Commit ab67176

Merge pull request #54040 from staleycyn/patch-1
Content-drift network security groups
2 parents 10d0d68 + e826e32 commit ab67176

5 files changed

Lines changed: 20 additions & 5 deletions

learn-pr/wwl-azure/configure-network-security-groups/includes/3-determine-network-security-groups-rules.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -17,7 +17,7 @@ Let's review the characteristics of security rules in network security groups.
1717
| Source | Any, IP Addresses, My IP address, Service Tag, or Application security group |
1818
| Source port ranges | Specify the ports on which the rule allows or denies traffic |
1919
| Destination | Any, IP Addresses, Service Tag, or Application security group |
20-
| Protocol | Restrict the rule to the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP). The default is for the rule to apply to all protocols (Any). |
20+
| Protocol | Restrict the rule to Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Encapsulating Security Payload (ESP), or Authentication Header (AH). ESP and AH protocols are only available via JSON templates and PowerShell. The default is for the rule to apply to all protocols (Any). |
2121
| Action | Allow or Deny |
2222
| Priority | A value between 100 and 4,096 that's unique for all security rules within the NSG |
2323
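
Review bot: In the new Protocol row, "ESP and AH protocols are only available via JSON templates and PowerShell" leaves two things unstated that matter to a reader building rules in the portal. Say outright that the portal does not offer these two values, and state whether the default (Any) matches ESP and AH traffic, because a reader who cannot select them may assume an Any rule does not cover them. "ESP and AH protocols" can also be shortened to "ESP and AH", since both names are already expanded earlier in the same cell.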

learn-pr/wwl-azure/configure-network-security-groups/includes/4-determine-network-security-groups-effective-rules.md

Lines changed: 1 addition & 1 deletion
@@ -34,4 +34,4 @@ If you have several network security groups and aren't sure which security rules
3434
:::image type="content" source="../media/effective-security-rules-d93ab464.png" alt-text="Screenshot of the Networking page in the Azure portal showing the Effective security rules link highlighted.":::
3535

3636
> [!NOTE]
37-
> [Network Watcher](/azure/network-watcher/effective-security-rules-overview) provides a consolidated view of your infrastructure rules.
37+
> [Network Watcher](/azure/network-watcher/effective-security-rules-overview) provides a consolidated view of your infrastructure rules, including both NSG rules and Azure Virtual Network Manager security admin rules. The IP flow verify feature evaluates traffic against both NSG rules and any security admin rules that may be in effect.
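
Review bot: The second sentence added to the note is about IP flow verify, but the only link in the note still targets effective-security-rules-overview, so the reader gets no pointer to the feature that sentence describes. Link IP flow verify to its own article. The added text also introduces Azure Virtual Network Manager security admin rules without saying how they are ordered relative to NSG rules, which is what someone troubleshooting an unexpected allow or deny needs to know; one clause or a link would cover it. "any security admin rules that may be in effect" can be tightened to "any security admin rules in effect".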

learn-pr/wwl-azure/configure-network-security-groups/includes/5-create-network-security-groups-rules.md

Lines changed: 16 additions & 1 deletion
@@ -18,6 +18,21 @@ Let's look at some of the properties you need to specify to create your security
1818

1919
:::image type="content" source="../media/security-priority.png" alt-text="Screenshot that shows how to set the priority value for a security rule in the Azure portal.":::
2020

21+
### When to use augmented security rules
22+
23+
A single network security group rule can contain multiple values in the Source, Destination, and Service fields. This approach, called augmented security rules, reduces the total number of rules needed and simplifies NSG management.
24+
25+
**Things to know about augments security rules**
26+
27+
- **Multiple IP addresses**: Combine multiple IP addresses into one rule.
28+
29+
- **Multiple port ranges**: Specify multiple ports and ranges in the Service field.
30+
31+
- **Service tags and ASGs**: Mix service tags, application security groups, and IP addresses within the same rule.
32+
33+
- **Reduced rule count**: Instead of creating separate rules for each IP range or port, combine them into fewer, more manageable rules.
34+
35+
In enterprise environments with many IP ranges or services, augmented rules prevent NSG rule sprawl. For example, instead of creating four separate rules for ports 80, 443, 8080, and 8090, create one rule with all the ports.
2136

2237
> [!TIP]
23-
> Expand your learning with the [Secure and isolate access to Azure resources by using network security groups and service endpoints](/training/modules/secure-and-isolate-with-nsg-and-service-endpoints/) training module. This module includes a sandbox where you can practice.
38+
> Expand your learning with the [Secure and isolate access to Azure resources by using network security groups and service endpoints](/training/modules/secure-and-isolate-with-nsg-and-service-endpoints/) training module. This module includes a sandbox where you can practice.
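
Review bot: Typo in the added bold line: "**Things to know about augments security rules**" should read "augmented security rules". The added text also refers to a "Service" field (new lines 23 and 29), while the properties table in 3-determine-network-security-groups-rules.md names "Source port ranges" and "Protocol"; use the same property names in both units or say that "Service" is the portal label. In the port example (80, 443, 8080, and 8090 in one rule), add that every value in a combined rule shares the same source, destination, action, and priority, so ports should be merged only when they need identical exposure. The heading says "When to use" but the bullets describe what the feature is, so consider renaming it. The 23-/38+ TIP pair looks identical, so that change appears to be whitespace only; confirm it is intended.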

learn-pr/wwl-azure/configure-network-security-groups/includes/9-summary-resources.md

Lines changed: 1 addition & 1 deletion
@@ -23,7 +23,7 @@ Copilot can assist you in designing Azure infrastructure solutions. Copilot can
2323

2424
## Learn more with documentation
2525

26-
- [Read about network security groups](/azure/virtual-network/security-overview). This article describes the properties of a network security group rule, the default security rules that are applied, and the rule properties that you can modify.
26+
- [Read about network security groups](/azure/virtual-network/network-security-groups-overview). This article describes the properties of a network security group rule, the default security rules that are applied, and the rule properties that you can modify.
2727

2828
- [Filter network traffic with network security groups in the Azure portal](/azure/virtual-network/tutorial-filter-network-traffic). Learn how to create a network security group and an application security group.
2929

learn-pr/wwl-azure/configure-network-security-groups/index.yml

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ metadata:
55
prefetch-feature-rollout: true
66
title: Configure Network Security Groups
77
description: "Learn how to implement network security groups, and ensure network security group rules are correctly applied."
8-
ms.date: 02/20/2026
8+
ms.date: 03/23/2026
99
author: wwlpublish
1010
ms.author: cynthist
1111
ms.topic: module
