Configure NSG
Network Security Groups provide distributed filtering for subnets and interfaces.

| Property | Example Value | Description |
|---|---|---|
| Priority | 100 | Custom NSG rule priorities range from 100 to 4096. Azure default rules use priorities 65000, 65001, and 65500. |
| Source | VirtualNetwork | IP range, Service Tag, or ASG. |
| Destination | Any | Target IP range or tag. |
| Port | 443 | Destination port or range. |
| Protocol | TCP | TCP, UDP, ICMP, or Any. |
| Action | Allow | Allow or Deny the traffic. |

| Default Rule | Priority | Action | Description |
|---|---|---|---|
| AllowVnetInBound | 65000 | Allow | Inbound VNet-to-VNet. |
| AllowAzureLoadBalancerInBound | 65001 | Allow | Health probe traffic. |
| DenyAllInBound | 65500 | Deny | Standard "Deny All" rule. |
```mermaid
graph TD
    Rule[New Packet] --> P100[Rule 100 Match?]
    P100 -- Yes --> Action[Execute Action]
    P100 -- No --> P200[Rule 200 Match?]
    P200 -- Yes --> Action
    P200 -- No --> Default[Next Rule / Default]
```
Warning
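Rule priority ordering matters. Rules are evaluated from the lowest priority number upward, and evaluation stops at the first match. A "Deny" rule with higher priority (lower number) will block matching traffic even if an "Allow" rule for the same traffic exists at priority 200.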
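
The first-match behaviour in the warning can be checked before a rule set is deployed. The following is an added example, not part of the original page or of any Azure tooling: a simplified model of inbound evaluation plus a check for shadowed rules. The `Rule` class, the `evaluate` and `shadowed` functions, and the sample rules are assumptions made for illustration; destination, CIDR ranges and port ranges are not modelled.

```python
from dataclasses import dataclass

ANY = "*"  # simplification: real NSG rules also take CIDRs, port ranges and ASGs

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str    # service tag or ANY
    port: str      # single destination port or ANY
    protocol: str  # "TCP", "UDP", "ICMP" or ANY
    action: str    # "Allow" or "Deny"

# Inbound default rules from the table above, with the source service tags
# Azure assigns to them (destination is not modelled here).
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", ANY, ANY, "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", ANY, ANY, "Allow"),
    Rule("DenyAllInBound", 65500, ANY, ANY, ANY, "Deny"),
]

# Constructed sample rule set reproducing the case in the warning.
SAMPLE = [
    Rule("AllowHttpsFromVnet", 200, "VirtualNetwork", "443", "TCP", "Allow"),
    Rule("DenyAllFromVnet", 150, "VirtualNetwork", ANY, ANY, "Deny"),
]

def covers(rule_value, value):
    """True if a rule field (wildcard or exact value) includes the given value."""
    return rule_value == ANY or rule_value == value

def evaluate(custom_rules, source, port, protocol):
    """Return (name, action) of the first match, lowest priority number first."""
    for r in sorted(list(custom_rules) + DEFAULTS, key=lambda rule: rule.priority):
        if covers(r.source, source) and covers(r.port, str(port)) and covers(r.protocol, protocol):
            return r.name, r.action

def shadowed(custom_rules):
    """List (rule, shadowing_rule) pairs where an earlier rule covers every packet of a later one."""
    ordered = sorted(custom_rules, key=lambda rule: rule.priority)
    pairs = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in ("source", "port", "protocol")):
                pairs.append((later.name, earlier.name))
                break
    return pairs

if __name__ == "__main__":
    print(evaluate(SAMPLE, "VirtualNetwork", 443, "TCP"))
    print(shadowed(SAMPLE))
```

A shadowed pair with opposite actions is a conflict like the one in the warning; a pair with the same action is only a redundant rule.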