Network Security Rules
Start course
1h 26m

This course covers how to implement Azure network security. Through a combination of both theory and practical demonstrations, you will learn how to create and configure a range of Azure services designed to keep your network secure.

This includes topics such as virtual network connectivity, the Azure Front Door Service, NSG configuration, Azure firewall configuration, and application security groups. The course then moves on to the configuration of remote access management via just-in-time access and tools that are used to configure baselines.

We’d love to get your feedback on this course, so please give it a rating when you’re finished. If you have any queries or suggestions, please contact us at

Learning Objectives

  • Understand how to implement Azure network security
  • Learn about the various Azure services and methodologies available to secure your network

Intended Audience

This course is intended for IT professionals who are interested in earning Azure certification and for those who work with Microsoft Azure on a daily basis.


To get the most from this course, you should have at least a basic understanding of Azure network resources such as virtual networks, Azure firewalls, and network security groups.



Hi, everyone, and welcome back. Before I show you how to create network security rules within a network security group, I just wanted to quickly run through an overview of the different options that are available when configuring a rule. On the screen here, I'm on the page of my network security group, where I can view the security rules for MyNSG. As you can see here on the screen, this security group only contains the default set of rules that's created when the group is created. If I want to create inbound rules, I need to click over here on the Inbound Security Rules option. I would click on Outbound Security Rules to create an outbound rule.

Clicking on Add opens up the new rule blade. Now, in this source box here I have a few different options. I can set my source to Any, Application security group, IP addresses, or Service tag. If I select Application security group here, I'm prompted to select one or more existing application security groups. If I select IP addresses, I can specify either source IP addresses, or entire CIDR ranges. I can specify a single value, or a comma-separated list of multiple values. For example, I could specify multiple values like and then separate it with a comma and then an individual address,

Now, I should point out that if I specify an IP address of an Azure VM here, I need to ensure that I specify the private IP address and not the public IP address that's assigned to the VM. This is because security rules are processed after Azure translates the public IP to a private IP for inbound security rules and before Azure translates a private IP to a public IP for outbound rules.

Now, if I select Service tag here, I can then select one service tag. These service tags are predefined identifiers for different categories of IP addresses. They include things like HTTP, RDP, storage, load balancers, you name it. There are really too many options to list here, so I do suggest that you play around with this to see all the different options.

Now, for the source port ranges field here, I can specify a single port like port 80. Now, I can also specify a range of ports like 1024, for example, through 1200. I can even specify a comma-delimited list of port ranges, or even ports. For example, I can do port 80,443,3389 and then I can even do like 1000 to 1200. So, I can use comma-delimited lists as well.

Now what I can also do, and if you see down here at the bottom, the recommended value. The recommended value for source port ranges is * or Any, and this is because port filtering, as Microsoft notes here, is typically used with a destination port. So, we can leave this at * for Any as well.

The destination field offers me some additional options here. I can select Any, IP Addresses, Virtual Network, or Application security group. As was the case up here with source, if I select Application security group, it's going to ask me to specify a defined security group. I don't have any configured here, so it's telling me as much right here. And then of course, if I specify an IP address here, the same rules apply in my destination IP addresses CIDR ranges as applied up here in my source IP addresses and CIDR ranges.

As was the case in the source, if the IP address that I specify is assigned to an Azure VM, I need to make sure that I specify the private IP, not the public IP, assigned to that VM for the same reasons I mentioned up here.

Now, selecting virtual network here for destination, which is actually a service tag. What this means is that traffic is allowed to all IP addresses within the address space of the specified virtual network. Now, selecting virtual network here, which is actually a service tag, means that traffic is allowed to all IP addresses within the address space of the virtual network. The destination port ranges option allows me to specify a single value or a comma-separated list of values that specify the destination ports that I'm allowing traffic to.

The protocol option here allows me to select Any protocol, TCP, UDP, or ICMP. So, I can filter down on what protocols I'm allowing. And then, of course, the action field determines the result of matching the rule. I can choose to either allow or deny.

Priority allows me to provide a value between 100 and 4,096. This has to be unique for all security rules within the network security group. Security rules are processed in priority order and what that means is, the lower the number, the higher the priority.

Microsoft actually recommends that you leave a gap between priority numbers when you create your rules. So for example, instead of setting priorities of one, two, and three, use values like 100, 200, and 300. Leaving gaps makes it easier to add rules in the future without juggling priority values.

Then when you create a rule, the name for the rule needs to be unique within the network security group. It can be up to 80 characters in length and it must begin with a letter, or a number, end with a letter, number, or underscore, and it can only contain letters, numbers, underscores, periods, or hyphens. Essentially no spaces. And, of course, the description here is optional. We don't have the little red star here telling us it's mandatory.

So now that you have an idea of what all is involved in creating a rule, we'll jump into the next lesson where I'll show you exactly how to create a new rule.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.