Network Security Groups must use standard naming
Operational Excellence · Network Security Group · Rule · 2025_06 · Awareness
A network security group (NSG) without a standard naming convention may be difficult to identify and manage.
Description
An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, and minimize the risk of human error.
Some of the benefits of using standardized tagging and naming conventions are:
- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
For example, when responding to a security incident, it's critical to quickly identify the affected systems, the functions those systems support, and the potential business impact.
For NSGs, the Cloud Adoption Framework (CAF) recommends using the nsg- prefix.
Requirements for NSG names:
- At least 1 character, but no more than 80.
- Can include alphanumeric, underscore, hyphen, and period characters.
- Must start with a letter or number, and end with a letter, number, or underscore.
- NSG names must be unique within a resource group.
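The requirements above, as an added example that is not part of the original page: a small Python checker that encodes the Azure platform rules for NSG names alongside a constructed organisational convention built on the CAF nsg- prefix. The convention regex (lower-case, hyphen-separated segments) is an assumption, not CAF text; a pattern of this kind is what the rule's AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT configuration value expects.

```python
import re

# Azure platform limits for NSG names, taken from the requirements list:
# 1-80 characters of letters, digits, underscore, hyphen or period;
# first character a letter or digit; last character a letter, digit or underscore.
# The {0,78} middle run plus the first and last characters caps the length at 80.
AZURE_NSG_NAME_PATTERN = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_.\-]{0,78}[A-Za-z0-9_])?$")

# Constructed convention (an assumption for this example): the CAF "nsg-" prefix
# followed by one or more lower-case alphanumeric segments separated by hyphens.
CAF_NSG_NAME_FORMAT = r"^nsg-[a-z0-9]+(?:-[a-z0-9]+)*$"


def is_valid_azure_nsg_name(name: str) -> bool:
    """True if the name satisfies the platform's NSG naming requirements."""
    return AZURE_NSG_NAME_PATTERN.fullmatch(name) is not None


def check_nsg_name(name: str, name_format: str = CAF_NSG_NAME_FORMAT) -> list[str]:
    """Return findings for an NSG name; an empty list means it passes both checks.

    The platform check tells you whether a deployment would be rejected by Azure;
    the format check is the organisational convention this rule enforces.
    """
    findings = []
    if not is_valid_azure_nsg_name(name):
        findings.append("does not meet Azure NSG naming requirements")
    # re.search, not fullmatch, because the configured regex carries its own anchors.
    if re.search(name_format, name) is None:
        findings.append(f"does not match the standard name format {name_format!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample names: one compliant, one legal-but-nonstandard, one illegal.
    for candidate in ("nsg-web-prod", "WebServersNSG", "nsg-web."):
        print(candidate, check_nsg_name(candidate) or "OK")
```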
Recommendation
Consider creating NSGs with a standard name. Additionally, consider using Azure Policy to permit creation only when the standard naming convention is followed.
Examples
Configure with Bicep
To deploy Network Security Groups that pass this rule:
- Set the name property to a string that matches the naming requirements.
- Optionally, consider constraining name parameters with minLength and maxLength attributes.
For example:
@minLength(1)
@maxLength(80)
@description('The name of the resource.')
param name string

@description('The location resources will be deployed.')
param location string = resourceGroup().location

resource nsg 'Microsoft.Network/networkSecurityGroups@2024-05-01' = {
  name: name
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowLoadBalancerHealthInbound'
        properties: {
          description: 'Allow inbound Azure Load Balancer health check.'
          access: 'Allow'
          direction: 'Inbound'
          priority: 100
          protocol: '*'
          sourcePortRange: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          destinationPortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
      {
        name: 'AllowApplicationInbound'
        properties: {
          description: 'Allow internal web traffic into application.'
          access: 'Allow'
          direction: 'Inbound'
          priority: 300
          protocol: 'Tcp'
          sourcePortRange: '*'
          sourceAddressPrefix: '10.0.0.0/8'
          destinationPortRange: '443'
          destinationAddressPrefix: 'VirtualNetwork'
        }
      }
      {
        name: 'DenyAllInbound'
        properties: {
          description: 'Deny all other inbound traffic.'
          access: 'Deny'
          direction: 'Inbound'
          priority: 4000
          protocol: '*'
          sourcePortRange: '*'
          sourceAddressPrefix: '*'
          destinationPortRange: '*'
          destinationAddressPrefix: '*'
        }
      }
      {
        name: 'DenyTraversalOutbound'
        properties: {
          description: 'Deny outbound double hop traversal.'
          access: 'Deny'
          direction: 'Outbound'
          priority: 200
          protocol: 'Tcp'
          sourcePortRange: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '3389'
            '22'
          ]
        }
      }
    ]
  }
}
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure template
To deploy Network Security Groups that pass this rule:
- Set the name property to a string that matches the naming requirements.
- Optionally, consider constraining name parameters with minLength and maxLength attributes.
For example:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.34.44.8038",
      "templateHash": "3901699113779854347"
    }
  },
  "parameters": {
    "name": {
      "type": "string",
      "minLength": 1,
      "maxLength": 80,
      "metadata": {
        "description": "The name of the resource."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The location resources will be deployed."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2024-05-01",
      "name": "[parameters('name')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "AllowLoadBalancerHealthInbound",
            "properties": {
              "description": "Allow inbound Azure Load Balancer health check.",
              "access": "Allow",
              "direction": "Inbound",
              "priority": 100,
              "protocol": "*",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "AzureLoadBalancer",
              "destinationPortRange": "*",
              "destinationAddressPrefix": "*"
            }
          },
          {
            "name": "AllowApplicationInbound",
            "properties": {
              "description": "Allow internal web traffic into application.",
              "access": "Allow",
              "direction": "Inbound",
              "priority": 300,
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "10.0.0.0/8",
              "destinationPortRange": "443",
              "destinationAddressPrefix": "VirtualNetwork"
            }
          },
          {
            "name": "DenyAllInbound",
            "properties": {
              "description": "Deny all other inbound traffic.",
              "access": "Deny",
              "direction": "Inbound",
              "priority": 4000,
              "protocol": "*",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "*",
              "destinationPortRange": "*",
              "destinationAddressPrefix": "*"
            }
          },
          {
            "name": "DenyTraversalOutbound",
            "properties": {
              "description": "Deny outbound double hop traversal.",
              "access": "Deny",
              "direction": "Outbound",
              "priority": 200,
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "sourceAddressPrefix": "VirtualNetwork",
              "destinationAddressPrefix": "*",
              "destinationPortRanges": [
                "3389",
                "22"
              ]
            }
          }
        ]
      }
    }
  ]
}
Notes
This rule does not check if NSG names are unique.
Rule configuration
AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT
To configure this rule, set the AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT configuration value to a regular expression that matches the required format.
For example:
Links
- OE:04 Tools and processes
- Recommended abbreviations for Azure resource types
- Naming rules and restrictions for Azure resources
- Define your naming convention
- Azure deployment reference