BenHodges-7964 asked ·

Azure NSGs do not work

Hi,

I have been working with Azure for some time now and have noticed that setting up NSGs is pointless because they don't do anything.

For example, I'll set up rules to open certain ports and they don't take any effect. To prove this right, I then remote onto the server and open the port from within the advanced firewall settings and it works straight away.

Please tell me why Azure NSGs do not work?

This isn't the only thing I've noticed that doesn't work in Azure. I've noticed that without a virtual appliance you also can't use the Azure route table resource. If you try to route through anything other than a VA it fails.

If someone could look into these problems and tell me why these key features aren't working, that would be great.

Thanks
Ben

not-supported
1 comment

Hi Ben,

Are you having issues with NSGs with DevTest Labs or Network Security Groups in general? If this is a general question about NSGs, then you may want to post on the related MSDN forum, as that product has not yet made the move to Q&A. That way employees and community members with expertise in that area will have an easier time finding your question.

https://social.msdn.microsoft.com/Forums/en-US/home?forum=WAVirtualMachinesVirtualNetwork&filter=alltypes&sort=lastpostdesc

msrini-MSFT answered ·

Hi,

Validate the below steps:

  1. Make sure you associate the NSG to the NIC or subnet. Only when it is associated will it work as you expect.

  2. Make sure you have Source IP as ANY in the rules.


If the above-mentioned items are configured correctly, then post the screenshot of the NSG here.



jeromeecho answered ·

NSG is not used to open the port within the server.
OS-level port control is done by the firewall inside the OS. NSG defines the inbound and outbound rules.
You can also refer to the article below for more explanation of NSGs.
https://leandrowp.blog/2019/02/07/azure-network-security-group-do-i-need-to-set-an-inbound-or-outbound-rule/
I hope that helps.

azurestacknerd answered ·

Hi Ben,

I barely use NSGs on NICs, but only on Subnets.

Keep in mind that all VNET-to-the-same-VNET traffic is default ALLOWED by the default rules. If you want to restrict traffic from one subnet to another subnet in the same VNET you should insert a NEW rule above the default rules (e.g. priority 4000) to DENY all traffic from the complete address space from the VNET.

After which you can ALLOW traffic from 1 subnet to the other by creating a new rule (with priority 200), e.g. Front-Ends-SN to DB-SN.

Hope this helps and is relatable to your situation.

KR
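
The rule ordering described in the answer above, as an added example that is not part of the original thread: a small Python model of how an NSG picks the first matching rule, lowest priority number first. The address prefixes, the rule names `Deny-Vnet-To-Vnet` and `Allow-FrontEnds-To-DB`, and port 1433 are assumptions; the `AllowAzureLoadBalancerInBound` default (65001) is left out and the `VirtualNetwork` tag is reduced to a single prefix.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower number is evaluated first
    source: str       # CIDR prefix, or "*" for any
    destination: str  # CIDR prefix, or "*" for any
    port: str         # single port as text, or "*" for any
    access: str       # "Allow" or "Deny"

def _in_prefix(ip, prefix):
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def evaluate(rules, src_ip, dst_ip, port):
    """Return (access, rule name) of the first rule that matches the flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (_in_prefix(src_ip, r.source) and _in_prefix(dst_ip, r.destination)
                and r.port in ("*", str(port))):
            return r.access, r.name
    return "Deny", "no-match"

# Constructed address space (assumption): VNET 10.0.0.0/16,
# Front-Ends-SN 10.0.1.0/24, DB-SN 10.0.2.0/24, a third subnet 10.0.3.0/24.
VNET, FRONT, DB = "10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"

# Two of Azure's built-in inbound default rules (VirtualNetwork tag modelled as VNET only).
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, VNET, VNET, "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]
# Rules from the answer: deny the whole VNET at 4000, allow Front-Ends-SN to DB-SN at 200.
CUSTOM = [
    Rule("Deny-Vnet-To-Vnet", 4000, VNET, VNET, "*", "Deny"),
    Rule("Allow-FrontEnds-To-DB", 200, FRONT, DB, "1433", "Allow"),
]

def decide(rules, src_ip, port=1433, dst_ip="10.0.2.4"):
    """Decision for a flow arriving at a constructed DB-SN host."""
    return evaluate(rules, src_ip, dst_ip, port)

if __name__ == "__main__":
    for label, rules in (("defaults only", DEFAULTS), ("with custom rules", DEFAULTS + CUSTOM)):
        for src in ("10.0.1.5", "10.0.3.7"):
            print(f"{label:18} {src} -> {decide(rules, src)}")
```

This models only the NSG decision; the firewall inside the guest OS is a separate layer and still has to permit the same port.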
