Azure NSGs do not work

Ben Hodges 1 Reputation point
2020-02-17T16:31:23.833+00:00

Hi,

I have been working with Azure for some time now and have noticed that setting up NSGs is pointless because they don't do anything.

For example, I'll set up rules to open certain ports and they don't take any effect. To prove this right I then remote onto the server and open the port from within the advanced firewall settings, and it works straight away.

Please tell me why Azure NSGs do not work?

This isn't the only thing I've noticed that doesn't work in Azure. I've noticed that without a virtual appliance you also can't use the Azure route table resource. If you try to route through anything other than a VA it fails.

If someone could look into these problems and tell me why these key features aren't working, that would be great.

Thanks
Ben


3 answers

  1. msrini-MSFT 9,251 Reputation points Microsoft Employee
    2020-03-04T05:58:09.68+00:00

    Hi,

    Validate the below steps:

    1. Make sure you associate the NSG with the NIC or subnet. Only when it is associated will it work as you expect.
    2. Make sure you have Source IP as ANY in the rules.

    If the above-mentioned items are configured correctly, then post a screenshot of the NSG here.


  2. Hongliang Zhao 1 Reputation point Microsoft Employee
    2020-03-04T07:18:31.103+00:00

    NSG is not used to open the port within the server.
    OS-level port control is done by the firewall inside the OS. NSG defines the inbound and outbound rules.
    You can also refer to the article below for more about NSG explanation.
    https://leandrowp.blog/2019/02/07/azure-network-security-group-do-i-need-to-set-an-inbound-or-outbound-rule/
    I hope that helps.


  3. Remco Vermeer 11 Reputation points
    2020-03-04T11:19:48.12+00:00

    Hi Ben,

    I barely use NSGs on NICs, only on subnets.

    Keep in mind that all VNET-to-the-same-VNET traffic is ALLOWED by the default rules. If you want to restrict traffic from one subnet to another subnet in the same VNET, you should insert a NEW rule above the default rules (e.g. priority 4000) to DENY all traffic from the complete address space of the VNET.

    After that you can ALLOW traffic from one subnet to the other by creating a new rule (with priority 200), e.g. Front-Ends-SN to DB-SN.

    Hope this helps and is relatable to your situation.

    KR

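The two checks from the first answer (is the NSG associated at all, and is the source prefix wide enough to match the client) and the priority layering from the third answer (a DENY on the whole VNET address space at 4000, an ALLOW for Front-Ends-SN to DB-SN at 200) both come down to how Azure walks an NSG's rule list: rules are sorted by priority number, lowest first, and the first rule whose source, destination, port and protocol all match decides the flow. The script below is an added, constructed model of that evaluation written for this thread; it is not code from the original posts or from Microsoft. The three default inbound rules and their priorities (65000, 65001, 65500) are the real ones every NSG carries; the VNET address space, subnet prefixes, client IPs and rule names are invented for the example, and the VirtualNetwork tag is simplified to just the VNET's own prefix.

```python
"""Toy evaluator for Azure NSG inbound rule semantics (constructed example, not Azure's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample address space and subnets; not taken from the thread.
VNET_SPACE = "10.0.0.0/16"
FRONTEND_SN = "10.0.1.0/24"   # stands in for "Front-Ends-SN" in the third answer
DB_SN = "10.0.2.0/24"         # stands in for "DB-SN"
AZURE_LB_PROBE_IP = "168.63.129.16"   # the address the AzureLoadBalancer service tag resolves to


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules use 100..4096; a lower number is evaluated first
    access: str         # "Allow" or "Deny"
    source: str         # CIDR, "*", or the service tag "VirtualNetwork" / "AzureLoadBalancer"
    dest_port: str      # "*" or a single port number
    protocol: str = "*"
    destination: str = "*"


def _prefix_matches(spec: str, ip: str) -> bool:
    """Match a rule's source/destination field against one address."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":        # simplification: only the VNET's own prefix
        spec = VNET_SPACE
    elif spec == "AzureLoadBalancer":
        spec = AZURE_LB_PROBE_IP
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


def default_inbound_rules() -> List[Rule]:
    """The default inbound rules on every NSG; they cannot be deleted, only out-prioritised."""
    return [
        Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", destination="VirtualNetwork"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
        Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
    ]


def evaluate(nsg: Optional[List[Rule]], src_ip: str, dst_ip: str,
             dst_port: int, protocol: str = "Tcp") -> Tuple[str, str]:
    """Return (access, name of the deciding rule) for one inbound flow.

    `nsg` is the list of custom rules on the NSG attached to the NIC or subnet,
    or None when no NSG is associated at all (the first answer's first check):
    without an association nothing is filtered at the Azure network layer and
    only the guest OS firewall is left to decide.
    """
    if nsg is None:
        return "Allow", "no NSG associated"
    rules = sorted(nsg + default_inbound_rules(), key=lambda r: r.priority)
    for r in rules:
        if (r.protocol in ("*", protocol)
                and _prefix_matches(r.source, src_ip)
                and _prefix_matches(r.destination, dst_ip)
                and _port_matches(r.dest_port, dst_port)):
            return r.access, r.name      # first match wins; later rules are never consulted
    raise AssertionError("DenyAllInBound should always match")   # unreachable


# Scenario from the first answer: a rule whose source is narrower than the
# real client never fires, so the flow drops through to DenyAllInBound.
rdp_from_one_office = [Rule("AllowRDP", 300, "Allow", "203.0.113.0/24", "3389")]
rdp_from_any = [Rule("AllowRDP", 300, "Allow", "*", "3389")]

# Scenario from the third answer, as the NSG on the DB subnet: deny the whole
# VNET at 4000, then punch a hole for the front-end subnet at 200.
db_subnet_nsg = [
    Rule("AllowFrontEndToDb", 200, "Allow", FRONTEND_SN, "1433", destination=DB_SN),
    Rule("DenyVnetInBound", 4000, "Deny", VNET_SPACE, "*"),
]

if __name__ == "__main__":
    for label, nsg, src, port in [
        ("no NSG attached, client 198.51.100.7 -> 3389", None, "198.51.100.7", 3389),
        ("source too narrow, client 198.51.100.7 -> 3389", rdp_from_one_office, "198.51.100.7", 3389),
        ("source ANY, client 198.51.100.7 -> 3389", rdp_from_any, "198.51.100.7", 3389),
        ("defaults only, front-end -> db 1433", [], "10.0.1.10", 1433),
        ("layered NSG, front-end -> db 1433", db_subnet_nsg, "10.0.1.10", 1433),
        ("layered NSG, other subnet -> db 1433", db_subnet_nsg, "10.0.3.7", 1433),
    ]:
        print(f"{label}: {evaluate(nsg, src, '10.0.2.10', port)}")
```

Running it shows why "the port only opened when I changed the Windows firewall" is consistent with a working NSG: with no NSG attached, or with defaults only inside the VNET, Azure already lets the flow through and the guest firewall is the only thing blocking it. It also shows the third answer's ordering, where the 4000 deny out-prioritises AllowVnetInBound at 65000 but is itself out-prioritised by the 200 allow for the front-end subnet only.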