0 Votes
kumarkaushal-1277 asked, suvasara-MSFT answered

Question on NSG rule -> Allow

I have some questions on the NSG outbound rules below and need help.

65001 AllowInternetOutBound Any Any Any Internet Allow

65500 DenyAllOutBound Any Any Any Any Deny

a) 65001 says that if your source is 0.0.0.0/0 and you send a communication to the Internet, it should be allowed. Am I correct? The question I have here is: how does the machine decide that the traffic is indeed for the Internet and that this outbound rule has to come into play? My understanding is that it checks the IP and says, hey, this does not belong to this subnet and it should be routed to the Internet.

b) 65500: any port to any port, any source and any destination, is denied.

The reason I am asking this question is:

I created 2 VMs, one in Central US and the other in West US, in different subnets and with the same NSG configuration, with port 80 allowed in the inbound rules. When I run Network Watcher IP flow verify for inbound between VM1 and VM2 on port 80 it is successful, as inbound is allowed.

But if I do an outbound check for source VM1 and source VM2 on port 80 I fail:

Access denied
Security rule
DenyAllOutBound


Question 2: If I have an Azure VM and I need to do a telnet or reach an application on an on-premise VM which is listening on port 80...

Is it that I have to allow port 80 in the outbound rules? What I am finding is that when I do a telnet <onpremiseVMname> 80 from the Azure VM I am able to connect. That tells me that it is going via the Internet. Am I correct? AllowInternetOutBound is followed in this case.


I am just confused here: if I create 2 VMs in Azure in two different locations and then do an outbound test with Network Watcher IP flow verify on port 80 it fails, but if I do a telnet to my on-premise VM from the Azure VM it connects to port 80. Why?

Tags: azure-virtual-network, azure-network-watcher

1 Answer

1 Vote
suvasara-MSFT answered

@kumarkaushal-1277, in Azure, NSGs are proactive in learning to-and-fro flows. You may not create two security rules with the same priority and direction. A flow record is created for existing connections.
Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful.
If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.

Please provide a screenshot of your NSG rules for better insight. Also, there should not be any issue with traffic flows if you have an NSG like the one specified below:

[image attached to the answer: NSG rule screenshot, not reproduced here]

Note: Make sure you have this rule unaltered in the outbound rule section:

65001 AllowInternetOutBound Any Any Any Internet Allow



Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
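To make the two points in this thread concrete (rules are processed in priority order until the first match, and an allowed flow creates a flow record that admits the reply without a rule in the other direction), here is a small evaluator written for this page. It is an added illustration, not Azure's implementation and not code from either poster. The two outbound rules are the ones quoted in the question; DenyAllInBound is Azure's default inbound catch-all; Azure's other defaults (AllowVnetInBound/AllowVnetOutBound at 65000) are deliberately left out because the question lists only these two rules. The VNet prefix, the "Internet" approximation, the custom rule and every address are constructed samples.

```python
"""Toy Azure NSG rule evaluator: priority ordering plus flow-record statefulness.

Added illustration, not Azure's implementation. Rule names at 65001/65500 are the
ones quoted on the page; DenyAllInBound is Azure's default inbound catch-all;
VNET, RFC1918, the custom rule and all addresses below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field

VNET = ipaddress.ip_network("10.0.0.0/16")          # constructed: this VM's VNet
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number wins; processing stops at the first match
    name: str
    direction: str     # "Inbound" or "Outbound"
    src: str           # service tag ("Any", "VirtualNetwork", "Internet") or CIDR
    src_port: str      # "Any", "80" or a range such as "1024-65535"
    dst: str
    dst_port: str
    action: str        # "Allow" or "Deny"


def address_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "Any":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET                 # approximation: local VNet only
    if spec == "Internet":
        # Approximation: anything that is neither this VNet nor RFC 1918 space.
        return addr not in VNET and not any(addr in n for n in RFC1918)
    return addr in ipaddress.ip_network(spec)


def port_matches(spec: str, port: int) -> bool:
    if spec in ("Any", "*"):
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


@dataclass
class NSG:
    rules: list
    flows: set = field(default_factory=set)   # reverse 5-tuples of allowed flows

    def evaluate(self, direction, src, sport, dst, dport):
        """Return (action, reason) for one packet, recording the flow on Allow."""
        if (direction, src, sport, dst, dport) in self.flows:
            return "Allow", "existing flow"       # reply traffic: no rule lookup
        for r in sorted(self.rules, key=lambda r: r.priority):
            if r.direction != direction:
                continue
            if (address_matches(r.src, src) and port_matches(r.src_port, sport)
                    and address_matches(r.dst, dst) and port_matches(r.dst_port, dport)):
                if r.action == "Allow":
                    reverse = "Inbound" if direction == "Outbound" else "Outbound"
                    self.flows.add((reverse, dst, dport, src, sport))
                return r.action, r.name
        return "Deny", "no matching rule"


def make_default_nsg() -> NSG:
    return NSG([
        Rule(65001, "AllowInternetOutBound", "Outbound", "Any", "Any", "Internet", "Any", "Allow"),
        Rule(65500, "DenyAllOutBound", "Outbound", "Any", "Any", "Any", "Any", "Deny"),
        Rule(65500, "DenyAllInBound", "Inbound", "Any", "Any", "Any", "Any", "Deny"),
    ])


if __name__ == "__main__":
    nsg = make_default_nsg()
    vm, ephemeral = "10.0.0.4", 50000
    # 1. Outbound to a public address hits AllowInternetOutBound ...
    print(nsg.evaluate("Outbound", vm, ephemeral, "203.0.113.10", 80))
    # 2. ... and the reply is admitted by the flow record with no inbound rule.
    print(nsg.evaluate("Inbound", "203.0.113.10", 80, vm, ephemeral))
    # 3. An unsolicited inbound connection still needs its own inbound Allow rule.
    print(nsg.evaluate("Inbound", "203.0.113.10", 4321, vm, 80))
    # 4. Outbound to a private address outside this VNet matches neither Internet
    #    nor VirtualNetwork here, so it falls through to DenyAllOutBound ...
    print(nsg.evaluate("Outbound", vm, ephemeral, "10.1.0.4", 80))
    # 5. ... until a higher-priority (lower-numbered) custom rule allows it.
    nsg.rules.append(Rule(100, "Allow-HTTP-To-PeerVNet", "Outbound",
                          "Any", "Any", "10.1.0.0/16", "80", "Allow"))
    print(nsg.evaluate("Outbound", vm, ephemeral, "10.1.0.4", 80))
```

Cases 1 and 2 are the statefulness the answer describes; case 4 shows why an outbound check to a destination that the Internet tag does not cover ends at DenyAllOutBound, and case 5 shows that the fix is a lower-numbered Allow rule rather than editing the catch-all.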



