Hi @Peter Boers, Thank you for contacting Microsoft Q&A. I am afraid that the problem you are facing may be due to limited support for IPv6 on Azure. According to the IPv6 Azure VNet documentation, it says "While it's possible to create NSG rules for IPv4 and IPv6 within the same NSG, it isn't currently possible to combine an IPv4 subnet with an IPv6 subnet in the same rule when specifying IP prefixes." This may be contributing to the behavior. Please mark this as answer if it helped.
Configuring IPv6 NSG rules on ExpressRoute internal IP addresses
When attempting to set up IPv6 NSG rules, they either seem to block all traffic or none. Our setup is as follows:
- ExpressRoute peering towards a dual-stack VNet
- A default route is announced over the ExpressRoute towards the VNet
- The VNet hosts an AKS service
- The NSG inbound filter has a deny all rule which is a catch all
- The NSG outbound filter allows all traffic
When attempting to block IPv6 access to certain TCP or UDP ports this results in a request timeout. An example of what I'm attempting is defining an allow rule for traffic to TCP 80 and 443 to enable access to a webserver available in IPv6 and IPv4. This works fine for IPv4 but not for IPv6. When I attempt to create an IPv6 only rule, it also does not work. When I allow all traffic on IPv6 subnets it does allow traffic (but also traffic to unwanted ports). When I narrow down the source IP prefixes, I am able to filter traffic more accurately, however I also need to be able to filter on TCP and UDP ports. Is anyone experiencing similar problems?
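The constraint quoted from the documentation (no IPv4 and IPv6 prefixes in the same rule) can be checked offline before rules are deployed. The following is an added example, not code from this thread or from Microsoft: it splits a rule definition that mixes address families into one rule per family and verifies that priorities stay unique. The dictionary field names, prefixes and priorities are constructed assumptions, not the Azure API schema.

```python
import ipaddress

def family(prefix):
    """Return 4 or 6 for a CIDR prefix, None for '*' or a service tag."""
    try:
        return ipaddress.ip_network(prefix, strict=False).version
    except ValueError:
        return None  # e.g. '*', 'VirtualNetwork'

def split_by_family(rule):
    """Split a rule whose prefixes mix IPv4 and IPv6 into per-family rules."""
    fams = {family(p) for p in rule["source"] + rule["destination"]} - {None}
    if len(fams) <= 1:
        return [rule]
    out = []
    for offset, ver in enumerate(sorted(fams)):
        # Family-agnostic entries ('*', service tags) are kept in both rules.
        src = [p for p in rule["source"] if family(p) in (ver, None)]
        dst = [p for p in rule["destination"] if family(p) in (ver, None)]
        if src and dst:
            out.append({**rule, "name": f'{rule["name"]}-v{ver}',
                        "priority": rule["priority"] + offset,
                        "source": src, "destination": dst})
    if not out:
        # e.g. IPv4-only source with IPv6-only destination: can never match
        raise ValueError(f'{rule["name"]}: source and destination families differ')
    return out

def normalize(rules):
    """Split every rule, then confirm priorities are still unique."""
    out = [r for rule in rules for r in split_by_family(rule)]
    prios = [r["priority"] for r in out]
    if len(prios) != len(set(prios)):
        raise ValueError("priority collision after split")
    return sorted(out, key=lambda r: r["priority"])

# Constructed inbound rule set modelled on the question: allow web traffic
# for both families, with a deny-all catch-all at the lowest precedence.
SAMPLE = [
    {"name": "allow-web", "priority": 200, "access": "Allow", "protocol": "Tcp",
     "ports": ["80", "443"],
     "source": ["192.0.2.0/24", "2001:db8:1::/48"],
     "destination": ["10.1.0.0/24", "2001:db8:100::/64"]},
    {"name": "deny-all", "priority": 4096, "access": "Deny", "protocol": "*",
     "ports": ["*"], "source": ["*"], "destination": ["*"]},
]

if __name__ == "__main__":
    for r in normalize(SAMPLE):
        print(r["priority"], r["name"], r["source"], "->", r["destination"], r["ports"])
```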