Policy is forbidding operations on the Network Security Group resource, which has blocked resize/create/delete of the pool.

Morteza Yahoo 1 Reputation point
2022-11-11T18:01:30.203+00:00

Hi all,

Our IT has implemented a policy that will block any-to-any ports for management access ports. We have a pool that is part of a VNet. When we want to resize the pool we get this error: Policy is forbidding operations on the Network Security Group resource, which has blocked resize/create/delete of the pool. If I am not mistaken, the management access port is 22. What range of IP addresses do we need to open for Azure Batch to resolve the issue in our network security group associated with our VNet?

Thanks for your help

Azure Batch

3 answers

  1. deherman-MSFT 33,701 Reputation points Microsoft Employee
    2022-11-11T20:45:43.993+00:00

    @Morteza Yahoo
    I understand you have an Azure policy which is preventing changes being made to your Batch pool. You want to know what IP addresses/ports are required. Please correct me if I am misunderstanding. By default the Batch NSG is configured with TCP port 22 or TCP 3389 open to permit remote access. You can use your own custom NSG, and port 22 and port 3389 are not required. Please see the required ports in this section.

    Hope this helps! Let me know if you are still facing issues or have further questions.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. Morteza Yahoo 1 Reputation point
    2022-11-11T21:07:38.7+00:00

    Thanks @deherman-MSFT. I have already opened the ports required by the Batch account. However, I am still getting these errors. [attached screenshots: 259597-inbound.png, 259711-outbound.png]

    Error: policyAssignment":{"name":"Deny NSG creation with open management access ports "id":"/providers/Microsoft.Management/managementGroups/<our subscription>/providers/Microsoft.Authorization/policySetDefinitions/cae-initiative-net-denymgmtportwithoutnsg"


  3. Morteza Yahoo 1 Reputation point
    2022-11-16T00:02:02.9+00:00

    Azure Batch by default will create an NSG when creating a new pool in both modes of IP address provisioning type: Batch managed and User managed. What I saw is that in this NSG, port 3389 (RDP) is open for TCP Any to Any. Only when we create a pool without a public IP address does it not generate an NSG.
    The cause of the failure on resizing the pool was related to port 3389. Our policy will reject opening port 3389 for Any to Any. It only accepts an IP address range, not Any.

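As an added example (not code from this thread or from Azure), the following Python script checks an NSG's rule set offline for exactly the condition the poster's policy rejects: an inbound Allow rule whose source is Any and whose destination ports cover TCP 22 or 3389. It reads the `securityRules` JSON shape that `az network nsg show` returns, and the sample NSG embedded in it is constructed to resemble the default NSG Batch creates for a pool with public IP addresses (the rule names, the `10.1.0.0/24` admin subnet and the `203.0.113.0/24` replacement range are made up). It also shows the remediation the last answer describes, replacing the Any source with an explicit address range, and re-runs the check on the result.

```python
"""Offline check for NSG rules that open management ports (22/3389) to Any.

Added example, not code from the thread: it walks an NSG's securityRules in the
JSON shape returned by `az network nsg show` (ARM schema) and flags inbound
Allow rules whose source is Any and whose destination ports cover 22 or 3389,
i.e. the condition a "deny management ports without source restriction" policy
rejects. The rule set below is constructed to resemble the NSG Azure Batch
creates for a pool with public IP addresses; it is not a real export.
"""
import copy
import json

MANAGEMENT_PORTS = {22, 3389}
# Source values that mean "any address" in an NSG rule.
ANY_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}

# Constructed sample: one rule opens RDP to the world, the others are scoped.
SAMPLE_NSG_JSON = json.dumps({
    "name": "batch-pool-nsg",
    "securityRules": [
        {"name": "allow-rdp-any", "properties": {
            "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": "*", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "3389",
            "priority": 100}},
        {"name": "allow-ssh-from-admin-subnet", "properties": {
            "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": "10.1.0.0/24", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "22",
            "priority": 110}},
        {"name": "allow-batch-node-management", "properties": {
            "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": "BatchNodeManagement", "sourcePortRange": "*",
            "destinationAddressPrefix": "*",
            "destinationPortRanges": ["29876", "29877"], "priority": 120}},
        {"name": "deny-all-inbound", "properties": {
            "direction": "Inbound", "access": "Deny", "protocol": "*",
            "sourceAddressPrefix": "*", "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": "*",
            "priority": 4096}},
    ],
})


def port_spec_covers(spec, port):
    """True if an NSG port spec ("*", "3389" or "3000-4000") includes `port`."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_sources(props):
    """All source prefixes of a rule (single field plus the plural list)."""
    single = props.get("sourceAddressPrefix")
    many = props.get("sourceAddressPrefixes") or []
    return [s for s in [single, *many] if s]


def rule_dest_port_specs(props):
    """All destination port specs of a rule (single field plus the plural list)."""
    single = props.get("destinationPortRange")
    many = props.get("destinationPortRanges") or []
    return [s for s in [single, *many] if s]


def opens_management_port_to_any(rule):
    """Inbound Allow from an Any source to a port spec covering 22 or 3389."""
    props = rule["properties"]
    if props.get("direction") != "Inbound" or props.get("access") != "Allow":
        return False
    if not any(str(src).lower() in ANY_SOURCES for src in rule_sources(props)):
        return False
    return any(port_spec_covers(spec, port)
               for spec in rule_dest_port_specs(props)
               for port in MANAGEMENT_PORTS)


def violating_rules(nsg_json):
    """Names of rules the policy would reject, in priority order."""
    nsg = json.loads(nsg_json)
    bad = [r for r in nsg.get("securityRules", []) if opens_management_port_to_any(r)]
    return [r["name"] for r in sorted(bad, key=lambda r: r["properties"]["priority"])]


def restrict_any_sources(nsg_json, cidr):
    """Return a copy where offending rules' Any sources are replaced by `cidr`.

    This mirrors what the thread's policy accepts: an explicit address range
    instead of Any. `cidr` is whatever range the admins actually manage from.
    """
    nsg = copy.deepcopy(json.loads(nsg_json))
    for rule in nsg.get("securityRules", []):
        if opens_management_port_to_any(rule):
            props = rule["properties"]
            props.pop("sourceAddressPrefixes", None)
            props["sourceAddressPrefix"] = cidr
    return json.dumps(nsg)


if __name__ == "__main__":
    print("violating:", violating_rules(SAMPLE_NSG_JSON))
    fixed = restrict_any_sources(SAMPLE_NSG_JSON, "203.0.113.0/24")
    print("after restricting:", violating_rules(fixed))
```

Run against a real export (`az network nsg show -g <rg> -n <nsg> -o json`, paths are yours to fill in) by passing the JSON text to `violating_rules`; any name it returns is a rule that has to be scoped to a source range before the policy will let the pool resize. Note that the check is deliberately narrow: it only looks at inbound Allow rules with an Any source, so a rule that is open to Any but shadowed by a higher-priority Deny still gets reported, because the policy engine evaluates the rule definition, not the effective traffic.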