Skip to content

Associate NSGs or clean them up#

Operational Excellence · Network Security Group · Rule · 2020_06 · Awareness

Network Security Groups (NSGs) should be associated to a subnet or network interface.


NSGs are basic stateful firewalls that are deployed as separate resources within your subscriptions. Each NSG can be associated to one or more network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose and add to administration overhead.


Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads

To find orphaned NSG's run the following Azure CLI command

Azure CLI snippet
az network nsg list -g $rgName --query "[?(subnets==null) && (networkInterfaces==null)].id" -o tsv