Unable to deny traffic via SSH using Azure Application Security Group

Lakpriya Kottahachchi 1

I am trying to control internet traffic to a vm that is connected to an azure asg. The asg is connected to a nsg that has a set rules. when testing i noted that the vm allows to ssh from any source. am i missing something? here are my nsg rules.

1 answer

GitaraniSharma-MSFT 49,011 Reputation points Microsoft Employee

2020-07-30T08:05:31.873+00:00

Hello @LakpriyaKottahachchi-4754 ,

If the Network Interface of your VM is associated to the ASG NSG with block port 22 rule then you should not be able to SSH to this VM from Internet. Could you please browse to the Network Interface of the VM and check the Effective security rules? Sometimes the VM's NIC may still be connected to it's own NSG and not the ASG NSG. Please check and make sure that the effective security rules has the Deny SSH rule in it.

Kindly let us know if the above helps or you need further assistance on this issue.

Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
GitaraniSharma-MSFT 49,011 Reputation points Microsoft Employee

2020-07-31T09:36:24.857+00:00

Hello @Lakpriya Kottahachchi ,

Any update on this post?

Thanks,
Gita

Lakpriya Kottahachchi 1 Reputation point

2020-08-03T01:28:12.547+00:00

Hello @GitaraniSharmaMSFT-4262,

sorry for the delayed response.
yes the vm-nic is connected to the ASG NSG not to a NSG connected to the vm and the nic is also connected to the ASG. however there seems to be an issue when loading effective security rules in the nic. it just shows as 'loading' but any content don't seem to appear.

GitaraniSharma-MSFT 49,011 Reputation points Microsoft Employee

2020-08-03T12:21:30.803+00:00

Hello @LakpriyaKottahachchi-4754 ,

The effective security rules should load when the VM is in "Started/Running" mode. You may need to check it again to find out if there is any other rule superseding the Deny SSH rule which is at priority 4000. If you have an allow all rule with a lower priority number than 4000, then it would override the Deny SSH rule. You can try downloading the effective security rules using the "Download" button at the top of that screen as well.

Thanks,
Gita

GitaraniSharma-MSFT 49,011 Reputation points Microsoft Employee

2020-08-05T07:43:56.527+00:00

Hello @Lakpriya Kottahachchi ,

Any update on this post?

Thanks,
Gita

Lakpriya Kottahachchi 1 Reputation point

2020-08-06T04:43:03.82+00:00

hi,

there is an error when trying to download the security rules.

GitaraniSharma-MSFT 49,011 Reputation points Microsoft Employee

2020-08-06T08:41:00.277+00:00

Hello @Lakpriya Kottahachchi ,

Could you please send an email to azcommunity@microsoft.com in below format for further investigation?

Subject of the email : Attn: Gishar - Q&A Issue title
Body of the email containing below
Your Subscription ID :
Affected VM name :
Name of the connected ASG :
Name of the connected NSG :
Q&A thread link : https://learn.microsoft.com/en-us/answers/questions/54781/index.html

Thank you for your cooperation on this matter and I look forward to your reply.

GitaraniSharma-MSFT 49,011 Reputation points Microsoft Employee

2020-08-07T12:25:19.75+00:00

Hello @Lakpriya Kottahachchi ,

Could you please provide an update on this post? We have not received any email from you yet.

Thanks,
Gita

GitaraniSharma-MSFT 49,011 Reputation points Microsoft Employee

2020-08-10T09:32:15.107+00:00

Hello @Lakpriya Kottahachchi ,

Any updates on this post?

Thanks,
Gita

GitaraniSharma-MSFT 49,011 Reputation points Microsoft Employee

2020-08-14T11:24:24.487+00:00

Hello @Lakpriya Kottahachchi ,

I have not received any email from you yet.
Kindly let us know if you need any further assistance on this issue from our end.

Thanks,
Gita
Sign in to comment

Share via

Unable to deny traffic via SSH using Azure Application Security Group

1 answer