title Create, Change, or Delete Azure Network Security Groups
titlesuffix Azure Virtual Network
description Learn to create, change, or delete Azure network security groups (NSGs) to control traffic flow and enhance network security with Portal, PowerShell, and CLI examples.
services virtual-network
author asudbring
ms.service azure-virtual-network
ms.topic how-to
ms.date 07/26/2025
ms.author allensu
ms.custom
template-how-to
engagement-fy23
devx-track-azurepowershell
devx-track-azurecli
sfi-image-nochange

Create, change, or delete a network security group

Network security groups (NSGs) control network traffic flow through security rules that filter traffic in and out of virtual network subnets and network interfaces. This guide shows you how to create, change, or delete network security groups to enhance your Azure virtual network security. Learn to manage NSG rules using the Azure portal, PowerShell, and Azure CLI. To learn more about NSGs, see Network security group overview. Next, complete the Filter network traffic tutorial to gain hands-on experience with NSGs.

Prerequisites

If you don't have an Azure account with an active subscription, create one for free. Complete one of these tasks before you start the remainder of this article:

  • Portal users: Sign in to the Azure portal with your Azure account.

  • PowerShell users: Either run the commands in Azure Cloud Shell or run PowerShell locally from your computer. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools that are preinstalled and configured to use with your account. On the Cloud Shell browser tab, find the Select environment dropdown list. Then select PowerShell if it isn't already selected.

    If you're running PowerShell locally, use Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az.Network to find the installed version. If you need to install or upgrade, see Install Azure PowerShell module. Run Connect-AzAccount to sign in to Azure.

  • Azure CLI users: Either run the commands in Cloud Shell or run the Azure CLI locally from your computer. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools that are preinstalled and configured to use with your account. On the Cloud Shell browser tab, find the Select environment dropdown list. Then select Bash if it isn't already selected.

    If you're running the Azure CLI locally, use Azure CLI version 2.0.28 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install the Azure CLI. Run az login to sign in to Azure.

Assign the Network Contributor role or a custom role with the appropriate permissions.

Work with network security groups

You can create, view all, view details of, change, and delete an NSG. You can also associate or dissociate an NSG from a network interface or a subnet.

Create a network security group

Azure limits the number of NSGs that you can create for each Azure region and subscription. To learn more, see Azure subscription and service limits, quotas, and constraints.

  1. In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

  2. Select + Create.

  3. On the Create network security group page, under the Basics tab, enter or select the following values:

    | Setting | Action |
    | --- | --- |
    | Project details | |
    | Subscription | Select your Azure subscription. |
    | Resource group | Select an existing resource group, or create a new one by selecting Create new. This example uses the myResourceGroup resource group. |
    | Instance details | |
    | Network security group name | Enter a name for your new NSG. This example uses the name myNSG. |
    | Region | Select the desired region where you want to create the NSG. |

  4. Select Review + create.

  5. After you see the Validation passed message, select Create.

Use New-AzNetworkSecurityGroup to create an NSG named myNSG in the East US region. The NSG named myNSG is created in the existing myResourceGroup resource group.

# Define parameters for the new NSG
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
    Location          = "eastus"
}

# Create the network security group
New-AzNetworkSecurityGroup @NSGParams

Use az network nsg create to create an NSG named myNSG in the existing myResourceGroup resource group.

az network nsg create \
    --resource-group myResourceGroup \
    --name myNSG

View all network security groups

In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results to see the list of NSGs in your subscription.

[Image: Screenshot of the Network security groups list in the Azure portal.]

Use Get-AzNetworkSecurityGroup to list all the NSGs in your subscription.

Get-AzNetworkSecurityGroup | Format-Table Name, Location, ResourceGroupName, ProvisioningState, ResourceGuid

Use az network nsg list to list all the NSGs in your subscription.

az network nsg list --out table

View details of a network security group

  1. In the search box at the top of the portal, enter Network security group and select Network security groups in the search results.

  2. Select the name of your NSG.

    [Image: Screenshot of the Network security group page in the Azure portal.]

To learn more about the common Azure settings that are listed, see the following articles:

Use Get-AzNetworkSecurityGroup to view the details of an NSG.

# Define parameters for the NSG
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}

# Retrieve the NSG
Get-AzNetworkSecurityGroup @NSGParams

To learn more about the common Azure settings that are listed, see the following articles:

Use az network nsg show to view the details of an NSG.

az network nsg show \
    --resource-group myResourceGroup \
    --name myNSG

To learn more about the common Azure settings that are listed, see the following articles:


Change a network security group

The most common changes to an NSG are:

Associate or dissociate a network security group to or from a network interface

For more information about the association and dissociation of an NSG, see Associate or dissociate a network security group.

Associate or dissociate a network security group to or from a subnet

  1. In the search box at the top of the portal, enter Network security group. Then select Network security groups in the search results.

  2. Select the name of your NSG, and then select Subnets.

    • To associate an NSG to the subnet, select + Associate. Then select your virtual network and the subnet to which you want to associate the NSG. Select OK.

      [Image: Screenshot of associating a network security group to a subnet in the Azure portal.]

    • To dissociate an NSG from the subnet, select the three dots next to the subnet from which you want to dissociate the NSG, and then select Dissociate. Select Yes.

      [Image: Screenshot of dissociating an NSG from a subnet in the Azure portal.]

Use Set-AzVirtualNetworkSubnetConfig to associate or dissociate an NSG to or from a subnet.

# Define parameters for the NSG and the virtual network
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}
$VNetParams = @{
    Name              = "myVNet"
    ResourceGroupName = "myResourceGroup"
}

# Retrieve the NSG first so that $networkSecurityGroup is defined before it's used below
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# Define parameters for the subnet configuration
$SubnetParams = @{
    Name                 = "mySubnet"
    AddressPrefix        = "10.0.0.0/24"
    NetworkSecurityGroup = $networkSecurityGroup
}

# Retrieve the virtual network
$virtualNetwork = Get-AzVirtualNetwork @VNetParams

# Update the subnet configuration
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork @SubnetParams

# Update the virtual network
Set-AzVirtualNetwork -VirtualNetwork $virtualNetwork

Use az network vnet subnet update to associate or dissociate an NSG to or from a subnet.

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVNet \
    --name mySubnet \
    --network-security-group myNSG

Delete a network security group

If an NSG is associated with any subnets or network interfaces, you can't delete it. Dissociate an NSG from all subnets and network interfaces before you attempt to delete it.

  1. In the search box at the top of the portal, enter Network security group. Then select Network security groups in the search results.

  2. Select the NSG that you want to delete.

  3. Select Delete, and then select Yes in the confirmation dialog box.

    [Image: Screenshot of deleting a network security group in the Azure portal.]

Use Remove-AzNetworkSecurityGroup to delete an NSG.

# Define parameters for the NSG to be removed
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}

# Remove the NSG
Remove-AzNetworkSecurityGroup @NSGParams

Use az network nsg delete to delete an NSG.

az network nsg delete \
    --resource-group myResourceGroup \
    --name myNSG

Work with security rules

An NSG can contain multiple security rules. You can create, view all, view details of, change, and delete a security rule.

Create a security rule

Azure limits the number of rules per NSG that you can create for each Azure location and subscription. To learn more, see Azure subscription and service limits, quotas, and constraints.

  1. In the search box at the top of the portal, enter Network security group. Then select Network security groups in the search results.

  2. Select the name of the NSG to which you want to add a security rule.

  3. Select Inbound security rules or Outbound security rules.

    When you create an NSG, Azure creates several default security rules in it. To learn more, see Default security rules. You can't delete default security rules, but you can override them with rules that have a higher priority.

  4. Select + Add. Select or add values for the following settings, and then select Add.

    | Setting | Value | Details |
    | --- | --- | --- |
    | Source | One of: Any; IP Addresses; My IP address; Service Tag; Application security group | If you select IP Addresses, you must also specify Source IP addresses/CIDR ranges. If you select Service Tag, you must also select a Source service tag. If you select Application security group, you must also select an existing application security group. If you select Application security group for both Source and Destination, the network interfaces within both application security groups must be in the same virtual network. Learn how to create an application security group. |
    | Source IP addresses/CIDR ranges | A comma-delimited list of IP addresses and Classless Interdomain Routing (CIDR) ranges | This setting appears if you set Source to IP Addresses. You must specify a single value or comma-separated list of multiple values. An example of multiple values is 10.0.0.0/16, 192.188.1.1. The number of values that you can specify is limited. For more information, see Azure limits. If the IP address that you specify is assigned to an Azure VM, ensure that you specify its private IP, not its public IP address. Learn more about NSG rules' IP address translation behavior in the overview. |
    | Source service tag | A service tag from the dropdown list | This setting appears if you set Source to Service Tag for a security rule. A service tag is a predefined identifier for a category of IP addresses. To learn more about available service tags, and what each tag represents, see Service tags. |
    | Source application security group | An existing application security group | This setting appears if you set Source to Application security group. Select an application security group that exists in the same region as the network interface. Learn how to create an application security group. |
    | Source port ranges | One of: a single port, such as 80; a range of ports, such as 1024-65535; a comma-separated list of single ports and/or port ranges, such as 80, 1024-65535; an asterisk (*) to allow traffic on any port | This setting specifies the ports on which the rule allows or denies traffic. The number of ports that you can specify is limited. For more information, see Azure limits. |
    | Destination | One of: Any; IP Addresses; Service Tag; Application security group | If you select IP Addresses, you must also specify Destination IP addresses/CIDR ranges. If you select Service Tag, you must also select a Destination service tag. If you select Application security group, you must also select an existing application security group. If you select Application security group for both Source and Destination, the network interfaces within both application security groups must be in the same virtual network. Learn how to create an application security group. |
    | Destination IP addresses/CIDR ranges | A comma-delimited list of IP addresses and CIDR ranges | This setting appears if you change Destination to IP Addresses. You can specify single or multiple addresses or ranges like you can do with Source and Source IP addresses/CIDR ranges. The number that you can specify is limited. For more information, see Azure limits. If the IP address that you specify is assigned to an Azure VM, ensure that you specify its private IP, not its public IP address. Learn more about NSG rules' IP address translation behavior in the overview. |
    | Destination service tag | A service tag from the dropdown list | This setting appears if you set Destination to Service Tag for a security rule. A service tag is a predefined identifier for a category of IP addresses. To learn more about available service tags, and what each tag represents, see Service tags. |
    | Destination application security group | An existing application security group | This setting appears if you set Destination to Application security group. Select an application security group that exists in the same region as the network interface. Learn how to create an application security group. |
    | Service | A destination protocol from the dropdown list | This setting specifies the destination protocol and port range for the security rule. You can select a predefined service, like RDP, or select Custom and provide the port range in Destination port ranges. |
    | Destination port ranges | One of: a single port, such as 80; a range of ports, such as 1024-65535; a comma-separated list of single ports and/or port ranges, such as 80, 1024-65535; an asterisk (*) to allow traffic on any port | As with Source port ranges, you can specify single or multiple ports and ranges. The number that you can specify is limited. For more information, see Azure limits. |
    | Protocol | Any, TCP, UDP, or ICMP | You can restrict the rule to the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMPv4 or ICMPv6). The default is for the rule to apply to all protocols (Any). |
    | Action | Allow or Deny | This setting specifies whether this rule allows or denies access for the supplied source and destination configuration. |
    | Priority | A value between 100 and 4096 that is unique for all security rules within the NSG | Azure processes security rules in priority order. The lower the number, the higher the priority. We recommend that you leave a gap between priority numbers when you create rules, such as 100, 200, and 300. Leaving gaps makes it easier to add rules in the future so that you can give them higher or lower priority than existing rules. |
    | Name | A unique name for the rule within the NSG | The name can be up to 80 characters. It must begin with a letter or number, and it must end with a letter, number, or underscore. The name can contain only letters, numbers, underscores, periods, or hyphens. |
    | Description | A text description | You can optionally specify a text description for the security rule. The description can't be longer than 140 characters. |

    [Image: Screenshot of adding a security rule to a network security group in the Azure portal.]

Use Add-AzNetworkSecurityRuleConfig to create an NSG rule.

# Define parameters for the NSG and security rule
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}
$RuleParams = @{
    Name                 = "RDP-rule"
    Description          = "Allow RDP"
    Access               = "Allow"
    Protocol             = "Tcp"
    Direction            = "Inbound"
    Priority             = 300
    SourceAddressPrefix  = "*"
    SourcePortRange      = "*"
    DestinationAddressPrefix = "*"
    DestinationPortRange = 3389
}

# Retrieve the NSG
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# Add the security rule to the NSG
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup @RuleParams

# Update the NSG
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $networkSecurityGroup

Use az network nsg rule create to create an NSG rule.

az network nsg rule create \
    --resource-group myResourceGroup \
    --nsg-name myNSG \
    --name RDP-rule \
    --priority 300 \
    --destination-address-prefixes '*' \
    --destination-port-ranges 3389 \
    --protocol Tcp \
    --description "Allow RDP"
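
The RDP-rule above uses `*` as its source, so whether it exposes port 3389 depends on which rule wins in priority order. The following added example (not part of the original article) evaluates constructed rule sets offline, the way the Priority setting describes: the lowest-numbered matching rule decides. `New-SampleRule`, `Test-PortInRange`, `Get-InternetInboundVerdict`, the `Deny-RDP-Internet` rule, and the `203.0.113.0/24` range are hypothetical names and values, and source matching is simplified to "does this rule cover an arbitrary internet host".

```powershell
# Added example: constructed rule objects that mirror the property names shown by
# Get-AzNetworkSecurityRuleConfig. Nothing in this script calls Azure.

function New-SampleRule {   # hypothetical helper, not an Az cmdlet
    param(
        [string]$Name, [int]$Priority, [string]$Access,
        [string]$Protocol = '*', [string[]]$Source = '*', [string[]]$Ports = '*'
    )
    [pscustomobject]@{
        Name                 = $Name
        Priority             = $Priority
        Direction            = 'Inbound'
        Access               = $Access
        Protocol             = $Protocol
        SourceAddressPrefix  = $Source
        DestinationPortRange = $Ports
    }
}

# True when $Port falls inside any entry: '*', a single port, or 'low-high'.
function Test-PortInRange {
    param([int]$Port, [string[]]$Ranges)
    foreach ($range in $Ranges) {
        if ($range.Trim() -eq '*') { return $true }
        $bounds = @($range.Trim() -split '-')
        if ($Port -ge [int]$bounds[0] -and $Port -le [int]$bounds[-1]) { return $true }
    }
    return $false
}

# Returns the rule that decides inbound traffic from an arbitrary internet host.
# Simplification (assumption): only '*', 'Internet', and '0.0.0.0/0' are treated as
# covering such a host; rules scoped to other tags or specific CIDRs are skipped.
function Get-InternetInboundVerdict {
    param([object[]]$Rules, [int]$Port, [string]$Protocol = 'Tcp')
    $internetSources = @('*', 'Internet', '0.0.0.0/0')
    $Rules |
        Where-Object Direction -eq 'Inbound' |
        Sort-Object -Property Priority |          # lower number = higher priority
        Where-Object {
            $rule = $_
            ($rule.Protocol -in @('*', $Protocol)) -and
            (Test-PortInRange -Port $Port -Ranges $rule.DestinationPortRange) -and
            (@($rule.SourceAddressPrefix | Where-Object { $_ -in $internetSources }).Count -gt 0)
        } |
        Select-Object -First 1                    # first match wins
}

# The default inbound rules that Azure creates in every NSG.
$defaults = @(
    New-SampleRule -Name 'AllowVnetInBound' -Priority 65000 -Access Allow -Source 'VirtualNetwork'
    New-SampleRule -Name 'AllowAzureLoadBalancerInBound' -Priority 65001 -Access Allow -Source 'AzureLoadBalancer'
    New-SampleRule -Name 'DenyAllInBound' -Priority 65500 -Access Deny
)

$rdpOpen    = New-SampleRule -Name 'RDP-rule' -Priority 300 -Access Allow -Protocol Tcp -Ports '3389'
$rdpDeny    = New-SampleRule -Name 'Deny-RDP-Internet' -Priority 200 -Access Deny -Protocol Tcp -Source 'Internet' -Ports '3389'
# Constructed admin range (documentation prefix) standing in for a known management network.
$rdpScoped  = New-SampleRule -Name 'RDP-rule' -Priority 300 -Access Allow -Protocol Tcp -Source '203.0.113.0/24' -Ports '3389'

$scenarios = [ordered]@{
    'RDP-rule as shown on this page (source *)' = $defaults + $rdpOpen
    'Deny at 200 added in front of the Allow'   = $defaults + @($rdpOpen, $rdpDeny)
    'RDP-rule scoped to 203.0.113.0/24'         = $defaults + $rdpScoped
}

$report = foreach ($name in $scenarios.Keys) {
    $hit = Get-InternetInboundVerdict -Rules $scenarios[$name] -Port 3389
    [pscustomobject]@{
        Scenario  = $name
        DecidedBy = $hit.Name
        Priority  = $hit.Priority
        Access    = $hit.Access
    }
}
$report | Format-Table -AutoSize
```

With the page's rule, RDP-rule itself decides the flow and allows it; once the source is scoped, the decision for an arbitrary internet host falls through to the default DenyAllInBound rule.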

Duplicate security rules

To duplicate existing security rules, you can export the JSON of the existing NSG, extract the securityRules, and include it in your ARM template.

  1. In the search box at the top of the portal, enter Network security group. Then select Network security groups in the search results.

  2. Select the name of the NSG for which you want to duplicate the rules.

  3. In the NSG's Overview page, expand the Essentials section and select the JSON View link on the far right.

  4. In the Resource JSON half-pane, find "properties". Within "properties", find "securityRules". Copy the full object of the security rule or rules you want to duplicate.

  5. In the search box at the top of the portal, enter Deploy a custom template and select it in the search results.

  6. In the Custom deployment page, select Build your own template in the editor.

  7. In the Edit template page, specify the existing NSG where you want to duplicate the rules to through its name and location. Within the "properties" -> "securityRules" of the NSG, paste the copied security rule object or objects.

  8. Select Save. Select the desired subscription, resource group, and region, then select Review + create.
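
The following added example (not part of the original article) builds the template for steps 4 through 7 from a constructed Resource JSON sample. The template's securityRules array is what the target NSG ends up with, so the script merges the copied rules with the rules already on the target and checks for name or direction-and-priority clashes first. The function names, the `myTargetNSG` and `Allow-HTTPS` values, and the `apiVersion` value are assumptions; use the apiVersion shown in your own JSON View.

```powershell
# Added example: constructed Resource JSON (JSON View) samples, trimmed to the fields used here.
$sourceJson = @'
{ "name": "myNSG", "location": "eastus", "properties": { "securityRules": [
  { "name": "RDP-rule",
    "id": "/subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG/securityRules/RDP-rule",
    "etag": "W/\"<etag>\"",
    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
    "properties": { "provisioningState": "Succeeded", "description": "Allow RDP", "protocol": "Tcp",
      "sourcePortRange": "*", "destinationPortRange": "3389", "sourceAddressPrefix": "*",
      "destinationAddressPrefix": "*", "access": "Allow", "priority": 300, "direction": "Inbound" } }
] } }
'@
$targetJson = @'
{ "name": "myTargetNSG", "location": "eastus", "properties": { "securityRules": [
  { "name": "Allow-HTTPS",
    "properties": { "provisioningState": "Succeeded", "protocol": "Tcp",
      "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "*",
      "destinationAddressPrefix": "*", "access": "Allow", "priority": 200, "direction": "Inbound" } }
] } }
'@

# Keep only what a template needs: drop id, etag, type, and provisioningState.
function Get-CleanRule {   # hypothetical helper
    param([object[]]$Rules)
    foreach ($r in $Rules) {
        [pscustomobject]@{
            name       = $r.name
            properties = $r.properties | Select-Object -Property * -ExcludeProperty provisioningState
        }
    }
}

# Report incoming rules that reuse an existing name, or an existing priority in the same direction.
function Get-RuleConflict {   # hypothetical helper
    param([object[]]$Existing, [object[]]$Incoming)
    foreach ($new in $Incoming) {
        foreach ($old in $Existing) {
            $sameName = $old.name -eq $new.name
            $sameSlot = ($old.properties.direction -eq $new.properties.direction) -and
                        ($old.properties.priority -eq $new.properties.priority)
            if ($sameName -or $sameSlot) {
                [pscustomobject]@{
                    Incoming = $new.name
                    Existing = $old.name
                    Reason   = $(if ($sameName) { 'name' } else { 'direction and priority' })
                }
            }
        }
    }
}

$source   = $sourceJson | ConvertFrom-Json
$target   = $targetJson | ConvertFrom-Json
$incoming = @(Get-CleanRule -Rules $source.properties.securityRules)
$existing = @(Get-CleanRule -Rules $target.properties.securityRules)

$conflicts = @(Get-RuleConflict -Existing $existing -Incoming $incoming)
if ($conflicts.Count -gt 0) {
    $conflicts | Format-Table -AutoSize
    throw 'Rename or renumber the conflicting rules before building the template.'
}

# The merged array carries the target's current rules plus the copied ones.
$template = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        [ordered]@{
            type       = 'Microsoft.Network/networkSecurityGroups'
            apiVersion = '2023-09-01'   # assumption: replace with the version from your JSON View
            name       = $target.name
            location   = $target.location
            properties = [ordered]@{ securityRules = @($existing + $incoming) }
        }
    )
}

# Paste this output into "Build your own template in the editor".
$template | ConvertTo-Json -Depth 10
```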


View all security rules

An NSG can contain multiple security rules. To learn more about the list of information when you view the rules, see Security rules.

  1. In the search box at the top of the portal, enter Network security group. Then select Network security groups in the search results.

  2. Select the name of the NSG for which you want to view the rules.

  3. Select Inbound security rules or Outbound security rules.

    The list contains any rules that you created and the default security rules of your NSG.

    [Image: Screenshot of inbound security rules of a network security group in the Azure portal.]

Use Get-AzNetworkSecurityRuleConfig to view the security rules of an NSG.

# Define parameters for the NSG
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}

# Retrieve the NSG
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# List security rules of the NSG in a table
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup | Format-Table Name, Protocol, Access, Priority, Direction, SourcePortRange, DestinationPortRange, SourceAddressPrefix, DestinationAddressPrefix

Use az network nsg rule list to view the security rules of an NSG.

az network nsg rule list \
    --resource-group myResourceGroup \
    --nsg-name myNSG

View the details of a security rule

  1. In the search box at the top of the portal, enter Network security group. Then select Network security groups in the search results.

  2. Select the name of the NSG for which you want to view the rules.

  3. Select Inbound security rules or Outbound security rules.

  4. Select the rule for which you want to view details. For an explanation of all settings, see Security rule settings.

    Note: This procedure applies only to a custom security rule. It doesn't work if you choose a default security rule.

    [Image: Screenshot of the details of an inbound security rule of a network security group in the Azure portal.]

Use Get-AzNetworkSecurityRuleConfig to view the details of a security rule.

# Define parameters for the NSG and security rule
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}
$RuleParams = @{
    Name = "RDP-rule"
}

# Retrieve the NSG
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# View details of the security rule
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup @RuleParams

Note

This procedure applies only to a custom security rule. It doesn't work if you choose a default security rule.

Use az network nsg rule show to view the details of a security rule.

az network nsg rule show \
    --resource-group myResourceGroup \
    --nsg-name myNSG \
    --name RDP-rule

Note

This procedure applies only to a custom security rule. It doesn't work if you choose a default security rule.


Change a security rule

  1. In the search box at the top of the portal, enter Network security group. Then select Network security groups in the search results.

  2. Select the name of the NSG for which you want to view the rules.

  3. Select Inbound security rules or Outbound security rules.

  4. Select the rule that you want to change.

  5. Change the rule's settings as needed, then select Save. For an explanation of all settings, see Security rule settings.

    [Image: Screenshot of changing the inbound security rule details of a network security group in the Azure portal.]

    Note: This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.

Use Set-AzNetworkSecurityRuleConfig to update an NSG rule.

# Define parameters for the NSG and security rule
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}
$RuleParams = @{
    Name                 = "RDP-rule"
    Description          = "Allow RDP"
    Access               = "Allow"
    Protocol             = "Tcp"
    Direction            = "Inbound"
    Priority             = 200
    SourceAddressPrefix  = "*"
    SourcePortRange      = "*"
    DestinationAddressPrefix = "*"
    DestinationPortRange = 3389
}

# Retrieve the NSG
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# Update the security rule in the NSG
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup @RuleParams

# Update the NSG
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $networkSecurityGroup

Note

This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.

Use az network nsg rule update to update an NSG rule.

az network nsg rule update \
    --resource-group myResourceGroup \
    --nsg-name myNSG \
    --name RDP-rule \
    --priority 200

Note

This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.


Delete a security rule

  1. In the search box at the top of the portal, enter Network security group. Then select Network security groups in the search results.

  2. Select the name of the NSG for which you want to view the rules.

  3. Select Inbound security rules or Outbound security rules.

  4. Select the rule that you want to delete. You can select more than one rule to delete at a time.

  5. Select Delete, then select Yes.

    [Image: Screenshot of deleting an inbound security rule of a network security group in the Azure portal.]

    Note: This procedure applies only to a custom security rule. You aren't allowed to delete a default security rule.

Use Remove-AzNetworkSecurityRuleConfig to delete a security rule from an NSG.

# Define parameters for the NSG and security rule. You may specify more than one rule to delete at a time
$NSGParams = @{
    Name              = "myNSG"
    ResourceGroupName = "myResourceGroup"
}
$RuleParams = @{
    Name = "RDP-rule"
}

# Retrieve the NSG
$networkSecurityGroup = Get-AzNetworkSecurityGroup @NSGParams

# Remove the security rule from the NSG
Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $networkSecurityGroup @RuleParams

# Update the NSG
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $networkSecurityGroup

Note

This procedure applies only to a custom security rule. You aren't allowed to delete a default security rule.

Use az network nsg rule delete to delete a security rule from an NSG.

az network nsg rule delete \
    --resource-group myResourceGroup \
    --nsg-name myNSG \
    --name RDP-rule

Note

This procedure applies only to a custom security rule. You aren't allowed to delete a default security rule.


Work with application security groups

An application security group contains zero or more network interfaces. To learn more, see Application security groups. All network interfaces in an application security group must exist in the same virtual network. To learn how to add a network interface to an application security group, see Add a network interface to an application security group.

Create an application security group

  1. In the search box at the top of the portal, enter Application security group. Then select Application security groups in the search results.

  2. Select + Create.

  3. On the Create an application security group page, under the Basics tab, enter or select the following values:

    | Setting | Action |
    | --- | --- |
    | Project details | |
    | Subscription | Select your Azure subscription. |
    | Resource group | Select an existing resource group, or create a new one by selecting Create new. This example uses the myResourceGroup resource group. |
    | Instance details | |
    | Name | Enter a name for your new application security group. This example uses the name myASG. |
    | Region | Select the desired region where you want to create the application security group. |

  4. Select Review + create.

  5. After you see the Validation passed message, select Create.

Use New-AzApplicationSecurityGroup to create an application security group.

# Define parameters for the new application security group
$ASGParams = @{
    ResourceGroupName = "myResourceGroup"
    Name              = "myASG"
    Location          = "eastus"
}

# Create the application security group
New-AzApplicationSecurityGroup @ASGParams

Use az network asg create to create an application security group.

az network asg create \
    --resource-group myResourceGroup \
    --name myASG \
    --location eastus

View all application security groups

In the search box at the top of the portal, enter Application security group. Then select Application security groups in the search results. A list of your application security groups appears in the Azure portal.

[Image: Screenshot of existing application security groups in the Azure portal.]

Use Get-AzApplicationSecurityGroup to list all the application security groups in your Azure subscription.

Get-AzApplicationSecurityGroup | Format-Table Name, ResourceGroupName, Location

Use az network asg list to list all the application security groups in a resource group.

az network asg list \
    --resource-group myResourceGroup \
    --out table

View the details of a specific application security group

  1. In the search box at the top of the portal, enter Application security group. Then select Application security groups in the search results.

  2. Select the application security group for which you want to view the details.

Use Get-AzApplicationSecurityGroup to view the details of an application security group.

Get-AzApplicationSecurityGroup -Name myASG

Use az network asg show to view the details of an application security group.

az network asg show \
    --resource-group myResourceGroup \
    --name myASG

Change an application security group

  1. In the search box at the top of the portal, enter Application security group. Then select Application security groups in the search results.

  2. Select the application security group that you want to change:

    • Select move next to Resource group or Subscription to change the resource group or subscription, respectively.

    • Select edit next to Tags to add or remove tags. To learn more, see Use tags to organize your Azure resources and management hierarchy.

      [Image: Screenshot of changing an application security group in the Azure portal.]

      Note: You can't change the location of an application security group.

    • Navigate to the Access control (IAM) section to assign or remove permissions to the application security group.

# Define parameters for the application security group
$ASGParams = @{
    ResourceGroupName = "myResourceGroup"
    Name              = "myASG"
}

# Retrieve the application security group
$applicationSecurityGroup = Get-AzApplicationSecurityGroup @ASGParams

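# Set the tags on the application security group (New-AzTag replaces the resource's existing set of tags)
New-AzTag -ResourceId $applicationSecurityGroup.Id -Tag @{ Dept = "Finance" }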

Use az network asg update to update the tags for an application security group.

az network asg update \
    --resource-group myResourceGroup \
    --name myASG \
    --tags Dept=Finance

Note

You can't change the resource group, subscription, or location of an application security group by using the Azure CLI.


Delete an application security group

You can't delete an application security group if it contains any network interfaces. To remove all network interfaces from the application security group, either change the network interface settings or delete the network interfaces. To learn more, see Add or remove from application security groups or Delete a network interface.

  1. In the search box at the top of the portal, enter Application security group. Then select Application security groups in the search results.

  2. Select the application security group that you want to delete.

  3. Select Delete, and then select Yes to delete the application security group.

    [Image: Screenshot of deleting an application security group in the Azure portal.]

Use Remove-AzApplicationSecurityGroup to delete an application security group.

# Define parameters for the application security group to be removed
$ASGParams = @{
    ResourceGroupName = "myResourceGroup"
    Name              = "myASG"
}

# Remove the application security group
Remove-AzApplicationSecurityGroup @ASGParams

Use az network asg delete to delete an application security group.

az network asg delete \
    --resource-group myResourceGroup \
    --name myASG

Permissions

To manage NSGs, security rules, and application security groups, your account must be assigned to the Network Contributor role. You can also use a custom role with the appropriate permissions assigned, as listed in the following tables.

Note

You might not see the full list of service tags if the Network Contributor role was assigned at a resource group level. To view the full list, you can assign this role at a subscription scope instead. If you can only allow the Network Contributor role for the resource group, you can also create a custom role for the permissions Microsoft.Network/locations/serviceTags/read and Microsoft.Network/locations/serviceTagDetails/read. Assign them at a subscription scope along with the Network Contributor role at the resource group scope.

Network security group

| Action | Name |
| --- | --- |
| Microsoft.Network/networkSecurityGroups/read | Get an NSG. |
| Microsoft.Network/networkSecurityGroups/write | Create or update an NSG. |
| Microsoft.Network/networkSecurityGroups/delete | Delete an NSG. |
| Microsoft.Network/networkSecurityGroups/join/action | Associate an NSG to a subnet or network interface. |

Note

To perform write operations on an NSG, the subscription account must have at least read permissions for the resource group along with Microsoft.Network/networkSecurityGroups/write permission.

Network security group rule

| Action | Name |
| --- | --- |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Get a rule. |
| Microsoft.Network/networkSecurityGroups/securityRules/write | Create or update a rule. |
| Microsoft.Network/networkSecurityGroups/securityRules/delete | Delete a rule. |

Application security group

| Action | Name |
| --- | --- |
| Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action | Join an IP configuration to an application security group. |
| Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action | Join a security rule to an application security group. |
| Microsoft.Network/applicationSecurityGroups/read | Get an application security group. |
| Microsoft.Network/applicationSecurityGroups/write | Create or update an application security group. |
| Microsoft.Network/applicationSecurityGroups/delete | Delete an application security group. |
