Associate NSGs or clean them up#
Network Security Groups (NSGs) should be associated to a subnet or network interface.
NSGs are basic stateful firewalls that are deployed as separate resources within your subscriptions. Each NSG can be associated to one or more network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose and add to administration overhead.
Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads
To find orphaned NSG's run the following Azure CLI command
az network nsg list -g $rgName --query "[?(subnets==null) && (networkInterfaces==null)].id" -o tsv
- Operational excellence principles
- Orphaned Resources Workbook
- Modify, create and delete NSG's using the CLI
- Azure deployment reference
- Network security groups