Can not create Network Security Groups inbound rules for my VM

Question

Can not create Network Security Groups inbound rules for my VM

Isaac 10

I have only one NSG and no rules inside. So it's definitely impossible for my NSG to exceed the amount limit of NSG rules.

When I'm trying to create an inbound rule to open a port on my Virtual Machine, it tells me failed to create security rule. When I'm further checking in the activity logs under monitor, it shows the following:

   <h2>Bad Request - Request Too Long</h2> <hr><p>HTTP Error 400. The size of the request headers is too long.</p>

I don't know what is going on. I tried to re-login, I tried to clear the cookie and cache, and even used another browser. I tried to use the developer tool to look at the header and it seems like the auth token is extremely large. I calculated the length of the encoded token and its 13582 characters. I don't know if this is related, but I don't think the Bearer token is something I can control. Can somebody help me on this?

1 answer

Your answer

Answer 1

Andreas Baumgarten 126K MVP Volunteer Moderator

Hi @Isaac ,

the error message showed up in July 2025 when creating NSGs via Azure Portal already.

Is there a new problem on updating NSG in Azure web portal? Been fine for years ..

Clearing the browser cache sometimes helped. But you already tried different browsers.

Maybe it's an option and workaround to create the NSG rule via AZ CLI?

If so please take a look here: az network nsg rule

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Isaac 10

Thanks for your answer! However, I tried in CLI and I think it also returns the same error...

$ az network nsg rule create \
--resource-group rg \
--nsg-name nsg-name \
--name AllowSSH \
--priority 100 \
--direction Inbound \
--access Allow \
--protocol Tcp \
--source-address-prefixes '*' \
--source-port-ranges '*' \
--destination-address-prefixes '*' \
--destination-port-ranges 22

Operation returned an invalid status 'Bad Request'

Andreas Baumgarten 126K Reputation points MVP Volunteer Moderator

2025-08-16T17:32:37.1733333+00:00

Hi @Isaac ,

the NSG is created just now? Or does the NSG exist a longer time?

In which Azure region the NSG is deployed?

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
Isaac 10 Reputation points

2025-08-16T20:01:46.1533333+00:00

Hi, the NSG is deployed in East US (Zone 2).

The NSG is created with my VM which is created 7 days ago. I also tried to create a brand-new NSG and tried to create one inbound rule inside the new group, and that also failed.
Andreas Baumgarten 126K Reputation points MVP Volunteer Moderator

2025-08-16T20:49:29.9766667+00:00

Hi @Isaac ,

I just created a new NSG in region East US 2 and I was able to add a new inbound rule to allow 22 SSH.

Could you please create a new user and add the new user to the owner role of your Azure subscription.

Login with the new user and give it another try with a new NSG and a new inbound rule.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-19T12:53:39.6933333+00:00

Hello Isaac

I see Andreas Baumgarten has addressed your queries.

Just checking in to see if the information was helpful. If you have any further updates on this issue, please feel free to post back.

If these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-20T10:23:48.3066667+00:00

Hello Isaac

I see Andreas Baumgarten has addressed your queries.

Just checking in to see if the information was helpful. If you have any further updates on this issue, please feel free to post back.

If these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.

Ferenc Kis 0

Hello.

I'm facing the same issue. I just created a virtual machine, witch created the nsg. I wanted to add a rule but got the same error on the azure portal and also CLI.
Tried to clear the browser data also (cookies, local storage).

Here is what I can see about the request when I add --debug flag to the cli command:

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/*******/resourceGroups/*******/providers/Microsoft.Network/networkSecurityGroups/*******/securityRules/r1?api-version=2022-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '240'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '********'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network nsg rule create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--resource-group --nsg-name --name --priority --direction --access --protocol --source-address-prefixes --source-port-ranges --destination-address-prefixes --destination-port-ranges --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.76.0 (MSI) azsdk-python-core/1.35.0 Python/3.12.10 (Windows-11-10.0.26100-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"name": "r1", "properties": {"access": "Allow", "destinationAddressPrefix": "*", "destinationPortRange": "6333", "direction": "Inbound", "priority": 300, "protocol": "Tcp", "sourceAddressPrefix": "***.***.***.***", "sourcePortRange": "*"}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/*******/resourceGroups/********/providers/Microsoft.Network/networkSecurityGroups/********/securityRules/r1?api-version=2022-01-01 HTTP/1.1" 400 346
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '346'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'text/html; charset=us-ascii'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-operation-identifier': 'tenantId=********,objectId=********/northeurope/********'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '199'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-global-writes': '2999'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '********'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '********'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'NORTHEUROPE:*******'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: ******** Ref B: ******* Ref C: 2025-08-28T19:10:51Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 28 Aug 2025 19:10:50 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Request Too Long</h2>
<hr><p>HTTP Error 400. The size of the request headers is too long.</p>
</BODY></HTML>

Share via

Can not create Network Security Groups inbound rules for my VM

1 answer

Your answer