Associate NSGs or clean them up

Cost Optimization · Network Security Group · Rule · 2020_06 · Awareness

Network Security Groups (NSGs) should be associated to a subnet or network interface.

Description

NSGs are basic stateful firewalls that are deployed as separate resources within your subscriptions. Each NSG can be associated to one or more network interfaces or subnets. NSGs that are not associated with a network interface or subnet perform no purpose and add to administration overhead.

Recommendation

Consider cleaning up NSGs that are not required to reduce technical debt. Also consider using Resource Groups to help manage the lifecycle of related resources together. Apply tags to all resources to help identify resources that are attached to specific workloads.

Examples

Configure with Azure CLI

To find orphaned NSG's run the following Azure CLI command:

Azure CLI snippet

az network nsg list -g $rgName --query "[?(subnets==null) && (networkInterfaces==null)].id" -o tsv

Links

• CO:13 Personnel time
• Orphaned Resources Workbook
• Modify, create and delete NSG's using the CLI
• Network security groups
• Azure deployment reference

Comments