
Network Security Group name must be valid

Operational Excellence · Network Security Group · Rule · 2020_06 · Awareness

Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names.

Description

When naming Azure resources, resource names must meet service requirements. The requirements for NSG names are:

  • Between 1 and 80 characters long.
  • Alphanumerics, underscores, periods, and hyphens.
  • Start with an alphanumeric.
  • End with an alphanumeric or underscore.
  • NSG names must be unique within a resource group.
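The requirements above as a validator that can be run in a pipeline before a template is deployed. This is an added example, not PSRule for Azure's own code; it assumes "alphanumeric" means ASCII letters and digits, reads literal NSG names from the `resources` array of an ARM template (names written as expressions such as `[parameters('name')]` are skipped because they are only resolved at deploy time), and goes one step beyond the rule by also flagging a literal name that appears twice in the same template.

```python
import json
import re
from typing import Dict, List

NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
_ALNUM = re.compile(r"[A-Za-z0-9]")          # assumption: ASCII alphanumerics
_ALLOWED = re.compile(r"[A-Za-z0-9_.\-]")    # alphanumerics, underscore, period, hyphen


def nsg_name_violations(name: str) -> List[str]:
    """Return the NSG naming requirements that `name` breaks (empty list = valid)."""
    problems: List[str] = []
    if not 1 <= len(name) <= 80:
        problems.append(f"length {len(name)} is not between 1 and 80")
    bad = sorted({c for c in name if not _ALLOWED.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    if name and not _ALNUM.fullmatch(name[0]):
        problems.append("must start with an alphanumeric")
    if name and not (_ALNUM.fullmatch(name[-1]) or name[-1] == "_"):
        problems.append("must end with an alphanumeric or underscore")
    return problems


def check_template_nsg_names(template_json: str) -> Dict[str, List[str]]:
    """Map each literal NSG name in an ARM template to its violations; expression
    names like "[parameters('name')]" are only known at deploy time and are skipped."""
    report: Dict[str, List[str]] = {}
    for res in json.loads(template_json).get("resources", []):
        name = res.get("name", "")
        if res.get("type") != NSG_TYPE or (name.startswith("[") and name.endswith("]")):
            continue
        if name in report:  # same literal name twice: would collide in one resource group
            report[name].append("duplicate name in the same template")
        else:
            report[name] = nsg_name_violations(name)
    return report


# Constructed sample: one valid name, one breaking three rules, one duplicate, one expression.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": NSG_TYPE, "name": "nsg-app-prod-001"},
    {"type": NSG_TYPE, "name": "-nsg app."},
    {"type": NSG_TYPE, "name": "nsg-app-prod-001"},
    {"type": NSG_TYPE, "name": "[parameters('name')]"},
]})

if __name__ == "__main__":
    for nsg, issues in check_template_nsg_names(SAMPLE_TEMPLATE).items():
        print(f"{nsg!r}: {'OK' if not issues else '; '.join(issues)}")
```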

Recommendation

Consider using names that meet Network Security Group naming requirements. Additionally, consider naming resources with a standard naming convention.

Examples

Configure with Bicep

To deploy Network Security Groups that pass this rule:

  • Set the name property to a string that matches the naming requirements.
  • Optionally, consider constraining name parameters with minLength and maxLength attributes.

For example:

Azure Bicep snippet
@minLength(1)
@maxLength(80)
@description('The name of the resource.')
param name string

@description('The location resources will be deployed.')
param location string = resourceGroup().location

resource nsg 'Microsoft.Network/networkSecurityGroups@2024-05-01' = {
  name: name
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowLoadBalancerHealthInbound'
        properties: {
          description: 'Allow inbound Azure Load Balancer health check.'
          access: 'Allow'
          direction: 'Inbound'
          priority: 100
          protocol: '*'
          sourcePortRange: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          destinationPortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
      {
        name: 'AllowApplicationInbound'
        properties: {
          description: 'Allow internal web traffic into application.'
          access: 'Allow'
          direction: 'Inbound'
          priority: 300
          protocol: 'Tcp'
          sourcePortRange: '*'
          sourceAddressPrefix: '10.0.0.0/8'
          destinationPortRange: '443'
          destinationAddressPrefix: 'VirtualNetwork'
        }
      }
      {
        name: 'DenyAllInbound'
        properties: {
          description: 'Deny all other inbound traffic.'
          access: 'Deny'
          direction: 'Inbound'
          priority: 4000
          protocol: '*'
          sourcePortRange: '*'
          sourceAddressPrefix: '*'
          destinationPortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
      {
        name: 'DenyTraversalOutbound'
        properties: {
          description: 'Deny outbound double hop traversal.'
          access: 'Deny'
          direction: 'Outbound'
          priority: 200
          protocol: 'Tcp'
          sourcePortRange: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '3389'
            '22'
          ]
        }
      }
    ]
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/network/network-security-group:<version>

To use the latest version:

br/public:avm/res/network/network-security-group:0.5.1

Configure with Azure template

To deploy Network Security Groups that pass this rule:

  • Set the name property to a string that matches the naming requirements.
  • Optionally, consider constraining name parameters with minLength and maxLength attributes.

For example:

Azure Template snippet
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.34.44.8038",
      "templateHash": "3901699113779854347"
    }
  },
  "parameters": {
    "name": {
      "type": "string",
      "minLength": 1,
      "maxLength": 80,
      "metadata": {
        "description": "The name of the resource."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The location resources will be deployed."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2024-05-01",
      "name": "[parameters('name')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "AllowLoadBalancerHealthInbound",
            "properties": {
              "description": "Allow inbound Azure Load Balancer health check.",
              "access": "Allow",
              "direction": "Inbound",
              "priority": 100,
              "protocol": "*",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "AzureLoadBalancer",
              "destinationPortRange": "*",
              "destinationAddressPrefix": "*"
            }
          },
          {
            "name": "AllowApplicationInbound",
            "properties": {
              "description": "Allow internal web traffic into application.",
              "access": "Allow",
              "direction": "Inbound",
              "priority": 300,
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "10.0.0.0/8",
              "destinationPortRange": "443",
              "destinationAddressPrefix": "VirtualNetwork"
            }
          },
          {
            "name": "DenyAllInbound",
            "properties": {
              "description": "Deny all other inbound traffic.",
              "access": "Deny",
              "direction": "Inbound",
              "priority": 4000,
              "protocol": "*",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "*",
              "destinationPortRange": "*",
              "destinationAddressPrefix": "*"
            }
          },
          {
            "name": "DenyTraversalOutbound",
            "properties": {
              "description": "Deny outbound double hop traversal.",
              "access": "Deny",
              "direction": "Outbound",
              "priority": 200,
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "VirtualNetwork",
              "destinationAddressPrefix": "*",
              "destinationPortRanges": [
                "3389",
                "22"
              ]
            }
          }
        ]
      }
    }
  ]
}

Notes

This rule does not check if NSG names are unique.

If creating resources using CI/CD pipelines, consider programmatically generating cloud resource names using PowerShell or Bicep (see Generating Cloud Resource Names).
