Auto-create Default Outbound NSG for Servers in Azure


In Azure, a Network Security Group (NSG) is a basic stateful packet filter: an ordered list of security rules that allow or deny traffic by source, destination, port and protocol. Rules are evaluated in priority order and the first match wins.

An NSG can be associated with subnets, with individual NICs, or with both.

By default, an NSG contains a built-in rule (AllowInternetOutBound, priority 65001) that allows all outbound traffic to the Internet. For servers, which should only talk to a known set of destinations, this is not a secure default.

There are discussions [1] [2] on how to limit outbound traffic while still allowing traffic to the Azure infrastructure that services such as Windows Update depend on.

I found that the existing methods create hundreds of rules, which are difficult to maintain. This post introduces a method that creates a single rule allowing outbound traffic to all Azure IP ranges. Keep in mind that those ranges also contain the public IPs of other customers' Azure resources, so the rule reduces the exposed surface but is not, by itself, a control against data exfiltration to an attacker-controlled Azure VM.


Code – new

The following script uses the Azure PowerShell Az module.

This version does not yet offer a GUI, so there are more parameters to set before running it.

Code – old

The following script uses the older Azure PowerShell module.

Adjust the 3 parameters before running it.
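As an added example for both the new and the old code sections (this is not the post's own script, which is not reproduced here), the following Az-module script builds the kind of outbound-restricting NSG described above and attaches it to a subnet. It substitutes the Microsoft-maintained AzureCloud service tag for a downloaded list of Azure IP ranges; that still gives a single "all Azure" rule, but Microsoft keeps the tag current, and the prefixes do not count against the per-NSG limit on address prefixes. The resource names, location and extra destinations are assumptions to adjust.

```powershell
# Added example (not the post's own script). Builds an outbound-restricting NSG
# with the Az module and attaches it to a subnet. Instead of downloading the
# Azure IP range list, it uses the Microsoft-maintained 'AzureCloud' service
# tag as the single "all Azure" destination. All names below are assumptions.
# Prerequisites: Install-Module Az ; Connect-AzAccount

param(
    [string]$ResourceGroupName = 'rg-servers',            # assumption
    [string]$Location          = 'westeurope',            # assumption
    [string]$VnetName          = 'vnet-servers',          # assumption
    [string]$SubnetName        = 'snet-servers',          # assumption
    [string]$NsgName           = 'nsg-servers-outbound'   # assumption
)

$ErrorActionPreference = 'Stop'

# Non-Azure destinations the workload legitimately needs (constructed sample
# values; replace with your own). Keep this list short and specific.
$extraAllow = @(
    @{ Name = 'AllowPublicDnsOut'; Priority = 200; Proto = '*';   Dest = @('8.8.8.8', '8.8.4.4'); Port = '53'  },
    @{ Name = 'AllowSmtpRelayOut'; Priority = 210; Proto = 'Tcp'; Dest = @('203.0.113.25');      Port = '587' }
)

$rules = @()

# Priority 100: one rule covering every Azure public IP range. The tag also
# covers other tenants' VM public IPs, so this limits exposure but is not an
# exfiltration control on its own.
$rules += New-AzNetworkSecurityRuleConfig -Name 'AllowAzureCloudOut' `
    -Description 'Azure platform services (Windows Update, monitoring, storage, ...)' `
    -Access Allow -Protocol '*' -Direction Outbound -Priority 100 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'AzureCloud' -DestinationPortRange '*'

# Explicit allow rules for the non-Azure destinations listed above.
foreach ($r in $extraAllow) {
    $rules += New-AzNetworkSecurityRuleConfig -Name $r.Name `
        -Access Allow -Protocol $r.Proto -Direction Outbound -Priority $r.Priority `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $r.Dest -DestinationPortRange $r.Port
}

# Priority 4000: evaluated after every custom allow rule (custom priorities are
# 100-4096) but before the built-in AllowInternetOutBound rule at 65001, which
# it therefore overrides.
$rules += New-AzNetworkSecurityRuleConfig -Name 'DenyAllOut' `
    -Access Deny -Protocol '*' -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

# Create (or overwrite, with -Force) the NSG with exactly this rule set.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Location $Location `
    -Name $NsgName -SecurityRules $rules -Force

# Associate the NSG with the subnet so every NIC in it inherits the rules.
# Editing the subnet object in place keeps its existing route table, service
# endpoints and other settings intact.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }
if (-not $subnet) { throw "Subnet '$SubnetName' not found in VNet '$VnetName'" }
$subnet.NetworkSecurityGroup = $nsg
$vnet | Set-AzVirtualNetwork | Out-Null

# Review: list the outbound rules in evaluation order, and show how many
# prefixes the AzureCloud tag currently expands to in this region.
$nsg | Get-AzNetworkSecurityRuleConfig |
    Where-Object { $_.Direction -eq 'Outbound' } |
    Sort-Object Priority |
    Format-Table Priority, Name, Access, Protocol, DestinationAddressPrefix, DestinationPortRange -AutoSize

$tag = (Get-AzNetworkServiceTag -Location $Location).Values |
    Where-Object { $_.Name -eq 'AzureCloud' }
Write-Host ("AzureCloud currently expands to {0} prefixes" -f $tag.Properties.AddressPrefixes.Count)
```

Run it after Connect-AzAccount in a session that has Network Contributor rights on the resource group. If you need to narrow the Azure rule further, the same cmdlet accepts more specific tags (for example a single service or a regional tag) in place of AzureCloud; Get-AzNetworkServiceTag lists the tags and their prefixes so you can check what each one admits before you rely on it.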

After running the code

After defining the Azure-related outbound rules, you may need to add rules that permit outbound access to other legitimate non-Azure services your applications depend on, such as:

  • public DNS servers
  • email services
  • external APIs

Then create a final rule that denies all outbound traffic. Give it the highest priority number you use (custom rules range from 100 to 4096) so that it is evaluated after all of your Allow rules but before the built-in AllowInternetOutBound rule at priority 65001, which it overrides.



