End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Check Virtual Network Subnets for Network Security Groups

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Azure Virtual Network (VNet) subnets are configured with Network Security Groups (NSGs). NSGs provide an additional layer of protection for the Azure cloud resources deployed within a Virtual Network (VNet) by filtering inbound and outbound network traffic at the subnet boundary. A subnet with no NSG (and no NSG on the attached network interfaces) applies no traffic filtering at all; an NSG lets you allow only the traffic flows a workload needs and block the rest.

Security

Using Network Security Groups to control traffic to and from Virtual Network subnets is important for several reasons. A subnet without an NSG performs no filtering: any resource in it that has a public IP address is reachable from the Internet on every port, and any peer that can route to the subnet (other subnets in the VNet, peered VNets, on-premises networks connected through VPN or ExpressRoute) can reach every port on every resource in it. An NSG lets you allow only the source addresses, destination ports and protocols a workload actually needs. Its rules are evaluated in priority order, and the built-in DenyAllInBound rule sits behind your custom inbound rules, so inbound traffic that you have not explicitly allowed is dropped (the default rules still allow traffic from within the VNet and from the Azure load balancer). Attaching the NSG at the subnet level applies the policy uniformly to everything deployed in that subnet, so a newly created VM or service cannot be placed there unfiltered.

Overall, Network Security Groups (NSGs) provide robust protection for your subnet resources by effectively shielding them from unauthorized access and malicious attacks.

Audit

To determine if your Virtual Network (VNet) subnets are configured with Network Security Groups (NSGs), perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Virtual network for Value, and select Apply to list only the Azure Virtual Networks available in the selected subscription.

05 Click on the name (link) of the Virtual Network (VNet) that you want to examine.

06 In the resource navigation panel, under Settings, select Subnets to access the subnets associated with the selected VNet.

07 Click on the name (link) of the Virtual Network subnet that you want to examine.

08 In the Security section, check the Network security group setting to identify the name of the Network Security Group configured for the selected subnet. If Network security group is set to None, the selected Virtual Network (VNet) subnet is not configured to use Network Security Groups (NSGs).

09 Repeat steps no. 7 and 8 for each subnet deployed to the selected Azure Virtual Network.

10 Repeat steps no. 5 – 9 for each Virtual Network created in the selected Azure subscription.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network vnet list command (Windows/macOS/Linux) with custom query filters to list the names of all Virtual Networks (and the names of their associated resource groups) available in the selected Azure subscription:

az network vnet list
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return a table with requested VNet identifiers:

Name              ResourceGroup
----------------  ------------------------------
cc-project9-vnet  cloud-shell-storage-westeurope
cc-frontend-vnet  cloud-shell-storage-westeurope

06 Run network vnet show command (Windows/macOS/Linux) with the name of the Azure Virtual Network (VNet) that you want to examine and its associated resource group as the identifier parameters, to list the names of the subnets associated with the selected VNet:

az network vnet show
	--name cc-project9-vnet
	--resource-group cloud-shell-storage-westeurope
	--output table
	--query 'subnets[].name'

07 The command output should return a table with requested subnet identifiers:

Result
---------------------------
cc-project9-vnet-subnet-001
cc-project9-vnet-subnet-002

08 Run resource show command (Windows/macOS/Linux) to describe the ID of the Network Security Group (NSG) configured for the selected VNet subnet:

az resource show
	--name "cc-project9-vnet-subnet-001"
	--resource-group "cloud-shell-storage-westeurope"
	--namespace "Microsoft.Network"
	--parent "virtualnetworks/cc-project9-vnet"
	--resource-type "subnets"
	--query '{"NetworkSecurityGroupId":properties.networkSecurityGroup.id}'

09 The command output should return the requested NSG identifier:

{
	"NetworkSecurityGroupId": null
}

If the resource show command output returns null for the "NetworkSecurityGroupId" attribute, as shown in the example above, the selected Virtual Network (VNet) subnet is not configured to use Network Security Groups (NSGs). Note that this check considers only the subnet association: an NSG attached directly to a network interface inside the subnet does not satisfy it.

10 Repeat steps no. 8 and 9 for each subnet deployed to the selected Azure Virtual Network.

11 Repeat steps no. 6 – 10 for each Virtual Network created within the selected Azure subscription.
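The CLI audit above inspects one subnet at a time. The following Python script is an added example, not code from the Conformity page: it performs the same check across a whole subscription in one pass by reading the JSON output of `az network vnet list` (each subnet object carries a networkSecurityGroup field that is null when no NSG is associated, the same null the `az resource show` query above surfaces) instead of the table output used in the steps. The embedded sample VNet data, the RESERVED_SUBNETS set and the `--live` switch are assumptions made so it runs offline; with `--live` it calls the Azure CLI instead.

```python
"""Subscription-wide audit of VNet subnets with no Network Security Group.

Added example; not code from the Conformity page. It reads the JSON that
`az network vnet list --output json` prints, in which every subnet carries a
"networkSecurityGroup" field that is null when no NSG is associated.
"""
import json
import subprocess

# Assumption: subnets Azure reserves for gateways/firewall are skipped because
# an NSG is unsupported there. Adjust this set to your own policy.
RESERVED_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet"}


def load_vnets_from_cli(subscription=None):
    """Live path: fetch all VNets (with subnets) in the current/given subscription."""
    cmd = ["az", "network", "vnet", "list", "--output", "json"]
    if subscription:
        cmd += ["--subscription", subscription]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def find_subnets_without_nsg(vnets, reserved=RESERVED_SUBNETS):
    """Return (vnet, resourceGroup, subnet) tuples for non-compliant subnets.

    A subnet is non-compliant when its networkSecurityGroup is null or lacks
    an id. An NSG attached only to a NIC inside the subnet does not count.
    """
    findings = []
    for vnet in vnets:
        for subnet in vnet.get("subnets") or []:
            if subnet["name"] in reserved:
                continue
            nsg = subnet.get("networkSecurityGroup") or {}
            if not nsg.get("id"):
                findings.append((vnet["name"], vnet["resourceGroup"], subnet["name"]))
    return findings


def compliance_summary(vnets, reserved=RESERVED_SUBNETS):
    """Count checked vs. failing subnets, for a quick pass/fail line."""
    checked = sum(1 for v in vnets for s in v.get("subnets") or [] if s["name"] not in reserved)
    failing = len(find_subnets_without_nsg(vnets, reserved))
    return {"checked": checked, "failing": failing}


# Constructed sample in the shape of `az network vnet list -o json`, trimmed to
# the fields this check reads; names follow the page's examples.
SAMPLE_VNETS = json.loads("""
[
  {"name": "cc-project9-vnet", "resourceGroup": "cloud-shell-storage-westeurope",
   "subnets": [
     {"name": "cc-project9-vnet-subnet-001", "networkSecurityGroup": null},
     {"name": "cc-project9-vnet-subnet-002",
      "networkSecurityGroup": {"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-project9-secure-nsg"}},
     {"name": "GatewaySubnet", "networkSecurityGroup": null}
   ]},
  {"name": "cc-frontend-vnet", "resourceGroup": "cloud-shell-storage-westeurope",
   "subnets": [
     {"name": "default", "networkSecurityGroup": null}
   ]}
]
""")

if __name__ == "__main__":
    import sys
    vnets = load_vnets_from_cli() if "--live" in sys.argv else SAMPLE_VNETS
    for vnet, rg, subnet in find_subnets_without_nsg(vnets):
        print(f"NON-COMPLIANT  {rg}/{vnet}/{subnet}: no Network Security Group")
    print(compliance_summary(vnets))
```

Run it with `--live` after `az account set` to audit the active subscription; the reserved-subnet exclusion exists only so that subnets on which Azure does not support an NSG do not show up as findings, and it can be emptied if your policy is to report them anyway.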

Remediation / Resolution

The risk of unauthorized access increases when VNet subnets are unprotected. To configure Network Security Groups (NSGs) for your Azure Virtual Networks (VNets), perform the following operations. Keep in mind that an Allow rule only opens a path: the NSG's default rules still allow all traffic within the VNet and all outbound traffic to the Internet, so if you want to restrict egress to known destinations you must also add a custom Deny rule with a lower priority (a higher number, up to 4096) than your Allow rules.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Network security groups blade available at https://portal.azure.com/#view/HubsExtension/AssetMenuBlade/~/NSGs/assetName/NetworkFoundation/extensionName/Microsoft_Azure_Network.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 Choose Create and perform the following actions to create a new Network Security Group (NSG) for your VNet subnet:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the Network Security Group in the Name box.
    4. For Region, select the Azure cloud region where the NSG instance will be deployed.
    5. Choose Next : Tags > to continue the setup.
  2. For Tags, use the Name and Value fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the NSG setup.
  3. For Review + create, review the resource configuration details, then choose Create to create your new Network Security Group (NSG).

05 Once your new Network Security Group (NSG) is available, select Go to resource to access your new NSG resource.

06 In the left navigation panel, under Settings, choose Inbound security rules, select Add, and perform the following actions to create a new inbound rule:

  1. For Source choose IP Addresses to allow inbound traffic from specified IP addresses only.
  2. For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses, or IP address ranges that will be allowed to access the resource associated with the selected Network Security Group. You can also provide a comma-separated list of IP addresses or address ranges.
  3. For Destination port ranges, provide a single port, such as 22 (SSH), or a comma-separated list of single ports. This specifies on which port(s) the inbound traffic will be allowed by the selected NSG rule.
  4. For Protocol, select the appropriate network protocol (e.g., TCP).
  5. Make sure that Action is set to Allow.
  6. For Priority choose the rule priority. NSG rules are processed in priority order; the lower the number, the higher the priority. You can leave gaps between rules, such as 100, 200, 300, etc., to add new rules without having to edit existing rules.
  7. Provide a unique name for the inbound rule in the Name box.
  8. Choose Add to create your new NSG inbound rule.

07 In the navigation panel, under Settings, choose Outbound security rules, select Add, and perform the following operations to create a new outbound rule:

  1. For Destination choose IP Addresses to allow outbound traffic to specified IP addresses only.
  2. For Destination IP addresses/CIDR ranges, provide the IP address, IP addresses, or IP address ranges for the outgoing traffic, allowed by this rule.
  3. For Destination port ranges, provide a single port, such as 443, or a comma-separated list of single ports. This specifies on which port(s) the outbound traffic will be allowed by the selected NSG rule.
  4. For Protocol, select the appropriate network protocol (e.g., TCP).
  5. Make sure that Action is set to Allow.
  6. For Priority choose the rule priority. NSG rules are processed in priority order; the lower the number, the higher the priority. You can leave gaps between rules, such as 100, 200, 300, etc., to add new rules without having to edit existing rules.
  7. Provide a unique name for the outbound rule in the Name box.
  8. Choose Add to create your new NSG outbound rule.

08 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

09 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

10 From the Type equals all filter box, choose Type for Filter, select Equals for Operator, choose Virtual network for Value, and select Apply to list only the Azure Virtual Networks available in the selected subscription.

11 Click on the name (link) of the Virtual Network (VNet) that you want to configure.

12 In the resource navigation panel, under Settings, select Subnets to access the subnets associated with the selected VNet.

13 Click on the name (link) of the Virtual Network subnet that you want to configure.

14 In the Security section, select the name of your new Network Security Group (NSG) from the Network security group dropdown list, and choose Save to apply the configuration changes.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network nsg create command (Windows/macOS/Linux) to create a new Network Security Group (NSG) for your Virtual Network (VNet) subnet:

az network nsg create
	--name cc-project9-secure-nsg
	--resource-group cloud-shell-storage-westeurope
	--location westeurope
	--query 'NewNSG.provisioningState'

05 The command output should return the NSG provisioning status:

"Succeeded"

06 Run network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to allow inbound traffic from known, trusted IP addresses, on specific ports:

az network nsg rule create
	--name AllowSSHInboundAccess
	--nsg-name cc-project9-secure-nsg
	--resource-group cloud-shell-storage-westeurope
	--direction Inbound
	--access Allow
	--protocol Tcp
	--priority 100
	--source-address-prefixes 10.20.30.40/32
	--source-port-ranges "*"
	--destination-address-prefixes "*"
	--destination-port-ranges 22
	--description "Allow controlled inbound traffic on TCP port 22 (SSH)"

07 The command output should return the information available for the new NSG rule:

{
	"access": "Allow",
	"description": "Allow controlled inbound traffic on TCP port 22 (SSH)",
	"destinationAddressPrefix": "*",
	"destinationAddressPrefixes": [],
	"destinationPortRange": "22",
	"destinationPortRanges": [],
	"direction": "Inbound",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-project9-secure-nsg/securityRules/AllowSSHInboundAccess",
	"name": "AllowSSHInboundAccess",
	"priority": 100,
	"protocol": "Tcp",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sourceAddressPrefix": "10.20.30.40/32",
	"sourceAddressPrefixes": [],
	"sourcePortRange": "*",
	"sourcePortRanges": [],
	"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

08 Run network nsg rule create command (Windows/macOS/Linux) with the name of the Network Security Group (NSG) that you want to configure as the identifier parameter, to allow outbound traffic to known, trusted IP addresses, on specific ports:

az network nsg rule create
	--name AllowHttpsOutboundAccess
	--nsg-name cc-project9-secure-nsg
	--resource-group cloud-shell-storage-westeurope
	--direction Outbound
	--access Allow
	--protocol Tcp
	--priority 200
	--source-address-prefixes '*'
	--source-port-ranges '*'
	--destination-port-ranges 443
	--destination-address-prefixes 10.20.30.40/32
	--description "Allow controlled outbound traffic on TCP port 443 (HTTPS)"

09 The command output should return the information available for the new NSG rule:

{
	"access": "Allow",
	"description": "Allow controlled outbound traffic on TCP port 443 (HTTPS)",
	"destinationAddressPrefix": "10.20.30.40/32",
	"destinationAddressPrefixes": [],
	"destinationPortRange": "443",
	"destinationPortRanges": [],
	"direction": "Outbound",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-project9-secure-nsg/securityRules/AllowHttpsOutboundAccess",
	"name": "AllowHttpsOutboundAccess",
	"priority": 200,
	"protocol": "Tcp",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sourceAddressPrefix": "*",
	"sourceAddressPrefixes": [],
	"sourcePortRange": "*",
	"sourcePortRanges": [],
	"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

10 Run network vnet subnet update command (Windows/macOS/Linux) to associate the Network Security Group (NSG) created earlier in the Remediation process with your Azure Virtual Network (VNet) subnet:

az network vnet subnet update
	--name cc-project9-vnet-subnet-001
	--vnet-name cc-project9-vnet
	--resource-group cloud-shell-storage-westeurope
	--network-security-group cc-project9-secure-nsg

11 The command output should return the information available for the configured VNet subnet:

{
	"addressPrefix": "10.0.2.0/24",
	"delegations": [
		{
			"actions": [
				"Microsoft.Network/virtualNetworks/subnets/action"
			],
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet/subnets/cc-project9-vnet-subnet-001/delegations/delegation",
			"name": "delegation",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"serviceName": "Microsoft.Web/serverfarms",
			"type": "Microsoft.Network/virtualNetworks/subnets/delegations"
		}
	],
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet/subnets/cc-project9-vnet-subnet-001",
	"name": "cc-project9-vnet-subnet-001",
	"networkSecurityGroup": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-project9-secure-nsg",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"privateEndpointNetworkPolicies": "Disabled",
	"privateLinkServiceNetworkPolicies": "Enabled",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"serviceAssociationLinks": [
		{
			"allowDelete": false,
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project9-vnet/subnets/cc-project9-vnet-subnet-001/serviceAssociationLinks/AppServiceLink",
			"linkedResourceType": "Microsoft.Web/serverfarms",
			"locations": [],
			"name": "AppServiceLink",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks"
		}
	],
	"type": "Microsoft.Network/virtualNetworks/subnets"
}
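The two rules created in steps 06 and 08 (and their Portal counterparts in steps 06 and 07 above) are evaluated together with Azure's built-in default rules, and the practical effect is easy to misjudge. The following Python script is an added example, not code from the Conformity page or from Microsoft: it models NSG evaluation (ascending priority, first match wins, default rules at priority 65000 and above behind the custom ones) and shows that with only the page's two Allow rules, HTTPS to an arbitrary Internet host is still permitted by AllowInternetOutBound, while adding a catch-all outbound Deny at priority 4096 closes that, at the cost of also blocking intra-VNet egress not explicitly allowed. The VNet address space (10.0.0.0/16), the VM address, the test endpoints and the modelling of the VirtualNetwork, Internet and AzureLoadBalancer service tags are assumptions; only IPv4 and single-address or CIDR prefixes are handled.

```python
"""Model which flows an NSG permits once Azure's default rules are included.

Added example, not from the Conformity page or Microsoft. Assumptions: the
VNet address space is 10.0.0.0/16; the "VirtualNetwork" tag is that space,
"Internet" is everything outside it, "AzureLoadBalancer" is 168.63.129.16/32.
"""
import ipaddress

VNET_SPACE = [ipaddress.ip_network("10.0.0.0/16")]          # assumption
LB_PROBE = ipaddress.ip_network("168.63.129.16/32")        # Azure LB probe source

# Azure's built-in default rules (names and priorities as Azure defines them).
DEFAULT_RULES = [
    dict(name="AllowVnetInBound", dir="Inbound", prio=65000, access="Allow", proto="*", src="VirtualNetwork", dst="VirtualNetwork", port="*"),
    dict(name="AllowAzureLoadBalancerInBound", dir="Inbound", prio=65001, access="Allow", proto="*", src="AzureLoadBalancer", dst="*", port="*"),
    dict(name="DenyAllInBound", dir="Inbound", prio=65500, access="Deny", proto="*", src="*", dst="*", port="*"),
    dict(name="AllowVnetOutBound", dir="Outbound", prio=65000, access="Allow", proto="*", src="VirtualNetwork", dst="VirtualNetwork", port="*"),
    dict(name="AllowInternetOutBound", dir="Outbound", prio=65001, access="Allow", proto="*", src="*", dst="Internet", port="*"),
    dict(name="DenyAllOutBound", dir="Outbound", prio=65500, access="Deny", proto="*", src="*", dst="*", port="*"),
]

# The two custom rules from the remediation steps 06 and 08.
PAGE_RULES = [
    dict(name="AllowSSHInboundAccess", dir="Inbound", prio=100, access="Allow", proto="Tcp", src="10.20.30.40/32", dst="*", port="22"),
    dict(name="AllowHttpsOutboundAccess", dir="Outbound", prio=200, access="Allow", proto="Tcp", src="*", dst="10.20.30.40/32", port="443"),
]

# Assumed hardening rule: custom priorities run 100-4096, so 4096 is the last
# custom slot and still precedes AllowInternetOutBound (65001).
DENY_OTHER_EGRESS = dict(name="DenyOtherOutbound", dir="Outbound", prio=4096, access="Deny", proto="*", src="*", dst="*", port="*")


def _addr_match(spec, ip):
    """Does address `ip` fall under prefix/tag `spec`?"""
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in net for net in VNET_SPACE)
    if spec == "Internet":
        return not any(ip in net for net in VNET_SPACE)
    if spec == "AzureLoadBalancer":
        return ip in LB_PROBE
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    """Match "*", a single port, a range "a-b", or a comma-separated list."""
    if spec == "*":
        return True
    for piece in spec.split(","):
        lo, _, hi = piece.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, proto, src, dst, port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    candidates = [r for r in rules + DEFAULT_RULES if r["dir"] == direction]
    for rule in sorted(candidates, key=lambda r: r["prio"]):
        if rule["proto"] != "*" and rule["proto"].lower() != proto.lower():
            continue
        if _addr_match(rule["src"], src) and _addr_match(rule["dst"], dst) and _port_match(rule["port"], port):
            return rule["access"], rule["name"]
    raise AssertionError("unreachable: the DenyAll default rules match everything")


if __name__ == "__main__":
    vm = "10.0.2.4"                                          # assumed VM in the subnet
    for label, rules in (("page rules only", PAGE_RULES), ("with egress deny", PAGE_RULES + [DENY_OTHER_EGRESS])):
        print(label)
        print("  SSH from trusted host :", evaluate(rules, "Inbound", "Tcp", "10.20.30.40", vm, 22))
        print("  SSH from the Internet :", evaluate(rules, "Inbound", "Tcp", "203.0.113.9", vm, 22))
        print("  HTTPS to trusted host :", evaluate(rules, "Outbound", "Tcp", vm, "10.20.30.40", 443))
        print("  HTTPS to the Internet :", evaluate(rules, "Outbound", "Tcp", vm, "203.0.113.9", 443))
        print("  HTTPS to VNet peer    :", evaluate(rules, "Outbound", "Tcp", vm, "10.0.3.5", 443))
```

The inbound side is deny-by-default because DenyAllInBound is the last rule, so the SSH Allow rule is genuinely restrictive; the outbound side is not, because AllowInternetOutBound precedes DenyAllOutBound. Before adding a catch-all egress Deny in production, allow the intra-VNet and platform destinations the workload needs at a priority below 4096, since the deny also overrides AllowVnetOutBound.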

Publication date Nov 10, 2025