How to view effective rules in Azure NSG

Written by

Under the topic

Dated:

April 9, 2023

Table Of Content

To view the effective security rules in an Azure Network Security Group (NSG), you need to consider a few different methods, as effective rules can be impacted by the scope of the NSG (e.g., applied to a Virtual Machine's Network Interface Card (NIC) or a subnet).

Here's how you can view the effective rules using various tools in Azure:

Azure Portal (Effective Security Rules for NIC or Subnet)

You can use the Azure Portal to view the effective security rules for a Network Interface (NIC) or a subnet where the NSG is applied.

Steps

Go to the Azure Portal:
- Open .

Navigate to Network Watcher:
- In the left-hand search bar, type "Network Watcher" and select it.

Access "Effective Security Rules":
- Under Monitoring, click on Effective Security Rules.

Select Resource (VM, NIC, or Subnet):
- In the Effective Security Rules pane, select the Subscription, Resource Group, and the Resource Type (e.g., Network Interface or Subnet).
- For Network Interface: Select the specific NIC attached to the VM.
- For Subnet: Select the Subnet where the NSG is applied.

View Effective Rules:
- After selecting the resource, the portal will display the effective security rules applied to the selected NIC or subnet.
- These effective rules are a combination of the NSG rules and any other relevant factors (e.g., rules applied to the subnet or NIC).
- The output shows Allow or Deny for each rule, along with the source, destination, port, and protocol.

Azure CLI

You can also use the Azure CLI to view the effective security rules for a given Network Interface or Subnet.

For Network Interface (NIC)

To view the effective rules for a NIC:


xxxxxxxxxx
3
1
az network nic show-effective-security-rules \
2
--resource-group <resource-group-name> \
3
--nic-name <nic-name>

This command will display the list of effective security rules applied to the NIC, considering the attached NSGs.

For Subnet

If you want to view the effective rules for a subnet, first identify the NSG attached to the subnet:


xxxxxxxxxx
4
1
az network vnet subnet show \
2
--resource-group <resource-group-name> \
3
--vnet-name <vnet-name> \
4
--name <subnet-name>

Then, you can query the rules of that NSG:


xxxxxxxxxx
4
1
az network nsg rule list \
2
--resource-group <resource-group-name> \
3
--nsg-name <nsg-name> \
4
--output table

Azure PowerShell

Azure PowerShell also provides a way to get the effective rules for an NSG attached to a NIC or subnet.

For Network Interface (NIC)


xxxxxxxxxx
3
1
Get-AzNetworkInterface `
2
-ResourceGroupName <resource-group-name> `
3
-Name <nic-name> | Get-AzEffectiveNetworkSecurityRule

This command retrieves the effective network security rules for the NIC.

For Subnet

To view the NSG rules for a subnet, first check which NSG is associated with the subnet:


xxxxxxxxxx
4
1
Get-AzVirtualNetworkSubnetConfig `
2
-ResourceGroupName <resource-group-name> `
3
-VNetName <vnet-name> `
4
-Name <subnet-name>

Then, query the rules for the NSG:


xxxxxxxxxx
3
1
Get-AzNetworkSecurityGroup `
2
-ResourceGroupName <resource-group-name> `
3
-Name <nsg-name> | Get-AzNetworkSecurityRule

Network Security Group Settings in the Portal

View NSG Rules:
- Navigate to Network Security Groups in the Azure Portal.
- Select the NSG you are interested in.
- Under Settings, review the Inbound security rules and Outbound security rules.
- This view shows the explicit rules configured for that NSG but does not show effective rules based on where the NSG is applied (i.e., it doesn't account for the NIC or subnet).

Review "Effective Rules" in the NSG:
- In the NSG pane, there is an Effective security rules option. Clicking this will show you the rules that are actively applied based on the NSG's attachment to a VM's NIC, subnet, or other resources.

Network Security Group Flow Logs (Optional)

For a deeper level of analysis, you can enable Network Security Group Flow Logs to see traffic flows and determine which rules are being applied. Flow logs provide detailed information about allowed and denied traffic based on your NSG rules.

To enable and view flow logs, use Azure Network Watcher:
- Go to Network Watcher > NSG Flow Logs.
- Configure and enable flow logs for the NSG and then review the logs in Azure Storage or Log Analytics.

Summary

Effective Security Rules are determined based on where the NSG is applied (e.g., subnet or NIC), and also depend on other factors like the priority of rules and implicit Azure rules.
Rules are evaluated based on the priority (lower number = higher priority).
Implicit rules (like allowing traffic from Azure Load Balancers or denying all traffic) can affect the effective set of rules.

By following these methods, you can accurately determine the effective security rules for a Network Security Group in Azure.

Learn about System Routes in Azure

In Azure, system routes are the default routes automati…

How to create DNS zone and an A record by using…

Below is a step-by-step guide for creating a DNS zone a…

A detailed study about Private DNS zones in Azure

Private DNS Zones in Azure Private DNS Zones in Azure e…

Learning Gateway Transit and Connectivity in Az…

Azure VPN Gateway is a service that provides secure, cr…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.