
How To Set Multiple IP Addresses on One NSG Rule in Azure Stack


In this guide, we will show you how to set multiple IP addresses on one NSG rule in Azure Stack Hub.

Introduction

With the introduction of Augmented rules for Network Security Groups (NSGs) in Azure, you can define larger, more complex network security policies with fewer rules. Multiple ports, multiple explicit IP addresses, service tags, and application security groups can all be combined into a single, easily understood security rule.

Unfortunately, Augmented rules are not available in Azure Stack Hub as of writing this article. Network security groups (NSGs) do not work in Azure Stack Hub in the same way as global Azure.

You can set multiple IPs and Ports in Azure on one NSG rule (using the Portal, PowerShell, and Resource Manager templates).

Add inbound security rule in Azure

In Azure Stack Hub, however, you cannot set multiple IPs and Ports on one NSG rule via the portal.

Add inbound security rule in Azure Stack Hub

To check the difference between Azure and Azure Stack Hub networking, I highly recommend checking the following Cheat Sheet document.

Set Multiple IPs on one NSG Rule in Azure Stack

Now, what if you have a little less than a hundred IPs to add to a whitelist and a large number of protocols to open on Azure Stack? You can hardly do that by hand, one NSG rule at a time.

The good news is, starting with Azure Stack Update 1903, you can set multiple IPs and Ports on one NSG rule using either Resource Manager template, PowerShell, or Azure CLI.
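The PowerShell route mentioned above, as an added example that is not from the original post: it validates an allow list read from a file, then creates a single inbound rule carrying every source address and several ports. The resource names, file path, rule name, priority, ports and minimum prefix length are placeholders, and an Az PowerShell session signed in to the Azure Stack Hub environment is assumed.

```powershell
# Added example. Resource names, file path, rule name, priority and ports are placeholders.
# Assumes a signed-in Az PowerShell session that targets the Azure Stack Hub environment.
$ResourceGroup = 'rg-example'
$NsgName       = 'nsg-example'
$AllowListPath = '.\allowlist.txt'            # one IPv4 address or CIDR range per line
$Ports         = @('443', '3389', '8000-8010')
$MinPrefix     = 24                           # assumed policy: nothing wider than a /24

# Validate every entry before it reaches the NSG, so a typo or a stray
# wildcard cannot silently open the rule to more sources than intended.
$sources = foreach ($line in Get-Content -Path $AllowListPath) {
    $entry = $line.Trim()
    if (-not $entry -or $entry.StartsWith('#')) { continue }   # skip blanks and comments

    $addr, $prefix = $entry -split '/', 2
    $ip = $null
    if ($addr -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse($addr, [ref]$ip)) {
        throw "Not an IPv4 address or CIDR range: '$entry'"
    }
    if ($null -ne $prefix -and
        ($prefix -notmatch '^\d{1,2}$' -or [int]$prefix -lt $MinPrefix -or [int]$prefix -gt 32)) {
        throw "Prefix length must be between $MinPrefix and 32: '$entry'"
    }
    $entry
}
$sources = @($sources | Sort-Object -Unique)
if ($sources.Count -eq 0) { throw "No usable entries in $AllowListPath" }

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
$ruleArgs = @{
    Name                     = 'Allow-Listed-Sources'
    Access                   = 'Allow'
    Direction                = 'Inbound'
    Protocol                 = 'Tcp'
    Priority                 = 200
    SourceAddressPrefix      = $sources     # string[]: every allowlisted address in one rule
    SourcePortRange          = '*'
    DestinationAddressPrefix = '*'
    DestinationPortRange     = $Ports       # string[]: several ports and ranges in one rule
}
$nsg | Add-AzNetworkSecurityRuleConfig @ruleArgs | Set-AzNetworkSecurityGroup | Out-Null

# Read the rule back and compare it with what was submitted.
$rule = (Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup).SecurityRules |
    Where-Object Name -eq $ruleArgs.Name
if (Compare-Object $sources @($rule.SourceAddressPrefix)) {
    throw 'Stored source list differs from the validated allow list.'
}
"Rule '$($rule.Name)': $($rule.SourceAddressPrefix.Count) sources, ports $($rule.DestinationPortRange -join ', ')"
```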

What about the Azure Stack Portal?

Well, it is ‘technically’ possible to do this via the Azure Stack portal due to a bug.

To set multiple IPs on one NSG Rule in the Azure Stack portal, take the following easy steps:

1) First, add an NSG rule (Inbound or Outbound) with multiple IP addresses and a single port, wait for it to throw an error (!) as shown in the following screenshot, and then switch to Basic.

By default, when you add an NSG rule, the configuration will be in Advanced mode.


2) Once you are in Basic mode, you can click Add now.


3) Once the rule is added, you can verify the multiple IP addresses are set as desired :)


Unfortunately, you cannot add multiple port ranges in the Azure Stack portal. This workaround applies only to the Source and Destination IP address ranges. If you want to set multiple ports, then you need a Resource Manager template, PowerShell, or Azure CLI.

Please note that this is not officially supported by Microsoft. It’s a workaround and hopefully, Microsoft will address that in the near future.

There you have it!

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.


4 thoughts on “How To Set Multiple IP Addresses on One NSG Rule in Azure Stack”


  1. Hi Charbel, thank you for the article.
    I have a question. I have a list of IP addresses that I want to allow access to multiple VMs.
    First, I attach NSG A, which allows my whitelisted IPs, to the 1st VM.
    Second, I attach NSG B, which allows my whitelisted IPs, to the 2nd VM.
    In case I have to update the IP whitelist, I need to update both NSG A and NSG B.
    Is there any way to update only one NSG and have the other NSG apply it automatically?

  2. Thank you Hoang for the comment!
    Yes, you can update one NSG rule and have it applied on both VMs automatically.
    You need to look at Application Security Groups (ASG) in this case.
    Please check here and let me know if this solves your challenge.

    To minimize the number of security rules you need, and the need to change the rules, plan out the application security groups you need and create rules using service tags or application security groups, rather than individual IP addresses, or ranges of IP addresses, whenever possible.

    Thanks!

  3. Good day. I can add multiple IP addresses to an NSG rule, but only the first two IP addresses work. For example, if I allow three IPs to be able to RDP into a server, I can RDP from the first two entries but not the third. I am not sure where I am going wrong. Any ideas?

  4. Hello Ram, thanks for your comment!
    Are you referring to Azure Stack Hub or Azure Global?
    You should be able to RDP from all IP addresses that you allowed in your inbound security NSG rule.
    Please double-check.
