How to assign network security groups in Azure using PowerShell

Security is a top priority for any cloud provider, and it must have the same priority for any IT department when moving their applications and infrastructure to the cloud. When using Microsoft Azure, you will be presented with a variety of security features in all shapes and forms. In today’s article, we are going to cover a basic one called network security groups (NSG for short). They are essential to protect the traffic in any given subnet within a virtual network (VNet from this point on in this article) and virtual network interfaces (vNIC).

An NSG comes with some default rules to allow the essential services to run on the new VMs, and the cloud administrator is responsible for managing all other traffic required. All rules will be evaluated based on their priority using these following five types of information: source, source port, destination, destination port, and protocol.

We will be managing the network security groups feature using PowerShell. There are two distinct cmdlets to associate an existent network security group to either a vNIC or VNet, and we will cover both of them in this article.

You can always create your network security groups during the provision of your VMs. Their presence can be seen on the very first page of the provisioning process, and then again on the Networking page of the wizard. In that last page, we can define if we don’t want an NSG at all by selecting None, and use a Basic or Advanced interface to customize the security rules.

Understanding the basic PowerShell cmdlets

Before diving into the cmdlets to configure either a VNet or vNIC, we need to get acquainted with some basic PowerShell cmdlets that are required when managing NSGs.

These cmdlets will help you to list the resource group names (first one), list the network interfaces (second line), and list the network security groups (the third one). We can always list the VMs running and their vNICs using the fourth cmdlet. Keep in mind that they are using the parameter ResourceGroupName, which was used in the first cmdlet.

  • Get-AzResourceGroup | Select ResourceGroupName
  • Get-AzNetworkInterface -ResourceGroupName “<ResourceGroupName>”
  • Get-AzNetworkSecurityGroup | Select Name,ResourceGroupName,Location
  • Get-AzVM | select Name,ResourceGroupName,Location -ExpandProperty NetworkProfile | fl

Note: If you want to save time, you can always use a variable instead of typing in the resource group name every time.

Managing network security groups at the virtual network interface level

If you want something more specific and are applying an NSG at the VM level, in this case, the Set-AzureRMNetworkInterface cmdlet will be your tool of choice to perform this task.

The first step is to retrieve the network security groups and save the specific NSG into a variable. These two cmdlets are required:

Get-AzNetworkSecurityGroup | Select Name,ResourceGroupName,Location
$rg = ‘ResourceGroupName’
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name ‘<NSGName>’

The second step is to list all vNICs available. First, find the vNIC attached to the VM that you want to apply the NSG. Then, we need to add the vNIC to a PowerShell variable.

Get-AzVM | select Name,ResourceGroupName,Location -ExpandProperty NetworkProfile | fl
$vNIC = Get-AzNetworkInterface -ResourceGroupName $rg -Name ‘ap-app1-vm001268’

The final step is to use the variables that we created in the previous step and apply the changes. We are going to do that using the $vNIC variable that we have just populated and configured the network security group. We are going to use the $nsg variable that we defined in the first step of this section. The process to apply the changes is to run the Set-AzuresNetworkInterface as an output of the $vNIC variable.

$vNIC.NetworkSecurityGroup = $nsg
$vNIC | Set-AzNetworkInterface

The result of the PowerShell cmdlet can be easily checked in the Azure Portal. Click on Networking (Item 1) of the VM that we have chosen to apply the network security group. The network interface will be displayed on the right side (Item 2) next to the network/subnet, public IP, and private IP information. In Item 3, we can check that the network security group is associated with the interface.

Managing NSGs at VNet level

The recommendation is always to reduce the number of network security groups, and by doing that, we can have smaller building blocks applied to a subnet instead of a specific VM.

To assign network security groups to a VNet/Subnet level is using the Set-AzureRMVirtualNetworkSubnetConfig cmdlet, which associates an NSG to a virtual network (VNet).

Get-AzNetworkSecurityGroup | Select Name,ResourceGroupName,Location
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name ‘<NSGName>’

Get-AzVirtualNetwork | select Name
$VNet = get-azvirtualnetwork -Name ‘<VNet-Name>’

Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNet | select Name,AddressPrefix
$VNetSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name default

Set-AzVirtualNetworkSubnetConfig -Name $VNetSubnet.Name -VirtualNetwork $VNet -AddressPrefix $VNetSubnet.AddressPrefix -NetworkSecurityGroup $nsg
$VNet | Set-AzVirtualNetwork

The results can be seen in the Azure Portal. Logged on to the portal, click on the VNet, click on Subnets (Item 1), select the desired subnet (Item 2), check the network security group to see if there is an NSG associated to the subnet.

Featured image: Pixabay

Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange, CISSP and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at,, and Anderson (Portuguese).

Published by
Anderson Patricio

Recent Posts

Office 365 is now Microsoft 365: Everything you need to know

Microsoft has rebranded various products in its Office 365 lineup as Microsoft 365. Here is…

1 hour ago

Ansible Automation Engine: Complete getting started guide

In this second article in our series, we will work on the Ansible Automation Engine…

19 hours ago

Microsoft Build 2020: All major announcements for developers

Microsoft Build 2020 included several announcements aimed at developers and the IT community. Here are…

22 hours ago

Dell unveils new PCs optimized for remote work

With remote work here to stay, companies are looking to supply employees with devices to…

1 day ago

Using Azure Active Directory Identity Protection to boost your security

Using Azure Active Directory Identity Protection will boost your security. This step-by-step guide shows you…

2 days ago

Review: Kemp Virtual LoadMaster load balancer

With many businesses requiring employees to work remotely, Kemp’s Virtual LoadMaster can help relieve many…

2 days ago