• Auto-create Default Outbound NSG for Servers in Azure


    In Azure, Network Security Group (NSG) is a basic firewall containing a list of security rules.

    NSG can be associated to subnets, individual NICs or both.

    By default the outbound NSG for a subnet allows all outbound traffic, which is not secure for servers.

    There are discussions [1] [2] on how to limit the outbound traffic while allowing traffic to Azure infrastructures required by different services like Windows updates.

    I found that existing methods created hundreds of rules which are difficult to maintain. This post introduces a method to create a single rule the allows the outbound traffic to all Azure IP ranges.


    Code – new

    The following script uses Azure Powershell az.

    As it doesn’t support GUI yet so there are more parameters to set before running it.

    Code – old

    The following script uses Azure Powershell.

    Adjust the 3 parameters before running it.

    After running the code

    After defining these Azure-related outbound rules, you may need to add some additional rules to permit outbound access to other legitimate non-Azure services, such as

    • public DNS servers
    • email services
    • kms.core.windows.net:1688
    • APIs,
    • etc, that your applications may also need to access

    Then, you can create a rule at the end of the NSG to block all outbound traffic.


    [1] https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/

    [2] https://serverfault.com/questions/888645/nsg-block-all-outbount-internet-traffic