PaweMczka-4999 asked; ABDULWAHEED-1027 answered

Outgoing traffic is blocked by incoming user deny rule

Using a network security group at the subnet level. By default almost everything is allowed, so I've added a few rules to allow particular incoming traffic (see details below) and added one rule above the default rules to deny anything else...

(image attached: 96238-image.png)


I observe real problems at the application level and checked the logs. I've noticed that the user deny rule blocks outgoing traffic.

Network 172 is the destination (outside the Azure subnets).
Network 10.22.128 is the Azure subnets.

This behaviour is really bad and makes Network Security Groups useless:

(image attached: 96270-image.png)


azure-virtual-network

msrini-MSFT answered

@PaweMczka-4999,

Azure NSG is stateful, which means inbound rules and outbound rules are processed separately. Can you also share the complete tuple information with me: source IP, destination IP, destination port and protocol used, along with the outbound rule set?

Can you log into the VM and test whether the traffic is denied or allowed? Or you can use the connection troubleshoot feature of Network Watcher to validate.

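The per-direction, stateful evaluation msrini-MSFT refers to, as an added example that is not part of the original thread and is not Azure's own code: a simplified Python model of how an NSG decides on a packet. It implements only the documented behaviour (rules of one direction evaluated in ascending priority order, first match wins, the default rules at priorities 65000-65500, and return packets of an already-allowed flow accepted without consulting the other direction's rules). The VNet prefix 10.22.128.0/17, the remote prefix 172.20.0.0/16, the addresses, ports and custom rule names are assumptions constructed for the example; the default rule names and priorities are Azure's documented ones, and service tags are reduced to "VirtualNetwork" (the configured VNet prefixes), "Internet" (everything else) and "AzureLoadBalancer" (168.63.129.16). The scenario mirrors the question: a few inbound allows plus one custom deny-everything inbound rule, no custom outbound rules. It shows that a VM-initiated connection to the 172 network and its reply never reach the inbound deny rule; only a new connection initiated from the 172 side does, and blocking the VM's own outbound connections requires a rule in the outbound set.

```python
"""Simplified model of Azure NSG rule evaluation and stateful flow tracking.

Added example, not Azure's implementation. Prefixes, addresses and custom
rule names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed example VNet address space (assumption, not the poster's real range).
VNET_PREFIXES = [ipaddress.ip_network("10.22.128.0/17")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # documented health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str        # "Inbound" | "Outbound"
    access: str           # "Allow" | "Deny"
    protocol: str = "*"   # "Tcp" | "Udp" | "*"
    source: str = "*"     # CIDR, "VirtualNetwork", "Internet", "AzureLoadBalancer", "*"
    dest: str = "*"
    dest_port: str = "*"  # single port, "lo-hi" range, or "*"


def addr_matches(spec, addr):
    """Simplified service-tag resolution: VirtualNetwork = VNET_PREFIXES, Internet = the rest."""
    addr = ipaddress.ip_address(addr)
    in_vnet = any(addr in p for p in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def proto_matches(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()


# Azure's default rules: present in every NSG, not removable, priorities 65000+.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dest="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


@dataclass
class Nsg:
    rules: list                              # custom rules (priority 100-4096)
    flows: set = field(default_factory=set)  # 5-tuples of flows already allowed

    def evaluate(self, direction, proto, src, sport, dst, dport):
        """Decide on a NEW connection: only this direction's rules are consulted,
        lowest priority number first, first match wins."""
        candidates = sorted((r for r in self.rules + DEFAULT_RULES if r.direction == direction),
                            key=lambda r: r.priority)
        for r in candidates:
            if (proto_matches(r.protocol, proto) and addr_matches(r.source, src)
                    and addr_matches(r.dest, dst) and port_matches(r.dest_port, dport)):
                return r.access, r.name
        raise AssertionError("the default rules guarantee a match")

    def packet(self, direction, proto, src, sport, dst, dport):
        """Stateful check: packets of an allowed flow, in either direction,
        pass without a rule lookup; anything else is a new connection."""
        key = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        if key in self.flows or reverse in self.flows:
            return "Allow", "established-flow"
        access, name = self.evaluate(direction, proto, src, sport, dst, dport)
        if access == "Allow":
            self.flows.add(key)
        return access, name


def poster_scenario():
    """Rule set like the one in the question: inbound allows plus one custom
    deny-everything rule above the defaults, no custom outbound rules."""
    nsg = Nsg(rules=[
        Rule("AllowHTTPS", 100, "Inbound", "Allow", protocol="Tcp", dest_port="443"),
        Rule("DenyEverythingElse", 4000, "Inbound", "Deny"),
    ])
    vm, remote = "10.22.128.4", "172.20.1.10"  # constructed addresses
    results = {}
    # 1. VM initiates TCP/445 to the 172 network: only Outbound rules are consulted.
    results["vm_to_remote"] = nsg.packet("Outbound", "Tcp", vm, 50000, remote, 445)
    # 2. The reply comes back Inbound; DenyEverythingElse is never evaluated for it.
    results["reply"] = nsg.packet("Inbound", "Tcp", remote, 445, vm, 50000)
    # 3. A NEW connection initiated from the 172 side on 445 does hit the deny.
    results["remote_initiated"] = nsg.packet("Inbound", "Tcp", remote, 51000, vm, 445)
    # 4. To block case 1 the deny must live in the Outbound rule set.
    strict = Nsg(rules=nsg.rules + [Rule("DenyOutToRemote", 200, "Outbound", "Deny", dest="172.20.0.0/16")])
    results["vm_to_remote_with_outbound_deny"] = strict.packet("Outbound", "Tcp", vm, 50000, remote, 445)
    return results


if __name__ == "__main__":
    for case, (access, rule) in poster_scenario().items():
        print(f"{case:35s} {access:5s} by {rule}")
```

When a flow log or the application shows the 172 traffic being denied, the useful next step is to check which direction the logged tuple has: a VM-initiated connection to 172 can only be denied by an outbound rule, while a deny attributed to the custom inbound rule means the 172 side opened that connection.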

ABDULWAHEED-1027 answered

In this particular case, log onto the VM and use Test-NetConnection DST -Port xxx -InformationLevel Detailed. This should give you an exact idea of what is happening.
