How To Set Multiple IP Addresses on One NSG Rule in Azure Stack

3 min read


With the introduction of Augmented rules for Network Security Groups (NSGs) in Azure, you can define larger, more complex network security policies with fewer rules. Multiple ports, multiple explicit IP addresses, service tags, and application security groups can all be combined into a single, easily understood security rule.

Unfortunately, Augmented rules is not available in Azure Stack as of writing this article. Network security groups (NSGs) do not work in Azure Stack in the same way as global Azure. In Azure, you can set multiple IPs and Ports on one NSG rule (using the Portal, PowerShell, and Resource Manager templates).

In Azure Stack however, you cannot set multiple IPs and Ports on one NSG rule via the portal.

To check the difference between Azure and Azure Stack networking, I highly recommend to keep checking the following Cheat Sheet document.

Set Multiple IPs on one NSG Rule in Azure Stack

Now what if you have a little less than a hundred of IPs to add as whitelists, and a large number of protocols to open on Azure Stack, you can hardly do it by hand on each NSG rule.

The good news is, starting with Azure Stack Update 1903, you can set multiple IPs and Ports on one NSG rule using either Resource Manager template, PowerShell, or Azure CLI.

What about the Portal??? Well this is ‘technically’ possible to do it via the Azure Stack portal due to a bug.

To set multiple IPs on one NSG Rule in the Azure Stack portal, take the following easy steps:

  1. Add first an NSG rule (Inbound or Outbound) with multiple IP addresses and single port, wait for it to throw an error ! as shown in the following screenshot, and then switch to Basic. By default, when you add an NSG rule, the configuration will be in Advanced mode.
  2. Once you are in Basic mode, you can click Add now.
  3. One the rule is added, you can verify the multiple IP addresses are set as desired :)

Unfortunately, you cannot add multiple ports range in the Azure Stack portal. This workaround applies only to Source and Destination IP address range. If you want to set multiple ports, then you need Resource Manager template, PowerShell, or Azure CLI.

Please note that this is not officially supported by Microsoft. It’s a workaround and hopefully Microsoft will address it in the near future.

Hope this helps!

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About Charbel Nemnom 559 Articles
Charbel Nemnom is a Cloud Architect, ICT Security Expert, Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT), totally fan of the latest's IT platform solutions, accomplished hands-on technical professional with over 17 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems. Excellent communicator is adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design, business continuity, and cloud security.

Be the first to comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.