AndrewMartin-2860 asked:

Multiple public IPs in Azure with separate inbound rules

I have a virtual machine running in Azure to which I have recently added a second public IP. Both the primary and secondary IP are associated with one NIC on the VM. I would like to create separate inbound rules per public IP; however, it appears that any rule I make for one public IP copies to the other. The reason to split them up is that an external source IP will be communicating with both of the public IPs, depending on the service. Can anyone share whether it is feasible to split out the rules?

azure-virtual-network

StephaneBudo answered:

Hi Andrew,

When you create your NSG rule, have you tried to set the "destination" IP to the specific public IP you are targeting?
If this doesn't work at the NIC level, try to apply it at the subnet level (NSG).

Cheers,
Stephane


Hi Stephane,
Thanks for the quick reply.
At present I have a rule set from the specific source IP with the destination set to 'any'. Because I now have two public IPs, both of which need to accept traffic from this source IP, my understanding is that if I set a specific destination IP, this would force all traffic from the source to that specific IP each time, as it copies the same rule to both public IPs. If I were able to input separate rules per public IP without them copying to each other, I could route the traffic based on which public IP the traffic came in on.
I'm unsure about the subnet option you mention; the rules only seem to be applied within the NIC settings?


Hey Andrew,
I'm just setting this up in my lab to do some testing, but two questions came to mind:

  • Are the ports being used different? (For example, would you want to open 443 on one IP and 80 on the other?) Or are they the same ports?

  • Will the source IPs be "Any", or a specific list of public IP addresses that will be the same no matter which destination IP is reached?

StephaneBudo answered:

So, I think the best way to achieve this would be to:

  • Assign two private IPs on the NIC, with a separate public IP associated with each private IP (see the first screenshot below).

  • From there, you can create your NSG rules targeting the private IP as the destination. Which ports or sources you use won't matter, because you are targeting the destination IP (see the second screenshot for an example NSG).
    In the NSG example below, any source would be able to access HTTPS on each IP separately. You can change these rules to other ports or to specific IPs in the sources.

Note that NSGs do not "direct" traffic; instead, they allow or block traffic based on a set of conditions that are evaluated sequentially. The traffic is directed to one interface or the other based on the NAT used with the associated public IP address.


[Screenshot: IP configuration example (nsg1.png)]

[Screenshot: NSG rules example (nsg2.png)]
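The configuration Stephane describes, written out as an added Bicep template (example code, not part of the original answer and not taken from Azure documentation): one NIC with two IP configurations, each pairing a static private IP with its own public IP, and an NSG attached to the NIC whose inbound rules match on the private destination address. It assumes an existing subnet passed in as `subnetId`; the resource names, the private addresses 10.0.0.4 and 10.0.0.5, the ports 443 and 8443, and the peer address 203.0.113.10 are all assumptions chosen for illustration.

```bicep
// Added example, not code from the original thread. Names, address ranges,
// ports and the peer address below are assumptions chosen for illustration.
param location string = resourceGroup().location
param subnetId string                          // existing subnet, assumed 10.0.0.0/24
param peerSourceIp string = '203.0.113.10'     // assumed external peer (TEST-NET-3)

// Assumed static private addresses; Azure reserves .0-.3 of every subnet.
var privateIps = [ '10.0.0.4', '10.0.0.5' ]

// Two public IPs. All public IPs on one NIC must share a SKU, and Standard
// denies inbound traffic unless an NSG rule explicitly allows it.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = [for i in range(0, 2): {
  name: 'pip-service-${i}'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}]

// Inbound NAT maps each public IP to its private IP before the NSG is
// evaluated, so the rules key on the private destination address, not the
// public one. Rules are matched in priority order; there is deliberately
// no broader allow for peerSourceIp, so the default DenyAllInbound rule
// (priority 65500) blocks anything these two rules do not match.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-multi-ip'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-peer-443-to-service-0'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: peerSourceIp
          sourcePortRange: '*'
          destinationAddressPrefix: privateIps[0]   // reached via pip-service-0
          destinationPortRange: '443'
        }
      }
      {
        name: 'allow-peer-8443-to-service-1'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: peerSourceIp
          sourcePortRange: '*'
          destinationAddressPrefix: privateIps[1]   // reached via pip-service-1
          destinationPortRange: '8443'
        }
      }
    ]
  }
}

// One NIC, two IP configurations: each private IP paired with its own public IP.
resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-multi-ip'
  location: location
  properties: {
    networkSecurityGroup: { id: nsg.id }
    ipConfigurations: [for i in range(0, 2): {
      name: 'ipconfig-service-${i}'
      properties: {
        primary: i == 0                 // exactly one configuration must be primary
        privateIPAllocationMethod: 'Static'
        privateIPAddress: privateIps[i]
        subnet: { id: subnetId }
        publicIPAddress: { id: pip[i].id }
      }
    }]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file multi-ip-nsg.bicep --parameters subnetId=<subnet resource id>`, then attach the NIC to the VM. Three things to check before calling it done: the rules match on 10.0.0.4 and 10.0.0.5 rather than on the public addresses because Azure translates the public IP to the private IP before the NSG sees the packet, so a rule with a public IP as destination would never match; any existing rule that allows the peer to destination "Any" has to be removed, not just reordered, since a broader allow anywhere in the list would still admit the peer to both addresses on ports the specific rules do not cover; and the guest OS does not learn the secondary private address on its own, so 10.0.0.5 must also be configured inside the VM before the second service can listen on it.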