Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
- Latest
- 2025-01-01
- 2024-10-01
- 2024-07-01
- 2024-05-01
- 2024-03-01
- 2024-01-01
- 2023-11-01
- 2023-09-01
- 2023-06-01
- 2023-05-01
- 2023-04-01
- 2023-02-01
- 2022-11-01
- 2022-09-01
- 2022-07-01
- 2022-05-01
- 2022-01-01
- 2021-08-01
- 2021-05-01
- 2021-03-01
- 2021-02-01
- 2020-11-01
- 2020-08-01
- 2020-07-01
- 2020-06-01
- 2020-05-01
- 2020-04-01
- 2020-03-01
- 2019-12-01
- 2019-11-01
- 2019-09-01
- 2019-08-01
- 2019-07-01
- 2019-06-01
- 2019-04-01
- 2019-02-01
- 2018-12-01
- 2018-11-01
- 2018-10-01
- 2018-08-01
- 2018-07-01
- 2018-06-01
- 2018-04-01
- 2018-02-01
- 2018-01-01
- 2017-11-01
- 2017-10-01
- 2017-09-01
- 2017-08-01
- 2017-06-01
- 2017-03-30
- 2017-03-01
- 2016-12-01
- 2016-09-01
- 2016-06-01
- 2016-03-30
- 2015-06-15
- 2015-05-01-preview
Remarks
For guidance on creating network security groups, see Create virtual network resources by using Bicep.
Bicep resource definition
The networkSecurityGroups/securityRules resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/networkSecurityGroups/securityRules resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/networkSecurityGroups/securityRules@2019-12-01' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    access: 'string'
    description: 'string'
    destinationAddressPrefix: 'string'
    destinationAddressPrefixes: [
      'string'
    ]
    destinationApplicationSecurityGroups: [
      {
        id: 'string'
        ___location: 'string'
        properties: {}
        tags: {
          {customized property}: 'string'
        }
      }
    ]
    destinationPortRange: 'string'
    destinationPortRanges: [
      'string'
    ]
    direction: 'string'
    priority: int
    protocol: 'string'
    sourceAddressPrefix: 'string'
    sourceAddressPrefixes: [
      'string'
    ]
    sourceApplicationSecurityGroups: [
      {
        id: 'string'
        ___location: 'string'
        properties: {}
        tags: {
          {customized property}: 'string'
        }
      }
    ]
    sourcePortRange: 'string'
    sourcePortRanges: [
      'string'
    ]
  }
}
Property Values
Microsoft.Network/networkSecurityGroups/securityRules
| Name | Description | Value | 
|---|---|---|
| name | The resource name | string (required) | 
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: networkSecurityGroups | 
| properties | Properties of the security rule. | SecurityRulePropertiesFormat | 
ApplicationSecurityGroup
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| ___location | Resource ___location. | string | 
| properties | Properties of the application security group. | ApplicationSecurityGroupPropertiesFormat | 
| tags | Resource tags. | ResourceTags | 
ApplicationSecurityGroupPropertiesFormat
| Name | Description | Value | 
|---|
ResourceTags
| Name | Description | Value | 
|---|
SecurityRulePropertiesFormat
| Name | Description | Value | 
|---|---|---|
| access | The network traffic is allowed or denied. | 'Allow' 'Deny' (required) | 
| description | A description for this rule. Restricted to 140 chars. | string | 
| destinationAddressPrefix | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. | string | 
| destinationAddressPrefixes | The destination address prefixes. CIDR or destination IP ranges. | string[] | 
| destinationApplicationSecurityGroups | The application security group specified as destination. | ApplicationSecurityGroup[] | 
| destinationPortRange | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string | 
| destinationPortRanges | The destination port ranges. | string[] | 
| direction | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | 'Inbound' 'Outbound' (required) | 
| priority | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | int | 
| protocol | Network protocol this rule applies to. | '*' 'Ah' 'Esp' 'Icmp' 'Tcp' 'Udp' (required) | 
| sourceAddressPrefix | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. | string | 
| sourceAddressPrefixes | The CIDR or source IP ranges. | string[] | 
| sourceApplicationSecurityGroups | The application security group specified as source. | ApplicationSecurityGroup[] | 
| sourcePortRange | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string | 
| sourcePortRanges | The source port ranges. | string[] | 
ARM template resource definition
The networkSecurityGroups/securityRules resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/networkSecurityGroups/securityRules resource, add the following JSON to your template.
{
  "type": "Microsoft.Network/networkSecurityGroups/securityRules",
  "apiVersion": "2019-12-01",
  "name": "string",
  "properties": {
    "access": "string",
    "description": "string",
    "destinationAddressPrefix": "string",
    "destinationAddressPrefixes": [ "string" ],
    "destinationApplicationSecurityGroups": [
      {
        "id": "string",
        "___location": "string",
        "properties": {
        },
        "tags": {
          "{customized property}": "string"
        }
      }
    ],
    "destinationPortRange": "string",
    "destinationPortRanges": [ "string" ],
    "direction": "string",
    "priority": "int",
    "protocol": "string",
    "sourceAddressPrefix": "string",
    "sourceAddressPrefixes": [ "string" ],
    "sourceApplicationSecurityGroups": [
      {
        "id": "string",
        "___location": "string",
        "properties": {
        },
        "tags": {
          "{customized property}": "string"
        }
      }
    ],
    "sourcePortRange": "string",
    "sourcePortRanges": [ "string" ]
  }
}
Property Values
Microsoft.Network/networkSecurityGroups/securityRules
| Name | Description | Value | 
|---|---|---|
| apiVersion | The api version | '2019-12-01' | 
| name | The resource name | string (required) | 
| properties | Properties of the security rule. | SecurityRulePropertiesFormat | 
| type | The resource type | 'Microsoft.Network/networkSecurityGroups/securityRules' | 
ApplicationSecurityGroup
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| ___location | Resource ___location. | string | 
| properties | Properties of the application security group. | ApplicationSecurityGroupPropertiesFormat | 
| tags | Resource tags. | ResourceTags | 
ApplicationSecurityGroupPropertiesFormat
| Name | Description | Value | 
|---|
ResourceTags
| Name | Description | Value | 
|---|
SecurityRulePropertiesFormat
| Name | Description | Value | 
|---|---|---|
| access | The network traffic is allowed or denied. | 'Allow' 'Deny' (required) | 
| description | A description for this rule. Restricted to 140 chars. | string | 
| destinationAddressPrefix | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. | string | 
| destinationAddressPrefixes | The destination address prefixes. CIDR or destination IP ranges. | string[] | 
| destinationApplicationSecurityGroups | The application security group specified as destination. | ApplicationSecurityGroup[] | 
| destinationPortRange | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string | 
| destinationPortRanges | The destination port ranges. | string[] | 
| direction | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | 'Inbound' 'Outbound' (required) | 
| priority | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | int | 
| protocol | Network protocol this rule applies to. | '*' 'Ah' 'Esp' 'Icmp' 'Tcp' 'Udp' (required) | 
| sourceAddressPrefix | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. | string | 
| sourceAddressPrefixes | The CIDR or source IP ranges. | string[] | 
| sourceApplicationSecurityGroups | The application security group specified as source. | ApplicationSecurityGroup[] | 
| sourcePortRange | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string | 
| sourcePortRanges | The source port ranges. | string[] | 
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description | 
|---|---|
| Deploy Darktrace Autoscaling vSensors | This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors | 
Terraform (AzAPI provider) resource definition
The networkSecurityGroups/securityRules resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/networkSecurityGroups/securityRules resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/networkSecurityGroups/securityRules@2019-12-01"
  name = "string"
  parent_id = "string"
  body = {
    properties = {
      access = "string"
      description = "string"
      destinationAddressPrefix = "string"
      destinationAddressPrefixes = [
        "string"
      ]
      destinationApplicationSecurityGroups = [
        {
          id = "string"
          ___location = "string"
          properties = {
          }
          tags = {
            {customized property} = "string"
          }
        }
      ]
      destinationPortRange = "string"
      destinationPortRanges = [
        "string"
      ]
      direction = "string"
      priority = int
      protocol = "string"
      sourceAddressPrefix = "string"
      sourceAddressPrefixes = [
        "string"
      ]
      sourceApplicationSecurityGroups = [
        {
          id = "string"
          ___location = "string"
          properties = {
          }
          tags = {
            {customized property} = "string"
          }
        }
      ]
      sourcePortRange = "string"
      sourcePortRanges = [
        "string"
      ]
    }
  }
}
Property Values
Microsoft.Network/networkSecurityGroups/securityRules
| Name | Description | Value | 
|---|---|---|
| name | The resource name | string (required) | 
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: networkSecurityGroups | 
| properties | Properties of the security rule. | SecurityRulePropertiesFormat | 
| type | The resource type | "Microsoft.Network/networkSecurityGroups/securityRules@2019-12-01" | 
ApplicationSecurityGroup
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| ___location | Resource ___location. | string | 
| properties | Properties of the application security group. | ApplicationSecurityGroupPropertiesFormat | 
| tags | Resource tags. | ResourceTags | 
ApplicationSecurityGroupPropertiesFormat
| Name | Description | Value | 
|---|
ResourceTags
| Name | Description | Value | 
|---|
SecurityRulePropertiesFormat
| Name | Description | Value | 
|---|---|---|
| access | The network traffic is allowed or denied. | 'Allow' 'Deny' (required) | 
| description | A description for this rule. Restricted to 140 chars. | string | 
| destinationAddressPrefix | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. | string | 
| destinationAddressPrefixes | The destination address prefixes. CIDR or destination IP ranges. | string[] | 
| destinationApplicationSecurityGroups | The application security group specified as destination. | ApplicationSecurityGroup[] | 
| destinationPortRange | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string | 
| destinationPortRanges | The destination port ranges. | string[] | 
| direction | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | 'Inbound' 'Outbound' (required) | 
| priority | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | int | 
| protocol | Network protocol this rule applies to. | '*' 'Ah' 'Esp' 'Icmp' 'Tcp' 'Udp' (required) | 
| sourceAddressPrefix | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. | string | 
| sourceAddressPrefixes | The CIDR or source IP ranges. | string[] | 
| sourceApplicationSecurityGroups | The application security group specified as source. | ApplicationSecurityGroup[] | 
| sourcePortRange | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string | 
| sourcePortRanges | The source port ranges. | string[] | 
Usage Examples
Terraform Samples
A basic example of deploying Network Security Rule.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
provider "azapi" {
  skip_provider_registration = false
}
variable "resource_name" {
  type    = string
  default = "acctest0001"
}
variable "___location" {
  type    = string
  default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  ___location = var.___location
}
resource "azapi_resource" "networkSecurityGroup" {
  type      = "Microsoft.Network/networkSecurityGroups@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = "mi-security-group1-230630034008554952"
  ___location  = var.___location
  body = {
    properties = {
      securityRules = [
      ]
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  lifecycle {
    ignore_changes = [body.properties.securityRules]
  }
}
resource "azapi_resource" "securityRule" {
  type      = "Microsoft.Network/networkSecurityGroups/securityRules@2022-09-01"
  parent_id = azapi_resource.networkSecurityGroup.id
  name      = "allow_management_inbound"
  body = {
    properties = {
      access                   = "Allow"
      destinationAddressPrefix = "*"
      destinationPortRange     = ""
      destinationPortRanges = [
        "9000",
        "1438",
        "1440",
        "9003",
        "1452",
      ]
      direction           = "Inbound"
      priority            = 106
      protocol            = "Tcp"
      sourceAddressPrefix = "*"
      sourcePortRange     = "*"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}