Open ports for connectivity in Azure VM using Azure CLI


To open the endpoint that you use to access the virtual machine remotely, create a Network Security Group rule with az network nsg rule create as follows:



az network nsg rule create --name
                           --nsg-name
                           --priority
                           --resource-group
                           [--access {Allow, Deny}]
                           [--description]
                           [--destination-address-prefixes]
                           [--destination-asgs]
                           [--destination-port-ranges]
                           [--direction {Inbound, Outbound}]
                           [--protocol {*, Ah, Esp, Icmp, Tcp, Udp}]
                           [--source-address-prefixes]
                           [--source-asgs]
                           [--source-port-ranges]
                           [--subscription]
                           

Examples

Create a basic "Allow" NSG rule with the highest priority.

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 100

Create a "Deny" rule over TCP for a specific IP address range with the lowest priority.

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule --priority 4096 \
    --source-address-prefixes 208.130.28.0/24 --source-port-ranges 80 \
    --destination-address-prefixes '*' --destination-port-ranges 80 8080 --access Deny \
    --protocol Tcp --description "Deny from specific IP address ranges on 80 and 8080."

Create a security rule using service tags. For more details visit https://aka.ms/servicetags

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRuleWithTags \
    --priority 400 --source-address-prefixes VirtualNetwork --destination-address-prefixes Storage \
    --destination-port-ranges '*' --direction Outbound --access Allow --protocol Tcp --description "Allow VirtualNetwork to Storage."

Create a security rule using application security groups. For more details visit https://aka.ms/applicationsecuritygroups

az network nsg rule create -g MyResourceGroup --nsg-name MyNsg -n MyNsgRuleWithAsg \
    --priority 500 --source-address-prefixes Internet --destination-port-ranges 80 8080 \
    --destination-asgs Web --access Allow --protocol Tcp --description "Allow Internet to Web ASG on ports 80,8080."
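
The case in this page's title, opening the port used to reach the VM remotely, shown as an added example that is not from the original page or the Azure CLI documentation. The wrapper checks the priority range and requires a specific source CIDR before it builds the command, which is stricter than the CLI itself; the function names, NSG_APPLY, the rule name AllowSsh and the 203.0.113.0/24 range are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page; names and addresses are constructed.
# Prints an az command for a source-restricted inbound Allow rule on one port.
# Set NSG_APPLY=1 (assumed variable name) to run the command instead.

# valid_cidr PREFIX: succeed only for a four-octet IPv4 CIDR with a /1-/32 mask,
# so '*', 'Internet', 0.0.0.0/0 and truncated prefixes such as 10.1.2/24 fail.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# nsg_allow_remote_access GROUP NSG RULE PRIORITY SOURCE_CIDR PORT
nsg_allow_remote_access() {
    [ "$#" -eq 6 ] || { echo "usage: nsg_allow_remote_access GROUP NSG RULE PRIORITY SOURCE_CIDR PORT" >&2; return 2; }
    case "$4" in ''|*[!0-9]*) echo "priority must be a number" >&2; return 1 ;; esac
    # Priority range documented for --priority: 100 (highest) to 4096 (lowest).
    if [ "$4" -lt 100 ] || [ "$4" -gt 4096 ]; then
        echo "priority must be between 100 and 4096" >&2; return 1
    fi
    if ! valid_cidr "$5"; then
        echo "source must be a specific IPv4 CIDR, got '$5'" >&2; return 1
    fi
    case "$6" in ''|*[!0-9]*) echo "port must be a single number" >&2; return 1 ;; esac
    [ "$6" -ge 1 ] && [ "$6" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    # Source, port, direction, access and protocol are all stated explicitly.
    set -- az network nsg rule create -g "$1" --nsg-name "$2" -n "$3" \
        --priority "$4" --source-address-prefixes "$5" \
        --destination-port-ranges "$6" --direction Inbound \
        --access Allow --protocol Tcp
    if [ "${NSG_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Example: nsg_allow_remote_access MyResourceGroup MyNsg AllowSsh 300 203.0.113.0/24 22
```
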


Required Parameters

--name -n

Name of the network security group rule.

--nsg-name

Name of the network security group.

--priority

Rule priority, between 100 (highest priority) and 4096 (lowest priority). Must be unique for each rule in the collection.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.



Optional Parameters

--access

accepted values: Allow, Deny  

default value: Allow

--description

Rule description.

--destination-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs. All available Service Tags, such as 'ApiManagement', 'SqlManagement' and 'AzureMonitor', are also supported.

--destination-asgs

Space-separated list of application security group names or IDs. Because of a backend limitation, this argument temporarily supports only one application security group name or ID.

--destination-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

default value: 80

--direction

accepted values: Inbound, Outbound

default value: Inbound

--protocol

Network protocol this rule applies to.

accepted values: *, Ah, Esp, Icmp, Tcp, Udp

--source-address-prefixes

Space-separated list of CIDR prefixes or IP ranges. Alternatively, specify ONE of 'VirtualNetwork', 'AzureLoadBalancer', 'Internet' or '*' to match all IPs. All available Service Tags, such as 'ApiManagement', 'SqlManagement' and 'AzureMonitor', are also supported.

--source-asgs

Space-separated list of application security group names or IDs. Because of a backend limitation, this argument temporarily supports only one application security group name or ID.

--source-port-ranges

Space-separated list of ports or port ranges between 0-65535. Use '*' to match all ports.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


