diff --git a/api/v1beta1/types.go b/api/v1beta1/types.go
index 62f6373b485..d4aa500b572 100644
--- a/api/v1beta1/types.go
+++ b/api/v1beta1/types.go
@@ -270,6 +270,17 @@ const (
 SecurityRuleDirectionOutbound = SecurityRuleDirection("Outbound")
 )
 
+// SecurityRuleAction defines the action type for a security group rule.
+type SecurityRuleAction string
+
+const (
+ // SecurityRuleActionAllow allows traffic defined in the rule.
+ SecurityRuleActionAllow = SecurityRuleAction("Allow")
+
+ // SecurityRuleActionDeny denies traffic defined in the rule.
+ SecurityRuleActionDeny = SecurityRuleAction("Deny")
+)
+
 // SecurityRule defines an Azure security rule for security groups.
 type SecurityRule struct {
 // Name is a unique name within the network security group.
@@ -297,6 +308,9 @@ type SecurityRule struct {
 // Destination is the destination address prefix. CIDR or destination IP range. Asterix '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.
 // +optional
 Destination *string `json:"destination,omitempty"`
+ // Action specifies whether network traffic is allowed or denied. "Allow" or "Deny".
+ // +kubebuilder:validation:Enum=Allow;Deny
+ Action SecurityRuleAction `json:"action"`
 }
 
 // SecurityRules is a slice of Azure security rules for security groups.
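Review bot: The new `Action` field in the second hunk is required (no `+optional`, no `omitempty`) and has no default, so a rule written before this change, or one built in Go code that never passes CRD validation, carries the zero value `""`, which is neither `Allow` nor `Deny`. For a network security rule the result of an unset action should be explicit and documented; the code that consumes the field is not visible in this diff, so how it treats the empty string needs to be checked there. If rules were allow-only before this change, I would add `// +kubebuilder:default=Allow` and `// +optional` above the field, change the tag to `json:"action,omitempty"`, and state the default in the field comment. The `SecurityRule` struct starts outside the hunk.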