Network security rule lost efficiency after VM recreation

I have a Network Interface with 2 inbound rules.
1. Allow ssh from my working station to the NIC on port 22. (AllowSSHRule) -------- Priority 100
2. Deny all inbound connection from any cidr on any port to any cidr on any port. (DenyAllInboundRule) ---------- Priority 1000

Then I create a virtual machine with the NIC attached. Everything works well. I can successfully ssh into the machine. But I fail to ssh into the machine after I delete the old machine and create a new one. I verified that's because the DenyAllInboundRule was preventing the connection.

The way to reproduce. (It's not guaranteed that this can be reproduced every time. It's kind of flaky behavior.)
1. Create VM and wait for creation to complete. Succeed to ssh into VM.
2. Delete old VM and wait for deletion to complete
3. Create new VM with the old NIC, old data disk, old SSH key, etc...
4. Wait for new VM creation to complete and try to ssh into VM. -------- Failed to ssh.
5. Delete the DenyAllInboundRule and try to ssh into VM. ----------- Succeeded to ssh.

I think there might be a possible reason:
1. When deleting the old VM, the NIC somehow was not fully attached to the VM. (Although I verified that the NIC was attached to the VM through the Azure portal and az vm instance view)

azure-virtual-machines
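The post's two rules (AllowSSHRule at priority 100, DenyAllInboundRule at priority 1000) only let SSH through if the allow rule is actually effective on the NIC and matches the workstation's source address when the packet is evaluated. The following is an added example, not code from the original post or from Azure: it models NSG inbound evaluation (first match in ascending priority wins) and includes a diff helper for comparing an effective-rule dump captured before the VM is deleted with one captured after it is recreated. The workstation address 203.0.113.10, the private address 10.0.0.4 and the "after" dump with the allow rule missing are constructed to illustrate what the check reports; the field names in `from_effective_rule` are assumed to follow the `effectiveSecurityRules` objects that `az network nic list-effective-nsg` returns.

```python
"""Offline model of how an Azure NSG evaluates inbound rules, plus a
diff helper for comparing effective-rule dumps taken before and after a
VM is recreated. Added example; not code from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # lower number is evaluated first
    access: str             # "Allow" or "Deny"
    source_prefix: str      # CIDR, single IP, or "*"
    dest_prefix: str        # CIDR, single IP, or "*"
    dest_port: str          # "22", "1000-2000", or "*"
    protocol: str = "*"     # "Tcp", "Udp" or "*"
    direction: str = "Inbound"


def _prefix_matches(prefix: str, addr: str) -> bool:
    # Only "*" and literal CIDRs are modelled; service tags are not.
    if prefix == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def evaluate(rules: Iterable[Rule], src_ip: str, dst_ip: str, dst_port: int,
             protocol: str = "Tcp") -> Tuple[str, Optional[str]]:
    """First matching inbound rule in ascending priority wins, as NSGs do.
    Returns (access, rule name); ("Deny", None) if nothing matched."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != "Inbound":
            continue
        if r.protocol not in ("*", protocol):
            continue
        if not (_prefix_matches(r.source_prefix, src_ip)
                and _prefix_matches(r.dest_prefix, dst_ip)
                and _port_matches(r.dest_port, dst_port)):
            continue
        return r.access, r.name
    return "Deny", None


def from_effective_rule(d: Dict) -> Rule:
    """Build a Rule from one entry of an effective-rules dump. Key names are
    assumed to follow the effectiveSecurityRules objects returned by
    `az network nic list-effective-nsg`."""
    return Rule(
        name=d["name"], priority=int(d["priority"]), access=d["access"],
        source_prefix=d.get("sourceAddressPrefix", "*"),
        dest_prefix=d.get("destinationAddressPrefix", "*"),
        dest_port=d.get("destinationPortRange", "*"),
        protocol=d.get("protocol", "*"), direction=d.get("direction", "Inbound"),
    )


def diff_rules(before: Iterable[Rule], after: Iterable[Rule]) -> Dict[str, List[str]]:
    """Report rules that vanished, appeared or changed between two dumps."""
    b = {r.name: r for r in before}
    a = {r.name: r for r in after}
    return {
        "missing": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


# Constructed sample matching the two rules described in the post.
WORKSTATION_IP = "203.0.113.10"   # constructed workstation address
VM_PRIVATE_IP = "10.0.0.4"        # constructed NIC private address
RULES_BEFORE = [
    Rule("AllowSSHRule", 100, "Allow", WORKSTATION_IP + "/32", "*", "22", "Tcp"),
    Rule("DenyAllInboundRule", 1000, "Deny", "*", "*", "*", "*"),
]
# Hypothetical post-recreation dump in which the allow rule is no longer
# effective on the NIC; constructed to show what the diff would report.
RULES_AFTER = [r for r in RULES_BEFORE if r.name != "AllowSSHRule"]


def check_ssh(rules: Iterable[Rule], src_ip: str = WORKSTATION_IP) -> Tuple[str, Optional[str]]:
    """Would an SSH connection from src_ip to the VM's private IP be allowed?"""
    return evaluate(rules, src_ip, VM_PRIVATE_IP, 22, "Tcp")


if __name__ == "__main__":
    print("before:", check_ssh(RULES_BEFORE))
    print("after: ", check_ssh(RULES_AFTER))
    print("diff:  ", diff_rules(RULES_BEFORE, RULES_AFTER))
```

In practice the two dumps would come from `az network nic list-effective-nsg` run against the NIC before step 2 and again after step 4 of the repro, each entry converted with `from_effective_rule`; an empty diff together with a "Deny" verdict for the workstation address points at the source address (for example a changed workstation IP) rather than at the rule set, while a "missing" entry points at the NIC's association.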

@haiqianz-8184 Thank you for your patience over the matter. I will reproduce the issue and will keep you posted once I have an update. Thanks


Good day @haiqianz-8184,

Sorry for the late response. Are you still with us or did you solve the issue?

I tried to reproduce the issue without success. All worked well for me. With that being said, your procedure to reproduce the issue lacks a lot of information and is not well described. Can you try to add screenshots and/or give more information, even if it seems irrelevant? For example, what operating system did you use for the VMs (first and second)? Did you only use the data disk as a second disk or as the OS disk (on the second VM)? Did you try to create a new VM (without using the same disk) and check if this works for you?

At first glance I do not see how the network security rule is related to this procedure, as this rule is not for a specific VM. Please try to create a second machine in the same network before you delete the first one, and confirm that the rules work well for it.


If you can add the information of the summary when you create the first and second VM, then this might help.


Hi

Thank you for the update. Some details on the process of how I delete and recreate the VM.

  1. I used the ephemeral disk as the OS disk. I use a separate managed disk as the data disk.

  2. I first delete the old VM and wait until the old VM is absolutely deleted. (The indication of "absolutely deleted" is that I get a "nil" object/get a "Not found" error when trying to get the VM using the SDK.)

  3. When the old VM is absolutely deleted, I create a VM with the same name and with the same NIC and same data disk attached.


I lost the broken VM previously. Let me try to reproduce again.


0 Answers