# Network Security Group name must be valid
Operational Excellence · Network Security Group · Rule · 2020_06 · Awareness
Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names.
## Description
When naming Azure resources, resource names must meet service requirements. The requirements for NSG names are:
- Between 1 and 80 characters long.
- Alphanumerics, underscores, periods, and hyphens.
- Start with alphanumeric.
- End alphanumeric or underscore.
- NSG names must be unique within a resource group.
## Recommendation
Consider using names that meet the Network Security Group naming requirements. Additionally, consider naming resources according to a standard naming convention.
## Examples
### Configure with Bicep
To deploy Network Security Groups that pass this rule:
- Set the `name` property to a string that matches the naming requirements.
- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
For example:
```bicep
@minLength(1)
@maxLength(80)
@description('The name of the resource.')
param name string

@description('The location resources will be deployed.')
param location string = resourceGroup().location

resource nsg 'Microsoft.Network/networkSecurityGroups@2024-05-01' = {
  name: name
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowLoadBalancerHealthInbound'
        properties: {
          description: 'Allow inbound Azure Load Balancer health check.'
          access: 'Allow'
          direction: 'Inbound'
          priority: 100
          protocol: '*'
          sourcePortRange: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          destinationPortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
      {
        name: 'AllowApplicationInbound'
        properties: {
          description: 'Allow internal web traffic into application.'
          access: 'Allow'
          direction: 'Inbound'
          priority: 300
          protocol: 'Tcp'
          sourcePortRange: '*'
          sourceAddressPrefix: '10.0.0.0/8'
          destinationPortRange: '443'
          destinationAddressPrefix: 'VirtualNetwork'
        }
      }
      {
        name: 'DenyAllInbound'
        properties: {
          description: 'Deny all other inbound traffic.'
          access: 'Deny'
          direction: 'Inbound'
          priority: 4000
          protocol: '*'
          sourcePortRange: '*'
          sourceAddressPrefix: '*'
          destinationPortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
      {
        name: 'DenyTraversalOutbound'
        properties: {
          description: 'Deny outbound double hop traversal.'
          access: 'Deny'
          direction: 'Outbound'
          priority: 200
          protocol: 'Tcp'
          sourcePortRange: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '3389'
            '22'
          ]
        }
      }
    ]
  }
}
```
### Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
### Configure with Azure template
To deploy Network Security Groups that pass this rule:
- Set the `name` property to a string that matches the naming requirements.
- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
For example:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.34.44.8038",
      "templateHash": "3901699113779854347"
    }
  },
  "parameters": {
    "name": {
      "type": "string",
      "minLength": 1,
      "maxLength": 80,
      "metadata": {
        "description": "The name of the resource."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The location resources will be deployed."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2024-05-01",
      "name": "[parameters('name')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "AllowLoadBalancerHealthInbound",
            "properties": {
              "description": "Allow inbound Azure Load Balancer health check.",
              "access": "Allow",
              "direction": "Inbound",
              "priority": 100,
              "protocol": "*",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "AzureLoadBalancer",
              "destinationPortRange": "*",
              "destinationAddressPrefix": "*"
            }
          },
          {
            "name": "AllowApplicationInbound",
            "properties": {
              "description": "Allow internal web traffic into application.",
              "access": "Allow",
              "direction": "Inbound",
              "priority": 300,
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "10.0.0.0/8",
              "destinationPortRange": "443",
              "destinationAddressPrefix": "VirtualNetwork"
            }
          },
          {
            "name": "DenyAllInbound",
            "properties": {
              "description": "Deny all other inbound traffic.",
              "access": "Deny",
              "direction": "Inbound",
              "priority": 4000,
              "protocol": "*",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "*",
              "destinationPortRange": "*",
              "destinationAddressPrefix": "*"
            }
          },
          {
            "name": "DenyTraversalOutbound",
            "properties": {
              "description": "Deny outbound double hop traversal.",
              "access": "Deny",
              "direction": "Outbound",
              "priority": 200,
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "VirtualNetwork",
              "destinationAddressPrefix": "*",
              "destinationPortRanges": [
                "3389",
                "22"
              ]
            }
          }
        ]
      }
    }
  ]
}
```
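The naming rules from the Description and the `minLength`/`maxLength` guidance above, applied as a pre-deployment check over an ARM template. This is an added example, not PSRule's own rule implementation; the `SAMPLE_TEMPLATE` is constructed here and the parameter-constraint check (require `minLength >= 1` and `maxLength <= 80` on any parameter an NSG name references) is an assumption that mirrors the example template.

```python
import re

# NSG naming rules as listed on this page: 1-80 chars; alphanumerics,
# underscores, periods, hyphens; start alphanumeric; end alphanumeric or '_'.
NSG_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_.-]{0,78}[A-Za-z0-9_])?$")
NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
PARAM_REF_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def is_valid_nsg_name(name: str) -> bool:
    """Return True when a literal name satisfies the NSG naming rules."""
    return NSG_NAME_RE.fullmatch(name) is not None


def check_template(template: dict) -> list[str]:
    """Return findings for each NSG in an ARM template whose name may be invalid.

    Literal names are validated directly; a "[parameters('x')]" reference is
    accepted only if parameter x declares minLength >= 1 and maxLength <= 80.
    """
    findings = []
    params = template.get("parameters", {})
    for res in template.get("resources", []):
        if res.get("type") != NSG_TYPE:
            continue
        name = res.get("name", "")
        ref = PARAM_REF_RE.match(name)
        if ref is None:
            if not is_valid_nsg_name(name):
                findings.append(f"{name!r}: does not meet NSG naming rules")
            continue
        param = params.get(ref.group(1), {})
        if param.get("minLength", 0) < 1 or param.get("maxLength", 81) > 80:
            findings.append(f"parameter {ref.group(1)!r}: add minLength 1 / maxLength 80")
    return findings

# Constructed sample (not from the page): one constrained parameter, one
# unconstrained parameter, one bad literal name, one non-NSG resource.
SAMPLE_TEMPLATE = {
    "parameters": {
        "nsgName": {"type": "string", "minLength": 1, "maxLength": 80},
        "otherName": {"type": "string"},
    },
    "resources": [
        {"type": NSG_TYPE, "name": "[parameters('nsgName')]"},
        {"type": NSG_TYPE, "name": "[parameters('otherName')]"},
        {"type": NSG_TYPE, "name": "-nsg-bad."},
        {"type": "Microsoft.Network/virtualNetworks", "name": "-ignored-"},
    ],
}
```

Running `check_template` on a template exported with `bicep build` gives a fast CI gate; uniqueness within the resource group is out of scope here, as it is for the rule itself.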
## Notes
This rule does not check if NSG names are unique.
If you create resources using CI/CD pipelines, consider programmatically generating cloud resource names using PowerShell or Bicep.
## Links
- OE:04 Continuous integration
- Naming rules and restrictions for Azure resources
- Recommended abbreviations for Azure resource types
- Parameters in Bicep
- Bicep functions
- Azure deployment reference