question

0 Votes
FuzzyPrototype-2488 asked

Inbound and Outbound NSG rules

Hi, I am using the same NSG for 2 subnets: Subnet 1 has VM1, Subnet 2 has VM2. VM2-to-VM1 outbound traffic is allowed by the default NSG rule. I have created a custom rule which denies packets from VM2 to VM1 over HTTP.

Here are the images from Network Watcher:

[attachment: 8823-vm2-to-vm1-outbound.png]

[attachment: 8841-vm2-to-vm1-inbound-vm1-inbound.png]



So, does VM2 send packets to VM1, and does VM1 accept the packets from VM2? Please help me understand this.

azure-network-watcher

0 Votes
BIRENDRA answered

No, I guess you made a rule: Allowed HTTP 10.0.1.5 to 10.0.0.5 "Subnet",

but traffic is blocked 10.0.0.5 to 10.0.1.5 "Subnet".

Might be the default rule is still there on the 10.0.0.1 subnet.


0 Votes
TravisCragg-MSFT answered

What you are seeing is correct, and let me explain why.

NSGs allow or deny the establishment of a TCP connection. Once a connection is established, traffic can flow both ways as needed without obstruction. NSGs will not end active TCP connections either.

Based upon what you have shown above, VM2 can establish a TCP connection on port 80 with VM1, but VM1 cannot establish a TCP connection on port 80 with VM2. When broken down further: VM2 can view a website hosted on VM1, but VM1 cannot view a website hosted on VM2.

If you would like to block traffic between the VMs, you will need to deny both inbound and outbound traffic between the VMs.

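To make the stateful evaluation described in the answer above concrete, here is an added Python model of how an NSG decides whether a new TCP connection gets established (example code written for this page, not from Microsoft or from the thread). It assumes VM1 = 10.0.0.5 and VM2 = 10.0.1.5 in a 10.0.0.0/16 VNet sharing one NSG, and models only the VNet-related default rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Assumed lab addresses: VM1 and VM2 sit in two subnets of one
# 10.0.0.0/16 VNet and share a single NSG.
VNET = "10.0.0.0/16"
VM1, VM2 = "10.0.0.5", "10.0.1.5"

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    src: str        # source CIDR
    dst: str        # destination CIDR
    dport: int      # destination port; 0 matches any port

# Azure's built-in default rules for VNet traffic, in both directions.
DEFAULTS = [
    Rule(65000, "Inbound", "Allow", VNET, VNET, 0),
    Rule(65500, "Inbound", "Deny", "0.0.0.0/0", "0.0.0.0/0", 0),
    Rule(65000, "Outbound", "Allow", VNET, VNET, 0),
    Rule(65500, "Outbound", "Deny", "0.0.0.0/0", "0.0.0.0/0", 0),
]

def matches(rule, direction, src, dst, dport):
    return (rule.direction == direction
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.dport in (0, dport))

def evaluate(rules, direction, src, dst, dport):
    """First matching rule in priority order decides the packet's fate."""
    for rule in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if matches(rule, direction, src, dst, dport):
            return rule.access == "Allow"
    return False

def can_connect(rules, src, dst, dport):
    """A TCP SYN must pass the source NIC's Outbound set and the destination
    NIC's Inbound set. NSGs are stateful: once the SYN is allowed, the reply
    packets of that flow are not evaluated again, so this check decides."""
    return (evaluate(rules, "Outbound", src, dst, dport)
            and evaluate(rules, "Inbound", src, dst, dport))

# Constructed rule sets. ONE_WAY is one custom Inbound deny for VM2 -> VM1:80;
# BOTH_WAYS adds the Outbound deny for VM1 -> VM2:80, which is what the
# answer means by denying both inbound and outbound traffic between the VMs.
ONE_WAY = [Rule(100, "Inbound", "Deny", VM2 + "/32", VM1 + "/32", 80)]
BOTH_WAYS = ONE_WAY + [Rule(100, "Outbound", "Deny", VM1 + "/32", VM2 + "/32", 80)]
```

With ONE_WAY only the VM2-initiated HTTP connection is refused; VM1 can still open port 80 on VM2, and VM2 can still reach VM1 on other ports.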