Skip to content

Associate NSGs or clean them up#

Cost Optimization · Network Security Group · Rule · 2020_06 · Awareness

Network Security Groups (NSGs) should be associated to a subnet or network interface.


NSGs are basic stateful firewalls that are deployed as separate resources within your subscriptions. Each NSG can be associated to one or more network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose and add to administration overhead.


Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads.


Configure with Azure CLI#

To find orphaned NSG's run the following Azure CLI command:

Azure CLI snippet
az network nsg list -g $rgName --query "[?(subnets==null) && (networkInterfaces==null)].id" -o tsv