NSG Rule Change Alerting

ARM (Azure Resource Manager) already allows you to set up email alerts that tell you when an NSG (Network Security Group) is added or removed. At present, there’s no native way to alert on changes to the rules within the NSG itself. This blog covers how to work around this so that you receive an automated email when a rule is added, changed or removed.

How do I set this up?

Head over to the Azure Monitor service and create an activity log alert. You’ll notice that the default options relating to NSGs only cover adding and removing the objects themselves. We need to create two things: a PowerShell script and an “Action Group” (to receive the email). Both are easier to set up if they live in their own RG (Resource Group) that can be targeted.

Walk-Through

Step 1 – Action Group

  • In the portal, navigate to the Monitor service (see image);


  • Click the Monitor option to open up the Monitor blade. This blade brings together all your monitoring settings and data into one consolidated view. It first opens to the Activity log section.
  • Now click on the Action groups section


  • Click on the Add action group command and fill in the fields


  • Provide a Name and Short Name for the action group. The Short Name will be referenced in notifications sent to this group


  • The Subscription is the one the Action group will be saved in. It is auto-filled with the subscription you are currently operating under.
  • Choose the Resource Group this alert will be associated with in the Subscription.
  • Then, define a list of actions through a combination of:
  1. Name: A unique identifier within the action group.
  2. Action Type: This defines the action that will be performed. Options are send SMS, send Email, or call a Webhook.
  3. Details: Based on the action type, the corresponding phone number, email address or webhook URI needs to be provided.
  • Select OK when done to create the action group.

Step 2 – ARM Template

A sample ARM template for creating an Activity Log alert is available here – https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-create-activity-log-alerts-with-resource-manager-template

Starting from the base ARM template in the link above, we need to replace the “operationName” value with the Write operation for NSG rules (see image).


Now go to ‘Templates’ and add a new one; call it something that makes sense, such as ‘NSGAlerting’. Paste in the ARM template (a modified copy of the PowerShell text from the link above) and save it. Now you can click the ‘Deploy’ button and point it at your dedicated RG. Finally, modify a security rule on your NSG to trigger a test email.
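As an added example (not the blog’s own template or Microsoft’s sample), here is a complete ARM template implementing the Step 2 modification: the operationName condition targets the NSG security-rule Write operation and, going slightly beyond the post, a copy loop deploys a second alert for the Delete operation so rule removals are covered too. The action group resource ID parameter and the alert name prefix are assumptions; pass the ID of the action group you created in Step 1.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "actionGroupResourceId": {
      "type": "string",
      "metadata": { "description": "Assumption: full resource ID of the action group created in Step 1." }
    },
    "alertNamePrefix": {
      "type": "string",
      "defaultValue": "NSGRuleChange",
      "metadata": { "description": "Assumption: prefix for the alert names; one alert is created per operation." }
    },
    "operationNames": {
      "type": "array",
      "defaultValue": [
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete"
      ],
      "metadata": { "description": "Write covers rules being added or changed; delete covers removals." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[concat(parameters('alertNamePrefix'), '-', copyIndex())]",
      "location": "Global",
      "copy": { "name": "alertCopy", "count": "[length(parameters('operationNames'))]" },
      "properties": {
        "enabled": true,
        "scopes": [ "[subscription().id]" ],
        "condition": {
          "allOf": [
            { "field": "category", "equals": "Administrative" },
            { "field": "operationName", "equals": "[parameters('operationNames')[copyIndex()]]" },
            { "field": "status", "equals": "Succeeded" }
          ]
        },
        "actions": {
          "actionGroups": [
            { "actionGroupId": "[parameters('actionGroupResourceId')]" }
          ]
        }
      }
    }
  ]
}
```

The status filter on “Succeeded” means you get one email per completed rule change rather than an extra one for the Started event of the same operation.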

