NSG - Network security group - How to block traffic

Amol Admin account 11

Hi,

I have a virtual network and subnet 10.185.23.0/24 in it.

There is VM with IP 10.185.23.4.

We have domain controllers in seperate Vnet and subnet 10.185.4.0/26.

I want to block any outgoing traffic towards one of the domain controller 10.185.4.7 from this VM (23.4). For testing using rule for 1 domain controller for now.

Created NSG as below.

inbound

outbound

However i can still do connect on port 53 from test VM to 10.185.4.7. Also Network Watcher shows connectivity Successful. Somehow i am not able to overwrite allvnetoutbound rule which maybe causing all traffic to allow. i read multiple articles but not any is clear on stateless or stateful and how to achive this.

Our goal is to isolate this subnet from reaching to domain controllers.

TP 76,686 Reputation points

2024-03-01T15:05:37.1533333+00:00

Hi,

On the Subnets blade of the NSG, please confirm that it is Associated with the subnet for VM 10.185.23.4.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP
Amol Admin account 11 Reputation points

2024-03-01T15:09:06.17+00:00

Yes. It is attached to subnet.
TP 76,686 Reputation points

2024-03-01T16:05:32.42+00:00

What technique are you using to verify that you can/cannot connect to the DNS server on 10.185.4.7? As you described your configuration here, it appears correct and will achieve your goal.

To that end I did quick test whereby I create two separate vnets/subnets, peered them, created nsg with outbound rule similar to yours, and when I do nslookup the connection to the dns server is blocked. If I disassociate the nsg and test again, the connection succeeds.

Also test using telnet to port 53 with same results.

How are your two vnets connected to each other?
TP 76,686 Reputation points

2024-03-01T17:09:27.2533333+00:00

@Amol Admin account For reference, below screenshot shows how I am testing the blocking. For UDP, I used nslookup and for TCP, I used telnet
TP 76,686 Reputation points

2024-03-02T01:18:15.9433333+00:00

@Amol Admin account Please navigate to the source VM, Connection troubleshoot blade, and run diagnostic similar to below, then post results:

Below are results for my test. Notice it is being blocked by the NSG (as expected), and if I click See details I can see the rule I created is blocking:

What are you seeing?

1 answer

Amol Admin account 11 Reputation points

2024-03-02T07:49:24.6366667+00:00

Thanks TP for your help. Really appreciate. See our architecture is hub and spoke. hub is transit vnet where we have azure firewall. so next hop for all vnets in configured as AZ FW using routing table.

Also, i built new test VM in same subnet for testing today. same result. see screens of network watcher and our architecture.
Please sign in to rate this answer.
TP 76,686 Reputation points

2024-03-04T07:19:35.21+00:00

Hi, I changed my test environment to hub and spoke with 3 vnets and azure firewall in the hub. Same results--DNS is blocked by the NSG.

Amol Admin account 11 Reputation points

2024-03-04T11:30:16.47+00:00

Our env has configured with routing tables on Vnets. Default route 0.0/0 is pointing to azure firewall. it seems this is creating a problem for us. However if i put the inbound nsg rule on Target (DNS) server, it is working to block the dns traffic from this test VM. I am in communicating with microsoft also with a ticket.

ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee

2024-03-06T23:32:46.69+00:00

@Amol Admin account Thank you for reaching out. I understand you have a support ticket open here. I have made a private message here requesting you to share the support ticket with us for tracking purposes. Thank you!
Sign in to comment