Hi @Jamison Ballou
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
- Azure NSGs use a priority system (100-4096) to determine which rule to apply when multiple rules could match incoming traffic. For your reference: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#:~:text=A%20number%20between,always%20processed%20first.
- When rules have close or identical priorities and overlap in their port/protocol definitions, Azure might reorder them during updates or deployments to maintain what it considers the most logical order based on its internal algorithms.
- This reordering is not always what you intended and can break your application connectivity.
- Instead of using 100, 101, 102, use 100, 200, 300 or even larger gaps. This leaves room for adding new rules in between without requiring a full renumbering of existing rules.
- Group similar rules together and assign them priorities within a certain range.
- If possible, define very specific source and destination IP ranges or ASGs in your rules. This reduces overlap and the chances of Azure reordering.
- Don't use "Any" for ports or protocols unless absolutely necessary. Be precise like TCP, UDP.
- An "Allow All" rule with a low priority can override your more specific rules, causing unintended behavior.
- ASGs allow you to group your VMs into logical units. You can then create NSG rules based on these ASGs. This makes your rules easier to manage and less prone to overlapping. For your reference: https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups#:~:text=Application%20security%20groups%20enable%20you%20to%20configure%20network%20security%20as%20a%20natural%20extension%20of%20an%20application%27s%20structure%2C%20allowing%20you%20to%20group%20virtual%20machines%20and%20define%20network%20security%20policies%20based%20on%20those%20groups.
Kindly let us know if the above helps or please let us know in the comments below if you need further assistance on this issue.
If you feel that your queries have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.
Thanks,
Sai.
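The points in the answer above (lowest priority number is evaluated first, a broad "Allow All" at a low number takes precedence over a more specific deny, and tightly packed priorities leave no room for insertions) can be checked offline with a small model of NSG rule evaluation. The script below is an added example, not code from the original answer or from Microsoft; it implements the documented first-match-by-priority semantics but simplifies everything else (inbound only, no destination prefix, no ASGs, no default rules, and a single port or range per rule). The `min_gap` threshold and the overlap/shadowing heuristics in `lint()` are this example's own assumptions, and the rule sets are constructed for illustration.

```python
"""Simplified Azure NSG rule evaluator plus a linter for priority-spacing
and shadowing problems. Assumptions (not Azure's own code): lower priority
number wins, evaluation stops at the first match, inbound flows only,
no destination prefix, ASG or default-rule modelling."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 100-4096; lower number is evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*" (any)
    dest_port: str   # single port "443", range "80-443", or "*"
    source: str      # CIDR such as "10.0.0.0/8", or "*"


def _port_range(spec: str) -> Tuple[int, int]:
    if spec == "*":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def _ports_overlap(a: str, b: str) -> bool:
    (a1, a2), (b1, b2) = _port_range(a), _port_range(b)
    return a1 <= b2 and b1 <= a2


def _protos_overlap(a: str, b: str) -> bool:
    return a == "*" or b == "*" or a.lower() == b.lower()


def _sources_overlap(a: str, b: str) -> bool:
    if a == "*" or b == "*":
        return True
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def matches(rule: Rule, protocol: str, port: int, source_ip: str) -> bool:
    """True if one flow (protocol, destination port, source IP) hits the rule."""
    lo, hi = _port_range(rule.dest_port)
    if not lo <= port <= hi:
        return False
    if not _protos_overlap(rule.protocol, protocol):
        return False
    if rule.source != "*" and ip_address(source_ip) not in ip_network(rule.source, strict=False):
        return False
    return True


def evaluate(rules: List[Rule], protocol: str, port: int, source_ip: str) -> Optional[Rule]:
    """Return the first matching rule in ascending priority order, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, protocol, port, source_ip):
            return rule
    return None


def lint(rules: List[Rule], min_gap: int = 100) -> List[str]:
    """Flag overlapping rule pairs that sit closer than min_gap, and
    overlapping pairs where the higher-precedence rule has the opposite
    access (the broad Allow-before-specific-Deny case from the answer)."""
    findings = []
    ordered = sorted(rules, key=lambda r: r.priority)
    for i, r in enumerate(ordered):
        for s in ordered[i + 1:]:
            overlap = (_protos_overlap(r.protocol, s.protocol)
                       and _ports_overlap(r.dest_port, s.dest_port)
                       and _sources_overlap(r.source, s.source))
            if not overlap:
                continue
            gap = s.priority - r.priority
            if gap < min_gap:
                findings.append(f"{r.name} ({r.priority}) and {s.name} ({s.priority}) "
                                f"overlap and are only {gap} apart")
            if r.access != s.access:
                findings.append(f"{r.name} ({r.priority}, {r.access}) takes precedence over "
                                f"overlapping {s.name} ({s.priority}, {s.access})")
    return findings


# Constructed rule sets. BAD_RULES shows the anti-patterns; GOOD_RULES spaces
# priorities by 100 and drops the blanket allow.
BAD_RULES = [
    Rule("AllowAllInbound", 100, "Allow", "*", "*", "*"),
    Rule("DenyRDP", 101, "Deny", "Tcp", "3389", "*"),
    Rule("AllowWeb", 102, "Allow", "Tcp", "443", "*"),
]
GOOD_RULES = [
    Rule("DenyRDP", 100, "Deny", "Tcp", "3389", "*"),
    Rule("AllowWeb", 200, "Allow", "Tcp", "443", "*"),
]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_RULES), ("good", GOOD_RULES)):
        hit = evaluate(rules, "Tcp", 3389, "203.0.113.5")  # constructed source IP
        print(f"[{label}] RDP from 203.0.113.5 -> {hit.name if hit else 'no explicit match'}")
        for f in lint(rules):
            print(f"[{label}] {f}")
```

Running it shows that in `BAD_RULES` an inbound RDP flow is allowed by `AllowAllInbound` at priority 100 even though `DenyRDP` exists one step below it, and that the linter reports both the one-step gaps and the precedence conflict; `GOOD_RULES` denies the same flow and produces no findings.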