0 Votes
MohamedAshraf-0323 asked nbaz commented

Which will override the other, the Azure NSG on the subnet or the NSG on the VM?

If I have an NSG on the subnet and this subnet is associated with a VM, and this VM also has its own NSG, which NSG will override the other in this case?

azure-virtual-machines-networking

@MohamedAshraf-0323 Any updates on the issue?

Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

0 Votes 0 ·

For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.

VM1: The security rules in NSG1 are processed, since it is associated to Subnet1 and VM1 is in Subnet1. Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is associated to the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.


https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

0 Votes 0 ·
2 Votes
AndreasBaumgarten answered JessvinThomas-0268 commented

This is described here:

How traffic is evaluated


For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.


For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

Maybe this is helpful.

Regards

Andreas Baumgarten

(Please don't forget to Accept as answer if the reply is helpful)

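Worked example added here, not part of the thread or of the Azure documentation it quotes: a small Python model of the two-stage evaluation described in the answer above (subnet NSG then NIC NSG for inbound traffic, NIC NSG then subnet NSG for outbound), including Azure's default security rules, run against the port-80 scenario from the earlier comment. NSG1, NSG2, the Allow-HTTP rule and the flows are constructed for the example; matching on a single "peer" tag is a simplification of real service tags and address prefixes.

```python
from dataclasses import dataclass, field
from typing import Optional

# Names and priorities of DEFAULT_RULES mirror Azure's built-in default rules.
# Everything else (NSG1/NSG2, the Allow-HTTP rule, the flows) is constructed.


@dataclass
class Rule:
    name: str
    priority: int          # lower number is evaluated first; custom rules use 100-4096
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    port: Optional[int]    # None matches any destination port
    peer: str              # "*", "Internet", "VirtualNetwork", ... (remote side of the flow)


@dataclass
class Flow:
    direction: str
    port: int
    peer: str              # where inbound traffic comes from / outbound traffic goes to


DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", None, "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", None, "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", None, "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", None, "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", None, "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", None, "*"),
]


@dataclass
class NSG:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, flow: Flow):
        """Return (access, rule_name) of the first matching rule in priority order."""
        for rule in sorted(self.rules + DEFAULT_RULES, key=lambda r: r.priority):
            if rule.direction != flow.direction:
                continue
            if rule.port is not None and rule.port != flow.port:
                continue
            if rule.peer != "*" and rule.peer != flow.peer:
                continue
            return rule.access, rule.name
        return "Deny", "implicit"   # not reachable: DenyAll* rules match everything


def evaluate_path(subnet_nsg: Optional[NSG], nic_nsg: Optional[NSG], flow: Flow):
    """Apply the order from the Azure docs quoted in the thread:
    inbound = subnet NSG, then NIC NSG; outbound = NIC NSG, then subnet NSG.
    A Deny at any stage is final; an Allow only hands the packet to the next NSG,
    which is why "the most restrictive rule wins" across the two NSGs."""
    order = [subnet_nsg, nic_nsg] if flow.direction == "Inbound" else [nic_nsg, subnet_nsg]
    trace = []
    for nsg in order:
        if nsg is None:            # no NSG attached at this level: nothing to evaluate
            continue
        access, rule = nsg.evaluate(flow)
        trace.append((nsg.name, rule, access))
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace


def http_from_internet_scenarios():
    """The VM1 / NSG1 / NSG2 scenario from the comment: port 80 inbound from the Internet."""
    flow = Flow("Inbound", 80, "Internet")
    nsg1 = NSG("NSG1")             # constructed: associated to the subnet
    nsg2 = NSG("NSG2")             # constructed: associated to the NIC
    results = {}
    results["neither"] = evaluate_path(nsg1, nsg2, flow)
    nsg1.rules.append(Rule("Allow-HTTP", 100, "Inbound", "Allow", 80, "Internet"))
    results["subnet_only"] = evaluate_path(nsg1, nsg2, flow)
    nsg2.rules.append(Rule("Allow-HTTP", 100, "Inbound", "Allow", 80, "Internet"))
    results["both"] = evaluate_path(nsg1, nsg2, flow)
    return results


if __name__ == "__main__":
    for label, (decision, trace) in http_from_internet_scenarios().items():
        print(f"{label:12s} -> {decision:5s} via {trace}")
```

The trace returned by `evaluate_path` shows which NSG and which rule made the decision, which is the same information the Azure portal's effective security rules view gives when you debug a blocked connection: with only NSG1 allowing port 80, the packet is dropped by NSG2's `DenyAllInBound`, and both NSGs need an allow rule before the traffic reaches the VM.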

2 Votes
MoamenHany Suspended answered AndreasBaumgarten edited

The most restrictive will be applied, as both will take effect.

(Please don't forget to Accept as answer if the reply is helpful)
http://www.moamenhany.com


This is not correct according to the documentation:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

The documentation says:
For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.

For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

0 Votes 0 ·

Hi @JessvinThomas-0268,

The statement of MoamenHany is correct.

You are describing the order in which the NSGs will be applied. But MoamenHany explained the result after the NSGs (one or more) are applied: the most restrictive rules will block or allow incoming or outgoing connections.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

0 Votes 0 ·