Merge pull request #312211 from asudbring/tsk555754-sfi-bastion

prmerger-automator[bot] · web-flow · commit eb1c882c3f1e · 2026-02-25T03:02:20.000Z
Add NSG creation to virtual-networks-static-private-ip
diff --git a/articles/virtual-network/ip-services/virtual-networks-static-private-ip.md b/articles/virtual-network/ip-services/virtual-networks-static-private-ip.md
@@ -1,7 +1,7 @@
 ---
 title: Create a VM with a static private IP address using the Azure portal, Azure PowerShell, or Azure CLI
 description: Learn to create a virtual machine with a static private IP address using the Azure portal, Azure PowerShell, or Azure CLI.
-ms.date: 02/19/2026
+ms.date: 02/24/2026
 ms.author: mbender
 author: mbender-ms
 ms.service: azure-virtual-network
@@ -90,6 +90,9 @@ When you create a virtual machine (VM), it's automatically assigned a private IP
 
 1. Select **Review + create**. Review the settings, and then select **Create**.
 
+> [!NOTE]
+> The virtual machine is created without a public IP address and with no public inbound ports. To connect to the virtual machine, use Azure Bastion. For more information, see [Quickstart: Deploy Azure Bastion with default settings](../../bastion/quickstart-host-portal.md).
+
 # [Azure PowerShell](#tab/azurepowershell)
 
 Use the following steps to create a resource group, virtual network, and virtual machine.
@@ -130,6 +133,23 @@ $vnet = @{
 New-AzVirtualNetwork @vnet
 ```
 
+### Create a network security group
+
+Create a network security group with [New-AzNetworkSecurityGroup](/powershell/module/az.network/new-aznetworksecuritygroup). The default rules in the network security group deny all inbound access from the internet.
+
+```azurepowershell-interactive
+## Create network security group. ##
+$nsg = @{
+    Name = 'myNSG'
+    ResourceGroupName = 'myResourceGroup'
+    Location = 'eastus2'
+}
+New-AzNetworkSecurityGroup @nsg
+```
+
+> [!NOTE]
+> The default rules of the network security group block all inbound access from the internet, including SSH. To connect to the virtual machine, use Azure Bastion. For more information, see [Quickstart: Deploy Azure Bastion with default settings](../../bastion/quickstart-host-portal.md).
+
 ### Create a virtual machine
 
 Create a credential object for the virtual machine with [Get-Credential](/powershell/module/microsoft.powershell.security/get-credential). Enter a username and password when prompted:
@@ -185,6 +205,19 @@ az network vnet create \
     --subnet-prefixes 10.0.0.0/24
 ```
 
+### Create a network security group
+
+Create a network security group with [az network nsg create](/cli/azure/network/nsg#az-network-nsg-create). The default rules in the network security group deny all inbound access from the internet.
+
+```azurecli-interactive
+az network nsg create \
+    --resource-group myResourceGroup \
+    --name myNSG
+```
+
+> [!NOTE]
+> The default rules of the network security group block all inbound access from the internet, including SSH. To connect to the virtual machine, use Azure Bastion. For more information, see [Quickstart: Deploy Azure Bastion with default settings](../../bastion/quickstart-host-portal.md).
+
 ### Create a virtual machine
 
 The following command creates a Linux virtual machine without a public IP address with [az vm create](/cli/azure/vm#az-vm-create). The `--generate-ssh-keys` parameter generates an SSH key pair for the VM:
