Question on NSG rule ->Allow

kumar kaushal 176 Reputation points
2021-09-13T23:39:01.543+00:00

I have some questions on the below NSG outbound rules and need help

65001 AllowInternetOutBound Any Any Any Internet Allow

65500 DenyAllOutBound Any Any Any Any Deny

a) 65001 says that if your source is 0.0.0.0/0 and sending a communication to the Internet it should be allowed. Am I correct? The question I have here is: how does the machine take the call that the traffic is indeed for the internet and that this outbound rule has to come into play? My understanding is it checks the IP and says, hey, this does not belong to this subnet and it should be routed to the internet.

b) 65500: any port to any port, source and destination, is denied.

Why I am asking this question is because:

I created 2 VMs, one in Central US and the other in West US. Different subnets and the same NSG configuration, with port 80 being allowed in the inbound rules. When I run Network Watcher IP flow verify for inbound between VM1 and VM2 on port 80 it is successful, as inbound is allowed.

But if I do an outbound check for source VM1 and source VM2 on port 80 I fail:

Access denied
Security rule
DenyAllOutBound

Question 2: If I have an Azure VM and I need to do a telnet or reach an application on an on-premise VM which is listening on port 80...

Is it that I have to allow port 80 in the outbound rules? What I am finding is that when I do a telnet <onpremiseVMname> 80 from the Azure VM I am able to connect. That tells me that it is going via the internet. Am I correct? AllowInternetOutBound is followed in this case.

I am just confused here: if I create 2 VMs in Azure in two different locations and then do an outbound test with Network Watcher IP flow verify on port 80 it fails, but if I do a telnet to my on-premise VM from the Azure VM it connects to port 80. Why?


1 answer

  1. suvasara-MSFT 10,001 Reputation points
    2021-09-14T05:10:10.163+00:00

    @kumar kaushal, in Azure, NSGs are proactive in learning to-and-fro flows. You may not create two security rules with the same priority and direction. A flow record is created for existing connections.
    Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful.
    If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.

    Do provide your NSG rule SS (screenshot) so we can give better insights. Also, there should not be any issue with traffic flows if you have an NSG like the one specified below.

    [image: 131821-image.png]

    Note: Make sure you have this rule unaltered in the outbound rule section:

    65001 AllowInternetOutBound Any Any Any Internet Allow

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

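As an added illustration (not part of the question or the answer above), the following Python model replays the asker's checks against a stateful rule set: the inbound port 80 rule creates a flow record that lets the reply out without any outbound rule, a fresh outbound connection to the other VM's private address in a different VNet matches neither the VirtualNetwork nor the Internet tag and so hits DenyAllOutBound, while the on-premises host's public address falls under the Internet tag and is allowed by 65001. The addresses, the name and priority of the inbound port 80 rule, and the simplified definition of the Internet tag are assumptions, not Azure's implementation.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed model of how an NSG decides one packet (not Azure's code). Only the
# rules quoted in this thread are modelled and every address below is made up.
Rule = namedtuple("Rule", "priority name direction port destination action")
VNET = ip_network("10.1.0.0/16")  # VM1's own VNet, i.e. the VirtualNetwork tag
RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VM1, VM2, ONPREM = "10.1.0.4", "10.2.0.4", "203.0.113.10"

def tag_matches(tag, addr):
    """Simplified service tags: Internet = outside the VNet and not RFC 1918 space."""
    ip = ip_address(addr)
    if tag == "Any":
        return True
    if tag == "VirtualNetwork":
        return ip in VNET
    return ip not in VNET and not any(ip in net for net in RFC1918)  # "Internet"

class StatefulNsg:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.priority)  # lower number wins
        self.flows = set()  # (src, sport, dst, dport) of flows some rule allowed

    def check(self, direction, src, sport, dst, dport):
        """Return (action, rule) for one packet, as IP flow verify reports it."""
        if (dst, dport, src, sport) in self.flows:  # reply to an allowed flow
            return "Allow", "existing flow record"
        for r in self.rules:
            if r.direction != direction or r.port not in ("Any", str(dport)):
                continue
            if not tag_matches(r.destination, dst):
                continue
            if r.action == "Allow":
                self.flows.add((src, sport, dst, dport))
            return r.action, r.name
        return "Deny", "no matching rule"

def page_scenario():
    """Replay the checks from the question against VM1's NSG."""
    nsg = StatefulNsg([
        Rule(100, "AllowPort80InBound", "Inbound", "80", "Any", "Allow"),
        Rule(65001, "AllowInternetOutBound", "Outbound", "Any", "Internet", "Allow"),
        Rule(65500, "DenyAllOutBound", "Outbound", "Any", "Any", "Deny"),
    ])
    return {
        "vm2_to_vm1_inbound_80": nsg.check("Inbound", VM2, 40000, VM1, 80),
        "vm1_reply_to_vm2": nsg.check("Outbound", VM1, 80, VM2, 40000),
        "vm1_to_vm2_outbound_80": nsg.check("Outbound", VM1, 40001, VM2, 80),
        "vm1_to_onprem_outbound_80": nsg.check("Outbound", VM1, 40002, ONPREM, 80),
    }
```

Calling `page_scenario()` returns the same verdicts the asker saw: the inbound test and the telnet to the on-premises host are allowed, the outbound test to the other VM ends at DenyAllOutBound.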