Version: Next

Task 03: Configure Network Security Groups

DOCUMENT CATEGORY: Runbook SCOPE: NSG configuration PURPOSE: Configure micro-segmentation for Azure Local VMs MASTER REFERENCE: Microsoft Learn - SDN Overview

Status: Active

Overview

With SDN enabled by Azure Arc, you can create and apply Network Security Groups (NSGs) to:

Logical Networks - Apply rules to all VMs on a network
VM NICs - Apply rules to specific VM network interfaces

Scope Limitation

NSGs only apply to Azure Local VMs deployed from Azure interfaces (Azure Portal, Azure CLI, ARM Templates).

NSGs do NOT apply to:

Hyper-V VMs deployed locally
VMs managed by SCVMM
AKS workloads

NSG Concepts

Rule Components

Component	Description
Priority	100-4096 (lower = higher priority)
Direction	Inbound or Outbound
Source	IP address, CIDR, Service Tag, or *
Destination	IP address, CIDR, Service Tag, or *
Protocol	TCP, UDP, ICMP, or *
Port	Single port, range, or *
Action	Allow or Deny

Default Rules

NSGs include implicit default rules:

AllowVnetInBound (Priority 65000) - Allow intra-VNet traffic
AllowAzureLoadBalancerInBound (Priority 65001) - Allow health probes
DenyAllInBound (Priority 65500) - Deny all other inbound
AllowVnetOutBound (Priority 65000) - Allow outbound to VNet
AllowInternetOutBound (Priority 65001) - Allow outbound to Internet
DenyAllOutBound (Priority 65500) - Deny all other outbound

Variables from variables.yml

Variable	Config Path	Example
`AZURE_SUBSCRIPTION_ID`	`azure.subscription.id`	`00000000-0000-0000-0000-000000000000`
`AZURE_RESOURCE_GROUP`	`azure.resource_group.name`	`rg-azurelocal-prod-eus2`
`AZURE_REGION`	`azure.resource_group.location`	`eastus2`

Execution Options

Azure Portal
Direct Script (On Node)
Standalone Script

Create a Network Security Group

Navigate to Azure Portal → Network Security Groups
Click + Create
Configure:

Subscription: Select your subscription
Resource Group: Select the cluster's resource group
Name: e.g., nsg-azl-prod-web
Region: Select the cluster's region

Click Review + Create → Create

Add Security Rules

Open the NSG resource
Go to Settings → Inbound security rules
Click + Add
Configure the rule:

Source: IP Addresses, CIDR, or Service Tag
Source port ranges: * (or specific)
Destination: IP Addresses, CIDR, or Service Tag
Destination port ranges: e.g., 443
Protocol: TCP
Action: Allow
Priority: 100-4096
Name: e.g., Allow-HTTPS-Inbound

Click Add

Associate NSG with Logical Network

Navigate to Azure Arc → Azure Local → your cluster
Go to Networking → Logical Networks
Select the target logical network
Under Settings, select Network Security Group
Choose the NSG to associate
Click Save

Associate NSG with VM NIC

Navigate to Azure Arc → Azure Local → Virtual Machines
Select the target VM
Go to Networking
Select the target NIC
Click Network Security Group
Choose the NSG to associate
Click Save

Azure-Based Management

NSG creation and management is performed via Azure APIs, not locally on the node. Use Azure CLI or ARM templates from any machine with Azure connectivity.

Configure-NSG-AzureCLI.ps1 (Run from any machine with Azure CLI)
# Requires: Azure CLI installed and logged in (az login)

<#
.SYNOPSIS
 Creates and configures Network Security Groups for Azure Local VMs.
.DESCRIPTION
 This script uses Azure CLI to create NSGs and associate them with
 Azure Local logical networks or VM NICs.
#>

param(
 [Parameter(Mandatory = $true)]
 [string]$ResourceGroupName,
 
 [Parameter(Mandatory = $true)]
 [string]$Location,
 
 [Parameter(Mandatory = $true)]
 [string]$NsgName,
 
 [Parameter(Mandatory = $false)]
 [string]$SubscriptionId
)

$ErrorActionPreference = 'Stop'

# Set subscription if provided
if ($SubscriptionId) {
 az account set --subscription $SubscriptionId
}

Write-Host "Creating Network Security Group: $NsgName" -ForegroundColor Cyan

# Create NSG
az network nsg create `
 --resource-group $ResourceGroupName `
 --name $NsgName `
 --location $Location

Write-Host "NSG created successfully" -ForegroundColor Green

# Add common security rules
Write-Host "`nAdding security rules..." -ForegroundColor Yellow

# Allow HTTPS inbound
az network nsg rule create `
 --resource-group $ResourceGroupName `
 --nsg-name $NsgName `
 --name "Allow-HTTPS-Inbound" `
 --priority 100 `
 --direction Inbound `
 --access Allow `
 --protocol Tcp `
 --source-address-prefixes "*" `
 --source-port-ranges "*" `
 --destination-address-prefixes "*" `
 --destination-port-ranges 443

Write-Host " ✓ Allow-HTTPS-Inbound (priority 100)" -ForegroundColor Green

# Allow RDP from management subnet only
az network nsg rule create `
 --resource-group $ResourceGroupName `
 --nsg-name $NsgName `
 --name "Allow-RDP-Management" `
 --priority 110 `
 --direction Inbound `
 --access Allow `
 --protocol Tcp `
 --source-address-prefixes "10.0.0.0/24" `
 --source-port-ranges "*" `
 --destination-address-prefixes "*" `
 --destination-port-ranges 3389

Write-Host " ✓ Allow-RDP-Management (priority 110)" -ForegroundColor Green

# Deny all other inbound (explicit rule)
az network nsg rule create `
 --resource-group $ResourceGroupName `
 --nsg-name $NsgName `
 --name "Deny-All-Inbound-Custom" `
 --priority 4000 `
 --direction Inbound `
 --access Deny `
 --protocol "*" `
 --source-address-prefixes "*" `
 --source-port-ranges "*" `
 --destination-address-prefixes "*" `
 --destination-port-ranges "*"

Write-Host " ✓ Deny-All-Inbound-Custom (priority 4000)" -ForegroundColor Green

Write-Host "`nNSG configuration complete" -ForegroundColor Cyan
Write-Host "Next: Associate NSG with logical network or VM NIC via Azure Portal" -ForegroundColor Yellow

Copy-paste ready NSG creation script — no config file, no helpers, no dependencies.

Configure-NSG-Standalone.ps1
# ============================================================================
# Script: Configure-NSG-Standalone.ps1
# Execution: Run anywhere with Azure CLI installed — fully self-contained
# Prerequisites: Azure CLI (az login), contributor access to resource group
# ============================================================================

#region CONFIGURATION
# ── Edit these values to match your environment ──────────────────────────────
$ResourceGroupName = "rg-azurelocal-prod" # Target resource group
$Location = "eastus2" # Azure region
$NsgName = "nsg-azl-prod-web" # NSG name
$ManagementSubnet = "10.0.0.0/24" # Management subnet for RDP access
#endregion CONFIGURATION

Write-Host "Creating Network Security Group: $NsgName" -ForegroundColor Cyan

# Create NSG
az network nsg create `
 --resource-group $ResourceGroupName `
 --name $NsgName `
 --location $Location

Write-Host " ✓ NSG created" -ForegroundColor Green

# Allow HTTPS inbound
az network nsg rule create `
 --resource-group $ResourceGroupName `
 --nsg-name $NsgName `
 --name "Allow-HTTPS-Inbound" `
 --priority 100 `
 --direction Inbound --access Allow --protocol Tcp `
 --source-address-prefixes "*" --source-port-ranges "*" `
 --destination-address-prefixes "*" --destination-port-ranges 443

Write-Host " ✓ Allow-HTTPS-Inbound (priority 100)" -ForegroundColor Green

# Allow RDP from management subnet only
az network nsg rule create `
 --resource-group $ResourceGroupName `
 --nsg-name $NsgName `
 --name "Allow-RDP-Management" `
 --priority 110 `
 --direction Inbound --access Allow --protocol Tcp `
 --source-address-prefixes $ManagementSubnet --source-port-ranges "*" `
 --destination-address-prefixes "*" --destination-port-ranges 3389

Write-Host " ✓ Allow-RDP-Management (priority 110)" -ForegroundColor Green

# Deny all other inbound
az network nsg rule create `
 --resource-group $ResourceGroupName `
 --nsg-name $NsgName `
 --name "Deny-All-Inbound-Custom" `
 --priority 4000 `
 --direction Inbound --access Deny --protocol "*" `
 --source-address-prefixes "*" --source-port-ranges "*" `
 --destination-address-prefixes "*" --destination-port-ranges "*"

Write-Host " ✓ Deny-All-Inbound-Custom (priority 4000)" -ForegroundColor Green
Write-Host "`n✅ NSG '$NsgName' configured. Associate with logical network or VM NIC via Azure Portal." -ForegroundColor Cyan

No External Dependencies

This script is completely self-contained. Edit the values in the #region CONFIGURATION block and run. No variables.yml, no config-loader, no helpers required.

Common NSG Patterns

Web Server NSG

Rule	Direction	Port	Source	Action
Allow-HTTPS	Inbound	443	*	Allow
Allow-HTTP	Inbound	80	*	Allow
Allow-RDP-Mgmt	Inbound	3389	Management CIDR	Allow
Deny-All	Inbound	*	*	Deny

Database Server NSG

Rule	Direction	Port	Source	Action
Allow-SQL	Inbound	1433	App Server CIDR	Allow
Allow-RDP-Mgmt	Inbound	3389	Management CIDR	Allow
Deny-All	Inbound	*	*	Deny

Application Server NSG

Rule	Direction	Port	Source	Action
Allow-App-Port	Inbound	8080	Web Server CIDR	Allow
Allow-RDP-Mgmt	Inbound	3389	Management CIDR	Allow
Deny-All	Inbound	*	*	Deny

NIC Configuration Note

Multiple NICs on Azure Local VMs

If you provision multiple static NICs on an Azure Local VM, all NICs receive the default gateway by default.

Resolution: Remove the default gateway from secondary NICs to prevent:

Asymmetric networking
Packet loss
Unpredictable network behavior

# Inside the VM - remove default gateway from secondary NIC
Remove-NetRoute -InterfaceAlias "Ethernet 2" -DestinationPrefix "0.0.0.0/0" -Confirm:$false

Verification

List NSG Rules

# Azure CLI
az network nsg rule list --resource-group rg-azurelocal-prod --nsg-name nsg-azl-prod-web -o table

Verify NSG Association

Navigate to Azure Portal → Azure Arc → Azure Local
Check Logical Networks for NSG association
Check Virtual Machines → Networking for NIC NSG association

Test Connectivity

# From a test VM, verify rules are working
Test-NetConnection -ComputerName <target-vm-ip> -Port 443
Test-NetConnection -ComputerName <target-vm-ip> -Port 3389

Troubleshooting

Issue	Resolution
NSG not applying	Verify VM was deployed from Azure interfaces
Rules not blocking	Check rule priority (lower = processed first)
Connectivity lost	Verify management access rules exist
NSG not visible	Ensure SDN is enabled on the cluster

Previous	Up	Next
← Task 02: Enable SDN Integration	Phase 01: SDN Deployment	Phase 02: Monitoring & Observability →

Version	Date	Author	Changes
1.0.0	2026-03-24	Azure Local Cloudnology Team	Initial release

Overview​

NSG Concepts​

Rule Components​

Default Rules​

Variables from variables.yml​

Execution Options​

Create a Network Security Group​

Add Security Rules​

Associate NSG with Logical Network​

Associate NSG with VM NIC​

Common NSG Patterns​

Web Server NSG​

Database Server NSG​

Application Server NSG​

NIC Configuration Note​

Verification​

List NSG Rules​

Verify NSG Association​

Test Connectivity​

Troubleshooting​

Related Documentation​

Navigation​