworkSecurityRule	Effective network security rules.
EffectiveSecurityRuleProtocol	The network protocol this rule applies to.
SecurityRuleAccess	Whether network traffic is allowed or denied.
SecurityRuleDirection	The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic.
SubResource	Reference to another subresource.

CloudError

An error response from the service.

Name	Type	Description
error	CloudErrorBody	Cloud error body.

CloudErrorBody

An error response from the service.

Name	Type	Description
code	string	An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
details	CloudErrorBody[]	A list of additional details about the error.
message	string	A message describing the error, intended to be suitable for display in a user interface.
target	string	The target of the particular error. For example, the name of the property in error.

EffectiveNetworkSecurityGroup

Effective network security group.

Name	Type	Description
association	EffectiveNetworkSecurityGroupAssociation	Associated resources.
effectiveSecurityRules	EffectiveNetworkSecurityRule[]	A collection of effective security rules.
networkSecurityGroup	SubResource	The ID of network security group that is applied.
tagMap	object	Mapping of tags to list of IP Addresses included within the tag.

EffectiveNetworkSecurityGroupAssociation

The effective network security group association.

Name	Type	Description
networkInterface	SubResource	The ID of the network interface if assigned.
networkManager	SubResource	The ID of the Azure network manager if assigned.
subnet	SubResource	The ID of the subnet if assigned.

EffectiveNetworkSecurityGroupListResult

Response for list effective network security groups API service call.

Name	Type	Description
nextLink	string	The URL to get the next set of results.
value	EffectiveNetworkSecurityGroup[]	A list of effective network security groups.

EffectiveNetworkSecurityRule

Effective network security rules.

Name	Type	Description
access	SecurityRuleAccess	Whether network traffic is allowed or denied.
destinationAddressPrefix	string	The destination address prefix.
destinationAddressPrefixes	string[]	The destination address prefixes. Expected values include CIDR IP ranges, Default Tags (VirtualNetwork, AzureLoadBalancer, Internet), System Tags, and the asterisk (*).
destinationPortRange	string	The destination port or range.
destinationPortRanges	string[]	The destination port ranges. Expected values include a single integer between 0 and 65535, a range using '-' as separator (e.g. 100-400), or an asterisk (*).
direction	SecurityRuleDirection	The direction of the rule.
expandedDestinationAddressPrefix	string[]	Expanded destination address prefix.
expandedSourceAddressPrefix	string[]	The expanded source address prefix.
name	string	The name of the security rule specified by the user (if created by the user).
priority	integer	The priority of the rule.
protocol	EffectiveSecurityRuleProtocol	The network protocol this rule applies to.
sourceAddressPrefix	string	The source address prefix.
sourceAddressPrefixes	string[]	The source address prefixes. Expected values include CIDR IP ranges, Default Tags (VirtualNetwork, AzureLoadBalancer, Internet), System Tags, and the asterisk (*).
sourcePortRange	string	The source port or range.
sourcePortRanges	string[]	The source port ranges. Expected values include a single integer between 0 and 65535, a range using '-' as separator (e.g. 100-400), or an asterisk (*).

EffectiveSecurityRuleProtocol

The network protocol this rule applies to.

Name	Type	Description
All	string
Tcp	string
Udp	string

SecurityRuleAccess

Whether network traffic is allowed or denied.

Name	Type	Description
Allow	string
Deny	string

SecurityRuleDirection

The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic.

Name	Type	Description
Inbound	string
Outbound	string

SubResource

Reference to another subresource.

Name	Type	Description
id	string	Resource ID.