Security Rules - Create Or Update

Creates or updates a security rule in the specified network security group.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}/securityRules/{securityRuleName}?api-version=2024-03-01

URI Parameters

| Name | In | Required | Type | Description |
|---|---|---|---|---|
| networkSecurityGroupName | path | True | string | The name of the network security group. |
| resourceGroupName | path | True | string | The name of the resource group. |
| securityRuleName | path | True | string | The name of the security rule. |
| subscriptionId | path | True | string | The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| api-version | query | True | string | Client API version. |

Request Body

| Name | Required | Type | Description |
|---|---|---|---|
| properties.access | True | SecurityRuleAccess | The network traffic is allowed or denied. |
| properties.direction | True | SecurityRuleDirection | The direction of the rule. The direction specifies if the rule will be evaluated on incoming or outgoing traffic. |
| properties.priority | True | integer | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. |
| properties.protocol | True | SecurityRuleProtocol | Network protocol this rule applies to. |
| id | | string | Resource ID. |
| name | | string | The name of the resource that is unique within a resource group. This name can be used to access the resource. |
| properties.description | | string | A description for this rule. Restricted to 140 chars. |
| properties.destinationAddressPrefix | | string | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. |
| properties.destinationAddressPrefixes | | string[] | The destination address prefixes. CIDR or destination IP ranges. |
| properties.destinationApplicationSecurityGroups | | ApplicationSecurityGroup[] | The application security group specified as destination. |
| properties.destinationPortRange | | string | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. |
| properties.destinationPortRanges | | string[] | The destination port ranges. |
| properties.sourceAddressPrefix | | string | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. |
| properties.sourceAddressPrefixes | | string[] | The CIDR or source IP ranges. |
| properties.sourceApplicationSecurityGroups | | ApplicationSecurityGroup[] | The application security group specified as source. |
| properties.sourcePortRange | | string | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. |
| properties.sourcePortRanges | | string[] | The source port ranges. |
| type | | string | The type of the resource. |
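
The constraints in the Request Body table can be checked before the PUT is sent. The following Python is an added example, not code from this reference or from Azure: `lint_security_rule`, `port_range_ok`, `used_priorities` and the `BROAD_SOURCES` policy are names and assumptions introduced here, and enum values are matched exactly as this page spells them.

```python
import re

ENUMS = {"access": {"Allow", "Deny"}, "direction": {"Inbound", "Outbound"},
         "protocol": {"*", "Ah", "Esp", "Icmp", "Tcp", "Udp"}}
BROAD_SOURCES = {"*", "Internet"}  # assumption: sources this lint treats as too wide

def port_range_ok(value):
    """Accept '*', one port, or 'low-high', with every port in 0..65535."""
    if value == "*":
        return True
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", value)
    if not m:
        return False
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    return low <= high <= 65535

def lint_security_rule(body, used_priorities=()):
    """Return findings for a request body; an empty list means it passed."""
    p = body.get("properties", {})
    out = [f"missing required properties.{k}"
           for k in ("access", "direction", "priority", "protocol") if k not in p]
    out += [f"properties.{k}: {p[k]!r} is not one of {sorted(v)}"
            for k, v in ENUMS.items() if k in p and p[k] not in v]
    prio = p.get("priority")
    if prio is not None:
        if not isinstance(prio, int) or not 100 <= prio <= 4096:
            out.append("properties.priority must be an integer between 100 and 4096")
        elif prio in used_priorities:
            out.append(f"properties.priority {prio} is already used in this collection")
    if len(p.get("description", "")) > 140:
        out.append("properties.description exceeds 140 characters")
    for key in ("sourcePortRange", "destinationPortRange"):
        ranges = ([p[key]] if key in p else []) + p.get(key + "s", [])
        out += [f"properties.{key}: bad port range {r!r}"
                for r in ranges if not port_range_ok(r)]
    sources = set(p.get("sourceAddressPrefixes", [])) | {p.get("sourceAddressPrefix")}
    if (p.get("access") == "Allow" and p.get("direction") == "Inbound"
            and sources & BROAD_SOURCES):
        out.append("inbound Allow from a broad source ('*' or 'Internet')")
    return out

# SAMPLE is the page's sample request body; FAULTY is constructed for the example.
SAMPLE = {"properties": {
    "protocol": "*", "sourceAddressPrefix": "10.0.0.0/8", "sourcePortRange": "*",
    "destinationAddressPrefix": "11.0.0.0/8", "destinationPortRange": "8080",
    "access": "Deny", "priority": 100, "direction": "Outbound"}}
FAULTY = {"properties": {
    "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "70000",
    "access": "Allow", "priority": 50, "direction": "Inbound"}}
```

Pass the priorities already present in the network security group as `used_priorities` so a colliding priority is caught before the request is made.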

Responses

| Name | Type | Description |
|---|---|---|
| 200 OK | SecurityRule | Update successful. The operation returns the resulting SecurityRule resource. |
| 201 Created | SecurityRule | Create successful. The operation returns the resulting SecurityRule resource. |
| Other Status Codes | CloudError | Error response describing why the operation failed. |

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |

Examples

Create security rule

Sample request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/testnsg/securityRules/rule1?api-version=2024-03-01

{
  "properties": {
    "protocol": "*",
    "sourceAddressPrefix": "10.0.0.0/8",
    "destinationAddressPrefix": "11.0.0.0/8",
    "access": "Deny",
    "destinationPortRange": "8080",
    "sourcePortRange": "*",
    "priority": 100,
    "direction": "Outbound"
  }
}

Sample response

{
  "name": "rule1",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/testnsg/securityRules/rule1",
  "properties": {
    "provisioningState": "Succeeded",
    "protocol": "*",
    "sourcePortRange": "*",
    "destinationPortRange": "8080",
    "sourceAddressPrefix": "10.0.0.0/8",
    "destinationAddressPrefix": "11.0.0.0/8",
    "access": "Deny",
    "priority": 100,
    "direction": "Outbound"
  }
}
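
Because a lower priority number means a higher priority, the matching rule with the smallest number decides a flow. The following Python is an added example, not Azure's implementation: a simplified first-match model that handles only '*' and CIDR prefixes (no service tags, application security groups or plural fields). `decide`, `addr_match`, `port_match`, rule2 and both flows are constructed here; rule1 is the sample rule above.

```python
import ipaddress

def addr_match(prefix, ip):
    """Match an IP against '*' or a CIDR prefix (service tags are not modelled)."""
    if prefix == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)

def port_match(port_range, port):
    """Match a port against '*', a single port, or a 'low-high' range."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def decide(rules, flow):
    """Return (rule name, access) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if (p["direction"] == flow["direction"]
                and p["protocol"] in ("*", flow["protocol"])
                and addr_match(p["sourceAddressPrefix"], flow["src"])
                and addr_match(p["destinationAddressPrefix"], flow["dst"])
                and port_match(p["sourcePortRange"], flow["sport"])
                and port_match(p["destinationPortRange"], flow["dport"])):
            return rule["name"], p["access"]
    return None, None  # no rule in this list matched

# rule1 is the page's sample rule; rule2 and both flows are constructed.
RULES = [
    {"name": "rule2", "properties": {
        "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "1024-65535",
        "access": "Allow", "priority": 200, "direction": "Outbound"}},
    {"name": "rule1", "properties": {
        "protocol": "*", "sourceAddressPrefix": "10.0.0.0/8", "sourcePortRange": "*",
        "destinationAddressPrefix": "11.0.0.0/8", "destinationPortRange": "8080",
        "access": "Deny", "priority": 100, "direction": "Outbound"}},
]
BLOCKED = {"direction": "Outbound", "protocol": "Tcp", "src": "10.1.2.3",
           "sport": 50000, "dst": "11.4.5.6", "dport": 8080}
ALLOWED = dict(BLOCKED, dport=8443)
```

Both rules match the `BLOCKED` flow, but rule1 at priority 100 is reached first, so the broader Allow at priority 200 never applies to it.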

Definitions

| Name | Description |
|---|---|
| ApplicationSecurityGroup | An application security group in a resource group. |
| CloudError | An error response from the service. |
| CloudErrorBody | An error response from the service. |
| ProvisioningState | The current provisioning state. |
| SecurityRule | Network security rule. |
| SecurityRuleAccess | Whether network traffic is allowed or denied. |
| SecurityRuleDirection | The direction of the rule. The direction specifies if the rule will be evaluated on incoming or outgoing traffic. |
| SecurityRuleProtocol | Network protocol this rule applies to. |

ApplicationSecurityGroup

An application security group in a resource group.

| Name | Type | Description |
|---|---|---|
| etag | string | A unique read-only string that changes whenever the resource is updated. |
| id | string | Resource ID. |
| location | string | Resource location. |
| name | string | Resource name. |
| properties.provisioningState | ProvisioningState | The provisioning state of the application security group resource. |
| properties.resourceGuid | string | The resource GUID property of the application security group resource. It uniquely identifies a resource, even if the user changes its name or migrates the resource across subscriptions or resource groups. |
| tags | object | Resource tags. |
| type | string | Resource type. |

CloudError

An error response from the service.

| Name | Type | Description |
|---|---|---|
| error | CloudErrorBody | Cloud error body. |

CloudErrorBody

An error response from the service.

| Name | Type | Description |
|---|---|---|
| code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| details | CloudErrorBody[] | A list of additional details about the error. |
| message | string | A message describing the error, intended to be suitable for display in a user interface. |
| target | string | The target of the particular error. For example, the name of the property in error. |

ProvisioningState

The current provisioning state.

| Name | Type | Description |
|---|---|---|
| Deleting | string | |
| Failed | string | |
| Succeeded | string | |
| Updating | string | |

SecurityRule

Network security rule.

| Name | Type | Description |
|---|---|---|
| etag | string | A unique read-only string that changes whenever the resource is updated. |
| id | string | Resource ID. |
| name | string | The name of the resource that is unique within a resource group. This name can be used to access the resource. |
| properties.access | SecurityRuleAccess | The network traffic is allowed or denied. |
| properties.description | string | A description for this rule. Restricted to 140 chars. |
| properties.destinationAddressPrefix | string | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. |
| properties.destinationAddressPrefixes | string[] | The destination address prefixes. CIDR or destination IP ranges. |
| properties.destinationApplicationSecurityGroups | ApplicationSecurityGroup[] | The application security group specified as destination. |
| properties.destinationPortRange | string | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. |
| properties.destinationPortRanges | string[] | The destination port ranges. |
| properties.direction | SecurityRuleDirection | The direction of the rule. The direction specifies if the rule will be evaluated on incoming or outgoing traffic. |
| properties.priority | integer | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. |
| properties.protocol | SecurityRuleProtocol | Network protocol this rule applies to. |
| properties.provisioningState | ProvisioningState | The provisioning state of the security rule resource. |
| properties.sourceAddressPrefix | string | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. |
| properties.sourceAddressPrefixes | string[] | The CIDR or source IP ranges. |
| properties.sourceApplicationSecurityGroups | ApplicationSecurityGroup[] | The application security group specified as source. |
| properties.sourcePortRange | string | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. |
| properties.sourcePortRanges | string[] | The source port ranges. |
| type | string | The type of the resource. |

SecurityRuleAccess

Whether network traffic is allowed or denied.

| Name | Type | Description |
|---|---|---|
| Allow | string | |
| Deny | string | |

SecurityRuleDirection

The direction of the rule. The direction specifies if the rule will be evaluated on incoming or outgoing traffic.

| Name | Type | Description |
|---|---|---|
| Inbound | string | |
| Outbound | string | |

SecurityRuleProtocol

Network protocol this rule applies to.

| Name | Type | Description |
|---|---|---|
| * | string | |
| Ah | string | |
| Esp | string | |
| Icmp | string | |
| Tcp | string | |
| Udp | string | |