About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- windows_first
- missing_linux_example
Summary:
The documentation exhibits a 'windows_first' bias by exclusively using Windows Server images and Windows-centric terminology in all virtual machine creation steps, both in the Azure Portal and command-line examples. There are no examples or instructions for deploying or managing Linux-based virtual machines, nor is there any mention of Linux-specific considerations or differences. This may lead Linux users to feel unsupported or uncertain about following the guide for their scenarios.
Recommendations:
- Add parallel Linux examples for all VM creation steps, both in the Portal and CLI/PowerShell sections (e.g., show how to select Ubuntu or another popular Linux image).
- In the Portal instructions, include a step or note showing how to select a Linux image and set up SSH authentication.
- In PowerShell and Azure CLI examples, provide Linux image references (e.g., 'Canonical:UbuntuServer:20_04-lts:latest') and show how to configure Linux-specific parameters such as SSH keys.
- Where administrator credentials are discussed, mention SSH keys for Linux and provide guidance for secure setup.
- Add a note clarifying that the NSG diagnostics and other procedures are applicable to both Windows and Linux VMs, and highlight any OS-specific considerations if relevant.
- Ensure screenshots and example outputs are not exclusively Windows-centric, or provide Linux equivalents where possible.
Flagged Code Snippets
1. Create the Bastion host using [New-AzBastion](/powershell/module/az.network/new-azbastion).
1. Create a virtual machine using [New-AzVM](/powershell/module/az.compute/new-azvm). When prompted, enter a username and password.
The result shows that there are three security rules assessed for the inbound connection from the Bastion subnet:
- **GlobalRules**: this security admin rule is applied at the virtual network level using Azure Virtual Network Manager. The rule allows inbound TCP traffic from the Bastion subnet to the virtual machine.
- **mySubnet-nsg**: this network security group is applied at the subnet level (subnet of the virtual machine). The rule allows inbound TCP traffic from the Bastion subnet to the virtual machine.
- **myVM-nsg**: this network security group is applied at the network interface (NIC) level. The rule denies inbound TCP traffic from the Bastion subnet to the virtual machine.
In the **myVM-nsg** network security group, the security rule **DenyVnetInBound** denies any traffic coming from the address space of the **VirtualNetwork** service tag to the virtual machine. The Bastion host uses IP addresses from **10.0.1.0/26**, which are included in the **VirtualNetwork** service tag, to connect to the virtual machine. Therefore, the connection from the Bastion host is denied by the **DenyVnetInBound** security rule.
---
## Add a security rule to allow traffic from the Bastion subnet
To connect to **myVM** using Azure Bastion, traffic from the Bastion subnet must be allowed by the network security group. To allow traffic from **10.0.1.0/26**, add a security rule with a higher priority (lower priority number) than the **DenyVnetInBound** rule, or edit the **DenyVnetInBound** rule to allow traffic from the Bastion subnet.
# [**Portal**](#tab/portal)
You can add the security rule to the network security group from the Network Watcher page that showed you the details about the security rule denying the traffic to the virtual machine.
1. To add the security rule from within Network Watcher, select **+ Add security rule**, and then enter or select the following values:
| Setting | Value |
| --- | --- |
| Source | Select **IP Addresses**. |
| Source IP addresses/CIDR ranges | Enter ***10.0.1.0/26***, which is the IP address range of the Bastion subnet. |
| Source port ranges | Enter *. |
| Destination | Select **Any**. |
| Service | Select **Custom**. |
| Destination port ranges | Enter *. |
| Protocol | Select **Any**. |
| Action | Select **Allow**. |
| Priority | Enter ***900***, which is a higher priority than **1000**, the priority used for the **DenyVnetInBound** rule. |
| Name | Enter ***AllowBastionConnections***. |
:::image type="content" source="./media/diagnose-network-security-rules/nsg-diagnostics-add-security-rule.png" alt-text="Screenshot showing how to add a new security rule to the network security group to allow the traffic to the virtual machine from the Bastion subnet." lightbox="./media/diagnose-network-security-rules/nsg-diagnostics-add-security-rule.png":::
1. Select **Recheck** to run the diagnostic session again. The diagnostic session should now show that the traffic from the Bastion subnet is allowed.
:::image type="content" source="./media/diagnose-network-security-rules/nsg-diagnostics-vm-test-result-allowed-details.png" alt-text="Screenshot showing the details of the network security group after adding a security rule that allows the traffic to the virtual machine from the Bastion subnet." lightbox="./media/diagnose-network-security-rules/nsg-diagnostics-vm-test-result-allowed-details.png":::
The security rule **AllowBastionConnections** allows the traffic from any IP address in **10.0.1.0/26** to the virtual machine. Because the Bastion host uses IP addresses from **10.0.1.0/26**, its connection to the virtual machine is allowed by the **AllowBastionConnections** security rule.
# [**PowerShell**](#tab/powershell)
1. Use [Add-AzNetworkSecurityRuleConfig](/powershell/module/az.network/add-aznetworksecurityruleconfig) to create a security rule that allows traffic from the Bastion subnet. Then use [Set-AzNetworkSecurityGroup](/powershell/module/az.network/set-aznetworksecuritygroup) to update the network security group with the new security rule.
1. Use [Invoke-AzNetworkWatcherNetworkConfigurationDiagnostic](/powershell/module/az.network/invoke-aznetworkwatchernetworkconfigurationdiagnostic) to recheck using a new NSG diagnostics session.
1. Create a default network security group using [New-AzNetworkSecurityGroup](/powershell/module/az.network/new-aznetworksecuritygroup).
1. Create a subnet configuration for the virtual machine subnet and the Bastion host subnet using [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig).
1. Create a virtual network using [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork).
1. Create the public IP address resource required for the Bastion host using [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress).
---
> [!IMPORTANT]
> Hourly pricing starts from the moment the Bastion host is deployed, regardless of outbound data usage. For more information, see [Pricing](https://azure.microsoft.com/pricing/details/azure-bastion/). We recommend that you delete this resource once you've finished using it.
## Create a virtual machine
In this section, you create a virtual machine and a network security group applied to its network interface.
# [**Portal**](#tab/portal)
1. In the search box at the top of the portal, enter ***virtual machines***. Select **Virtual machines** from the search results.
1. Select **+ Create** and then select **Azure virtual machine**.
1. In **Create a virtual machine**, enter or select the following values in the **Basics** tab:
| Setting | Value |
| --- | --- |
| **Project Details** | |
| Subscription | Select your Azure subscription. |
| Resource Group | Select **myResourceGroup**. |
| **Instance details** | |
| Virtual machine name | Enter ***myVM***. |
| Region | Select **(US) East US**. |
| Availability Options | Select **No infrastructure redundancy required**. |
| Security type | Select **Standard**. |
| Image | Select **Windows Server 2022 Datacenter: Azure Edition - x64 Gen2**. |
| Size | Choose a size or leave the default setting. |
| **Administrator account** | |
| Username | Enter a username. |
| Password | Enter a password. |
| Confirm password | Reenter password. |
1. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.
1. In the Networking tab, select the following values:
| Setting | Value |
| --- | --- |
| **Network interface** | |
| Virtual network | Select **myVNet**. |
| Subnet | Select **default**. |
| Public IP | Select **None**. |
| NIC network security group | Select **Basic**. |
| Public inbound ports | Select **None**. |
1. Select **Review + create**.
1. Review the settings, and then select **Create**.
# [**PowerShell**](#tab/powershell)
1. Create a default network security group using [New-AzNetworkSecurityGroup](/powershell/module/az.network/new-aznetworksecuritygroup).
---
## Add a security rule to the network security group
In this section, you add a security rule to the network security group associated with the network interface of **myVM**. The rule denies any inbound traffic from the virtual network.
# [**Portal**](#tab/portal)
1. In the search box at the top of the portal, enter ***network security groups***. Select **Network security groups** from the search results.
1. From the list of network security groups, select **myVM-nsg**.
1. Under **Settings**, select **Inbound security rules**.
1. Select **+ Add**. In the Networking tab, enter or select the following values:
| Setting | Value |
| --- | --- |
| Source | Select **Service Tag**. |
| Source service tag | Select **VirtualNetwork**. |
| Source port ranges | Enter *. |
| Destination | Select **Any**. |
| Service | Select **Custom**. |
| Destination port ranges | Enter *. |
| Protocol | Select **Any**. |
| Action | Select **Deny**. |
| Priority | Enter ***1000***. |
| Name | Enter ***DenyVnetInBound***. |
1. Select **Add**.
:::image type="content" source="./media/diagnose-network-security-rules/add-inbound-security-rule.png" alt-text="Screenshot shows how to add an inbound security rule to the network security group in the Azure portal.":::
# [**PowerShell**](#tab/powershell)
Use [Add-AzNetworkSecurityRuleConfig](/powershell/module/az.network/add-aznetworksecurityruleconfig) to create a security rule that denies traffic from the virtual network. Then use [Set-AzNetworkSecurityGroup](/powershell/module/az.network/set-aznetworksecuritygroup) to update the network security group with the new security rule.
---
> [!NOTE]
> The **VirtualNetwork** service tag represents the address space of the virtual network, all connected on-premises address spaces, peered virtual networks, virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. For more information, see [Service tags](../virtual-network/service-tags-overview.md).
## Check security rules applied to a virtual machine's traffic
Use NSG diagnostics to check the security rules applied to traffic originating from the Bastion subnet and destined for the virtual machine.
# [**Portal**](#tab/portal)
1. In the search box at the top of the portal, search for and select **Network Watcher**.
1. Under **Network diagnostic tools**, select **NSG diagnostics**.
1. On the **NSG diagnostics** page, enter or select the following values:
| Setting | Value |
| ------- | ------ |
| **Target resource** | |
| Target resource type | Select **Virtual machine**. |
| Virtual machine | Select **myVM** virtual machine. |
| **Traffic details** | |
| Protocol | Select **TCP**. Other available options are **Any**, **UDP**, and **ICMP**. |
| Direction | Select **Inbound**. The other available option is **Outbound**. |
| Source type | Select **IPv4 address/CIDR**. The other available option is **Service Tag**. |
| IPv4 address/CIDR | Enter ***10.0.1.0/26***, which is the IP address range of the Bastion subnet. Acceptable values are: single IP address, multiple IP addresses, single IP prefix, multiple IP prefixes. |
| Destination IP address | Leave the default of **10.0.0.4**, which is the IP address of **myVM**. |
| Destination port | Enter * to include all ports. |
:::image type="content" source="./media/diagnose-network-security-rules/nsg-diagnostics-vm-values.png" alt-text="Screenshot showing required values for NSG diagnostics to test inbound connections to a virtual machine in the Azure portal." lightbox="./media/diagnose-network-security-rules/nsg-diagnostics-vm-values.png":::
1. Select **Run NSG diagnostics** to run the test. Once NSG diagnostics completes checking all security rules, it displays the result.
:::image type="content" source="./media/diagnose-network-security-rules/nsg-diagnostics-vm-test-result-denied.png" alt-text="Screenshot showing the result of inbound connections to the virtual machine as Denied." lightbox="./media/diagnose-network-security-rules/nsg-diagnostics-vm-test-result-denied.png":::
The result shows that there are three security rules assessed for the inbound connection from the Bastion subnet:
- **GlobalRules**: this security admin rule is applied at the virtual network level using Azure Virtual Network Manager. The rule allows inbound TCP traffic from the Bastion subnet to the virtual machine.
- **mySubnet-nsg**: this network security group is applied at the subnet level (subnet of the virtual machine). The rule allows inbound TCP traffic from the Bastion subnet to the virtual machine.
- **myVM-nsg**: this network security group is applied at the network interface (NIC) level. The rule denies inbound TCP traffic from the Bastion subnet to the virtual machine.
1. Select **View details** for **myVM-nsg** to see the security rules in this network security group and which rule is denying the traffic.
:::image type="content" source="./media/diagnose-network-security-rules/nsg-diagnostics-vm-test-result-denied-details.png" alt-text="Screenshot showing the details of the network security group that denied the traffic to the virtual machine." lightbox="./media/diagnose-network-security-rules/nsg-diagnostics-vm-test-result-denied-details.png":::
In the **myVM-nsg** network security group, the security rule **DenyVnetInBound** denies any traffic coming from the address space of the **VirtualNetwork** service tag to the virtual machine. The Bastion host uses IP addresses from the address range **10.0.1.0/26**, which is included in the **VirtualNetwork** service tag, to connect to the virtual machine. Therefore, the connection from the Bastion host is denied by the **DenyVnetInBound** security rule.
# [**PowerShell**](#tab/powershell)
Use [Invoke-AzNetworkWatcherNetworkConfigurationDiagnostic](/powershell/module/az.network/invoke-aznetworkwatchernetworkconfigurationdiagnostic) to start the NSG diagnostics session.
The security rule **AllowBastionConnections** allows the traffic from any IP address in **10.0.1.0/26** to the virtual machine. Because the Bastion host uses IP addresses from **10.0.1.0/26**, its connection to the virtual machine is allowed by the **AllowBastionConnections** security rule.
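The PowerShell tabs above name the cmdlets for the deny rule, the NSG diagnostics session, and the allow rule with its recheck, but not their arguments. The following script is an added example, not code from the original tutorial; it assumes the tutorial's resources already exist (resource group **myResourceGroup**, **myVM** at **10.0.0.4** with the NIC-level NSG **myVM-nsg**, the Bastion subnet **10.0.1.0/26**, and a Network Watcher in East US), and the property path used to read the diagnostic response is an assumption about the Az.Network response object.

```powershell
# Added example, not from the original page. Assumes the tutorial's resources
# exist: resource group myResourceGroup, VM myVM (private IP 10.0.0.4) with the
# NIC-level NSG myVM-nsg, Bastion subnet 10.0.1.0/26, Network Watcher in East US.
# The property path used to read the diagnostic response is an assumption.
$rgName        = 'myResourceGroup'
$nsgName       = 'myVM-nsg'
$bastionSubnet = '10.0.1.0/26'

# Run one NSG diagnostics session (inbound TCP from the Bastion subnet to myVM)
# and report, per evaluated NSG, the first rule matched by priority and its action.
function Test-BastionInbound {
    $vm = Get-AzVM -ResourceGroupName $rgName -Name 'myVM'
    $diagProfile = New-AzNetworkWatcherNetworkConfigurationDiagnosticProfile `
        -Direction Inbound -Protocol TCP `
        -Source $bastionSubnet -Destination '10.0.0.4' -DestinationPort '*'
    $result = Invoke-AzNetworkWatcherNetworkConfigurationDiagnostic `
        -Location 'eastus' -TargetResourceId $vm.Id -Profile $diagProfile
    foreach ($evaluated in $result.Results.NetworkSecurityGroupResult.EvaluatedNetworkSecurityGroups) {
        $shortName = ($evaluated.NetworkSecurityGroupId -split '/')[-1]
        '{0}: {1} -> {2}' -f $shortName, $evaluated.MatchedRule.RuleName, $evaluated.MatchedRule.Action
    }
}

# 1. Deny all inbound traffic from the VirtualNetwork service tag at priority 1000.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'DenyVnetInBound' `
    -Direction Inbound -Access Deny -Priority 1000 -Protocol '*' `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# 2. Diagnose: 10.0.1.0/26 lies inside VirtualNetwork, so myVM-nsg reports
#    DenyVnetInBound -> Deny even though the subnet-level NSG allows the traffic.
Test-BastionInbound

# 3. Allow the Bastion subnet at priority 900; the lower number is evaluated
#    before DenyVnetInBound (1000) and therefore matches first.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'AllowBastionConnections' `
    -Direction Inbound -Access Allow -Priority 900 -Protocol '*' `
    -SourceAddressPrefix $bastionSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# 4. Recheck: myVM-nsg should now report AllowBastionConnections -> Allow.
Test-BastionInbound
```

The second diagnostics run is the PowerShell equivalent of the portal's **Recheck** button; comparing the two outputs shows the NIC-level verdict changing from the deny rule to the new allow rule while the subnet-level result is unchanged.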
---
## Clean up resources
When no longer needed, delete the resource group and all of the resources it contains:
# [**Portal**](#tab/portal)
1. In the search box at the top of the portal, enter ***myResourceGroup***. Select **myResourceGroup** from the search results.
1. Select **Delete resource group**.
1. In **Delete a resource group**, enter ***myResourceGroup***, and then select **Delete**.
1. Select **Delete** to confirm the deletion of the resource group and all its resources.
# [**PowerShell**](#tab/powershell)
Use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) to delete the resource group and all of the resources it contains.