Network Security Groups

What it does

Network Security Groups (NSGs) allow AI agents to define granular firewall rules for Azure virtual networks, controlling inbound and outbound traffic based on source IP, destination, port, and protocol. This capability enables automated enforcement of security policies to isolate resources and prevent unauthorized access within cloud infrastructure.

When to use it

• Automating the creation of default deny-all rules for new virtual network subnets during provisioning.
• Dynamically updating firewall allow-lists when a developer adds a new public-facing web server.
• Restricting database access so that only specific application tier IPs can connect on port 3306 or 5432.
• Implementing compliance checks to ensure no NSG rules permit traffic from untrusted IP ranges.

Key capabilities

• Define inbound and outbound security rules for Azure virtual networks.
• Specify source and destination IP addresses, prefixes, or service tags.
• Filter traffic by protocol (TCP, UDP, ICMP) and port numbers.
• Set priority levels to determine rule evaluation order when conflicts occur.
• Enable or disable specific rules to toggle access instantly without redeployment.

Example prompts

• "Create a network security group for my Azure VM that allows inbound SSH traffic from my home IP address 203.0.113.5 on port 22."
• "Update the NSG attached to my database subnet to deny all outbound traffic except DNS and HTTPS."
• "Generate a script to audit my virtual network's NSGs and list any rules that allow inbound access from 0.0.0.0/0 on high-risk ports."

Tips & gotchas

Ensure you understand the rule priority system, as Azure evaluates rules numerically from lowest to highest; lower numbers take precedence over higher ones. Always test rules in a staging environment first, as misconfigured NSGs can inadvertently lock you out of your virtual machines if you block management ports like RDP or SSH.