Ability to create source/destination objects containing multiple IP addresses/ranges
When creating NSGs, it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs, I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination, but objects would be better so they can be used across multiple rules.

Custom tags and service tags for Azure public services have been included in our planning. NSG rule grouping has been delivered. Custom tags for explicit IPs are a roadmap item for now.
3 comments
-
Alexei Andreyev commented
How feasible would it be to use VM compute metadata to reference specific tags in NSG rules? AWS has something like this and it would be great to be able to manage NSG source/destination dynamically using VM metadata or some sort of resource manager group resource. Automatic scaling of server groups would be a lot easier if NSGs could be modified via this route.
-
Alexei Andreyev commented
This would be hugely useful in more complex deployments where grouping src/dst addresses and ports into objects is a must-have feature.
-
Shuhei Uda commented
In addition to IP addresses, we want the ability to designate multiple ports.