How to assign network security groups in Azure using PowerShell

Security is a top priority for any cloud provider, and it must have the same priority for any IT department when moving their applications and infrastructure to the cloud. When using Microsoft Azure, you will be presented with a variety of security features in all shapes and forms. In today’s article, we are going to cover a basic one called network security groups (NSG for short). They are essential to protect the traffic in any given subnet within a virtual network (VNet from this point on in this article) and virtual network interfaces (vNIC).

An NSG comes with some default rules to allow the essential services to run on the new VMs, and the cloud administrator is responsible for managing all other traffic required. All rules will be evaluated based on their priority using these following five types of information: source, source port, destination, destination port, and protocol.

We will be managing the network security groups feature using PowerShell. There are two distinct cmdlets to associate an existent network security group to either a vNIC or VNet, and we will cover both of them in this article.

You can always create your network security groups during the provision of your VMs. Their presence can be seen on the very first page of the provisioning process, and then again on the Networking page of the wizard. In that last page, we can define if we don’t want an NSG at all by selecting None, and use a Basic or Advanced interface to customize the security rules.

Understanding the basic PowerShell cmdlets

Before diving into the cmdlets to configure either a VNet or vNIC, we need to get acquainted with some basic PowerShell cmdlets that are required when managing NSGs.

These cmdlets will help you to list the resource group names (first one), list the network interfaces (second line), and list the network security groups (the third one). We can always list the VMs running and their vNICs using the fourth cmdlet. Keep in mind that they are using the parameter ResourceGroupName, which was used in the first cmdlet.

  • Get-AzResourceGroup | Select ResourceGroupName
  • Get-AzNetworkInterface -ResourceGroupName “<ResourceGroupName>”
  • Get-AzNetworkSecurityGroup | Select Name,ResourceGroupName,Location
  • Get-AzVM | select Name,ResourceGroupName,Location -ExpandProperty NetworkProfile | fl

Note: If you want to save time, you can always use a variable instead of typing in the resource group name every time.

Managing network security groups at the virtual network interface level

If you want something more specific and are applying an NSG at the VM level, in this case, the Set-AzureRMNetworkInterface cmdlet will be your tool of choice to perform this task.

The first step is to retrieve the network security groups and save the specific NSG into a variable. These two cmdlets are required:

Get-AzNetworkSecurityGroup | Select Name,ResourceGroupName,Location
$rg = ‘ResourceGroupName’
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name ‘<NSGName>’

The second step is to list all vNICs available. First, find the vNIC attached to the VM that you want to apply the NSG. Then, we need to add the vNIC to a PowerShell variable.

Get-AzVM | select Name,ResourceGroupName,Location -ExpandProperty NetworkProfile | fl
$vNIC = Get-AzNetworkInterface -ResourceGroupName $rg -Name ‘ap-app1-vm001268’

The final step is to use the variables that we created in the previous step and apply the changes. We are going to do that using the $vNIC variable that we have just populated and configured the network security group. We are going to use the $nsg variable that we defined in the first step of this section. The process to apply the changes is to run the Set-AzuresNetworkInterface as an output of the $vNIC variable.

$vNIC.NetworkSecurityGroup = $nsg
$vNIC | Set-AzNetworkInterface

The result of the PowerShell cmdlet can be easily checked in the Azure Portal. Click on Networking (Item 1) of the VM that we have chosen to apply the network security group. The network interface will be displayed on the right side (Item 2) next to the network/subnet, public IP, and private IP information. In Item 3, we can check that the network security group is associated with the interface.

Managing NSGs at VNet level

The recommendation is always to reduce the number of network security groups, and by doing that, we can have smaller building blocks applied to a subnet instead of a specific VM.

To assign network security groups to a VNet/Subnet level is using the Set-AzureRMVirtualNetworkSubnetConfig cmdlet, which associates an NSG to a virtual network (VNet).

Get-AzNetworkSecurityGroup | Select Name,ResourceGroupName,Location
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name ‘<NSGName>’

Get-AzVirtualNetwork | select Name
$VNet = get-azvirtualnetwork -Name ‘<VNet-Name>’

Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNet | select Name,AddressPrefix
$VNetSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name default

Set-AzVirtualNetworkSubnetConfig -Name $VNetSubnet.Name -VirtualNetwork $VNet -AddressPrefix $VNetSubnet.AddressPrefix -NetworkSecurityGroup $nsg
$VNet | Set-AzVirtualNetwork

The results can be seen in the Azure Portal. Logged on to the portal, click on the VNet, click on Subnets (Item 1), select the desired subnet (Item 2), check the network security group to see if there is an NSG associated to the subnet.

Featured image: Pixabay

Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange, CISSP and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at,, and Anderson (Portuguese).

Published by
Anderson Patricio

Recent Posts

Exchange Server log files growth and inadequate disk space allocation

When it comes to Exchange, if you build it, it will grow. Exchange Server log file growth can fill up…

2 hours ago

Hold the phone! Voice communication is becoming cool again

Business telephone conversations have largely been supplanted by email. But voice communication is far from dead — and it may…

5 hours ago

What are the potential disadvantages of SSL/TLS?

There’s wide consensus on the benefits of SSL/TLS. However, not as much attention has been given to SSL/TLS disadvantages.

3 days ago

Exploring native software inventory logging in Windows Server

Windows Server has built-software inventory logging that can be very useful. Here’s how to use this little-known feature.

3 days ago

Passwordless authentication: Safer, better, and about time

Passwordless authentication has quickly become one of the primary means by which users access their laptops, phones, and tablets because…

3 days ago

Automated Incident Response in Office 365 ATP simplifies cybersecurity

Microsoft has pumped up Office 365 Advanced Threat Protection with a new feature, Automated Incident Response. Here’s what you need…

4 days ago