Hi, I need to free access between subnet for essential windows services like (ARP, Netbios, Domain Client and etc) this for basic operation between subnet. However, the main objective is to release only accesses for example: NSG Web - Web Application only port 80, 443 NSG Database - SQL Server only port1433 Is there a basic template to guarantee this basic communication between virtual machines? Thank you.

Hi @Salves A good starting point I guess would be the article below. It is not the same design but the concept will be very similar: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain For Azure services, you can also use built-in Service Tags in the NSG but unfortunately, they don't have one for your specific scenario but this is still an important one to know to make your life easier at managing rules: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview You will also find additional information on the following articles: http://www.gi-architects.co.uk/2015/10/clientserver-to-domain-controller-dc-ports-for-azure-nsg-firewall/ https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts --I hope this helps. Please do not forget to " Accept the answer " and " Up-Vote " the answer or message(s) that helped you so that it can help others in the community looking for help on similar topics Regards, Didier3001

Creating NSG to block access between subnet

Salves 501

Hi,

I need to free access between subnet for essential windows services like (ARP, Netbios, Domain Client and etc) this for basic operation between subnet.

However, the main objective is to release only accesses for example:

NSG Web - Web Application only port 80, 443
NSG Database - SQL Server only port1433

Is there a basic template to guarantee this basic communication between virtual machines?

Thank you.

GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee

2020-09-11T12:03:37.5+00:00

Hello @Salves ,

Just checking in to see if @Didier3001 's answer helped. If it answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee

2020-09-15T07:57:00.947+00:00

Hello @Salves ,

Could you please provide an update on this post?

If @Didier3001 's answer helped your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee

2020-09-16T15:56:35.183+00:00

Hello @Salves ,

Any update on this post?
Kindly let us know if you have any further questions.

Regards,
Gita Sharma

1 answer

Didier3001 1,006 Reputation points Microsoft Employee

2020-09-06T11:10:30.947+00:00

Hi @Salves

A good starting point I guess would be the article below. It is not the same design but the concept will be very similar:
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain

For Azure services, you can also use built-in Service Tags in the NSG but unfortunately, they don't have one for your specific scenario but this is still an important one to know to make your life easier at managing rules:
https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

You will also find additional information on the following articles:
http://www.gi-architects.co.uk/2015/10/clientserver-to-domain-controller-dc-ports-for-azure-nsg-firewall/
https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts

--I hope this helps. Please do not forget to "Accept the answer" and "Up-Vote" the answer or message(s) that helped you so that it can help others in the community looking for help on similar topics

Regards,
Didier3001
Please sign in to rate this answer.
Salves 501 Reputation points

2020-09-06T14:42:35.453+00:00

@Didier3001 ,

the last two links I found in my Google searches.

I believed that there was already a template or profile of default rules that we could use for this communication that is native in a Microsoft environment.

What I want to confirm is that I am on the right track, that is, I really need to configure rules to release the necessary ports individually by NSGs.

Either there is another simpler option or if there is another best practice for making this configuration.

Thank you.

Didier3001 1,006 Reputation points Microsoft Employee

2020-09-07T07:34:21.733+00:00

@Salves You are on the right track and as of today, there are no built-in rules to configure this type of communication. Your request does make a lot of sense and I would encourage you to vote for the official request that exists on Azure Feedback website:
https://feedback.azure.com/forums/217313-networking/suggestions/20212072-network-security-groups-windows-server-roles-and

Beside this, if you have multiple servers with the same roles (multiple front-end web servers for example) I would recommend you to use Application security groups.

Regards,
Didier3001
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Creating NSG to block access between subnet

1 answer

Your answer