This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 42%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
How can I add a inbound rule to NSG of VMSS, attached to network Interface via ARM template?
Hi @Aditya Pai
You can add an inbound rule to the network security group (NSG) of a virtual machine scale set (VMSS) by using an ARM template. Here is an example of how to add an inbound rule to the NSG of a VMSS attached to a network interface via ARM template:
{
"apiVersion": "2018-06-01",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"name": "[concat(parameters('nsgName'), '/', parameters('ruleName'))]",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Network/networkSecurityGroups/', parameters('nsgName'))]"
],
"properties": {
"protocol": "[parameters('protocol')]",
"sourcePortRange": "*",
"destinationPortRange": "[parameters('destinationPortRange')]",
"sourceAddressPrefix": "[parameters('sourceAddressPrefix')]",
"destinationAddressPrefix": "[parameters('destinationAddressPrefix')]",
"access": "[parameters('access')]",
"priority": "[parameters('priority')]",
"direction": "[parameters('direction')]"
}
}
In this example, you need to provide the following parameters:
nsgName: The name of the NSG.ruleName: The name of the rule you want to create.location: The location of the NSG.protocol: The protocol of the rule (TCP, UDP, or *).destinationPortRange: The destination port range of the rule.sourceAddressPrefix: The source address prefix of the rule.destinationAddressPrefix: The destination address prefix of the rule.access: The access of the rule (Allow or Deny).priority: The priority of the rule.direction: The direction of the rule (Inbound or Outbound).You can use this template to add an inbound rule to the NSG of a VMSS attached to a network interface.
Hope this helps!
If I have answered your query, please click "Accept as answer" as a token of appreciation
{
"name": "agentpool",
"osDiskSizeGB": "[parameters('osDiskSizeGB')]",
"count": "[parameters('agentCount')]",
"enableAutoScaling": true,
"vmsize": "[parameters('agentpoolVmSize')]",
"osType": "Linux",
"osSKU": "Ubuntu",
"minCount": "[parameters('minCount')]",
"maxCount": "[parameters('maxCount')]",
"type": "VirtualMachineScaleSets",
"mode": "System",
"maxPods": 110,
"availabilityZones": [],
"nodeLabels": {},
"enableNodePublicIP": true,
"tags": {},
"vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('aksSubnetName'))]"
},
As i am already creating a agentpool node and whatever script you provided is creating one more nsg and not adding rule to the exsisting one .
I am creating a managed cluster and 2 nodes agentpool and gpunode, from ARM Template,
I want to allow certain ports in agentpool node.How can i proceed?
Hi Aditya Pai
To add an inbound rule to the NSG of a VMSS, you can use the Microsoft.Network/networkSecurityGroups resource type in your ARM template. Here are the steps to add an inbound rule to the NSG:
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2021-02-01",
"name": "[variables('nsgName')]",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "allow-8080",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "8080",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
}
]
}
}
Replace variables('nsgName') with the name of your NSG, and 8080 with the port number you want to allow traffic on. You can also customize the rule name, priority, and direction as needed.
Repeat step 2 for each port you want to allow traffic on.
Once you have added the inbound security rules to the NSG, they will take effect immediately and allow traffic on the specified port(s) to your VMSS instances.
I hope this helps! Let me know if you have any further question
Hi @Prrudram-MSFT ,We are deploying managedCluster from ARM template, inside a AKS subnet.
There are 2 nodes we are deploying in the cluster.
1.Agentpool
2.GPUnode
When we are deploying, agentpool-vmss is having 2 NSGs,one is with subnet-level and one is which is attached to network interface.
As the one with subnet level,we have allowed couple of ports.
But the nsg attached to network interface we are not able to allow ports.
As assuming we will not be having that nsgname which is attached to networkInterface and it will be created dynamically,how can we allow ports on that agentpool level.
Also,
The snippet you provided is in resource section and one more nsg will be created over it,
and that nsg will not be useful, as i am facing issue on nsg attached to NetworkInterface of VMSS.
Looking forward to hear from you.Help us out on how we can proceed.
If I'm wrong please correct,and provide a valid solution which will help.
Hello Aditya Pai
I will have to test this scenario to get the exact workflow, It will take sometime for me to get back. In the interim, If you would like and be able to reach out support to know if there is any existing template that they can help with that might help you get going faster. I looked up didn't find any.
Sure will look into it,Thanks
Thanks