Create network security groups on Azure Local (preview)

• You have access to an Azure Local instance.

  • This instance must run version 2506 with OS version 26100.xxxx or later.
  • This instance has a custom ___location.
  • You have access to an Azure subscription with the Azure Stack HCI Administrator role-based access control (RBAC) role. This role grants full access to your Azure Local instance and its resources. For more information, see Assign Azure Local RBAC roles.
  • This instance has the SDN feature enabled. For more information, see Enable software defined networking (SDN) on Azure Local.
  • You have at least one static logical network and one static network interface on this instance. For more information, see Create logical networks and Create network interfaces.
  • If you use a client to connect to your Azure Local, make sure you install the latest Azure CLI and the az-stack-hci-vm extension. For more information, see Azure Local VM management prerequisites.

• You have access to an Azure Local instance.

  • This instance must run version 2506 with OS version 26100.xxxx or later.
  • This instance has a custom ___location.
  • You have access to an Azure subscription with the Azure Stack HCI Administrator role-based access control (RBAC) role. This role grants full access to your Azure Local instance and its resources. For more information, see Assign Azure Local RBAC roles.
  • This instance has the SDN feature enabled. For more information, see Enable software defined networking (SDN) on Azure Local.

Sign in and set subscription

1. Connect to a machine on your Azure Local.

2. Sign in. Type:

   az login --use-device-code
   

3. Set your subscription.

   az account set --subscription <Subscription ID>
   

Create a network security group (NSG)

Create a network security group (NSG) to manage data traffic flow on Azure Local. You can create an NSG by itself or associate it with a network interface or a logical network.

NSGs are available only for static logical networks. DHCP-based logical networks aren't supported.

1. Set the following parameters in your Azure CLI session.

   $resource_group="examplerg"      
   $nsgname="examplensg"     
   $customLocationId="/subscriptions/<Subscription ID>/resourcegroups/examplerg/providers/microsoft.extendedlocation/customlocations/examplecl" 
   $___location="eastus"
   

   The parameters for network security group creation are tabulated as follows:

   Parameters	Description
   name	Name for the network security group that you create. Make sure to provide a name that follows the Rules for Azure resources.
   ___location	Azure region to associate with your network security group. For example, this could be eastus, westeurope. For ease of management, we recommend that you use the same ___location as your Azure Local instance.
   resource-group	Name of the resource group where you create the network security group. For ease of management, we recommend that you use the same resource group as your Azure Local.
   subscription	Name or ID of the subscription where your Azure Local is deployed.
   custom-___location	Custom ___location associated with your Azure Local.

2. Run the following command to create a network security group (NSG) on your Azure Local instance.

   az stack-hci-vm network nsg create -g $resource_group --name $nsgname --custom-___location $customLocationId --___location $___location  
   

3. The command creates a network security group (NSG) with the specified name and associates it with the specified custom ___location.

   Expand to see an example output.

   { 
     "eTag": null, 
     "extendedLocation": { 
   
       "name": "/subscriptions/<Subscription ID>/resourcegroups/examplerg/providers/microsoft.extendedlocation/customlocations/examplecl", 
       "type": "CustomLocation" 
   
     }, 
   
     "id": "/subscriptions/<Subscription ID>/resourceGroups/examplerg/providers/Microsoft.AzureStackHCI/networkSecurityGroups/examplensg", 
   
     "___location": "eastus", 
     "name": "examplensg", 
     "properties": { 
       "networkInterfaces": [], 
       "provisioningState": "Succeeded", 
       "subnets": [] 
     }, 
   
     "resourceGroup": "examplerg", 
     "systemData": { 
       "createdAt": "2025-03-11T22:56:05.968402+00:00", 
       "createdBy": "gus@contoso.com", 
       "createdByType": "User", 
       "lastModifiedAt": "2025-03-11T22:56:13.438321+00:00", 
       "lastModifiedBy": "<User ID>", 
       "lastModifiedByType": "Application" 
     }, 
   
     "tags": null, 
     "type": "microsoft.azurestackhci/networksecuritygroups" 
   } 
   

Create a network security rule

After you create a network security group, create network security rules. To apply rules to both inbound and outbound traffic, create two rules.

Create an inbound security rule

1. Set the following parameters in your Azure CLI session.

   $resource_group="examplerg"      
   $nsgname="examplensg"     
   $customLocationId="/subscriptions/<Subscription ID>/resourcegroups/examplerg/providers/microsoft.extendedlocation/customlocations/examplecl" 
   $___location="eastus"
   $securityrulename="examplensr" 
   $sportrange="*" 
   $saddprefix="10.0.0.0/24" 
   $dportrange="80" 
   $daddprefix="192.168.99.0/24" 
   $description="Inbound security rule" 
   

   The parameters for network security group creation are tabulated as follows:

   Parameters	Description
   name	Name for the network security rule that you create for your Azure Local. Make sure to provide a name that follows the Rules for Azure resources.
   nsg-name	Name for the network security group that contains this network security rule. Make sure to provide a name that follows the Rules for Azure resources.
   ___location	Azure regions as specified by az locations. For example, this could be eastus, westeurope. If the ___location isn't specified, the resource group ___location is used.
   resource-group	Name of the resource group where you create the network security group. For ease of management, we recommend that you use the same resource group as your Azure Local.
   subscription	Name or ID of the subscription where your Azure Local is deployed. This could be another subscription you use for your Azure Local VMs.
   custom-___location	Use this to provide the custom ___location associated with your Azure Local where you're creating this network security group.
   direction	Direction of the rule specifies if the rule applies to incoming or outgoing traffic. Allowed values are outbound or inbound (default).
   source-port-ranges	Specify the source port range 0 and 65535 to match either an incoming or outgoing packet. The default * will specify all source ports.
   source-address-prefixes	Specify the CIDR or destination IP ranges. The default is *.
   destination-address-prefixes	Specify the CIDR or destination IP ranges. The default is *.
   destination-port-ranges	Enter a specific port or a port range that this rule allows or denies. Enter an asterisk (*) to allow traffic on any port.
   protocol	Protocol to match either an incoming or outgoing packet. Acceptable values are * (default), All, TCP and UDP.
   access	If the above conditions are matched, specify either to allow or block the packet. Acceptable values are Allow and Deny with default being Allow.
   priority	Specify a unique priority for each rule in the collection. Acceptable values are from 100 to 4096. A lower value denotes a higher priority.
   description	An optional description for this network security rule. The description is a maximum of 140 characters.

2. Run the following command to create an inbound network security rule on your Azure Local instance. This rule blocks all inbound ICMP traffic to Azure Local VMs (except the management ports you want enabled) and allows all outbound access.

   az stack-hci-vm network nsg rule create -g $resource_group --nsg-name $nsgname --name $securityrulename --priority 400 --custom-___location $customLocationId --access "Deny" --direction "Inbound" --___location $___location --protocol "*" --source-port-ranges $sportrange --source-address-prefixes $saddprefix --destination-port-ranges $dportrange --destination-address-prefixes $daddprefix --description $description  
   

3. The command creates a network security rule and associates it with the specified network security group.  
   
   

   Expand this section to see an example output.

   { 
     "extendedLocation": { 
       "name": "/subscriptions/<Subscription ID>/resourcegroups/examplerg/providers/microsoft.extendedlocation/customlocations/examplecl", 
       "type": "CustomLocation" 
     }, 
   
     "id": "/subscriptions/<Subscription ID>/resourceGroups/examplerg/providers/Microsoft.AzureStackHCI/networkSecurityGroups/examplensg/securityRules/examplensr", 
     "name": "examplensr", 
     "properties": { 
       "access": "Deny", 
       "description": "Inbound security rule", 
       "destinationAddressPrefixes": [ 
         "192.168.99.0/24" 
       ], 
   
       "destinationPortRanges": [ 
         "80" 
       ], 
   
       "direction": "Inbound", 
       "priority": 400, 
       "protocol": "Icmp", 
       "provisioningState": "Succeeded", 
       "sourceAddressPrefixes": [ 
         "10.0.0.0/24" 
       ], 
   
       "sourcePortRanges": [ 
         "*" 
       ] 
   
     }, 
   
     "resourceGroup": "examplerg", 
     "systemData": { 
       "createdAt": "2025-03-11T23:25:37.369940+00:00", 
       "createdBy": "gus@contoso.com", 
       "createdByType": "User", 
       "lastModifiedAt": "2025-03-11T23:25:37.369940+00:00", 
       "lastModifiedBy": "gus@contoso.com", 
       "lastModifiedByType": "User" 
     }, 
   
     "type": "microsoft.azurestackhci/networksecuritygroups/securityrules" 
   } 
   
   

Create an outbound security rule

Run the following command to create an outbound network security rule that blocks all network traffic.

az stack-hci-vm network nsg rule create -g $resource_group --nsg-name $nsgname --name $securityrulename --priority 500 --custom-___location $customLocationId --access "Deny" --direction "Outbound" --___location $___location --protocol "*" --source-port-ranges $sportrange --source-address-prefixes $saddprefix --destination-port-ranges $dportrange --destination-address-prefixes $daddprefix --description $description

Create a network security group

Follow these steps in the Azure portal to create a network security group.

1. Go to Azure Local resource page > Resources > Network security groups. You see a list of network security groups on your Azure Local.

   

2. In the right pane, select + Create network security group from the top command bar.

   

3. On the Basics tab, enter the following information:

   

   1. Subscription - Choose the subscription you want to use for the NSG.
   2. Resource group - Create new or choose an existing resource group where you deploy all the resources associated with your Azure Local VM.
   3. Instance name - Enter a name for the network security group you wish to create.
   4. Region - Choose the Azure region where your Azure Local instance is deployed. The region must be the same as the region of the Azure Local instance.
   5. Custom ___location: Select the custom ___location associated with the Azure Local instance.
   6. Select Review + create.

4. On the Review + create tab, follow these steps:

   1. Review the settings.
   2. Select Create.

   

5. A job starts. When the job finishes, you see a notification. Select Go to resource. On the Resource group, you see the NSG.

   

6. Go to Azure Local cluster resource > Resources > Network security groups. The new NSG appears in the list of network security groups on your Azure Local.

   

Create a network security rule

Use the same procedure for both inbound and outbound security rules. The only difference is the direction of the rule.

Follow these steps in the Azure portal for your Azure Local:

1. Go to Azure Local resource page > Resources > Network security groups.

   

2. In the right pane, select a network security group from the list.

   

3. Go to Settings > Inbound security rules for inbound rules or Outbound security rules for outbound rules. In the right pane, select + Create from the top command bar.

   

4. In the Add inbound security rule page, enter the following information:

   

   1. Source - Choose between IP address or Any. The source specifies the incoming traffic from a specific IP address range that is allowed or denied by this rule.
   2. Source IP address/CIDR ranges - Provide an address range using CIDR notation (for example, 192.168.99.0/24) or an IP address (for example, 192.168.99.0) if you choose IP address as the source.
   3. Source port ranges - Provide a specific port or a port range that will be denied or allowed by this rule. Provide an asterisk* to allow traffic on any port.
   4. Destination - Choose between IP address or Any. The destination specifies the outgoing traffic to a specific IP address range that will be allowed or denied by this rule.
   5. Destination IP address/CIDR ranges - Provide an address range using CIDR notation (for example, 192.168.99.0/24) or an IP address (for example, 192.168.99.0) if you choose IP address as the destination.
   6. Destination port ranges - Provide a specific port or a port range that will be denied or allowed by this rule. Provide an asterisk* to allow traffic on any port.
   7. Protocol - Choose a protocol from Any, TCP, UDP, or ICMP. The protocol specifies the type of traffic that this rule allows or denies.
   8. Action - Choose between Allow or Deny. The action specifies whether this rule allows or denies matching traffic.
   9. Priority - Enter a number between 100 and 4096. The priority specifies the order in which the rules apply. Lower numbers are processed first.
   10. Name - Enter a name for the rule. The name must be unique in the network security group.
   11. Description - Enter a description for the rule. The description is optional.

5. Select Add.

6. Refresh the list. The new network security rule appears.

   

Create default network access policy

Create a default network access policy to block all inbound traffic to Azure Local VMs (except the management ports you want enabled) and allow all outbound access. Use these policies to make sure your VMs have access only to required assets, which helps prevent threats from spreading laterally.

You can attach a default network access policy to Azure Local VM in two ways:

• During VM creation. You need to attach the VM to a logical network. For more information, see Create a logical network.
• Post VM creation.

Apply default network access policy when creating a VM

While creating a VM, create a network interface and attach a default network access policy to it.

For more information, see Create Azure Local VM via Azure portal. In this procedure, when you reach the Networking tab, follow these steps to add a default network access policy:

1. On the Networking tab, select + Add network interface.

   

2. In the Add network interface page, enter the following information:

   

   1. Name - Enter a name for the network interface.
   2. Network - Select a logical network from the list of logical networks available in your Azure Local instance.
   3. IPv4 type - Select Static or Dynamic. If you select Static, enter a static IP address for the VM. If you select Dynamic, the system assigns a random IP address from the subnet.
   4. Allocation method: Select Automatic or Manual. If you select Automatic, the system assigns a random IP address from the subnet. If you select Manual, enter a static IP address for the VM.
   5. NIC Network security group - Choose one of the following options:
      1. None - Select this option if you don't want to enforce any network access policies on your VM. When you select this option, all ports on your VM are exposed to external networks, which poses a security risk. This option isn't recommended.
      2. Basic - Select this option to specify a default network access policy. The default policies block all inbound access and allow all outbound access. You can enable inbound access to one or more well defined ports, like HTTP, HTTPS, SSH, or RDP as needed.
      3. Advanced - Select this option to specify a network security group.
   6. Select Add.

3. Continue with the rest of the VM creation process.

Apply default network access policy to an existing VM

You can apply a default network access policy to an existing VM.