question

maram-4701 asked ·

Incoming traffic TCP allowed in nsg and server firewall is getting blocked

I have enabled incoming TCP port 8080 via nsg config for my VM and the VM has firewalls enabled for the same port.

I can already see traffic is able to get in if source is in the same server.

But if source is external and access is via public IP the traffic is getting refused.

Can someone in Azure support assist? The problem looks like it is in the Azure network, as localhost server access is fine.

My VM name is lamp01 and the public IP is 13.90.34.179.

azure-virtual-network

PritamGhatak-5879 answered ·

Hi maram-4701,

Could you please let me know exactly what NSG rule you have configured in Azure? Also, do you have any other Azure firewall in your environment?

Thanks & Regards,
Pritam Ghatak (Prips)

maram-4701 answered ·

See here:
https://portal.azure.com/#@numaram88gmail.onmicrosoft.com/resource/subscriptions/9f81348a-0f71-4c47-a2fb-02b1caa43ded/resourceGroups/cloud_server/providers/Microsoft.Network/networkSecurityGroups/lamp01-nsg/overview

or screenshot:
https://imgur.com/a/QPdxVHx


maram-4701 answered ·

Those things you ask, you can perhaps check directly yourself?

No, there is no Azure firewall in my environment.


maram-4701 answered ·

Why no response from Azure support here?

Still hope to hear a response.


ChristopherHaehnel answered ·

Did you try to specify the TCP protocol, and Inbound from the Internet? Maybe you already got a solution. Maybe you can tell us. Did you try to increase the priority?

Regards, Chris


maram-4701 answered ·

Did you try to specify the TCP protocol, and Inbound from the Internet?

Yes, I have, and I have provided a screenshot of my NSG settings: https://imgur.com/a/QPdxVHx


Maybe you already got a solution.

No. And there has not been any Azure support response.

Maybe you can tell us. Did you try to increase the priority?

Yes. No effect.


TravisCragg-MSFT answered ·

As you have already stated, the main places for traffic to be blocked are NSGs, or a firewall on the VM. If you have additional parts to your network like an Azure Firewall, Load Balancer, or custom routes that might alter traffic, it can get more complicated. If you simply have a VM with a Public IP address, and no User Defined Routes that could alter the traffic, then it is being blocked by an NSG, or by the VM itself.

In situations like these, I like to double check everything. Let's start with NSGs:

In the NSG you provided a screenshot of, 'lamp01-nsg', ports 8080 to 8090 are allowed on any protocol. An outbound rule is not needed for TCP connectivity, so this NSG is not blocking the traffic.

NSGs can be applied to the NIC of a VM, and the subnet that the VM is in. Make sure that you do not also have an NSG on the subnet that is blocking the traffic.


Next, we need to check the machine itself to make sure that it is listening on port 8080. I assume with the 'lamp' name of your NSG, that you are using a Linux VM. I like to use 'netstat -tl' to output listening ports on the OS. Make sure that your VM is listening on port 8080.

Next, try to establish a connection. First, try from within the VM using curl on the VM's private IP address. Next, try to connect from the same VNet via the private IP (if you have another VM running in the VNet), and last, try to connect from a computer outside the VNet via the public IP. Make sure you are connecting via port 8080. Where the failure occurs will give you additional information on where the block is happening.

You can also try a TCP ping test; I like to use PsPing to check for TCP connectivity on an address. If you are able to establish external TCP connectivity but unable to get a website, it is likely a configuration issue with the web hosting software on your VM.


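The tiered check described in the answer above (listening port on the VM, then connect from the VM, from the same VNet, and from the Internet), written out as an added example; it is not code from the answer or from Azure. The `netstat -tln` sample is constructed, and the example also checks the bind address, a case the answer does not call out: a listener bound only to 127.0.0.1 passes the local test and fails every external one, which looks exactly like an NSG problem.

```python
"""Layered TCP reachability check for a service on an Azure VM (added example)."""
import socket
from typing import List, Optional

# Constructed `netstat -tln` output: port 80 is bound to all interfaces,
# port 8080 only to loopback, reproducing "works locally, fails externally".
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""


def listening_addresses(netstat_output: str, port: int) -> List[str]:
    """Local addresses on which `port` is in LISTEN state (netstat -tln layout)."""
    found = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, lport = f[3].rpartition(":")  # handles "127.0.0.1:8080" and ":::22"
        if lport == str(port):
            found.append(addr)
    return found


def bound_for_external(addrs: List[str]) -> bool:
    """True if at least one listener on the port is not loopback-only."""
    return any(not (a.startswith("127.") or a == "::1") for a in addrs)


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP handshake; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(local_ok: bool, vnet_ok: Optional[bool], public_ok: bool) -> str:
    """Map the three probe tiers (VM, same VNet, Internet) to the layer most likely blocking."""
    if not local_ok:
        return "service not listening, or host firewall blocks even loopback"
    if vnet_ok is False:
        return "host firewall or loopback-only bind on the VM"
    if not public_ok:  # vnet_ok may be None when no second VM is available
        return "NSG on the NIC or subnet, or host firewall on the VM"
    return "TCP reachable; check the web server configuration"
```

Run `listening_addresses` over the real `netstat -tln` output first; if `bound_for_external` is False, no NSG rule will ever help.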

maram-1117 answered ·

As you have already stated, the main places for traffic to be blocked are NSGs, or a firewall on the VM. If you have additional parts to your network like an Azure Firewall, Load Balancer, or custom routes that might alter traffic, it can get more complicated. If you simply have a VM with a Public IP address, and no User Defined Routes that could alter the traffic, then it is being blocked by an NSG, or by the VM itself.

Ok

In situations like these, I like to double check everything. Let's start with NSGs:

Ok

In the NSG you provided a screenshot of, 'lamp01-nsg', ports 8080 to 8090 are allowed on any protocol. An outbound rule is not needed for TCP connectivity, so this NSG is not blocking the traffic.

Ok

NSGs can be applied to the NIC of a VM, and the subnet that the VM is in. Make sure that you do not also have an NSG on the subnet that is blocking the traffic.

I have not set up any additional NSGs.


Next, we need to check the machine itself to make sure that it is listening on port 8080. I assume with the 'lamp' name of your NSG, that you are using a Linux VM. I like to use 'netstat -tl' to output listening ports on the OS. Make sure that your VM is listening on port 8080.

Yes, it is. I have tested by using a local app to connect.

Next, try to establish a connection. First, try from within the VM using curl on the VM's private IP address. Next, try to connect from the same VNet via the private IP (if you have another VM running in the VNet), and last, try to connect from a computer outside the VNet via the public IP. Make sure you are connecting via port 8080. Where the failure occurs will give you additional information on where the block is happening.

I am able to connect to the machine via port 80 from a public source; only port 8080 is not working.


You can also try a TCP ping test; I like to use PsPing to check for TCP connectivity on an address. If you are able to establish external TCP connectivity but unable to get a website, it is likely a configuration issue with the web hosting software on your VM.

From all the information available, the issue seems to be with the NSG rules and the Azure network. Everything else is correct, but the NSG is not implementing the allow port 8080 rule correctly. Hopefully you can investigate this possibility.


kanabis answered ·

Hi!

Try to run Network Watcher, IP Flow Verify blade.

[screenshot: networkwatcher.png, Network Watcher IP Flow Verify]