Associate NSGs or clean them up

Operational Excellence · Network Security Group · 2020_06

Network Security Groups (NSGs) should be associated to a subnet or network interface.

Description

NSGs are basic stateful firewalls that are deployed as separate resources within your subscriptions. Each NSG can be associated to one or more network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose and add to administration overhead.

Recommendation

Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads

To find orphaned NSG's run the following Azure CLI command

Azure CLI snippet

az network nsg list -g $rgName --query "[?(subnets==null) && (networkInterfaces==null)].id" -o tsv

Links

• Operational excellence principles
• Orphaned Resources Workbook
• Modify, create and delete NSG's using the CLI
• Azure deployment reference
• Network security groups

---

Last update: 2022-12-03

Comments