diff --git a/package/cloudshell/cp/azure/domain/services/network_service.py b/package/cloudshell/cp/azure/domain/services/network_service.py
index f1986e6d..4fbb364b 100644
--- a/package/cloudshell/cp/azure/domain/services/network_service.py
+++ b/package/cloudshell/cp/azure/domain/services/network_service.py
@@ -1,7 +1,8 @@
 import time
 import azure
-from azure.mgmt.network.models import NetworkInterface, NetworkInterfaceIPConfiguration, VirtualNetwork, RouteTable, Route
+from azure.mgmt.network.models import NetworkInterface, NetworkInterfaceIPConfiguration, VirtualNetwork, RouteTable, \
+ Route
 from retrying import retry
 from cloudshell.cp.azure.common.helpers.ip_allocation_helper import is_static_allocation, to_azure_type
@@ -117,7 +118,8 @@ def create_network_for_vm(self,
 @retry(stop_max_attempt_number=5, wait_fixed=2000, retry_on_exception=retry_if_connection_error)
 def create_nic(self, interface_name, group_name, network_client, public_ip_address, region,
- subnet, private_ip_allocation_method, tags, logger, reservation_id, cloudshell_session, network_security_group=None):
+ subnet, private_ip_allocation_method, tags, logger, reservation_id, cloudshell_session,
+ network_security_group=None):
 """ The method creates or updates network interface. Parameter
@@ -444,3 +446,28 @@ def get_virtual_network_by_tag(self, virtual_networks, tag_key, tag_value):
 if network and self.tags_service.try_find_tag( tags_list=network.tags, tag_key=tag_key) == tag_value), None)
+
+ @retry(stop_max_attempt_number=5, wait_fixed=2000, retry_on_exception=retry_if_connection_error)
+ def delete_nsg_artifacts_associated_with_vm(self, network_client, resource_group_name, vm_name):
+ """
+ :param azure.mgmt.network.network_management_client.NetworkManagementClient network_client:
+ :param str resource_group_name:
+ :param str vm_name:
+ """
+
+ network_security_groups = network_client.network_security_groups.list(resource_group_name)
+ for nsg in network_security_groups:
+ if vm_name in nsg.name:
+ # rollback vm nsg
+ poller = network_client.network_security_groups.delete(resource_group_name,
+ nsg.name)
+ poller.wait()
+
+ if 'sandbox_all_subnets' in nsg.name:
+ for rule in nsg.security_rules:
+ if vm_name in rule.name:
+ # rollback inbound ports
+ poller = network_client.security_rules.delete(resource_group_name,
+ nsg.name,
+ rule.name)
+ poller.wait()
diff --git a/package/cloudshell/cp/azure/domain/vm_management/operations/deploy_operation.py b/package/cloudshell/cp/azure/domain/vm_management/operations/deploy_operation.py
index bfae522f..5bedac88 100644
--- a/package/cloudshell/cp/azure/domain/vm_management/operations/deploy_operation.py
+++ b/package/cloudshell/cp/azure/domain/vm_management/operations/deploy_operation.py
@@ -458,6 +458,11 @@ def _rollback_deployed_resources(self, logger, compute_client, network_client, g
 except:
 logger.exception('Failed to released ips from pool')
+ self.network_service.delete_nsg_artifacts_associated_with_vm(
+ network_client=network_client,
+ resource_group_name=group_name,
+ vm_name=vm_name)
+
 def _get_public_ip_address(self, network_client, azure_vm_deployment_model, group_name, ip_name, cancellation_context, logger):
 """
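Review bot: Both `vm_name in nsg.name` and `vm_name in rule.name` in delete_nsg_artifacts_associated_with_vm are substring tests, so rolling back one VM also deletes any NSG, or any rule inside a `sandbox_all_subnets` NSG, whose name merely contains that VM's name (for example when one VM name is a prefix of another). That changes network filtering for machines unrelated to the failed deployment. I would compare against the exact names the deploy path generates, or at least state the uniqueness assumption in the docstring, which currently has no summary line. The rule loop also assumes `nsg.security_rules` is iterable; if the SDK can leave it as None, `for rule in nsg.security_rules or []:` avoids a TypeError in the middle of a rollback.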
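Review bot: The added call to `delete_nsg_artifacts_associated_with_vm` in `_rollback_deployed_resources` is not guarded, unlike the IP-release step directly above it, which logs with `logger.exception` and continues. An Azure error that survives the five retries would propagate out of the rollback and may mask the original deployment failure, with no log line saying the NSG artifacts were left behind. Wrapping it as `try: ... except Exception: logger.exception('Failed to delete NSG artifacts of VM {}'.format(vm_name))` keeps the rollback best-effort and records the leftover rules for later cleanup. The function begins above this hunk, so steps that are not visible here may be handled differently.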